Netgate Discussion Forum

    Squid3 not setting transparent mode in 2.2

    pfSense Packages
    17 Posts 5 Posters 2.7k Views
      megamojo

      @marcelloc:

      @megamojo:

      squid: Bungled /usr/pbi/squid-amd64/local/etc/squid/squid.conf line 27: acl localnet src 10.0.0.0/24 0.0.16.0/0.00036537033108885

      This localnet is the problem. Did it happen once? After checking all squid config tabs and saving, does it go wrong on the config file?

      The config file keeps getting messed up every time the gui saves it. I even stopped the service and manually changed the line in the file to just read

      acl localnet src 10.0.0.0/24

      but as soon as you re-save from the gui it puts it right back to that strange localnet. I thought maybe that second network it adds in is some kind of binary combination using AND or XOR of my 2 interfaces, but I can't make the math work out.

      I have squid listening on 2 interfaces:
      LAN at 10.0.0.0/24
      OpenVPNserver at 10.9.86.0/24

      It's been a while since I've done complex ACL combining for cisco certifications, but no matter what I tried I couldn't make the math work to combine those subnets to anything close to 0.0.16.0/0.00036537033108885

        megamojo

        I did some more playing and have a bit more data. Turns out squid doesn't actually run well with that localnet in the acl. You can get it to start intermittently, but it's not reliable. I also determined that the 0.0.16.0/0.00036537033108885 it's defining is 100% from my extra (OPT3 tied to ovpns1) interface I had been binding to squid. If I remove the LAN interface and just have OPT3 it's still there, minus the normal 10.0.0.0/24. I thought maybe the reason it came up with that strange localnet was OPT3 has no IP address configuration, but I added a /24 address on it and squid still came up with the same strange localnet in the config.

        The whole reason that interface exists is I used to have a 20 Mbps upload speed so while mobile it was actually worthwhile to connect via VPN and browse the web through my proxy. I moved and have a paltry 896 Kbps upload, so I just took that interface out of the squid config. With just the LAN interface it works as expected.

        So it's not bothering me anymore, but I'm still curious if someone can determine why it was behaving as it was.

          marcelloc

          The allow subnet option and php function are the same since the squid2 package. You can add local subnets on the acl tab and then uncheck the allow local subnets option, then save.

          Treinamentos de Elite: http://sys-squad.com

          Help a community developer! ;D

            megamojo

            @marcelloc:

            The allow subnet option and php function are the same since the squid2 package. You can add local subnets on the acl tab and then uncheck the allow local subnets option, then save.

            That's the whole problem though. If I don't check the allow users on interface box, squid doesn't modify the pf rules to make the transparent proxy work.

              marcelloc

              Even if you add localsubnets on acl?

              Treinamentos de Elite: http://sys-squad.com

              Help a community developer! ;D

                megamojo

                @marcelloc:

                Even if you add localsubnets on acl?

                Right. I've been using squid transparently for years, well before that automatic checkbox was around, so I've always had the appropriate networks in the manual ACL. After the upgrade, when squid wouldn't start and I saw that error in the log, I wasn't worried at all since the manual ACL was already there. It wasn't until I had time to troubleshoot it that I realized the automatic option seemed to control whether or not squid would make the appropriate modifications to the pf rules.

                  marcelloc

                  The code will need a fix to check resulting acl cidrs.

                  Treinamentos de Elite: http://sys-squad.com

                  Help a community developer! ;D

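An added example, not from the thread or from the pfSense squid package's own PHP: a small Python check of the kind marcelloc describes, which parses a generated `acl localnet src ...` line, rejects any token that is not a real CIDR (the `0.0.16.0/0.00036537033108885` quoted above fails because its prefix length is not an integer), and shows a hypothetical generator that skips interfaces with no address configured instead of emitting a bogus token. The function names, the interface tuples and the use of Python's `ipaddress` module (which also accepts IPv6 networks, so the check is more general than the IPv4 case in the thread) are assumptions of this example.

```python
import ipaddress

# Constructed samples: the garbled line quoted in this thread and a clean one.
BAD_LINE = "acl localnet src 10.0.0.0/24 0.0.16.0/0.00036537033108885"
GOOD_LINE = "acl localnet src 10.0.0.0/24 10.9.86.0/24"


def parse_acl_src_line(line):
    """Split an 'acl <name> src <token>...' line into (name, tokens)."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "acl" or parts[2] != "src":
        raise ValueError("not an 'acl <name> src' line: %r" % line)
    return parts[1], parts[3:]


def check_cidrs(tokens):
    """Return (valid, invalid). A token is valid only if ipaddress accepts it
    as a network with an integer prefix length; host bits are tolerated
    (strict=False) because squid accepts forms like 10.0.0.1/24."""
    valid, invalid = [], []
    for tok in tokens:
        try:
            valid.append(str(ipaddress.ip_network(tok, strict=False)))
        except ValueError:
            invalid.append(tok)
    return valid, invalid


def safe_acl_line(line):
    """Validate a generated acl line before it is written to squid.conf;
    raise instead of producing a line squid will report as 'Bungled'."""
    name, tokens = parse_acl_src_line(line)
    valid, invalid = check_cidrs(tokens)
    if invalid:
        raise ValueError("acl %s has invalid cidr tokens: %s" % (name, invalid))
    return "acl %s src %s" % (name, " ".join(valid))


def is_acl_line_safe(line):
    """Boolean wrapper around safe_acl_line for callers that only need a verdict."""
    try:
        safe_acl_line(line)
    except ValueError:
        return False
    return True


def build_localnet_acl(interfaces):
    """Hypothetical generator (not the pfSense package's own code): build the
    localnet ACL from (address, prefixlen) pairs, skipping interfaces that
    have no address configured instead of emitting a garbage token."""
    nets = []
    for addr, plen in interfaces:
        if addr is None or plen is None:
            continue
        nets.append(str(ipaddress.ip_network("%s/%s" % (addr, plen), strict=False)))
    return "acl localnet src " + " ".join(nets)


if __name__ == "__main__":
    for line in (GOOD_LINE, BAD_LINE):
        print(line, "->", "ok" if is_acl_line_safe(line) else "REJECTED")
    # OPT3-style interface with no address contributes nothing.
    print(build_localnet_acl([("10.0.0.1", 24), (None, None), ("10.9.86.1", 24)]))
```

The point of validating the rendered line rather than the GUI input is that the bad token in this thread came from an interface the user never typed a subnet for; a check at the output side catches whatever the generator produces, and failing loudly at save time is preferable to a proxy that starts only intermittently.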
                    megamojo

                    Thanks for all the replies! I've gotten it working for what I need and I'm just using it at home, so it's not too big of a deal to me.

                      messerchmidt

                      can someone make a n00b guide for getting squid3 running on 2.2?

                      specifically, a transparent proxy with adblocking.

                        Legion

                        I just messed around with ad blocking yesterday. But I didn't use squid3 for it, I used an /etc/hosts file addition.

                        • make a directory somewhere convenient, I used: mkdir /usr/local/www/adblock_hosts
                        • in a ssh on pfSense, install wget: pkg install wget
                        • cd /usr/local/www/adblock_hosts
                        • wget http://winhelp2002.mvps.org/hosts.txt
                        • in pfSense webconfigurator gui -> Services -> DNS Forwarder -> Advanced, add addn-hosts=/usr/local/www/adblock_hosts/hosts.txt

                        Optional:

                        • set up a cron job to occasionally (e.g. once a month) update the hosts file

                        However, what I found was quite a few sites stopped working. Lots of sites obviously rely on an ad being served before they progress on to the next stage (e.g. serving me the video I requested). So I scrapped the idea. I then went and created my own my_hosts.txt with just a few entries to try it out, google-analytics stuff and a couple of ad servers, a dozen lines in total for now. And then put that dnsmasq addn-hosts line with my_hosts.txt.

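An added example, not part of Legion's post: a Python parser for hosts-file blocklists in the style of the hosts.txt download above that drops comments, blank lines and the localhost entry, de-duplicates names, applies an allowlist for sites that stop working when their ad or analytics domain is sinkholed (the failure mode Legion ran into), and renders the result in the form dnsmasq's addn-hosts option expects. The sample hosts text, the .test domain names and the function names are constructed for this example.

```python
import re

# Constructed sample in the usual hosts-blocklist layout; not the real MVPS file.
SAMPLE_HOSTS = """\
# constructed sample blocklist
127.0.0.1  localhost
0.0.0.0  ads.example.test
0.0.0.0  tracker.example.test   # trailing comment
0.0.0.0  www.google-analytics.example.test
0.0.0.0  ads.example.test
0.0.0.0  cdn.video.example.test
"""

SINK = "0.0.0.0"  # address dnsmasq will answer with for sinkholed names

# One hostname: labels of 1-63 chars, letters/digits/hyphen, no leading or
# trailing hyphen; input is lowercased before matching.
HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$"
)


def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text, skipping
    comments, blank lines, the localhost line and malformed names."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        for name in names:
            name = name.lower()
            if name == "localhost" or not HOSTNAME_RE.match(name):
                continue
            yield addr, name


def build_blocklist(text, allow=()):
    """Return sorted, de-duplicated hostnames to sinkhole, minus any that
    equal or fall under an allowlisted domain."""
    allow = tuple(a.lower() for a in allow)
    keep = set()
    for _addr, name in parse_hosts(text):
        if any(name == a or name.endswith("." + a) for a in allow):
            continue
        keep.add(name)
    return sorted(keep)


def render_addn_hosts(names, sink=SINK):
    """Render one 'sink hostname' line per name for dnsmasq's addn-hosts=."""
    return "".join("%s %s\n" % (sink, n) for n in names)


if __name__ == "__main__":
    # The video CDN is allowlisted so the site that needs it keeps working.
    names = build_blocklist(SAMPLE_HOSTS, allow=("cdn.video.example.test",))
    print(render_addn_hosts(names), end="")
```

Keeping the allowlist as a separate input means the downloaded list can be refreshed from cron, as the optional step above suggests, without re-editing it by hand each time; the names you had to exempt survive the update.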
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.