Netgate Discussion Forum
    WPAD questions and problems

    Cache/Proxy

      MrGlasspoole

      Thanks KOM

      The proxy is working if I use

      http://wpad.mydomain.net/wpad.dat
      

      in Firefox "Automatic proxy configuration URL"
      and test it with http://www.lagado.com/proxy-test

      wpad.dat:

      function FindProxyForURL(url,host)
      {
      return "PROXY 192.168.0.1:3128";
      }
      
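An added example (not part of the original post): a small Node.js harness that loads the wpad.dat shown above and reports what it answers for an HTTP and an HTTPS URL, which separates "the PAC file is wrong" from "the proxy or firewall is wrong". The helper shims and the test URLs are assumptions chosen for illustration.

```javascript
// Added example, not from the thread: evaluate a wpad.dat offline.
// PAC_SOURCE is the file from the post; the URLs tested are sample inputs.
const PAC_SOURCE = `
function FindProxyForURL(url,host)
{
return "PROXY 192.168.0.1:3128";
}`;

// Shims for a few PAC built-ins (a subset; real browsers provide more).
const pacHelpers = {
  isPlainHostName: (host) => !host.includes("."),
  dnsDomainIs: (host, domain) => host.toLowerCase().endsWith(domain.toLowerCase()),
  shExpMatch: (str, pattern) => {
    const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
      .replace(/\*/g, ".*").replace(/\?/g, ".");
    return new RegExp("^" + re + "$").test(str);
  },
};

// Compile PAC text into a callable. new Function executes the text as code,
// so only load a wpad.dat you administer.
function loadPac(source) {
  const names = Object.keys(pacHelpers);
  const factory = new Function(...names, source + "\nreturn FindProxyForURL;");
  return factory(...names.map((n) => pacHelpers[n]));
}

// Split "PROXY a:3128; DIRECT" into ordered fallback entries.
function parsePacResult(result) {
  return result.split(";").map((s) => s.trim()).filter(Boolean).map((entry) => {
    const [type, target] = entry.split(/\s+/);
    if (type.toUpperCase() === "DIRECT") return { type: "DIRECT" };
    if (!target) throw new Error("missing host:port in " + entry);
    const idx = target.lastIndexOf(":");
    return { type: type.toUpperCase(), host: target.slice(0, idx),
             port: Number(target.slice(idx + 1)) };
  });
}

// What would a browser using this PAC do for one URL?
function resolveProxy(findProxy, url) {
  return parsePacResult(findProxy(url, new URL(url).hostname));
}

const findProxy = loadPac(PAC_SOURCE);
for (const url of ["http://www.lagado.com/proxy-test", "https://www.google.com/"]) {
  console.log(url, "->", JSON.stringify(resolveProxy(findProxy, url)));
}
```

This file returns the same single proxy entry for both schemes, with no fallback, so a browser that has loaded it sends HTTPS requests to 192.168.0.1:3128 as well.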
        KOM

        The auto-discovery should work if you have a DNS entry for the host WPAD on your local domain, or a DHCP 252 entry in DHCP.  On your DNS server, create a WPAD host entry and point it to your pfSense LAN IP address.  Then every browser set to automatic discovery should be able to find it since they do a DNS lookup on wpad.YourDomain.foo and then load the wpad.dat file via HTTP from that host.

          MrGlasspoole

          As you can see in my second post the DNS and DHCP entries are already there.
          I have now added the Firewall rules - if I do that my Internet stops working… (sure, Firefox is set to the proxy).

            KOM

            If you do an nslookup on WPAD, does it resolve to the proxy LAN address?

              MrGlasspoole

              nslookup wpad.mydomain.net:

              Server:  pfsense.mydomain.net
              Address:  192.168.0.1
              
              Name:    wpad.mydomain.net
              Address:  192.168.0.1
              

              nslookup wpad:

              Server:  pfsense.mydomain.net
              Address:  192.168.0.1
              
              Name:    wpad
              Address:  192.168.0.1
              

              nslookup wpad.pfsense.mydomain.net:

              Server:  pfsense.mydomain.net
              Address:  192.168.0.1
              
              Name:    wpad.pfsense.mydomain.net
              Address:  192.168.0.1
              

              But if something were wrong here, why is the proxy working as long as I do not block HTTP in the firewall?

                KOM

                Because something isn't working.  If the browser is set to auto-detect, then it will try to go straight out the gateway.  If it can't, then it tries to detect the proxy using WPAD.  When you unblock LAN, it can go straight out.  When you block LAN, it can't go out so it tries to detect the proxy and use it.  This is where your problem is.  Either the browser isn't detecting the proxy at all, or it is and the proxy isn't working.  Is your WebGUI using HTTP or HTTPS?  If I remember, you can't use pfSense under HTTPS to host the WPAD file.

                  q54e3w

                  You can't use the default lighttpd instance to serve the WPAD file; it's tied up to port 80 for serving webconfigurator stuff. You need the second lighttpd instance. If your webconfigurator is running on port 80 and not a custom port, you won't be able to bind it, so you need a custom port for the webconfigurator lighttpd instance in order for the second lighttpd to serve the file on port 80.

                  What's the output of "ps aux | grep light"?

                    KOM

                    you can't use the default lighttpd instance to serve the WPAD file

                    I'm fairly sure that you can, considering that's exactly how I'm doing it and that's how it's documented  ;D

                    From WPAD Autoconfigure for Squid

                    "Now upload that file to pfSense or another locally accessible web server with scp, or create it using the built-in file editor. The file must go in /usr/local/www/…"

                    Port 80 isn't "tied up" with WebGUI.  It will serve the GUI as the default page, but if you give it an explicit URL then it will serve anything, including wpad.dat.

                      q54e3w

                      Yes, you are right, sorry. I don't allow HTTP to my pfSense box. I'll keep out of it, you carry on… I suspect you are nearly there :)

                        KOM

                        yes, you are right, sorry.

                        Hey, no problem.  I've never let a lack of knowledge or incorrect information stop me from trying to help someone.  Even when I am wrong (and I've been wrong in these forums many times), I learn something.  It bruises the ego a bit, but you become better for it.  Thanks for contributing.  A community is only as strong as its members.

                          MrGlasspoole

                          Step by step…

                          Forget the wpad for a while.
                          What I was saying is:
                          If I enable the firewall rule to block HTTP and use 192.168.0.1:3128 (not wpad) in the browser, then the internet stops working.
                          If I disable the rule, then it works again and uses the proxy.

                            KOM

                            If you block 80/443 and manually set your browser to use the proxy at the specified address:port and nothing works and you're positive you didn't make a typo, your Squid install is broken.  Look in your System log, as well as /var/squid/logs/access.log and cache.log.

                            Can you please remind me as to what version of pfSense and Squid you are using?

                              MrGlasspoole

                              Ok, found out something.
                              The whole time I was just using Google for testing.
                              But this time I used another site, and it's just HTTPS (Google) that is not working if I enable the firewall rule.
                              HTTP works when pointing the browser to address:port.
                              BUT if I set the browser to auto-discovery, then HTTP is also not working.

                              pfSense 2.2
                              squid3 3.4.10_2 pkg 0.2.6

                                KOM

                                Do you run IPv6?

                                  MrGlasspoole

                                  IPv6 is none in LAN and WAN.

                                  And the output of ps aux | grep "light" is:

                                  root    17216   0.0  0.3  50796   5888  -  S    12Feb15     0:25.97 /usr/local/sbin/lighttpd -f /var/etc/
                                  root    89081   0.0  0.2  40392   4416  -  S    12Feb15     0:21.07 /usr/local/sbin/lighttpd -f /var/etc/
                                  root    94646   0.0  1.5 232612  31596  -  I    10:10AM     0:00.22 php-fpm: pool lighty (php-fpm)
                                  root    49032   0.0  0.1  18884   2356  0  S+   10:13AM     0:00.00 grep light
                                  

                                  As I said, I use the vHost package to host the wpad so that I can run the WebGUI over HTTPS
                                  but don't need a certificate for the wpad.

                                  Tomorrow, when I have time, I will make some tests step by step, checking the logs after every step.
                                  But today I have a date and no time ;-)

                                    KOM

                                    Good luck on your date  8)  :-*

                                      MrGlasspoole

                                      Ok time to get it working.

                                      Blocking https and using the proxy does not work.
                                      This is what happens if the browser is set to the proxy and http and https are blocked in Firewall > Rules > LAN:
                                      http = YES working
                                      https = NO does not work

                                        KOM

                                        You have it set to standard mode (not transparent)?  You do NOT have it set to intercept SSL?  You have a wpad.dat file accessible via an HTTP server that can be found by a DNS lookup of wpad.yourdomain?

                                          MrGlasspoole

                                          I'm just looking to get HTTPS working if I block it in the firewall, without looking at the wpad (proxy IP/port manually set in the browser).

                                          Transparent HTTP proxy = unchecked
                                          HTTPS/SSL interception = unchecked

                                          See attachment…

                                          ![Proxy server- General settings.png](/public/imported_attachments/1/Proxy server- General settings.png)
                                          ![Firewall- Rules.png](/public/imported_attachments/1/Firewall- Rules.png)

                                            KOM

                                            Your settings look good but I notice that squidGuard is in the mix.  OK, sometimes these weird issues with squid can be fixed with a reboot, so I would do that first.  Next, I would look at /var/log/squid/access.log and see what's happening.  Also look at cache.log for any obvious errors.  Lastly, I would get rid of squidGuard to make sure it isn't interfering. Make sure when you're testing to do a force refresh with ctrl-F5 or whatever your browser uses.
