Netgate Discussion Forum

    Transparent Proxy issue?

      Tikimotel

      Sorry for the late response.

      The tmp/rules.debug can be viewed via WinSCP or using the command "cat /tmp/rules.debug" in pfsense GUI: diagnostics->command.

      I've checked the "squid.inc" file in the package, and that will normally create the appropriate rules on pressing "save".
      I'm not sure on how to fix that manually if it turns out to be wrong.

        zaf

        Hi Tikimotel,

        Here is the output of the command, what does this mean?

        Setup Squid proxy redirect

        rdr on de1 proto tcp from any to !(de1) port 80 -> 127.0.0.1 port 3128

        Thanks

          KOM

          Redirect on interface de1, protocol TCP, from Source "Any" to Destination "NOT LAN Address", and send it to localhost on port 3128.  Basically it means that anyone on your LAN sending anything to port 80 (HTTP) but not directed to your pfSense box will be redirected to your pfSense box port 3128.

          It's the redirect rule that turns Transparent mode on or off.

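A quick way to check the redirect rule explained above, as an added example that is not part of any poster's reply. The sample text is constructed from the rule quoted in this thread plus one made-up pass rule, and the function names `explain_rdr` and `has_transparent_redirect` are hypothetical.

```shell
#!/bin/sh
# Constructed sample standing in for the output of: cat /tmp/rules.debug
# (the rdr line is the one quoted in the thread; the pass line is made up).
SAMPLE_RULES='# Setup Squid proxy redirect
rdr on de1 proto tcp from any to !(de1) port 80 -> 127.0.0.1 port 3128
pass in quick on de1 proto tcp from any to any port 443
'

# Read pf rules on stdin and print one line per rdr rule:
#   <interface> <proto> <destination> <dest-port> <target-ip> <target-port>
explain_rdr() {
    awk '
    $1 == "rdr" && $2 == "on" {
        iface = $3; proto = ""; dest = ""; dport = ""; tip = ""; tport = ""
        for (i = 4; i <= NF; i++) {
            if ($i == "proto") proto = $(i + 1)
            if ($i == "to")    dest  = $(i + 1)
            # The first "port" belongs to the match, the one after "->" to the target.
            if ($i == "port" && tip == "") dport = $(i + 1)
            if ($i == "->") {
                tip = $(i + 1)
                if ($(i + 2) == "port") tport = $(i + 3)
            }
        }
        print iface, proto, dest, dport, tip, tport
    }'
}

# Exit 0 if some rdr rule sends TCP port 80 to 127.0.0.1:<proxy_port>.
has_transparent_redirect() {
    proxy_port=$1
    explain_rdr | awk -v p="$proxy_port" '
        $2 == "tcp" && $4 == "80" && $5 == "127.0.0.1" && $6 == p { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Demonstration on the constructed sample.
printf '%s' "$SAMPLE_RULES" | explain_rdr
if printf '%s' "$SAMPLE_RULES" | has_transparent_redirect 3128; then
    echo "HTTP redirect to 127.0.0.1:3128 present"
else
    echo "no HTTP redirect to 127.0.0.1:3128 found"
fi
```

On the firewall itself the same functions can read the live rule set with `explain_rdr < /tmp/rules.debug`.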
            Tikimotel

            rdr on de1 proto tcp from any to !(de1) port 80 -> 127.0.0.1 port 3128
            

            Redirect all traffic using tcp protocol on port 80, from any source other than the de1 and redirect that to the localhost using the proxy port.

            So it's only half of what is needed.
            You'll need both lines from my example for transparent mode to work, both are set by the squid GUI.

            Do you have "Allow users on interface" enabled?

              Tikimotel

              I've unchecked this "Allow users on interface" and saved.
              Now I get a denied message, too.

              Please check "Allow users on interface", or add the allowed subnets manually in the tab "ACLs"

              Have you added anything to the "Authentication" tab?
              Can you try and set "Authentication method" to "none", or add the subnets to "Subnets that don't need authentication" field below that.

                zaf

                @Tikimotel:

                So it's only half of what is needed.
                You'll need both lines from my example for transparent mode to work, both are set by the squid GUI.

                Do you have "Allow users on interface" enabled?

                See attached, so how do I add the other line?

                Thanks

                proxy.PNG

                  zaf

                  authentication tab is set to none?

                  authen.PNG

                    zaf

                    The strange thing is when I turn transparent proxy on, google page works (hit and miss), but if I try another site say bbc.co.uk it says page cannot be displayed?

                    :-\

                    really confusing the hell out of me!

                      Tikimotel

                      The second is depending on your connection type, PPPoE for instance has a different rule than Ethernet connected.

                      Have you tried to remove the pkg config, uninstall the package and then fully re-install the package?

                      Log in to the terminal/ssh or locally on the box.
                      Use the option 12 (developer shell)
                      And issue the "playback" command to remove pkg config.
                      (playback removepkgconfig squid/squid3/squid3-dev)
                      Then log out of the terminal shell.
                      The package config is then removed from the config.XML, so re-installing the squid package from the GUI will be like the very first install, no old settings are restored.

                      I'm currently running "squid3-dev" on pfSense v2.1.4 (64-bit) from what I can tell from your images you are running a previous squid package version?
                      I don't know if the missing libs are fixed yet in the "squid3-dev" installer, but you can look up these libs in the forum topic there.
                      https://forum.pfsense.org/index.php?topic=62256.165

                      Marcello has done a lot of work in the squid3-dev package, and for my use case it works great. (it works for me ©)
                      https://forum.pfsense.org/index.php?topic=48347.0

                      My 2cents to get SquidGuard to cooperate with squid3-dev
                      https://forum.pfsense.org/index.php?topic=73640.0

                        zaf

                        here is the screen print of packages installed, do you want me to uninstall this and install the highlighted in yellow on the second screen print?

                        Thanks

                        packages.PNG
                        squid.PNG

                          Tikimotel

                          Your current squid is version 2 based. (a.k.a old)
                          I don't know if there is any development on that package…

                          When re-installing your version of squid, just make sure the old squid pkg settings are gone, because now you have weird issues.

                          I suggest you use "Squid3-dev" in combination with "Squidguard-squid3", because there is more development on that being done.

                            KOM

                            Squid3-dev in pfSense 2.1.x is fragile and I would not recommend using it unless you have both time on your hands and a masochistic streak.  Perhaps look at it in pfSense 2.2-ALPHA.

                              zaf

                              more confusion!!  :-\

                              I'm thinking of giving up on this, unless someone gives me an assured tested solution please?

                              Thanks

                                Liath.WW

                                Zaf, by chance do you have multiple WAN interfaces?  Squid (and even pfsense itself) tend to be super-flaky with multi-wan since I upgraded to 2.1.4 and I think it has to do with apinger failing and dropping connections that are perfectly valid, while also continuously saying that the gateway that is down is actually up.

                                I'd initially thought that squid was at fault, but I completely removed squid and still had the issue, so I shut down the failover interface and suddenly everything works again.  Moved the two connections to an old router and it seems to be working fine now, though it's much slower than having the connections directly connected to the pfsense box.

                                  zaf

                                  Liath, no I don't have multiple WAN interface on pfsense, I have attached some screen prints and my network setup.

                                  Basically, I connect via wireless router for LAN access, DHCP is set on pfsense firewall, so I get IP in range of 192.168.0.X.

                                  Could this be an issue that I'm connecting via wireless router though it's just used as LAN connection?

                                  Thanks

                                  wan.PNG
                                  wan1.PNG
                                  Network setup.PNG

                                    zaf

                                    Any more to add before I give up on this?

                                    Thanks

                                      Tikimotel

                                      @KOM:

                                      Squid3-dev in pfSense 2.1.x is fragile and I would not recommend using it unless you have both time on your hands and a masochistic streak.  Perhaps look at it in pfSense 2.2-ALPHA.

                                      What is fragile about it?
                                      I must be a major masochist then, runs fine here. (before the 2.1.5 update Squid3-dev was running no problems for 51 days)

                                      At least I was (am) trying to help zaf.

                                      @zaf are you double NAT-ting? (double NAT is bad!)
                                      I don't get it? Does the wireless come from your ISP with a private address?

                                      I suggest google double NAT.
                                      Try and resolve that issue first then try squid again, even the squid2 you were trying would work fine then.

                                        zaf

                                        @Tikimotel:

                                        @zaf are you double NAT-ting? (double NAT is bad!)
                                        I don't get it? Does the wireless come from your ISP with a private address?

                                        Tikimotel, the wireless router is mine used for wireless access.

                                        when you say double NAT, do you mean I have LAN interface on pfsense (DHCP) and WAN interface of Pfsense to wireless router (DHCP) and wireless router to Virgin Media broadband router.

                                        Then the answer is probably yes.

                                        I use wireless router for wireless connections but the clients get IP from the Pfsense DHCP!

                                        Thanks

                                          BBcan177 Moderator

                                          @zaf:

                                          @Tikimotel:

                                          @zaf are you double NAT-ting? (double NAT is bad!)
                                          I don't get it? Does the wireless come from your ISP with a private address?

                                          Tikimotel, the wireless router is mine used for wireless access.

                                          when you say double NAT, do you mean I have LAN interface on pfsense (DHCP) and WAN interface of Pfsense to wireless router (DHCP) and wireless router to Virgin Media broadband router.

                                          Then the answer is probably yes.

                                          I use wireless router for wireless connections but the clients get IP from the Pfsense DHCP!

                                          Thanks

                                          If you are able to get your Internet Provider to provide a "Bridged Mode" setting in the Modem, this will eliminate the Double NAT issue.

                                          Your Modem is getting the Real Internet Address instead of pfSense getting the real address.

                                            Tikimotel

                                            The issue with double NAT is that the translation can only happen once.
                                            So the first NAT can translate the private address and corresponding internet connection fine, but the second NAT can only translate the private address to another private address and basically does nothing.
                                            I'm no expert at this, but the pfsense box should handle the real internet address.
                                            I've set up all my wireless stuff using a wireless router as an access point.

                                            ISP --> pfSense box --> wired device(s) incl. wireless router

                                            Configure wireless router as an access point, other devices should point to pfSense to get DHCP address information (so wireless devices are routed to the pfSense box by the access point automatically).

                                            Safety Tip! You need to make sure only wired devices are allowed to change the wireless router configuration.
