Netgate Discussion Forum

    PfSense 2.2: Squid 3.4.10_2 pkg 0.2.6 redirection not working in transparent mode

    49 Posts 9 Posters 13.0k Views
    • Steve Evans

      I have the Disable webConfigurator redirect rule checkbox ticked as I have WPAD running on port 80 using the vHosts web server. Unfortunately iPhones etc don't use WPAD so I need transparency mode, but I've left it turned on for now.

      I'm using the recent full 2.2 release.

      I've just tried putting a pass all rule at the start of my LAN rules to see if that would fix any firewall issue, but it did no good.

      Steve

      • marcelloc

        2.2 amd64?

        Treinamentos de Elite: http://sys-squad.com

        Help a community developer! ;D

        • Steve Evans

          : uname -a
          FreeBSD pfsense.scevans.com 10.1-RELEASE-p4 FreeBSD 10.1-RELEASE-p4 #0 36d7dec(releng/10.1)-dirty: Thu Jan 22 15:19:32 CST 2015     root@pfsense-22-i386-builder:/usr/obj.i386/usr/pfSensesrc/src/sys/pfSense_wrap.10.i386  i386
          : cat /etc/version
          2.2-RELEASE
          
          

          I've just rebooted the firewall with all pf rules reverted to those in /conf.default/config.xml. This should eliminate any firewall rule peculiarities. I'll let you know how that works once it's up.

          Thanks,

          Steve

          • marcelloc

            I have two users on the Portuguese forum with the same version 2.2-RELEASE-i386 and the same issue.

            Maybe it's related to squid pbi package compilation under i386 system.

            Treinamentos de Elite: http://sys-squad.com

            Help a community developer! ;D

            • Steve Evans

              Interesting.

              Given that I see the lack of redirection with nc as well as squid I'm inclined to think this may not be an issue with squid at all, but rather with pf. That'd be quite a fundamental problem for pfSense!

              I made THIS post in the Firewalling forum to see if that provides any insight. For now I'm going to see if a minimal pf configuration helps.

              Thanks,

              Steve

              • Steve Evans

                With the default firewall rules, squid is still not working in transparent mode.

                As you're seeing multiple reports of this, could you please raise a bug report that captures the collective experience.

                Thanks,

                Steve

                • marcelloc

                  @Steve:

                  With the default firewall rules, squid is still not working in transparent mode.

                  As you're seeing multiple reports of this, could you please raise a bug report that captures the collective experience.

                  Thanks,

                  Steve

                  I'll need to create an i386 virtual machine to get the same problem. On all my labs, transparent proxy is working fine.

                  Treinamentos de Elite: http://sys-squad.com

                  Help a community developer! ;D

                  • Steve Evans

                    OK, thanks.

                    I thought the following might be of use to confirm the squid configuration I have installed.

                    : squid -v
                    Squid Cache: Version 3.4.10
                    configure options:  '--with-default-user=squid' '--bindir=/usr/local/sbin' '--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid' '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid/squid.pid' '--with-swapdir=/var/squid/cache' '--enable-auth' '--enable-build-info' '--enable-loadable-modules' '--enable-removal-policies=lru heap' '--disable-epoll' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-translation' '--disable-arch-native' '--enable-eui' '--enable-cache-digests' '--enable-delay-pools' '--enable-ecap' '--disable-esi' '--enable-follow-x-forwarded-for' '--enable-htcp' '--enable-icap-client' '--enable-icmp' '--enable-ident-lookups' '--enable-ipv6' '--enable-kqueue' '--with-large-files' '--enable-http-violations' '--without-nettle' '--enable-snmp' '--enable-ssl' '--enable-ssl-crtd' '--disable-stacktraces' '--disable-ipf-transparent' '--disable-ipfw-transparent' '--enable-pf-transparent' '--with-nat-devpf' '--disable-forw-via-db' '--enable-wccp' '--enable-wccpv2' '--enable-auth-basic=DB MSNT MSNT-multi-domain NCSA PAM POP3 RADIUS fake getpwnam LDAP NIS' '--enable-auth-digest=file' '--enable-external-acl-helpers=file_userip time_quota unix_group LDAP_group' '--enable-auth-negotiate=kerberos wrapper' '--enable-auth-ntlm=fake smb_lm' '--enable-storeio=ufs aufs diskd' '--enable-disk-io=AIO Blocking IpcIo Mmapped DiskThreads DiskDaemon' '--enable-log-daemon-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-storeid-rewrite-helpers=file' '--with-openssl=/usr' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=i386-portbld-freebsd10.1' 'build_alias=i386-portbld-freebsd10.1' 'CC=cc' 'CFLAGS=-O2 -pipe  -I/usr/local/include -I/usr/local/include -I/usr/include -fstack-protector -DLDAP_DEPRECATED -fno-strict-aliasing' 'LDFLAGS= -L/usr/local/lib -L/usr/local/lib -pthread 
-Wl,-rpath,/usr/lib:/usr/local/lib -L/usr/lib -fstack-protector' 'LIBS=' 'CPPFLAGS=' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -I/usr/local/include -I/usr/local/include -I/usr/include -fstack-protector -DLDAP_DEPRECATED -fno-strict-aliasing  -Wno-unused-private-field' 'CPP=cpp' 'PKG_CONFIG=pkgconf' --enable-ltdl-convenience
                    

                    Steve
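
As an added example (not part of the original post, and not code from the pfSense or Squid projects), this shell function pulls the interception-related switches out of `squid -v` output like the one above, so the pf options can be read without scanning the whole configure line. The function names and the second, pf-less sample are constructed for illustration; the first sample is abridged from the output posted in this thread.

```shell
#!/bin/sh
# Added example: summarise the interception-related configure options that
# `squid -v` reports. Function names are hypothetical, not part of Squid.
# On the firewall itself the input would come from:  squid -v | intercept_flags

# Reads `squid -v` output on stdin and prints one "<state> <feature>" line
# per interception-related option, in the order the options appear.
# tr puts every option on its own line and drops the quotes; sed keeps only
# the transparent-proxy switches and the pf NAT lookup device option.
intercept_flags() {
    tr -s " '" '\n\n' |
    sed -n -E \
        -e 's/^--(enable|disable)-((pf|ipf|ipfw)-transparent|linux-(netfilter|tproxy))$/\1 \2/p' \
        -e 's/^--with-nat-devpf$/enable nat-devpf/p'
}

# Exit status 0 only if the build reports pf interception support.
supports_pf_intercept() {
    intercept_flags | grep -x 'enable pf-transparent' >/dev/null
}

# Abridged from the i386 `squid -v` output posted in this thread.
SAMPLE_THREAD="Squid Cache: Version 3.4.10
configure options:  '--with-default-user=squid' '--disable-linux-netfilter' '--disable-linux-tproxy' '--enable-ipv6' '--disable-ipf-transparent' '--disable-ipfw-transparent' '--enable-pf-transparent' '--with-nat-devpf' '--disable-forw-via-db' '--prefix=/usr/local'"

# Constructed sample of a build without pf interception, for comparison.
SAMPLE_NO_PF="Squid Cache: Version 0.0.0-constructed
configure options:  '--with-default-user=squid' '--disable-ipf-transparent' '--disable-ipfw-transparent' '--disable-pf-transparent' '--prefix=/usr/local'"

# Stand-alone demonstration over both samples.
for sample in "$SAMPLE_THREAD" "$SAMPLE_NO_PF"; do
    printf '%s\n' "$sample" | intercept_flags
    if printf '%s\n' "$sample" | supports_pf_intercept; then
        echo "=> pf interception: built in"
    else
        echo "=> pf interception: not built in"
    fi
done
```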

                    • Steve Evans

                      Now here's an oddity. There are two squid binaries installed. Potential for inconsistencies here…

                      : which squid
                      /usr/local/sbin/squid
                      : /usr/local/sbin/squid -v 
                      Squid Cache: Version 3.4.10
                      configure options:  '--with-default-user=squid' '--bindir=/usr/local/sbin' '--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid' '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid/squid.pid' '--with-swapdir=/var/squid/cache' '--enable-auth' '--enable-build-info' '--enable-loadable-modules' '--enable-removal-policies=lru heap' '--disable-epoll' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-translation' '--disable-arch-native' '--enable-eui' '--enable-cache-digests' '--enable-delay-pools' '--enable-ecap' '--disable-esi' '--enable-follow-x-forwarded-for' '--enable-htcp' '--enable-icap-client' '--enable-icmp' '--enable-ident-lookups' '--enable-ipv6' '--enable-kqueue' '--with-large-files' '--enable-http-violations' '--without-nettle' '--enable-snmp' '--enable-ssl' '--enable-ssl-crtd' '--disable-stacktraces' '--disable-ipf-transparent' '--disable-ipfw-transparent' '--enable-pf-transparent' '--with-nat-devpf' '--disable-forw-via-db' '--enable-wccp' '--enable-wccpv2' '--enable-auth-basic=DB MSNT MSNT-multi-domain NCSA PAM POP3 RADIUS fake getpwnam LDAP NIS' '--enable-auth-digest=file' '--enable-external-acl-helpers=file_userip time_quota unix_group LDAP_group' '--enable-auth-negotiate=kerberos wrapper' '--enable-auth-ntlm=fake smb_lm' '--enable-storeio=ufs aufs diskd' '--enable-disk-io=AIO Blocking IpcIo Mmapped DiskThreads DiskDaemon' '--enable-log-daemon-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-storeid-rewrite-helpers=file' '--with-openssl=/usr' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=i386-portbld-freebsd10.1' 'build_alias=i386-portbld-freebsd10.1' 'CC=cc' 'CFLAGS=-O2 -pipe  -I/usr/local/include -I/usr/local/include -I/usr/include -fstack-protector -DLDAP_DEPRECATED -fno-strict-aliasing' 'LDFLAGS= -L/usr/local/lib -L/usr/local/lib -pthread 
-Wl,-rpath,/usr/lib:/usr/local/lib -L/usr/lib -fstack-protector' 'LIBS=' 'CPPFLAGS=' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -I/usr/local/include -I/usr/local/include -I/usr/include -fstack-protector -DLDAP_DEPRECATED -fno-strict-aliasing  -Wno-unused-private-field' 'CPP=cpp' 'PKG_CONFIG=pkgconf' --enable-ltdl-convenience
                      : /usr/pbi/squid-i386/local/sbin/squid -v
                      Shared object "libmd5.so.0" not found, required by "squid"
                      

                      Steve

                      • marcelloc

                        @Steve:

                        Now here's an oddity.

                        This is one of the pbi behaviors. Same binary, different folder, different results. (Imagine getting it all working together :))

                        And here is the confirmation that the pbi build on i386 is outdated

                        '--disable-ipf-transparent' '--disable-ipfw-transparent'
                        

                        Go to amd64 and it will work  :)

                        Thanks for your feedback

                        Treinamentos de Elite: http://sys-squad.com

                        Help a community developer! ;D

                        • Steve Evans

                          Hi Marcelloc,

                          As I'm running on a Pentium-M on a Watchguard Firebox x750e I'm afraid that I'm constrained somewhat to only running 32 bit. That said, one of the great things about pfSense is it's a great application to run on older hardware, so thanks for keeping the i386 version alive!

                          How soon might a package update for i386 be forthcoming would you guess?

                          Thanks again,

                          Steve

                          • marcelloc

                            Just wait for the core team to compile it again. The compile args were fixed a few weeks ago but only amd64 was rebuilt.

                            Treinamentos de Elite: http://sys-squad.com

                            Help a community developer! ;D

                            • georgio777

                              @marcelloc:

                              Just wait for the core team to compile it again. The compile args were fixed a few weeks ago but only amd64 was rebuilt.

                              I am running 2.2-RELEASE (amd64) and transparent mode isn't working either.

                              • marcelloc

                                @georgio777:

                                I am running 2.2-RELEASE (amd64) and transparent mode isn't working either.

                                Check package config again, it's working on my setup and on my labs.

                                Treinamentos de Elite: http://sys-squad.com

                                Help a community developer! ;D

                                • georgio777

                                  @marcelloc:

                                  @georgio777:

                                  I am running 2.2-RELEASE (amd64) and transparent mode isn't working either.

                                  Check package config again, it's working on my setup and on my labs.

                                  Not sure what's wrong, I am getting the following errors on the system/squid logs.

                                  Squid log:

                                  2015/01/27 13:35:16 kid1| Starting Squid Cache version 3.4.10 for amd64-portbld-freebsd10.1...
                                  2015/01/27 13:35:17 kid1| sendto FD 24: (1) Operation not permitted
                                  2015/01/27 13:35:17 kid1| ipcCreate: CHILD: hello write test failed
                                  2015/01/27 13:44:36 kid1| Starting Squid Cache version 3.4.10 for amd64-portbld-freebsd10.1...
                                  2015/01/27 13:44:36 kid1| sendto FD 24: (1) Operation not permitted
                                  2015/01/27 13:44:36 kid1| ipcCreate: CHILD: hello write test failed
                                  2015/01/27 13:54:48 kid1| Starting Squid Cache version 3.4.10 for amd64-portbld-freebsd10.1...
                                  2015/01/27 13:54:48 kid1| sendto FD 24: (1) Operation not permitted
                                  2015/01/27 13:54:48 kid1| ipcCreate: CHILD: hello write test failed
                                  2015/01/27 13:56:10 kid1| Starting Squid Cache version 3.4.10 for amd64-portbld-freebsd10.1...
                                  2015/01/27 13:56:10 kid1| sendto FD 24: (1) Operation not permitted
                                  2015/01/27 13:56:10 kid1| ipcCreate: CHILD: hello write test failed
                                  2015/01/29 13:57:45 kid1| Starting Squid Cache version 3.4.10 for amd64-portbld-freebsd10.1...
                                  2015/01/29 13:57:45 kid1| sendto FD 24: (1) Operation not permitted
                                  2015/01/29 13:57:45 kid1| ipcCreate: CHILD: hello write test failed
                                  2015/01/29 14:08:07 kid1| Starting Squid Cache version 3.4.10 for amd64-portbld-freebsd10.1...
                                  2015/01/29 14:08:08 kid1| sendto FD 24: (1) Operation not permitted
                                  2015/01/29 14:08:08 kid1| ipcCreate: CHILD: hello write test failed
                                  2015/01/29 14:17:08 kid1| Starting Squid Cache version 3.4.10 for amd64-portbld-freebsd10.1...
                                  2015/01/29 14:17:08 kid1| sendto FD 24: (1) Operation not permitted
                                  2015/01/29 14:17:08 kid1| ipcCreate: CHILD: hello write test failed
                                  

                                  System log:

                                  Jan 29 12:32:00 pfsense php-fpm[86134]: /rc.filter_configure_sync: The command '/sbin/pfctl -nf /tmp/rules.test.packages' returned exit code '1', the output was '/tmp/rules.test.packages:37: syntax error /tmp/rules.test.packages:38: syntax error /tmp/rules.test.packages:39: syntax error /tmp/rules.test.packages:40: syntax error' 
                                  Jan 29 12:32:00 pfsense php-fpm[86134]: /rc.filter_configure_sync: There was an error while parsing the package filter rules for /usr/local/pkg/squid.inc.
                                  Jan 29 12:32:03 pfsense php-fpm[86134]: /rc.filter_configure_sync: The command '/sbin/pfctl -nf /tmp/rules.test.packages' returned exit code '1', the output was '/tmp/rules.test.packages:36: syntax error' 
                                  Jan 29 12:32:03 pfsense php-fpm[86134]: /rc.filter_configure_sync: There was an error while parsing the package filter rules for /usr/local/pkg/squid.inc.
                                  

                                  Hope you can help.

                                  Thanks.

                                  • marcelloc

                                    Probably you've enabled transparent mode but did not select any interface for interception.

                                    Treinamentos de Elite: http://sys-squad.com

                                    Help a community developer! ;D

                                    • Steve Evans

                                      @marcelloc:

                                      @georgio777:

                                      I am running 2.2-RELEASE (amd64) and transparent mode isn't working either.

                                      Check package config again, it's working on my setup and on my labs.

                                      Could you please confirm that my experiment using nc works in your setup. This will help determine if the issue is with squid or the firewall.

                                      Thanks,

                                      Steve

                                      • Steve Evans

                                        @georgio777:

                                        @marcelloc:

                                        Just wait for the core team to compile it again. The compile args were fixed a few weeks ago but only amd64 was rebuilt.

                                        I am running 2.2-RELEASE (amd64) and transparent mode isn't working either.

                                        Hi Marcelloc,

                                        Any idea when the new package might be available?

                                        Thanks,

                                        Steve

                                        • marcelloc

                                          No. I'll ping Renato again and ask for an update to 3.4.11

                                          Treinamentos de Elite: http://sys-squad.com

                                          Help a community developer! ;D

                                          • Steve Evans

                                            Thank you.

                                            Steve
