Netgate Discussion Forum

    Squid 3.4.9 no traffic in transparent mode.

    • E
      Escorpiom

      Just got to the bottom of this.
      This Squid package for 2.2RC is not built correctly and actually it's quite sloppy.

      Three errors:

      • Package needs to be compiled with "--enable-pf-transparent" as pointed out by firstzerg
      • Use the "tproxy" directive to be a completely transparent proxy
      • Instead of port 3128, use port 3129 for intercepted traffic.

      Details can be found here:

      http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf
      

      If Squid 3.4.9 is a beta package you may as well remove it from the list, because it definitely doesn't work.

      Cheers.

      • J
        jeepster

        @Escorpiom:

        Just got to the bottom of this.
        This Squid package for 2.2RC is not built correctly and actually it's quite sloppy.

        Three errors:

        • Package needs to be compiled with "--enable-pf-transparent" as pointed out by firstzerg
        • Use the "tproxy" directive to be a completely transparent proxy
        • Instead of port 3128, use port 3129 for intercepted traffic.

        Details can be found here:

        http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf
        

        If Squid 3.4.9 is a beta package you may as well remove it from the list, because it definitely doesn't work.

        Cheers.

        The Nov 25th build seemed to work fine; if you figure out how to get it installed, let me know.
        https://files.pfsense.org/packages/10/All/

        squid-3.4.9 works
        squid-3.3.11_1 works

        squid-3.4.9_1 broken
        squid-3.3.13_2 broken

        • E
          Escorpiom

          Sorry but so far I did the troubleshooting and it's a confirmed problem with the package.
          I'm fairly new here and maybe I misunderstand the priorities of the devs, or maybe Squid is not an essential pfSense component.

          Anyway I do not feel we have to fiddle around with packages that are broken or have install issues, simple request: If it isn't finished just don't release it.
          Don't let people sort things out on their own without even commenting on issues.

          Bug report created:

          https://redmine.pfsense.org/issues/4114
          

          Cheers.

          • T
            trouserless

            squid3-dev 3.3.13_2 is now working in transparent mode.

            I installed 12/20 RC build and then performed a clean install of squid3-dev.  When I first enabled transparent mode, it failed.  I left it configured for transparent mode and simply rebooted the firewall.  When it came up, it all works (verified by real time tab).

            I will see if the simple reboot works for the squid3 3.4.9_1 package later when I can reboot router without impacting users.

            • E
              Escorpiom

              Yes, 3.3.13 works.
              Sadly I'm in the same boat, it's not possible to experiment without causing trouble for my users.
              I'll test stuff after midnight.

              A few days ago there was a second package released for Squid 3.4.9, but that one still won't work for transparent proxy.
              Also tried creating a rule to intercept port 80 traffic and redirect to port 3128 or port 3129, but Squid didn't pick it up.
              This makes me believe that there may be other issues besides transparent proxy not working.

              Cheers.

              • F
                Firemedic46

                I have found every time I do a firmware update in 2.2 RC builds, I have to re-install the squid 2.7.9 pkg v.4.3.6 package every time and all is well. Settings are still the same, just refresh the package install. If am unable to surf the web! I have no special settings, pretty much basic and in transparent mode!

                http://www.speedtest.net/my-result/6030868890

                • E
                  Escorpiom

                  I've just made some more tests with Squid 3.4.9.
                  As transparent proxy doesn't work, it would be possible to create NAT rules to redirect traffic to Squid.
                  Setting the browser config to use the proxy on port 3128 works, so redirecting port 80 to port 3128 should work just fine…

                  Not so. I found that Squid somehow strips the "http" part, resulting in an "invalid url".
                  This is the output from the access log:

                  192.168.31.27 TAG_NONE/400 3555 GET /?host=m.telegraaf.nl&hdn=%2FhmMlNFJ%2FfNLigi3ZtUwuQ%3D%3D - HIER_NONE/- text/html
                  1419307530.384      0 192.168.31.27 TAG_NONE/400 3551 GET /article/23484473/skiester-14-zwaargewond-door-botsing-tirol - HIER_NONE/- text/html
                  

                  The NAT redirect rule, however, works fine. It's Squid that somehow doesn't know how to process redirected traffic.
                  So in short, I still haven't got a clue.

                  Cheers.

                  • E
                    Escorpiom

                    Today the Squid package was updated to 3.4.10.
                    Issues still remain: it is not possible to redirect traffic by means of a NAT rule, and the error persists:

                    "invalid URL".

                    Cheers.

                    Edit:
                    Activating the transparent proxy option now yields a different error instead of "no traffic received", observe the pic:

                    • E
                      Escorpiom

                      Today's update did not resolve the issues with transparent proxy.
                      Manually redirecting traffic to port 3128 still doesn't work; the issue described above persists.

                      Cheers.

                      • F
                        firstzerg

                        @Escorpiom:

                        Today's update did not resolve the issues with transparent proxy.
                        Manually redirecting traffic to port 3128 still doesn't work; the issue described above persists.

                        Cheers.

                        squid3 beta 3.4.10_2 pkg 0.2.1 has the --enable-pf-transparent compilation flag…
                        but now there are other problems:

                        no libecap.so.2 in path variable
                        this helped me:

                        ln -s /lib/libmd.so.6 /usr/lib/libmd5.so.0
                        ln -s /usr/pbi/squid-amd64/local/lib/libecap.so.2 /usr/lib/libecap.so.2
                        ln -s /usr/pbi/squid-amd64/local/etc/squid /usr/local/etc/squid
                        ln -s /usr/pbi/squid-amd64/local/libexec/squid /usr/local/libexec/squid
                        

                        With transparent mode, requests in access.log look like this:

                        1420270719.456      0 127.0.0.1 TCP_DENIED/403 4169 GET http://google.com/ - HIER_NONE/- text/html
                        1420270719.456      1 192.168.56.9 TCP_MISS/403 4271 GET http://google.com/ - ORIGINAL_DST/127.0.0.1 text/html
                        

                        I have no idea why squid blocks localhost and why there are two requests.
                        Other sources suggest redirecting through ipfw… but pfSense is not working with ipfw.

                        P.S. Sorry for my English  :)

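Added example, not written by any poster in this thread: a small Python triage of the access.log lines quoted above (the two TAG_NONE/400 lines and the two 403 lines). It flags path-only requests answered with 400, which is what an `http_port` that expects a full URL returns for redirected traffic, and requests that Squid forwarded to a loopback "original destination" together with the matching request arriving back from loopback. The tag names and the loopback pairing rule are this example's own.

```python
import ipaddress
import re

# The four access.log lines quoted in the thread (the first was pasted
# without its timestamp and elapsed-time fields).
SAMPLE = """\
192.168.31.27 TAG_NONE/400 3555 GET /?host=m.telegraaf.nl&hdn=%2FhmMlNFJ%2FfNLigi3ZtUwuQ%3D%3D - HIER_NONE/- text/html
1419307530.384      0 192.168.31.27 TAG_NONE/400 3551 GET /article/23484473/skiester-14-zwaargewond-door-botsing-tirol - HIER_NONE/- text/html
1420270719.456      0 127.0.0.1 TCP_DENIED/403 4169 GET http://google.com/ - HIER_NONE/- text/html
1420270719.456      1 192.168.56.9 TCP_MISS/403 4271 GET http://google.com/ - ORIGINAL_DST/127.0.0.1 text/html
"""

# Squid native log format; the leading timestamp/elapsed pair is optional
# so that truncated pastes still parse.
LINE = re.compile(
    r"\s*(?:(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+)?"
    r"(?P<client>\S+)\s+(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)"
)


def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # "-" or a hostname
        return False


def triage(text):
    """Return (client, url, tag) per parsed line; tag names are this example's."""
    entries = [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]
    # Requests Squid forwarded to a loopback "original destination".
    looped = {(e["ts"], e["url"]) for e in entries
              if e["hier"] == "ORIGINAL_DST" and is_loopback(e["peer"])}
    out = []
    for e in entries:
        if e["status"] == "400" and e["url"].startswith("/"):
            tag = "origin-form"   # path-only request hit a port that expects a full URL
        elif e["hier"] == "ORIGINAL_DST" and is_loopback(e["peer"]):
            tag = "self-loop"     # Squid connected to a loopback address as the origin
        elif is_loopback(e["client"]) and (e["ts"], e["url"]) in looped:
            tag = "loop-echo"     # the same request arriving back from loopback
        else:
            tag = "ok"
        out.append((e["client"], e["url"], tag))
    return out


if __name__ == "__main__":
    for client, url, tag in triage(SAMPLE):
        print(f"{tag:12} {client:15} {url}")
```
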
                        • R
                          rubinho

                          The squid 3 package is currently only a disaster with 2.2 :/

                          • Transparent Mode does not work
                          • Required lib-paths are not available
                          • .pbirun hangs after installed squid3 package and causes high cpu load
                          • the tcp port 3128 is set to closed instead of listening (tested with netstat)

                          [Pfsense 2.4] Supermicro A1SRI-2558F@Atom C2558 4Gb RAM
                          [Pfsense 2.4] Jetway NF9D@Atom D2550 + AD3INLAN-G Expansioncard  (3x Intel 82541PI Gigabit Controller)

                          • E
                            Escorpiom

                            Thanks both for sharing your findings.
                            Port 3128 is not closed I believe.
                            I found that adding this directive in squid.conf:

                            http_port 3128 accel vhost allow-direct
                            

                            and restarting squid from the console (not GUI)
                            makes the proxy work in "transparent" mode.
                            I put it in quotes because normally the directive "intercept" should work for Squid 3.
                            So for me it's unclear if "accel vhost allow-direct" does something else.

                            Cheers.

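Added example, not code from the thread or from the pfSense package: a small Python check of squid.conf `http_port` lines, assuming a pf rule redirects port 80 traffic to Squid. In Squid, `accel` is reverse-proxy mode, `vhost` builds the request URL from the client's Host header, and `allow-direct` permits direct forwarding in that mode; the finding names and the sample fragments are constructed for illustration.

```python
# Constructed squid.conf fragments. WORKAROUND is the line from the post;
# SPLIT follows the forward/intercept port split suggested earlier in the thread.
WORKAROUND = "http_port 3128 accel vhost allow-direct\n"
SPLIT = """\
http_port 3128                      # browsers configured to use the proxy
http_port 127.0.0.1:3129 intercept  # target of the pf redirect rule
"""

MODES = {"intercept": "intercept", "transparent": "intercept",  # pre-3.1 spelling
         "tproxy": "tproxy", "accel": "accel"}


def parse_http_ports(conf):
    """Return one dict per http_port directive: port, mode, option set."""
    ports = []
    for raw in conf.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] != "http_port":
            continue
        port = int(fields[1].rsplit(":", 1)[-1])  # accepts 3128, ip:3128, [v6]:3128
        opts = set(fields[2:])
        mode = next((MODES[o] for o in fields[2:] if o in MODES), "forward")
        ports.append({"port": port, "mode": mode, "opts": opts})
    return ports


def lint(conf):
    """Return sorted finding codes (names are this example's, not Squid's)."""
    ports = parse_http_ports(conf)
    findings = set()
    if not any(p["mode"] in ("intercept", "tproxy") for p in ports):
        # Redirected clients send "GET /path"; a plain forward port answers
        # that with 400 Invalid URL.
        findings.add("no-intercept-port")
    for p in ports:
        if p["mode"] == "accel" and "vhost" in p["opts"]:
            # Reverse-proxy mode: the URL is built from the client's Host header.
            findings.add("accel-vhost")
        if p["mode"] == "accel" and "allow-direct" in p["opts"]:
            # Lifts accel mode's default refusal to forward direct to origins.
            findings.add("accel-allow-direct")
    seen = {}
    for p in ports:
        if seen.setdefault(p["port"], p["mode"]) != p["mode"]:
            findings.add("port-shared-between-modes")
    return sorted(findings)


if __name__ == "__main__":
    print("workaround:", lint(WORKAROUND))
    print("split     :", lint(SPLIT))
```
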
                            • F
                              firstzerg

                              squid3 3.4.10_2 pkg 0.2.2 looks like it is working in transparent mode and does not require patches like libmd5.so.0

                              • C
                                cmb

                                @firstzerg:

                                squid3 3.4.10_2 pkg 0.2.2 looks like it is working in transparent mode and does not require patches like libmd5.so.0

                                Yes, it should be. Please everyone try the latest and report back. 2 of the 5 remaining open 2.2 bugs are for Squid.

                                https://redmine.pfsense.org/issues/4114
                                https://redmine.pfsense.org/issues/4059

                                • J
                                  jeepster

                                  seems to be working fine

                                  • E
                                    Escorpiom

                                    Feedback is in the bug report; it seems transparent proxy is still not working for some.
                                    Perhaps it's because of the pfSense RC build; I'm still on a December build.

                                    Cheers.

                                    • R
                                      rubinho

                                      ~~Also in the newest package, the tcp port will be closed :/

                                      Squid 2.7 works fine

                                      What did I do wrong ?

                                      /usr/local/libexec/squid: netstat -a | grep 3128
                                      tcp4       0      0 172.21.0.1.3128        *.*                    CLOSED
                                      tcp4       0      0 fw1.3128               *.*                    CLOSED
                                      ~~
                                      
                                      Edit:
                                      
                                      Problem solved !
                                      
                                      I have enabled IPv6 in the Firewall Settings; that solved the problem.

                                      • C
                                        Cino

                                        @cmb:

                                        @firstzerg:

                                        squid3 3.4.10_2 pkg 0.2.2 looks like it is working in transparent mode and does not require patches like libmd5.so.0

                                        Yes, it should be. Please everyone try the latest and report back. 2 of the 5 remaining open 2.2 bugs are for Squid.

                                        https://redmine.pfsense.org/issues/4114
                                        https://redmine.pfsense.org/issues/4059

                                        I've added a couple more =D

                                        https://redmine.pfsense.org/issues/4196  squid.pid issue
                                        https://redmine.pfsense.org/issues/4197  not related to transparent mode but the anti-virus feature

                                        • E
                                          Escorpiom

                                          The issue as described by rubinho does not apply to my configuration, tested for closed ports and this is the output:

                                          /usr/local/libexec/squid: netstat -a | grep 3128
                                          tcp4       0      0 localhost.3128         *.*                    LISTEN
                                          tcp4       0      0 192.168.50.1.3128      *.*                    LISTEN
                                          tcp4       0      0 192.168.40.1.3128      *.*                    LISTEN
                                          tcp4       0      0 192.168.20.1.3128      *.*                    LISTEN
                                          tcp4       0      0 192.168.10.2.3128      *.*                    LISTEN
                                          tcp4       0      0 192.168.33.1.3128      *.*                    LISTEN
                                          tcp4       0      0 192.168.31.1.3128      *.*                    LISTEN
                                          tcp4       0      0 192.168.60.1.3128      *.*                    LISTEN
                                          tcp4       0      0 192.168.168.4.3128     *.*                    LISTEN
                                          tcp4       0      0 server.3128            *.*                    LISTEN
                                          

                                          As said before, setting the browser manually to use port 3128 does work fine.
                                          Transparent proxy however still does not work.

                                          Cheers.

                                          • R
                                            rubinho

                                            @Escorpiom
                                            Transparent proxy does not work for me either. (Invalid URL)

                                            The problem with closed ports was already in general Proxy operating.
                                            But the problem is now solved (Closed Ports)

                                            Excuse the Mess

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.