Transparent proxy not working after upgrade to 2.2
-
Hello,
for me after the 2.1.5 to 2.2 version, the captive portal not worked.
I added an new Rules in Firewall to accept 8002 port and it's works.
-
for me after the 2.1.5 to 2.2 version, the captive portal not worked.
Captive portal itself(better start a new thread) or Squid integration with captive portal?
-
Hi,
My name is fred and I am sorry if I write in your post but but I did not find how to start a discussion
I have a problem with pfsense installation script was ok but now I cannot access to the box anymore. What can I do? Is it possible to reset the box?You can write me directly fredbovyeirl@gmail.com
The in advance and sorry again
Fred -
although it's not a squid issue, I've tried to use netcat to listen to the same port as squid and I don't receive any traffic
this is what I get with pfctl while trying to connect to google.com from a client(192.168.1.9)
rdr on fxp0 inet proto tcp from any to ! (fxp0) port = http -> 127.0.0.1 port 3128 pass in quick on fxp0 proto tcp from any to ! (fxp0) port = 3128 flags S/SA keep state fxp0 tcp 127.0.0.1:3128 (173.194.40.3:80) <- 192.168.1.9:55613 CLOSED:SYN_SENTHi Brandhor,
Have you got anywhere with this?
I started a similar thread pfSense 2.2: Squid 3.4.10_2 pkg 0.2.6 redirection not working in transparent mode before spotting you had the same issue.
You'll see below that I did exactly the same as you (great minds think alike) and came to the same conclusion.
To prove the point that the redirected transparent connection is not getting through to squid, I stopped the squid process and then ran the following on the pfSense console.
: nc -l 3128I then telnetted to pfsense from my laptop and a connection was established and characters passed.
$ telnet 10.5.1.1 3128 Trying 10.5.1.1... Connected to pfsense.scevans.com. Escape character is '^]'. hello: nc -Dl 3128 helloI repeated trying to telnet to port 80 on news.bbc.co.uk which should have been directed by the redirect, and no connection was made.
Steve
It was later in this thread that Marcelloc commented on the compile settings I'd got from squid.
Now here's an oddity.
This is one of pbi behaviors. same binary, different folder, different results. (Imagine get all it working together :))
And here is the confirmation that pbi build on i386 is outdated
'--disable-ipf-transparent' '--disable-ipfw-transparent'Go to amd64 and it will work :)
Thanks for your feedback
Seeing that there was a firewall related compile time option I decided to wait for the squid update, but alas when that came the behaviour was unchanged.
Trying to understand what was going on I started another thread Order of rule application for redirects to which there has been no response.
Keen to hear where you are with this issue.
Thanks,
Steve
-
I haven't tried again since I got an mpls line upgrade and now I route all the traffic through another pfsense via openvpn
-
Hi Steve / all
Although it's my first post I can confirm that I have the same issue with the transparent proxy not processing requests. This was a clean 64 bit 2.2 install on an APU4 appliance.
Chris
-
After update to 2.2 and some fixes, seems that squid is working, but transparent mode is not available. If I configure a client to navigate through port 3128, proxy filters connection, but in transparent mode proxy doesn't listen. May be config error? Any rule to add in 2.2 not needed in 2.1?
I've x86 version and 2.1 was working like a charm.
Thx.
FIRST LINES OF squid.conf - is correct to entries with http_port at 3128?
# Do not edit manually ! http_port 192.168.0.254:3128 http_port 127.0.0.1:3128 transparent icp_port 0 -
I get the same configuration and the same problem: in transparent mode the connection doesn't work. No squid log available.
First lines of squid.conf are the same:
http_port (laninterface):3128 http_port 127.0.0.1:3138 interceptMaybe it is a routing (tcp *:80 to 127.0.0.1:3138) problem?
-
I get the same configuration and the same problem: in transparent mode the connection doesn't work. No squid log available.
First lines of squid.conf are the same:
http_port (laninterface):3128 http_port 127.0.0.1:3138 interceptMaybe it is a routing (tcp *:80 to 127.0.0.1:3138) problem?
Yes, it seems only a routing problem. But this redirection (tcp *:80 to 127.0.0.1:3138) should be done by squid itself checking transparent proxy option. I've tested squid on 3128 and it's working fine, but port 80 comunications aren't redirected. Any ideas?
Thx
-
I get the same configuration and the same problem: in transparent mode the connection doesn't work. No squid log available.
First lines of squid.conf are the same:
http_port (laninterface):3128 http_port 127.0.0.1:3138 interceptMaybe it is a routing (tcp *:80 to 127.0.0.1:3138) problem?
Yes, it seems only a routing problem. But this redirection (tcp *:80 to 127.0.0.1:3138) should be done by squid itself checking transparent proxy option. I've tested squid on 3128 and it's working fine, but port 80 comunications aren't redirected. Any ideas?
Thx
from what I remember from my tests it's a firewall issue, if you manually try to create a nat rule that redirects outgoing connections to the firewall address(either 127.0.0.1 or the LAN one) it doesn't work
the only thing I can think of is that maybe it's a driver issue with some nics since pfsense 2.2 uses freebsd 10, my lan nic is an intel 82801BA/BAM/CA/CAM (device id 2449) and is listed as fxp0 on pfsense -
I had these errors on my squid log:
2015/03/18 12:54:28 kid1| Starting Squid Cache version 3.4.10 for i386-portbld-freebsd10.1... 2015/03/18 12:54:28 kid1| commBind: Cannot bind socket FD 18 to 192.168.2.1:800: (13) Permission denied 2015/03/18 12:54:28 kid1| commBind: Cannot bind socket FD 19 to 192.168.16.1:800: (13) Permission denied FATAL: Unable to open HTTP Socket Squid Cache (Version 3.4.10): Terminated abnormally.Using sockstats I didn't have nothing on the 800 port. I lurked around and I found the solution on the Bugtracker of pfSense [1]. Run this command on console or add it to System/Advanced/Tunables
sysctl net.inet.ip.portrange.reservedhigh=0[1] https://redmine.pfsense.org/issues/4196
