WPAD Setup help [Solved]

aGeekhere

reinstalled squid gui components, cleared the cache (one the user computers and squids cache), and now it works :)

Will test it for a few days to see how i go.

;D

[Update]
If i have no issues with it i will write up a how to

aGeekhere

I just want to update something here.
if you are having issues with webpages only half loading (which is what I had), then you must first delete your squid cache then it should fix that issue.

KOM

if you are having issues with webpages only half loading

This can also by symptomatic of an IP6/IP4 preference issue with dual-stack sites.

aGeekhere

Hi all,

I found an issue where some programs have an issue with the global "automatically detect settings" option (some programs with this issue do not even have a proxy setting setup page) and still want to go through port 80 (I think this could also be what is causing downthemall to only connect to 1 segment because when I open port 80 I can connect to more segments).

So sometimes I have to reopen port 80 to let the traffic through temporary.

I read somewhere that a NAT rule could be created to catch any leftover traffic going to port 80 and redirect it to port 3128.

Tired playing around with a NAT rule
LAN - TCP - LAN address - 80 - WAN address - 80 - 192.168.1.1 - 3128
And in rules i put it at the top.

However the traffic is not redirected.
Tested with a troubled program using

• no proxy
• automatically detect settings
• And even setting the proxy setting with the port set to 80

Any thoughts on this?

User43617

@aGeekHere:

2. Disable DNS Resolver Updated needs to be on

3.Configure DNS Service
add new Host Overrides

Host: wpad
Domain: mylocaldomain.local
IP Address: 192.168.1.1
Description: WPAD Autoconfigure Host

save
Updated change Listen Port to 3128
Enable DNS forwarder
save

Quick question, for clarification on the above quote, please:
I currently have DNS Resolver off and DNS forwarder on with the above Host Override configured on the DNS Forwarder.

Which one did you apply the Host Override configuration?

Which one did you change to listen on port 3128 (same as Squid3, unless you changed that.  I don't think you did, based on your proxy.pac code).

I add the Firewall rules for blocking HTTP and HTTPS and I can't load internet pages.  I can still get to local servers.  Nothing's being filtered by Squidguard.  Or, at least, it's not showing up in the logs.  Wondering if that's my problem now.

aGeekhere

It is the DNS forwarder that needs the Host Override configuration.

irajames

@User43617:

@aGeekHere:

2. Disable DNS Resolver Updated needs to be on

3.Configure DNS Service
add new Host Overrides

Host: wpad
Domain: mylocaldomain.local
IP Address: 192.168.1.1
Description: WPAD Autoconfigure Host

save
Updated change Listen Port to 3128
Enable DNS forwarder
save

Quick question, for clarification on the above quote, please:
I currently have DNS Resolver off and DNS forwarder on with the above Host Override configured on the DNS Forwarder.

Which one did you apply the Host Override configuration?

Which one did you change to listen on port 3128 (same as Squid3, unless you changed that.  I don't think you did, based on your proxy.pac code).

I add the Firewall rules for blocking HTTP and HTTPS and I can't load internet pages.  I can still get to local servers.  Nothing's being filtered by Squidguard.  Or, at least, it's not showing up in the logs.  Wondering if that's my problem now.

I'm also wondering do I put listen to 3128 in DNS Forwarder or in DNS Resolver?

aGeekhere

I'm also wondering do I put listen to 3128 in DNS Forwarder or in DNS Resolver?

see above post :)

And while I am here, there is an issue that remains with this setup is that programs that have no proxy settings and want to connect directly will get blocked by the port 80 rule.

If someone has any advice on how to solve this i'll update the first post.

KOM

If someone has any advice on how to solve this i'll update the first post.

Add a firewall rule(s) to allow specified LAN IPs to connect to specified destination IPs via 80.  Put it above the HTTP/S block.  Use an alias to hold the LAN IPs of your clients that have apps that don't support proxy, and an alias to hold all the IPs of the servers they need to talk to.  That's it.

aGeekhere

and an alias to hold all the IPs of the servers they need to talk to

The problem is first finding the server that they need to talk to, then updating that rule when they change it. If the destination server is dynamic then you will never know the destination server.

But I guess that is all we can do.

KOM

But I guess that is all we can do.

Them's the breaks.

enrique.perezrul

@aGeekHere:

2. Disable DNS Resolver Updated needs to be on

3.Configure DNS Service
add new Host Overrides

Host: wpad
Domain: mylocaldomain.local
IP Address: 192.168.1.1
Description: WPAD Autoconfigure Host

save
Updated change Listen Port to 3128
Enable DNS forwarder
save

This is working on my machine but I will like to know if you can help me understand why do you need to enable DNS forwarder and set listening port to 3128. I have pfsense 2.2.4 DNS Resolver is enable by default and DNS forwarder is disable. I have created the host override on DNS resolver for it to work and enable DNS Forwarder service on port 3128.

Also why do you need the host override if dhcp is configured with the ip address and not a domain name? I will appreciate if you help me understand this.

aGeekhere

Hi enrique.perezrul

Hmm some hard questions there, will do my best, lets start with reading from the wiki

https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

WPAD will take the domain name given to the machine, likely assigned by DHCP, and prepend wpad.. If the domain is example.com, it will look for wpad.example.com. This task may be accomplished with the DNS Forwarder/DNS Resolver in pfSense or with another internal DNS server used by client PCs.

why do you need to enable DNS forwarder

Because you need to create a Host Override for the wpad.

…set listening port to 3128

Because I wanted to use port 53 for the DNS Resolver (Will need to look more into why I used port 3128)

Also why do you need the host override if dhcp is configured with the ip address and not a domain name

Some web browsers use DNS to configure them others use dhcp so both are needed.

maverik1

Looking for a well documented guide or video to help configure wpad. Do any exist?

chavarriaa

@maverik1:

Looking for a well documented guide or video to help configure wpad. Do any exist?

With this Post i configurate WPAD, but if you have problems, create your own post. Problems never are the same.

KOM

Looking for a well documented guide or video to help configure wpad. Do any exist?

Look at the post above yours, specifically the link to WPAD Autoconfigure for Squid.

maverik1

I've checked that out but it's quite vague. For example, I run vlans on pfsense. My guest network is 10.0.0.0/24 and my home lan is 192.168.2.0/24.

In the wpad file what do I need to specify as the proxy address?  I have configured pfsense such that guest vlan cannot access home vlan and vice versa. As I do not have a separate box I will have to host the wpad on the pfsense box.

function FindProxyForURL(url,host)
{

return "PROXY 192.168.2.1:3128";  What does this need to be to support both vlans?
}

aGeekhere

try this

function FindProxyForURL(url, host) 
{ 
    if (isPlainHostName(host) ||
        shExpMatch(host, "*.local") ||
        isInNet(dnsResolve(host), "192.168.1.0",  "255.255.255.0"))
        return "DIRECT";

    return "PROXY 192.168.1.1:3128";
}

KOM

In the wpad file what do I need to specify as the proxy address?

Whatever the IP address is of the interface that Squid is listening on.  Usually your LAN NIC.

I have configured pfsense such that guest vlan cannot access home vlan and vice versa.

Add a firewall rule above your vlan blocks that allows the guest vlan to talk to squid.

As I do not have a separate box I will have to host the wpad on the pfsense box.

So do that then.  I host wpad.dat and proxy.pac on my pfSense box.  Note that it won't work if you have WebGUI running in HTTPS mode.

maverik1

Is there a command or configuration page to see what interface squid is listening on? As mentioned previously I have vlans running. The default LAN is disabled.

Vlan10 is admin
Vlan20 is guest
Vlan30 is home

I configured squid to bind to vlan20 and vlan30.

You mention that if WebGUI is running over https I cannot host the proxy.pac. Can this be overcome by changing the port from 443 to 444?