
    Squid 3.4.9 no traffic in transparent mode.

    • R
      rubinho
      last edited by

      The squid 3 package is currently only a disaster with 2.2 :/

      • Transparent Mode does not work
      • Required lib-paths are not available
      • .pbirun hangs after installing the squid3 package and causes high CPU load
      • the TCP port 3128 is set to closed, instead of listening (tested with netstat)

      [Pfsense 2.4] Supermicro A1SRI-2558F@Atom C2558 4Gb RAM
      [Pfsense 2.4] Jetway NF9D@Atom D2550 + AD3INLAN-G Expansioncard  (3x Intel 82541PI Gigabit Controller)

      1 Reply Last reply Reply Quote 0
      • E
        Escorpiom
        last edited by

        Thanks both for sharing your findings.
        Port 3128 is not closed I believe.
        I found that adding this directive in squid.conf:

        ```
        http_port 3128 accel vhost allow-direct
        ```

        and restarting squid from the console (not GUI)
        makes the proxy work in "transparent" mode.
        I put it in quotes because normally the directive "intercept" should work for Squid 3.
        So for me it's unclear if "accel vhost allow-direct" does something else.

        Cheers.

        1 Reply Last reply Reply Quote 0
        • F
          firstzerg
          last edited by

          squid3 3.4.10_2 pkg 0.2.2 looks like it is working in transparent mode and does not require patches like libmd5.so.0

          1 Reply Last reply Reply Quote 0
          • C
            cmb
            last edited by

            @firstzerg:

            squid3 3.4.10_2 pkg 0.2.2 looks like it is working in transparent mode and does not require patches like libmd5.so.0

            Yes, it should be. Please everyone try the latest and report back. 2 of the 5 remaining open 2.2 bugs are for Squid.

            https://redmine.pfsense.org/issues/4114
            https://redmine.pfsense.org/issues/4059

            1 Reply Last reply Reply Quote 0
            • J
              jeepster
              last edited by

              seems to be working fine

              1 Reply Last reply Reply Quote 0
              • E
                Escorpiom
                last edited by

                Feedback is in the bug report; it seems transparent proxy is still not working for some.
                Perhaps it's because of the pfSense RC build, I'm still on a December build.

                Cheers.

                1 Reply Last reply Reply Quote 0
                • R
                  rubinho
                  last edited by

                  ~~Also in the newest package, the tcp port will be closed :/~~

                  ~~Squid 2.7 works fine~~

                  ~~What did I do wrong ?~~

                  ```
                  /usr/local/libexec/squid: netstat -a | grep 3128
                  tcp4       0      0 172.21.0.1.3128        *.*                    CLOSED
                  tcp4       0      0 fw1.3128               *.*                    CLOSED
                  ```
                  
                  Edit:
                  
                  Problem solved !
                  
                  I have enabled IPv6 in the Firewall Settings; that solved the problem.

                  [Pfsense 2.4] Supermicro A1SRI-2558F@Atom C2558 4Gb RAM
                  [Pfsense 2.4] Jetway NF9D@Atom D2550 + AD3INLAN-G Expansioncard  (3x Intel 82541PI Gigabit Controller)

                  1 Reply Last reply Reply Quote 0
                  • C
                    Cino
                    last edited by

                    @cmb:

                    @firstzerg:

                    squid3 3.4.10_2 pkg 0.2.2 looks like it is working in transparent mode and does not require patches like libmd5.so.0

                    Yes, it should be. Please everyone try the latest and report back. 2 of the 5 remaining open 2.2 bugs are for Squid.

                    https://redmine.pfsense.org/issues/4114
                    https://redmine.pfsense.org/issues/4059

                    I've added a couple more =D

                    https://redmine.pfsense.org/issues/4196  squid.pid issue
                    https://redmine.pfsense.org/issues/4197  not related to transparent mode but the anti-virus feature

                    1 Reply Last reply Reply Quote 0
                    • E
                      Escorpiom
                      last edited by

                      The issue as described by rubinho does not apply to my configuration, tested for closed ports and this is the output:

                      ```
                      /usr/local/libexec/squid: netstat -a | grep 3128
                      tcp4       0      0 localhost.3128         *.*                    LISTEN
                      tcp4       0      0 192.168.50.1.3128      *.*                    LISTEN
                      tcp4       0      0 192.168.40.1.3128      *.*                    LISTEN
                      tcp4       0      0 192.168.20.1.3128      *.*                    LISTEN
                      tcp4       0      0 192.168.10.2.3128      *.*                    LISTEN
                      tcp4       0      0 192.168.33.1.3128      *.*                    LISTEN
                      tcp4       0      0 192.168.31.1.3128      *.*                    LISTEN
                      tcp4       0      0 192.168.60.1.3128      *.*                    LISTEN
                      tcp4       0      0 192.168.168.4.3128     *.*                    LISTEN
                      tcp4       0      0 server.3128            *.*                    LISTEN
                      ```

                      As said before, setting the browser manually to use port 3128 does work fine.
                      Transparent proxy however still does not work.

                      Cheers.

                      1 Reply Last reply Reply Quote 0
                      • R
                        rubinho
                        last edited by

                        @Escorpiom
                        Transparent proxy does not work for me either. (Invalid URL)

                        The problem with closed ports was already in general Proxy operating.
                        But the problem is now solved (Closed Ports)

                        Excuse the Mess

                        [Pfsense 2.4] Supermicro A1SRI-2558F@Atom C2558 4Gb RAM
                        [Pfsense 2.4] Jetway NF9D@Atom D2550 + AD3INLAN-G Expansioncard  (3x Intel 82541PI Gigabit Controller)

                        1 Reply Last reply Reply Quote 0
                        • E
                          Escorpiom
                          last edited by

                          It's 4 a.m. and this finally works OK with the latest 0.2.4 package.
                          There is something strange with the redirect rules, will expand later on that.

                          Cheers.

                          1 Reply Last reply Reply Quote 0
                          • marcellocM
                            marcelloc
                            last edited by

                            The transparent mode is fixed since 0.2.2 but /var/run/squid check(that was preventing squid reload on config changes) was fixed only in 0.2.3

                            Treinamentos de Elite: http://sys-squad.com

                            Help a community developer! ;D

                            1 Reply Last reply Reply Quote 0
                            • J
                              jencijanos
                              last edited by

                              pfSense 2.2-RC (amd64) built on Thu Jan 15 08:01:35 CST 2015
                              squid3 3.4.10_2 pkg 0.2.4
                              when I apply limiters in Firewall rules the traffic is blocked (see attachment)
                              config imported from working pfSense install 2.1.3
                              I tried to reset settings and reinstall pfSense and squid3 but no changes; traffic is blocked when limiters are set in firewall rules

                              ![Screen Shot 2015-01-15 at 10.40.59 PM copy.jpg](/public/imported_attachments/1/Screen Shot 2015-01-15 at 10.40.59 PM copy.jpg)

                              1 Reply Last reply Reply Quote 0
                              • E
                                Escorpiom
                                last edited by

                                Chris said:

                                "Disable transparent proxy in Squid and add your own port forward to do it, then edit the associated rule and apply the limiter."

                                Cheers.

                                Edit: Sorry about that, the port forward rule is actually TWO rules. This is what I found out in the ruleset:

                                ```
                                no rdr on igb1 proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80
                                rdr on igb1 proto tcp from any to !(igb1) port 80 -> 127.0.0.1 port 3128
                                ```

                                That's the idea, I've got a couple of vlans and the principle is the same.
                                I don't understand why we need the first rule, but it only works like this, a single rule does not work.

                                1 Reply Last reply Reply Quote 0
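Added example (not part of any post in this thread, and not pfSense or pf code): a small model of how pf evaluates the two translation rules quoted above. pf applies the first matching translation rule, and a `no rdr` match ends evaluation without translating. The address assigned to igb1 (192.168.1.1) and the sample destinations are constructed assumptions.

```python
"""First-match evaluation of the two pf translation rules quoted in the thread."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed assumption: igb1 carries a single address, 192.168.1.1.
IFACE_ADDRS = {"igb1": ["192.168.1.1/32"]}
RFC1918 = ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]


@dataclass(frozen=True)
class RdrRule:
    no: bool                        # True for "no rdr": a match means "do not translate"
    iface: str                      # interface the packet arrives on
    dst: Tuple[str, ...]            # destination networks named in the rule
    negate_dst: bool                # True for "to !(...)"
    dport: int
    target: Optional[Tuple[str, int]] = None  # redirect target, None for "no rdr"

    def matches(self, iface: str, proto: str, dst_ip: str, dport: int) -> bool:
        if iface != self.iface or proto != "tcp" or dport != self.dport:
            return False
        addr = ipaddress.ip_address(dst_ip)
        in_set = any(addr in ipaddress.ip_network(net) for net in self.dst)
        return in_set != self.negate_dst


RULES = [
    # no rdr on igb1 proto tcp from any to { RFC 1918 } port 80
    RdrRule(True, "igb1", tuple(RFC1918), False, 80),
    # rdr on igb1 proto tcp from any to !(igb1) port 80 -> 127.0.0.1 port 3128
    RdrRule(False, "igb1", tuple(IFACE_ADDRS["igb1"]), True, 80, ("127.0.0.1", 3128)),
]


def translate(iface, proto, dst_ip, dport, rules=RULES):
    """Return the (ip, port) the packet is delivered to after rdr evaluation."""
    for rule in rules:
        if rule.matches(iface, proto, dst_ip, dport):
            # First matching translation rule wins; "no rdr" stops evaluation
            # and leaves the destination untouched.
            return (dst_ip, dport) if rule.no else rule.target
    return (dst_ip, dport)


if __name__ == "__main__":
    for dst in ("93.184.216.34", "10.0.5.20", "192.168.1.1"):
        print(dst, "both rules ->", translate("igb1", "tcp", dst, 80),
              "| rdr only ->", translate("igb1", "tcp", dst, 80, rules=RULES[1:]))
```

With both rules, port-80 traffic to private (RFC 1918) destinations such as hosts on other VLANs keeps its destination and only HTTP to public addresses is handed to Squid; with the `rdr` rule alone, the private destination is redirected to the proxy as well.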
                                • T
                                  Topper727
                                  last edited by

                                  @rubinho:

                                  @Escorpiom
                                  Transparent proxy does not work for me either. (Invalid URL)

                                  The problem with closed ports was already in general Proxy operating.
                                  But the problem is now solved (Closed Ports)

                                  Excuse the Mess

                                  Same for me RC 64 bit Pfsense and squid 3.4.10

                                  I will say that I can go to some sites though.. like www.yahoo.com and not sure how many others but most do not work.
                                  Ahh not thought of this.. maybe the sites that work are https: sites  secure ones ::: Confirmed HTTPS are able to be browsed with Transparent on but http is not.

                                  Also note: CPU usage on my Intel is 100% cause of squid..

                                  ERROR

                                  The requested URL could not be retrieved

                                  The following error was encountered while trying to retrieve the URL: /2015/01/15/byron-scott-divorce-wife-demands-baller-lifestyle-i-cant-live-without-my-gucci/

                                  Invalid URL

                                  Some aspect of the requested URL is incorrect.

                                  Some possible problems are:

                                  Missing or incorrect access protocol (should be http:// or similar)

                                  Missing hostname

                                  Illegal double-escape in the URL-Path

                                  Illegal character in hostname; underscores are not allowed.

                                  Your cache administrator is webmaster.

                                  Generated Fri, 16 Jan 2015 04:27:47 GMT by pfSense.localdomain (squid/3.4.10)

                                  Dell 2950 g3 server
                                  Intel(R) Xeon(R) CPU E5430 @ 2.66GHz
                                  Current: 2000 MHz, Max: 2667 MHz
                                  8 CPUs: 2 package(s) x 4 core(s)
                                  8152 MiB and 600meg 10k drive
                                  Pfsense 2.4 .. Hoping to get the phpvirtualbox going again.

                                  1 Reply Last reply Reply Quote 0
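Added example (not part of any post in this thread, and not Squid code): the error page above shows the URL as a bare path, which is what a proxy sees when a redirected browser request arrives in origin-form. This sketch shows how the effective URL is derived on a plain forward-proxy port versus a port that rebuilds it from the Host header, as `intercept` and `accel vhost` do. The function names, the `mode` values and the sample requests are constructed for illustration.

```python
"""How a proxy port derives the request URL, depending on its listening mode."""
from urllib.parse import urlsplit


class InvalidURL(Exception):
    """Raised when no absolute URL can be derived from the request."""


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request head into method, target and headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def effective_url(raw: bytes, mode: str) -> str:
    """mode is 'forward' (plain http_port) or 'intercept' (Host-based rebuild)."""
    _method, target, headers = parse_request(raw)
    parts = urlsplit(target)
    if parts.scheme and parts.netloc:
        # absolute-form: what a browser sends when a proxy is configured manually
        return target
    if mode == "forward":
        # origin-form on a forward-proxy port: there is no scheme or host to use
        raise InvalidURL(target)
    host = headers.get("host")
    if not host:
        raise InvalidURL(target)
    # origin-form on an intercepting port: rebuild the URL from the Host header
    return "http://" + host + target


# Constructed sample requests (hostname and path are placeholders).
REDIRECTED = (b"GET /2015/01/15/example/ HTTP/1.1\r\n"
              b"Host: www.example.com\r\n\r\n")
PROXY_AWARE = (b"GET http://www.example.com/2015/01/15/example/ HTTP/1.1\r\n"
               b"Host: www.example.com\r\n\r\n")

if __name__ == "__main__":
    print(effective_url(PROXY_AWARE, "forward"))
    print(effective_url(REDIRECTED, "intercept"))
    try:
        effective_url(REDIRECTED, "forward")
    except InvalidURL as exc:
        print("Invalid URL:", exc)
```

In intercept mode Squid also compares the Host header with the packet's original destination address before trusting it; that check is left out of this sketch.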
                                  • T
                                    Tikimotel
                                    last edited by

                                    Could it be that the syntax changed from Squid2 to Squid3++?
                                    Instead of the tickbox option to disable "Disable X-Forward", I use "forwarded_for transparent" in the "Custom ACLS (Before_Auth)" box.

                                    Can't test on 2.2, maybe the forwarded_for options should become a pull-down list in place of a tickbox.

                                    http://www.squid-cache.org/Versions/v3/3.4/cfgman/forwarded_for.html

                                    X-Forwarded-For: unknown

                                    If set to "transparent", Squid will not alter the
                                    X-Forwarded-For header in any way.

                                    If set to "delete", Squid will delete the entire
                                    X-Forwarded-For header.

                                    If set to "truncate", Squid will remove all existing
                                    X-Forwarded-For entries, and place the client IP as the sole entry.

                                    1 Reply Last reply Reply Quote 0
                                    • marcellocM
                                      marcelloc
                                      last edited by

                                      Check squid config gui options on all tabs and/or run squid  -k parse on console

                                      Treinamentos de Elite: http://sys-squad.com

                                      Help a community developer! ;D

                                      1 Reply Last reply Reply Quote 0
                                      • T
                                        Tikimotel
                                        last edited by

                                        What I meant was with forwarded_for you used to have "on" or "off".
                                        Now with 3.3 and 3.4 you have multiple settings. (since 3.1)

                                        ```
                                        forwarded_for on          # (default, send client IP info in forward for header)
                                        forwarded_for off         # (tickbox, Disable X-forward option, always respond with "unknown", some forum sites don't like this option!)
                                        forwarded_for transparent # (do not touch anything, more private?)
                                        forwarded_for delete      # (remove the header info entirely)
                                        forwarded_for truncate    # (single, last, client IP info in the forward for header)
                                        ```
                                        
                                        1 Reply Last reply Reply Quote 0
                                        • T
                                          Topper727
                                          last edited by

                                          The recent 3.4.10_2 pkg 0.2.5 just installed, problem still seems there.  I thought it worked but maybe I didn't pay attention to what pages were ssl or not. I did turn on the icap just a second ago, maybe that had something to do with it.

                                          [2.2-RC][admin@pfSense.localdomain]/root: squid -k parse
                                          2015/01/16 09:19:43| Startup: Initializing Authentication Schemes …
                                          2015/01/16 09:19:43| Startup: Initialized Authentication Scheme 'basic'
                                          2015/01/16 09:19:43| Startup: Initialized Authentication Scheme 'digest'
                                          2015/01/16 09:19:43| Startup: Initialized Authentication Scheme 'negotiate'
                                          2015/01/16 09:19:43| Startup: Initialized Authentication Scheme 'ntlm'
                                          2015/01/16 09:19:43| Startup: Initialized Authentication.
                                          2015/01/16 09:19:43| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
                                          2015/01/16 09:19:43| Processing: http_port 192.168.1.1:3128
                                          2015/01/16 09:19:43| Processing: http_port 127.0.0.1:3128 intercept
                                          2015/01/16 09:19:43| Starting Authentication on port 127.0.0.1:3128
                                          2015/01/16 09:19:43| Disabling Authentication on port 127.0.0.1:3128 (interception enabled)
                                          2015/01/16 09:19:43| Processing: icp_port 0
                                          2015/01/16 09:19:43| Processing: dns_v4_first off
                                          2015/01/16 09:19:43| Processing: pid_filename /var/run/squid/squid.pid
                                          2015/01/16 09:19:43| Processing: cache_effective_user proxy
                                          2015/01/16 09:19:43| Processing: cache_effective_group proxy
                                          2015/01/16 09:19:43| Processing: error_default_language en
                                          2015/01/16 09:19:43| Processing: icon_directory /usr/pbi/squid-amd64/local/etc/squid/icons
                                          2015/01/16 09:19:43| Processing: visible_hostname Wholesale-florida.com
                                          2015/01/16 09:19:43| Processing: cache_mgr sales@wholesale-florida.com
                                          2015/01/16 09:19:43| Processing: access_log /var/squid/logs/access.log
                                          2015/01/16 09:19:43| Processing: cache_log /var/squid/logs/cache.log
                                          2015/01/16 09:19:43| Processing: cache_store_log none
                                          2015/01/16 09:19:43| Processing: netdb_filename /var/squid/logs/netdb.state
                                          2015/01/16 09:19:43| Processing: pinger_enable on
                                          2015/01/16 09:19:43| Processing: pinger_program /usr/pbi/squid-amd64/local/libexec/squid/pinger
                                          2015/01/16 09:19:43| Processing: logfile_rotate 0
                                          2015/01/16 09:19:43| Processing: debug_options rotate=0
                                          2015/01/16 09:19:43| Processing: shutdown_lifetime 3 seconds
                                          2015/01/16 09:19:43| Processing: acl localnet src  192.168.0.0/16
                                          2015/01/16 09:19:43| Processing: uri_whitespace strip
                                          2015/01/16 09:19:43| Processing: acl dynamic urlpath_regex cgi-bin ?
                                          2015/01/16 09:19:43| Processing: cache deny dynamic
                                          2015/01/16 09:19:43| Processing: cache_mem 8 MB
                                          2015/01/16 09:19:43| Processing: maximum_object_size_in_memory 32 KB
                                          2015/01/16 09:19:43| Processing: memory_replacement_policy heap GDSF
                                          2015/01/16 09:19:43| Processing: cache_replacement_policy heap LFUDA
                                          2015/01/16 09:19:43| Processing: cache_dir ufs /var/squid/cache 100 16 256
                                          2015/01/16 09:19:43| Processing: minimum_object_size 0 KB
                                          2015/01/16 09:19:43| Processing: maximum_object_size 4 KB
                                          2015/01/16 09:19:43| Processing: offline_mode off
                                          2015/01/16 09:19:43| Processing: cache_swap_low 90
                                          2015/01/16 09:19:43| Processing: cache_swap_high 95
                                          2015/01/16 09:19:43| Processing: cache allow all
                                          2015/01/16 09:19:43| Processing: acl allsrc src all
                                          2015/01/16 09:19:43| Processing: acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 3127 1025-65535
                                          2015/01/16 09:19:43| Processing: acl sslports port 443 563
                                          2015/01/16 09:19:43| Processing: acl purge method PURGE
                                          2015/01/16 09:19:43| Processing: acl connect method CONNECT
                                          2015/01/16 09:19:43| Processing: acl HTTP proto HTTP
                                          2015/01/16 09:19:43| Processing: acl HTTPS proto HTTPS
                                          2015/01/16 09:19:43| Processing: http_access allow manager localhost
                                          2015/01/16 09:19:43| Processing: http_access deny manager
                                          2015/01/16 09:19:43| Processing: http_access allow purge localhost
                                          2015/01/16 09:19:43| Processing: http_access deny purge
                                          2015/01/16 09:19:43| Processing: http_access deny !safeports
                                          2015/01/16 09:19:43| Processing: http_access deny CONNECT !sslports
                                          2015/01/16 09:19:43| Processing: request_body_max_size 0 KB
                                          2015/01/16 09:19:43| Processing: delay_pools 1
                                          2015/01/16 09:19:43| Processing: delay_class 1 2
                                          2015/01/16 09:19:43| Processing: delay_parameters 1 -1/-1 -1/-1
                                          2015/01/16 09:19:43| Processing: delay_initial_bucket_level 100
                                          2015/01/16 09:19:43| Processing: delay_access 1 allow allsrc
                                          2015/01/16 09:19:43| Processing: http_access allow localnet
                                          2015/01/16 09:19:43| Processing: http_access deny allsrc
                                          2015/01/16 09:19:43| Initializing https proxy context

                                          Dell 2950 g3 server
                                          Intel(R) Xeon(R) CPU E5430 @ 2.66GHz
                                          Current: 2000 MHz, Max: 2667 MHz
                                          8 CPUs: 2 package(s) x 4 core(s)
                                          8152 MiB and 600meg 10k drive
                                          Pfsense 2.4 .. Hoping to get the phpvirtualbox going again.

                                          1 Reply Last reply Reply Quote 0
                                          • C
                                            Cino
                                            last edited by

                                            @Tikimotel:

                                            ```
                                            forwarded_for on          # (default, send client IP info in forward for header)
                                            forwarded_for off         # (tickbox, Disable X-forward option, always respond with "unknown", some forum sites don't like this option!)
                                            forwarded_for transparent # (do not touch anything, more private?)
                                            forwarded_for delete      # (remove the header info entirely)
                                            forwarded_for truncate    # (single, last, client IP info in the forward for header)
                                            ```

                                            @marcelloc I'm going to try to add this to the GUI… I think it's something I can handle :-)

                                            Edit: https://github.com/pfsense/pfsense-packages/pull/789

                                            1 Reply Last reply Reply Quote 0