Netgate Discussion Forum

    Can't access internal resources when using pfsense squid?

      meruem

      pfsense squid access.log when going to http://192.168.1.51:8081/home/

      These logs come up then nothing… it stops

      
      1431809714.997     20 192.168.1.5 TCP_MISS/200 8451 GET http://192.168.1.51:8081/home/ - DIRECT/192.168.1.51 text/html
      1431809715.141     42 192.168.1.5 TCP_MISS/200 22837 GET http://192.168.1.51:8081/images/ico/favicon.ico - DIRECT/192.168.1.51 image/vnd.microsoft.icon
      1431809715.160     61 192.168.1.5 TCP_MISS/200 72968 GET http://192.168.1.51:8081/images/ico/favicon-196.png - DIRECT/192.168.1.51 image/png
      1431809715.187     46 192.168.1.5 TCP_MISS/200 51256 GET http://192.168.1.51:8081/images/ico/favicon-160.png - DIRECT/192.168.1.51 image/png
      1431809715.189     27 192.168.1.5 TCP_MISS/200 21500 GET http://192.168.1.51:8081/images/ico/favicon-96.png - DIRECT/192.168.1.51 image/png
      1431809715.208     19 192.168.1.5 TCP_MISS/200 10956 GET http://192.168.1.51:8081/images/ico/favicon-64.png - DIRECT/192.168.1.51 image/png
      1431809715.219     29 192.168.1.5 TCP_MISS/200 3767 GET http://192.168.1.51:8081/images/ico/favicon-32.png - DIRECT/192.168.1.51 image/png
      1431809715.220     11 192.168.1.5 TCP_MEM_HIT/200 1834 GET http://192.168.1.51:8081/images/ico/favicon-16.png - DIRECT/192.168.1.51 image/png
      
      
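Added example (not part of the original post, and not pfSense or Squid project code): a small Python parser for the Squid native access.log entries quoted above, using three of those lines as input; `parse_line` and `summarize` are hypothetical helper names. Squid writes an entry only when a transaction completes, so a request that hangs leaves no line until it finishes or times out, which is why the summary is checked for result code, status, hierarchy and the time of the last completed request.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Squid native access.log layout:
# time elapsed_ms client result/status bytes method URL user hierarchy/peer mime
LINE = re.compile(
    r"(?P<ts>\d+)\.\d+\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)"
)

# Three of the entries quoted in the post above.
SAMPLE = """\
1431809714.997     20 192.168.1.5 TCP_MISS/200 8451 GET http://192.168.1.51:8081/home/ - DIRECT/192.168.1.51 text/html
1431809715.141     42 192.168.1.5 TCP_MISS/200 22837 GET http://192.168.1.51:8081/images/ico/favicon.ico - DIRECT/192.168.1.51 image/vnd.microsoft.icon
1431809715.220     11 192.168.1.5 TCP_MEM_HIT/200 1834 GET http://192.168.1.51:8081/images/ico/favicon-16.png - DIRECT/192.168.1.51 image/png
"""

def parse_line(line):
    # Return one entry as a dict, or None when the line is not in native format.
    m = LINE.fullmatch(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("ts", "elapsed", "status", "bytes"):
        rec[key] = int(rec[key])
    return rec

def summarize(text):
    # Condense an excerpt into the fields worth checking when a page stalls.
    recs = [r for r in map(parse_line, text.splitlines()) if r]
    if not recs:
        return {}
    last = datetime.fromtimestamp(max(r["ts"] for r in recs), tz=timezone.utc)
    return {
        "results": dict(Counter(r["result"] for r in recs)),
        "statuses": sorted({r["status"] for r in recs}),
        "hierarchy": sorted({r["hier"] for r in recs}),
        "slowest_ms": max(r["elapsed"] for r in recs),
        "mime_types": sorted({r["mime"] for r in recs}),
        "last_logged_utc": last.isoformat(),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```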
        killmasta93

        I had the same problem: https://forum.pfsense.org/index.php?topic=93679.msg520471#msg520471

        Thanks to Kom, who helped me out: better to just bypass it altogether, or make a rule to allow and log it.

        Tutorials:

        https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

          meruem

          @killmasta93:

          I had the same problem: https://forum.pfsense.org/index.php?topic=93679.msg520471#msg520471

          Thanks to Kom, who helped me out: better to just bypass it altogether, or make a rule to allow and log it.

          It's not the same. I really think this is a serious issue that should be addressed.

          If I'm at a remote location, and I use ssh LocalForward localhost:port 192.168.1.1:3128 (pfsense squid), I cannot access some internal resources (as I detailed in this thread). However, if I do ssh LocalForward localhost:port 192.168.1.15:3128 (synology diskstation squid), I can access all internal resources.

          I shouldn't be forced to keep around a second squid end point just to get things to work. What if one day I want to remove the synology, or shut it down for maintenance?

          The pfsense is the much more concrete equipment out of the two and will stay around much longer.

          This issue doesn't just happen through an SSH tunnel. When I'm on my local LAN, and I proxy directly to 192.168.1.1:3128, I get the same issue with accessing internal resources.

          The true seriousness of the issue: if I bypass internal resources from my pfsense squid proxy, how can I access them over the ssh tunnel + squid proxy? I can't, and there is the true problem and why I think this is a serious problem.

          The second crappy part about this is, I've looked at every debug log I can think of and I'm getting zero help from the logs.

          I could just use socks for specific resources that don't work with pfsense squid, but I don't like compromises & workarounds, I like things to work.

            killmasta93

            Hmm... are you running 2.2.2 pfSense?

              chris4916

              First, it could make sense to access even internal servers relying on Squid (running on pfSense or not; this is another debate). However, for internal servers, the purpose will only be caching and anti-virus. I don't think you intend to apply access control and filtering for internal servers, do you? And given the dynamic aspect of even internal servers, does caching really make sense?

              Anyway, this could be part of your plan and this is definitely your decision.

              Second point: am I correct in guessing that the servers you can't access are all running on ports different from the standard HTTP/HTTPS ports (i.e. 80, 8080 and 443)?

              Jah Olela Wembo: Words turn into ills when they upset, attack or wound.

                meruem

                @killmasta93:

                Hmm... are you running 2.2.2 pfSense?

                Yep

                2.2.2-RELEASE (amd64)
                built on Mon Apr 13 20:10:22 CDT 2015
                FreeBSD 10.1-RELEASE-p9

                with this mobo http://www.supermicro.com/products/motherboard/celeron/x10/x10sba-l.cfm

                  meruem

                  @chris4916:

                  First, it could make sense to access even internal servers relying on Squid (running on pfSense or not; this is another debate). However, for internal servers, the purpose will only be caching and anti-virus. I don't think you intend to apply access control and filtering for internal servers, do you? And given the dynamic aspect of even internal servers, does caching really make sense?

                  Anyway, this could be part of your plan and this is definitely your decision.

                  Second point: am I correct in guessing that the servers you can't access are all running on ports different from the standard HTTP/HTTPS ports (i.e. 80, 8080 and 443)?

                  I'll try changing the port to 80/443 and see if it works

                    meruem

                    Also going to try and look at the tornado log files

                      meruem

                      I changed http://192.168.1.51:8081/home/ to http://192.168.1.51:8080/home/, same issue. PFSense SQUID times out when I try and go to the website. And again, SOCKS or Synology SQUID still work fine.

                        meruem

                        never was able to figure this one out  :'(
