Netgate Discussion Forum

WPAD Setup help [Solved]

Cache/Proxy
78 Posts 14 Posters 31.0k Views
aGeekhere wrote:

Reinstalled the squid GUI components, cleared the cache (on the user computers and squid's cache), and now it works :)

Will test it for a few days to see how I go.

      ;D

      [Update]
If I have no issues with it I will write up a how-to.

      Never Fear, A Geek is Here!

aGeekhere wrote:

I just want to update something here.
If you are having issues with webpages only half loading (which is what I had), then you must first delete your squid cache; then it should fix that issue.

        Never Fear, A Geek is Here!

KOM wrote:

> if you are having issues with webpages only half loading

This can also be symptomatic of an IP6/IP4 preference issue with dual-stack sites.

aGeekhere wrote:

            Hi all,

            I found an issue where some programs have an issue with the global "automatically detect settings" option (some programs with this issue do not even have a proxy setting setup page) and still want to go through port 80 (I think this could also be what is causing downthemall to only connect to 1 segment because when I open port 80 I can connect to more segments).

So sometimes I have to reopen port 80 to let the traffic through temporarily.

            I read somewhere that a NAT rule could be created to catch any leftover traffic going to port 80 and redirect it to port 3128.

Tried playing around with a NAT rule:
LAN - TCP - LAN address - 80 - WAN address - 80 - 192.168.1.1 - 3128
and in the rules I put it at the top.

However, the traffic is not redirected.
Tested with a troubled program using:

            • no proxy
            • automatically detect settings
            • And even setting the proxy setting with the port set to 80

            Any thoughts on this?

            Never Fear, A Geek is Here!

User43617 wrote:

> @aGeekHere:
>
> 2. Disable DNS Resolver Updated needs to be on
>
> 3. Configure DNS Service
> add new Host Overrides
>
> Host: wpad
> Domain: mylocaldomain.local
> IP Address: 192.168.1.1
> Description: WPAD Autoconfigure Host
>
> save
> Updated change Listen Port to 3128
> Enable DNS forwarder
> save

              Quick question, for clarification on the above quote, please:
              I currently have DNS Resolver off and DNS forwarder on with the above Host Override configured on the DNS Forwarder.

Which one did you apply the Host Override configuration to?

Which one did you change to listen on port 3128 (same as Squid3, unless you changed that; I don't think you did, based on your proxy.pac code)?

I added the firewall rules for blocking HTTP and HTTPS and I can't load internet pages. I can still get to local servers. Nothing's being filtered by SquidGuard. Or, at least, it's not showing up in the logs. Wondering if that's my problem now.

aGeekhere wrote:

                It is the DNS forwarder that needs the Host Override configuration.

                Never Fear, A Geek is Here!

irajames wrote:

> @User43617:
>
> > @aGeekHere:
> >
> > 2. Disable DNS Resolver Updated needs to be on
> >
> > 3. Configure DNS Service
> > add new Host Overrides
> >
> > Host: wpad
> > Domain: mylocaldomain.local
> > IP Address: 192.168.1.1
> > Description: WPAD Autoconfigure Host
> >
> > save
> > Updated change Listen Port to 3128
> > Enable DNS forwarder
> > save
>
> Quick question, for clarification on the above quote, please:
> I currently have DNS Resolver off and DNS forwarder on with the above Host Override configured on the DNS Forwarder.
>
> Which one did you apply the Host Override configuration?
>
> Which one did you change to listen on port 3128 (same as Squid3, unless you changed that. I don't think you did, based on your proxy.pac code).
>
> I add the Firewall rules for blocking HTTP and HTTPS and I can't load internet pages. I can still get to local servers. Nothing's being filtered by Squidguard. Or, at least, it's not showing up in the logs. Wondering if that's my problem now.

                  I'm also wondering do I put listen to 3128 in DNS Forwarder or in DNS Resolver?

aGeekhere wrote:

> I'm also wondering do I put listen to 3128 in DNS Forwarder or in DNS Resolver?

See above post :)

And while I am here, an issue that remains with this setup is that programs that have no proxy settings and want to connect directly will get blocked by the port 80 rule.

If someone has any advice on how to solve this, I'll update the first post.

                    Never Fear, A Geek is Here!

KOM wrote:

> If someone has any advice on how to solve this i'll update the first post.

                      Add a firewall rule(s) to allow specified LAN IPs to connect to specified destination IPs via 80.  Put it above the HTTP/S block.  Use an alias to hold the LAN IPs of your clients that have apps that don't support proxy, and an alias to hold all the IPs of the servers they need to talk to.  That's it.

aGeekhere wrote:

> and an alias to hold all the IPs of the servers they need to talk to

                        The problem is first finding the server that they need to talk to, then updating that rule when they change it. If the destination server is dynamic then you will never know the destination server.

                        But I guess that is all we can do.

                        Never Fear, A Geek is Here!

KOM wrote:

> But I guess that is all we can do.

                          Them's the breaks.

enrique.perezrul wrote:

> @aGeekHere:
>
> 2. Disable DNS Resolver Updated needs to be on
>
> 3. Configure DNS Service
> add new Host Overrides
>
> Host: wpad
> Domain: mylocaldomain.local
> IP Address: 192.168.1.1
> Description: WPAD Autoconfigure Host
>
> save
> Updated change Listen Port to 3128
> Enable DNS forwarder
> save

This is working on my machine, but I would like to know if you can help me understand why you need to enable the DNS forwarder and set the listening port to 3128. I have pfSense 2.2.4; DNS Resolver is enabled by default and DNS forwarder is disabled. I have created the host override on DNS Resolver for it to work and enabled the DNS Forwarder service on port 3128.

Also, why do you need the host override if DHCP is configured with the IP address and not a domain name? I would appreciate it if you could help me understand this.

aGeekhere wrote:

Hi enrique.perezrul,

Hmm, some hard questions there, will do my best. Let's start with reading from the wiki:

                              https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

> WPAD will take the domain name given to the machine, likely assigned by DHCP, and prepend wpad.. If the domain is example.com, it will look for wpad.example.com. This task may be accomplished with the DNS Forwarder/DNS Resolver in pfSense or with another internal DNS server used by client PCs.

> why do you need to enable DNS forwarder

                              Because you need to create a Host Override for the wpad.

> …set listening port to 3128

                              Because I wanted to use port 53 for the DNS Resolver (Will need to look more into why I used port 3128)

> Also why do you need the host override if dhcp is configured with the ip address and not a domain name

Some web browsers use DNS to configure them, others use DHCP, so both are needed.

                              Never Fear, A Geek is Here!

maverik1 wrote:

                                Looking for a well documented guide or video to help configure wpad. Do any exist?

chavarriaa wrote:

> @maverik1:
>
> Looking for a well documented guide or video to help configure wpad. Do any exist?

With this post I configured WPAD, but if you have problems, create your own post. Problems are never the same.

KOM wrote:

> Looking for a well documented guide or video to help configure wpad. Do any exist?

                                    Look at the post above yours, specifically the link to WPAD Autoconfigure for Squid.

maverik1 wrote:

                                      I've checked that out but it's quite vague. For example, I run vlans on pfsense. My guest network is 10.0.0.0/24 and my home lan is 192.168.2.0/24.

                                      In the wpad file what do I need to specify as the proxy address?  I have configured pfsense such that guest vlan cannot access home vlan and vice versa. As I do not have a separate box I will have to host the wpad on the pfsense box.

function FindProxyForURL(url, host)
{
    return "PROXY 192.168.2.1:3128";  // What does this need to be to support both vlans?
}

aGeekhere wrote:

Try this:

function FindProxyForURL(url, host)
{
    if (isPlainHostName(host) ||
        shExpMatch(host, "*.local") ||
        isInNet(dnsResolve(host), "192.168.1.0", "255.255.255.0"))
        return "DIRECT";

    return "PROXY 192.168.1.1:3128";
}

                                        Never Fear, A Geek is Here!

KOM wrote:

> In the wpad file what do I need to specify as the proxy address?

                                          Whatever the IP address is of the interface that Squid is listening on.  Usually your LAN NIC.

> I have configured pfsense such that guest vlan cannot access home vlan and vice versa.

                                          Add a firewall rule above your vlan blocks that allows the guest vlan to talk to squid.

> As I do not have a separate box I will have to host the wpad on the pfsense box.

                                          So do that then.  I host wpad.dat and proxy.pac on my pfSense box.  Note that it won't work if you have WebGUI running in HTTPS mode.

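As an added example (not code from this thread, from pfSense or from Squid), here is one way a single PAC file can serve both of maverik1's VLANs: it follows KOM's point that the proxy address is whatever interface Squid listens on, and hands each client the listener on its own VLAN so proxy traffic never has to cross the guest/home block rules. The subnets 10.0.0.0/24 and 192.168.2.0/24 are from maverik1's post; the proxy addresses 10.0.0.1 and 192.168.2.1 and the shim helpers are assumptions made so the file can be exercised outside a browser.

```javascript
// Added example, not from the thread or pfSense. Assumed layout (constructed):
// guest VLAN 10.0.0.0/24 with Squid bound to 10.0.0.1, home VLAN 192.168.2.0/24
// with Squid bound to 192.168.2.1. Browsers supply isInNet/isPlainHostName/
// shExpMatch/myIpAddress themselves; the shims below only let the file run under Node.

function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}

// Shim: true when ip (dotted quad only; no DNS lookups here) lies inside net/mask.
function isInNet(ip, net, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return false;
  return ((ipToInt(ip) & ipToInt(mask)) >>> 0) === ((ipToInt(net) & ipToInt(mask)) >>> 0);
}

// Shim: a hostname without any dot is "plain" (an unqualified local name).
function isPlainHostName(host) { return host.indexOf(".") === -1; }

// Shim: shell-style glob match, as the PAC shExpMatch() does.
function shExpMatch(str, glob) {
  const re = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// Stand-in for the browser's myIpAddress(); callers pick the client address.
let clientIp = "192.168.2.50";
function myIpAddress() { return clientIp; }
function setMyIpAddress(ip) { clientIp = ip; }

function FindProxyForURL(url, host) {
  // Unqualified names, .local names and the two VLAN subnets bypass Squid.
  if (isPlainHostName(host) || shExpMatch(host, "*.local") ||
      isInNet(host, "10.0.0.0", "255.255.255.0") ||
      isInNet(host, "192.168.2.0", "255.255.255.0")) {
    return "DIRECT";
  }
  // Pick the Squid listener on the client's own VLAN, so proxy traffic never
  // has to cross the guest/home block rules.
  const me = myIpAddress();
  if (isInNet(me, "10.0.0.0", "255.255.255.0")) return "PROXY 10.0.0.1:3128";
  if (isInNet(me, "192.168.2.0", "255.255.255.0")) return "PROXY 192.168.2.1:3128";
  // Client on an unexpected subnet: do not hand it a proxy it cannot reach.
  return "DIRECT";
}
```

Squid must still be bound to both VLAN interfaces (as maverik1 describes) and the block rules must not drop traffic to port 3128 on the client's own VLAN gateway.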
maverik1 wrote:

                                            Is there a command or configuration page to see what interface squid is listening on? As mentioned previously I have vlans running. The default LAN is disabled.

                                            Vlan10 is admin
                                            Vlan20 is guest
                                            Vlan30 is home

                                            I configured squid to bind to vlan20 and vlan30.

                                            You mention that if WebGUI is running over https I cannot host the proxy.pac. Can this be overcome by changing the port from 443 to 444?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.