WPAD Setup help [Solved]
-
I have updated the first post; I now use strikethrough to show old settings.
From a personal viewpoint, this is not something I usually do, because it makes the following posts out of context most of the time.
Very strange issue this is now: SquidGuard is not showing any blocked items for non-blocked sites, and even if I turn it off or set SquidGuard to allow all I get the same issue (sites not loading correctly, missing content, not loading at all, AND very, very slow webpage loading times).
Stuck atm (I wonder if it is squid3 that is the issue);
I'm not using Squid on pfSense but reading various threads here and there, it looks like there is a significant amount of problems with Squid on pfSense 2.x
At least, you have clarified that Squidguard is not the issue here, neither WPAD ;)
Now you could perhaps focus on Squid logs… -
Reinstalled the Squid GUI components, cleared the cache (on the user computers and Squid's cache), and now it works :)
Will test it for a few days to see how I go.
;D
[Update]
If I have no issues with it I will write up a how-to
-
I just want to update something here.
If you are having issues with webpages only half loading (which is what I had), then you must first delete your Squid cache; that should fix the issue.
-
if you are having issues with webpages only half loading
This can also be symptomatic of an IPv6/IPv4 preference issue with dual-stack sites.
-
Hi all,
I found an issue where some programs have a problem with the global "automatically detect settings" option (some programs with this issue do not even have a proxy settings page) and still want to go through port 80 (I think this could also be what is causing DownThemAll to only connect to 1 segment, because when I open port 80 I can connect to more segments).
So sometimes I have to reopen port 80 temporarily to let the traffic through.
I read somewhere that a NAT rule could be created to catch any leftover traffic going to port 80 and redirect it to port 3128.
Tried playing around with a NAT rule:
LAN - TCP - LAN address - 80 - WAN address - 80 - 192.168.1.1 - 3128
And in rules I put it at the top. However, the traffic is not redirected.
Tested with a troubled program using:
- no proxy
- automatically detect settings
- and even setting the proxy setting with the port set to 80
Any thoughts on this?
-
2. Disable DNS Resolver (Updated: needs to be on)
3. Configure DNS Service
add new Host Overrides
Host: wpad
Domain: mylocaldomain.local
IP Address: 192.168.1.1
Description: WPAD Autoconfigure Host
save
Updated: change Listen Port to 3128
Enable DNS forwarder
save
Quick question, for clarification on the above quote, please:
I currently have DNS Resolver off and DNS forwarder on, with the above Host Override configured on the DNS Forwarder. Which one did you apply the Host Override configuration to?
Which one did you change to listen on port 3128 (same as Squid3, unless you changed that. I don't think you did, based on your proxy.pac code).
I add the Firewall rules for blocking HTTP and HTTPS and I can't load internet pages. I can still get to local servers. Nothing's being filtered by Squidguard. Or, at least, it's not showing up in the logs. Wondering if that's my problem now.
-
It is the DNS forwarder that needs the Host Override configuration.
-
2. Disable DNS Resolver (Updated: needs to be on)
3. Configure DNS Service
add new Host Overrides
Host: wpad
Domain: mylocaldomain.local
IP Address: 192.168.1.1
Description: WPAD Autoconfigure Host
save
Updated: change Listen Port to 3128
Enable DNS forwarder
save
Quick question, for clarification on the above quote, please:
I currently have DNS Resolver off and DNS forwarder on, with the above Host Override configured on the DNS Forwarder. Which one did you apply the Host Override configuration to?
Which one did you change to listen on port 3128 (same as Squid3, unless you changed that. I don't think you did, based on your proxy.pac code).
I add the Firewall rules for blocking HTTP and HTTPS and I can't load internet pages. I can still get to local servers. Nothing's being filtered by Squidguard. Or, at least, it's not showing up in the logs. Wondering if that's my problem now.
I'm also wondering do I put listen to 3128 in DNS Forwarder or in DNS Resolver?
-
I'm also wondering do I put listen to 3128 in DNS Forwarder or in DNS Resolver?
see above post :)
And while I am here, an issue that remains with this setup is that programs that have no proxy settings and want to connect directly will get blocked by the port 80 rule.
If someone has any advice on how to solve this I'll update the first post.
-
If someone has any advice on how to solve this I'll update the first post.
Add a firewall rule(s) to allow specified LAN IPs to connect to specified destination IPs via 80. Put it above the HTTP/S block. Use an alias to hold the LAN IPs of your clients that have apps that don't support proxy, and an alias to hold all the IPs of the servers they need to talk to. That's it.
-
and an alias to hold all the IPs of the servers they need to talk to
The problem is first finding the server that they need to talk to, then updating that rule when they change it. If the destination server is dynamic then you will never know the destination server.
But I guess that is all we can do.
-
But I guess that is all we can do.
Them's the breaks.
-
2. Disable DNS Resolver (Updated: needs to be on)
3. Configure DNS Service
add new Host Overrides
Host: wpad
Domain: mylocaldomain.local
IP Address: 192.168.1.1
Description: WPAD Autoconfigure Host
save
Updated: change Listen Port to 3128
Enable DNS forwarder
save
This is working on my machine, but I would like to know if you can help me understand why you need to enable DNS forwarder and set the listening port to 3128. I have pfSense 2.2.4; DNS Resolver is enabled by default and DNS forwarder is disabled. I have created the host override on DNS resolver for it to work and enabled the DNS Forwarder service on port 3128.
Also, why do you need the host override if DHCP is configured with the IP address and not a domain name? I would appreciate it if you could help me understand this.
-
Hi enrique.perezrul
Hmm, some hard questions there, will do my best. Let's start with reading from the wiki:
https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid
WPAD will take the domain name given to the machine, likely assigned by DHCP, and prepend wpad.. If the domain is example.com, it will look for wpad.example.com. This task may be accomplished with the DNS Forwarder/DNS Resolver in pfSense or with another internal DNS server used by client PCs.
why do you need to enable DNS forwarder
Because you need to create a Host Override for the wpad.
…set listening port to 3128
Because I wanted to use port 53 for the DNS Resolver (Will need to look more into why I used port 3128)
Also why do you need the host override if dhcp is configured with the ip address and not a domain name
Some web browsers use DNS to configure themselves, others use DHCP, so both are needed.
-
Looking for a well documented guide or video to help configure wpad. Do any exist?
-
Looking for a well documented guide or video to help configure wpad. Do any exist?
With this post I configured WPAD, but if you have problems, create your own post. Problems are never the same.
-
Looking for a well documented guide or video to help configure wpad. Do any exist?
Look at the post above yours, specifically the link to WPAD Autoconfigure for Squid.
-
I've checked that out but it's quite vague. For example, I run vlans on pfsense. My guest network is 10.0.0.0/24 and my home lan is 192.168.2.0/24.
In the wpad file what do I need to specify as the proxy address? I have configured pfsense such that guest vlan cannot access home vlan and vice versa. As I do not have a separate box I will have to host the wpad on the pfsense box.
function FindProxyForURL(url, host)
{
    return "PROXY 192.168.2.1:3128";
}
What does this need to be to support both vlans?
-
try this
function FindProxyForURL(url, host)
{
    // Local names and the LAN subnet go direct; everything else via Squid
    if (isPlainHostName(host) ||
        shExpMatch(host, "*.local") ||
        isInNet(dnsResolve(host), "192.168.1.0", "255.255.255.0"))
        return "DIRECT";
    return "PROXY 192.168.1.1:3128";
}
-
In the wpad file what do I need to specify as the proxy address?
Whatever the IP address is of the interface that Squid is listening on. Usually your LAN NIC.
I have configured pfsense such that guest vlan cannot access home vlan and vice versa.
Add a firewall rule above your vlan blocks that allows the guest vlan to talk to squid.
As I do not have a separate box I will have to host the wpad on the pfsense box.
So do that then. I host wpad.dat and proxy.pac on my pfSense box. Note that it won't work if you have WebGUI running in HTTPS mode.
-
Is there a command or configuration page to see what interface squid is listening on? As mentioned previously I have vlans running. The default LAN is disabled.
Vlan10 is admin
Vlan20 is guest
Vlan30 is home
I configured squid to bind to vlan20 and vlan30.
You mention that if WebGUI is running over https I cannot host the proxy.pac. Can this be overcome by changing the port from 443 to 444?
-
Is there a command or configuration page to see what interface squid is listening on?
Services - Proxy server - General. What's the very first thing you see, starting at the top?
Can this be overcome by changing the port from 443 to 444?
I don't think so. It's not the port that's the problem, it's the protocol.
-
Is there a command or configuration page to see what interface squid is listening on? As mentioned previously I have vlans running. The default LAN is disabled.
…http://findproxyforurl.com/pac-functions/ <- shows some functions for that.
Try this, where 192.168.0.0 is the network that you want to have direct access:
function FindProxyForURL(url, host)
{
    // myIpAddress() is the client's own address; "DIRECT" must be a string
    if (isInNet(myIpAddress(), "192.168.0.1", "255.255.255.0"))
        return "DIRECT";
    return "PROXY 192.168.10.10:3128";
}
Or Services >> Proxy Server >> General >> Proxy interface(s) and choose your Networks
-
@KOM:
Is there a command or configuration page to see what interface squid is listening on?
Services - Proxy server - General. What's the very first thing you see, starting at the top?
Proxy interfaces shows:
Home -> "for reference only" (192.168.2.0/24)
Guest -> "for reference only" (10.0.0.0/24)
So back to my original question regarding the wpad file. Does the "return PROXY" statement need to point to the Home, Guest or both interfaces? I want both subnets going through the proxy.
-
I am trying to configure wpad and am testing it out but haven't got it working.
I have configured the following discovery file:
[2.2.4-RELEASE][root@pfSense.localdomain]/root: cat /usr/local/www/wpad/proxy.pac
function FindProxyForURL(url, host)
{
    if (isPlainHostName(host)) {
        return "DIRECT";
    }
    if (isInNet(host, "127.0.0.1", "255.255.255.0")) {
        return "DIRECT";
    }
    return "PROXY 10.0.3.1:3128";
}
ls -la
-rw-r--r-- 1 root wheel 200 Sep 19 17:01 proxy.pac
lrwxr-xr-x 1 root wheel 9 Sep 19 15:06 wpad.da -> proxy.pac
lrwxr-xr-x 1 root wheel 9 Sep 19 15:05 wpad.dat -> proxy.pac
I copied and made some changes to the lighttpd configuration file and put it in /usr/local/www/wpad. The changes I made were:
server.document-root = "/usr/local/www/wpad/"
server.errorlog = "/var/log/lighty-proxy-wpad.log"
Added file types:
".dat" => "application/x-ns-proxy-autoconfig",
".da" => "application/x-ns-proxy-autoconfig",
".pac" => "application/x-ns-proxy-autoconfig",
server.bind = "10.0.3.1"
server.port = 80
Verified it worked by starting a second lighttpd instance:
[2.2.4-RELEASE][root@pfSense.localdomain]/usr/local/www/wpad: ps aux | grep -i "lighttpd"
root 26067 0.0 0.2 13152 6012 - S 4:08PM 0:00.86 /usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf
root 45296 0.0 0.2 13152 4968 - S 5:32PM 0:00.02 /usr/local/sbin/lighttpd -f /usr/local/www/wpad/lighty-proxy-wpad.conf
I created a hosts override option in DNS Forwarder and configured the necessary settings in the DHCP "bootp/dhcp" section.
I am able to browse in Firefox to 10.0.3.1/wpad and wpad.localdomain/wpad.dat. However, nslookup on wpad.localdomain doesn't work. Not sure if it needs to. I can ping it though.
I have squid3 installed. It's bound to the Guest interface (10.0.3.0/24) on port 3128. Allow users on this interface is enabled. Transparent HTTP Proxy is disabled and so is SSL MITM. In the ACLs tab I entered: 10.0.3.0/24
For testing purposes, I have created a firewall rule that allows anything from this network to pass so I can get internet. When I put in the proxy auto-configure URL in Firefox the internet no longer works.
Any suggestions? This process is very frustrating
-
I am able to browse in firefox to 10.0.3.1/wpad and wpad.localdomain/wpad.dat. However, nslookup on wpad.localdomain doesnt work. Not sure if it needs to. I can ping it though.
I'm not sure your browser will try to load any wpad.* file, but rather a proxy.* file.
The WPAD acronym covers the auto-discovery stuff, while proxy.pac (or .dat) describes browser behaviour: what is accessed directly (i.e. local files) vs. what must be accessed through the proxy.
If you can resolve this name, I wonder how you can browse it ???
In order not to face all potential problems together, I would suggest, once your proxy.pac file is ready, to test it by manually configuring your browser to load this page. This bypasses the discovery step and ensures, if it works ;), that proxy.pac behaves as expected.
-
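An added example, written for this thread and not taken from pfSense, Squid or any post above: an offline PAC harness in JavaScript (PAC files are JavaScript). It serves two points raised here, the two-VLAN question of what the PROXY return should be when Squid listens on more than one interface, and the advice just above to test proxy.pac before relying on discovery. It re-implements the handful of PAC helper functions a browser exposes, compiles a PAC string, reports whether it even parses, and shows the DIRECT/PROXY decision for sample URLs as seen from a client on each VLAN. The resolver table, the client addresses, the 203.0.113.10 address and the guest-VLAN gateway 10.0.0.1 are constructed assumptions; the home/guest subnets are the ones from the question.

```javascript
// Added example, not code from the thread: a small offline PAC harness.
// It re-implements the PAC helper functions a browser exposes
// (isPlainHostName, dnsDomainIs, shExpMatch, isInNet, dnsResolve, myIpAddress)
// so a proxy.pac can be syntax-checked and its DIRECT/PROXY decisions
// exercised before it is published through WPAD. Only this subset of the
// PAC API is provided; any other PAC helper would be a ReferenceError.

// Parse a dotted-quad IPv4 string to an unsigned 32-bit integer, or null.
function ipToInt(ip) {
  if (typeof ip !== 'string' || !/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return null;
  const p = ip.split('.').map(Number);
  if (p.some(n => n > 255)) return null;
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

// Build the helper environment. dnsTable and myIp are constructed fixtures
// standing in for the browser's resolver and the client's local address.
function makePacHelpers(dnsTable, myIp) {
  const dnsResolve = host =>
    (Object.prototype.hasOwnProperty.call(dnsTable, host) ? dnsTable[host] : null);
  return {
    isPlainHostName: host => !host.includes('.'),
    dnsDomainIs: (host, domain) => host.endsWith(domain),
    // Shell-style glob: '*' and '?' are wildcards, everything else is literal.
    shExpMatch: (str, pattern) => {
      const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&')
                             .replace(/\*/g, '.*').replace(/\?/g, '.');
      return new RegExp('^' + escaped + '$').test(str);
    },
    // Accepts an IP or a hostname; null (a failed dnsResolve) is simply
    // "not in the network", which is how browsers behave.
    isInNet: (hostOrIp, net, mask) => {
      if (typeof hostOrIp !== 'string') return false;
      const ip = ipToInt(hostOrIp) !== null ? hostOrIp : dnsResolve(hostOrIp);
      const a = ipToInt(ip), n = ipToInt(net), m = ipToInt(mask);
      if (a === null || n === null || m === null) return false;
      return ((a & m) >>> 0) === ((n & m) >>> 0);
    },
    dnsResolve,
    myIpAddress: () => myIp,
  };
}

// Compile PAC text into a callable FindProxyForURL with the helpers in scope.
// A PAC that is not valid JavaScript (a common slip is omitting the
// `function` keyword) throws a SyntaxError here, whereas a browser would
// silently fall back to no proxy.
function loadPac(pacText, helpers) {
  const names = Object.keys(helpers);
  const factory = new Function(...names, pacText + '\nreturn FindProxyForURL;');
  return factory(...names.map(n => helpers[n]));
}

function pacParses(pacText) {
  try {
    loadPac(pacText, makePacHelpers({}, '0.0.0.0'));
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Constructed resolver table (203.0.113.0/24 is documentation address space).
const SAMPLE_DNS = {
  'fileserver.local': '192.168.2.10',
  'www.example.test': '203.0.113.10',
};

// Constructed PAC for the two-VLAN layout asked about above (home
// 192.168.2.0/24, guest 10.0.0.0/24): local names and subnets go DIRECT,
// and each client is sent to the Squid listener on its own VLAN's gateway,
// so one file serves both VLANs. The guest gateway 10.0.0.1 is an assumption.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) ||
      shExpMatch(host, "*.local") ||
      isInNet(dnsResolve(host), "192.168.2.0", "255.255.255.0") ||
      isInNet(dnsResolve(host), "10.0.0.0", "255.255.255.0")) {
    return "DIRECT";
  }
  if (isInNet(myIpAddress(), "10.0.0.0", "255.255.255.0")) {
    return "PROXY 10.0.0.1:3128";
  }
  return "PROXY 192.168.2.1:3128";
}
`;

// The same decision written without `function`: not valid JavaScript.
const BROKEN_PAC = 'FindProxyForURL(url, host) { return "PROXY 10.0.3.1:3128"; }';

// Evaluate a PAC for one URL as seen from a client whose address is myIp.
function decide(pacText, url, myIp, dnsTable = SAMPLE_DNS) {
  const fn = loadPac(pacText, makePacHelpers(dnsTable, myIp));
  return fn(url, new URL(url).hostname);
}

console.log('sample PAC parses:', pacParses(SAMPLE_PAC));
console.log('broken PAC parses:', pacParses(BROKEN_PAC));
for (const [url, ip] of [['http://intranet/', '192.168.2.20'],
                         ['http://www.example.test/', '192.168.2.20'],
                         ['http://www.example.test/', '10.0.0.20']]) {
  console.log(ip, url, '->', decide(SAMPLE_PAC, url, ip));
}
```

Run it with node; feed your own proxy.pac text to pacParses() and decide() with the addresses of your VLANs. The harness checks PAC logic only: whether the client can actually reach the address it is told to proxy through, and whether wpad.dat is served with the right MIME type, are separate checks on the firewall rules and the web server.
-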
I understand how wpad works. I was making sure I had access to it. In FF I have specified http://wpad.syndicate.com/wpad.dat in the Automatic Proxy Configuration URL. It's not working as I am not getting any once doing so. I look at the squid logs and do not see anything from that network. So apparently it's not going through. I don't know where to start troubleshooting from.
I've simplified the proxy.pac to:
function FindProxyForURL(url, host)
{
    return "PROXY 10.0.3.1:3128";
}
Don't believe it should be this complicated
-
I look at the squid logs and do not see anything from that network.
Before looking at Squid log, you should start with web server side.
If you don't see any access to this web server (for this page), no surprise if it doesn't work.
Of course, this means that, from your browser, you can resolve this URL ;)
-
try
http://pfsense.syndicate.com/wpad.dat
Go through post 1 again, let me know how it went.
-
try
http://pfsense.syndicate.com/wpad.dat
Go through post 1 again, let me know how it went.
I've gone through this several times. My setup is a bit different. I have implemented vlans and there is not one main LAN that all the traffic is passing through. The following are my networks which must be passed through proxy.
10.0.0.0/24 Administrative VLAN
10.0.2.0/24 Local User VLAN
10.0.3.0/24 Guest VLAN
Because I basically have three separate LANs, I am not sure what the proxy address needs to be. Do I need three? Do I also need three DNS Host Overrides?
http://pfsense.syndicate.com/wpad.dat
This doesn't resolve anything in browser, However, the following three are resolved and I am prompted to download the file.
http://wpad.syndicate.com/wpad.dat http://wpad.syndicate.com/wpad.da http://wpad.syndicate.com/proxy.pac
-
Because I basically have three separate LANs, I am not sure what the proxy address needs to be. Do I need three? Do I also need three DNS Host Overrides?
You need one you can resolve and reach ;)
If your VLANs are isolated, then you need 3 accesses 8)
-
If your VLANs are isolated, then you need 3 accesses 8)
The problem is I don't know if it's possible to have three separate proxy.pac files. I'm hosting this file on the same server as pfSense with lighttpd.
-
try something like this
function FindProxyForURL(url, host)
{
    // The three /24 VLANs and local names go direct; everything else via Squid
    if (isPlainHostName(host) ||
        shExpMatch(host, "*.local") ||
        isInNet(dnsResolve(host), "10.0.0.0", "255.255.255.0") ||
        isInNet(dnsResolve(host), "10.0.2.0", "255.255.255.0") ||
        isInNet(dnsResolve(host), "10.0.3.0", "255.255.255.0"))
        return "DIRECT";
    return "PROXY 10.0.0.0:3128";
}
Not sure with vlans.
-
Hello all, I have a problem in regards to the host overrides in DNS forwarder. Here's a little bg info.
I'm running pfSense 2.1.5, squid3 3.1.20 pkg 2.1.2.
hostname: pfsense
domain: tik.local
What happens is, when I set the Listen port to 3128 in DNS forwarder, I don't have internet access. But when I set the Listen port to blank, it works again. I am even able to download the wpad.dat via http://wpad.tik.local/wpad.dat
Does anyone know why and how to solve it? Thx.
-
try something like this
function FindProxyForURL(url, host)
{
    // The three /24 VLANs and local names go direct; everything else via Squid
    if (isPlainHostName(host) ||
        shExpMatch(host, "*.local") ||
        isInNet(dnsResolve(host), "10.0.0.0", "255.255.255.0") ||
        isInNet(dnsResolve(host), "10.0.2.0", "255.255.255.0") ||
        isInNet(dnsResolve(host), "10.0.3.0", "255.255.255.0"))
        return "DIRECT";
    return "PROXY 10.0.0.0:3128";
}
Not sure with vlans.
Yah, it's a bit different. This unfortunately will not work. The 10.0.2.0 and 10.0.3.0 networks do not have access to the 10.0.0.0 network. At the moment I am only focusing on getting this to work with one network and then moving on from there. This really seems to be an issue with the silly proxy. As stated before, my proxy.pac/wpad.dat/wpad.da is as follows:
function FindProxyForURL(url, host)
{
    return "PROXY 10.0.3.1:3128";
}
I am connected to the 10.0.3.0 network and in Squid have enabled that interface. Transparent proxy is disabled. Port is 3128. Host override has been configured for wpad on syndicate.com with the IP 10.0.3.1. DNS Forwarder is enabled and on the default port (53). DNS Resolver is disabled.
I can ping wpad.syndicate.com, I can ping 10.0.3.1, I can hit http://wpad.syndicate.com/wpad.dat in browser and am prompted for download. When I configure browser to specifically use that URL I am unable to get to Internet. It's as if traffic isn't being forwarded to the proxy. But I don't understand what it could be.
-
The problem is I don't know if it's possible to have three separate proxy.pac files. I'm hosting this file on the same server as pfSense with lighttpd.
You should not, IMHO, try to solve such problem as a whole, from scratch because there are too many things you don't know at this stage.
Do it in a different way: build your solution for one single VLAN. Once it works, you can focus on extending it to the two other VLANs, either by replication or duplication, depending on your infrastructure.
The potential issue here is not with WPAD but most likely with DNS and the web server.
If your web server is not reachable on one specific address by the 3 VLANs, then it means that you will have 3 different IPs for this server, and then you need DNS to send back the right answer.
Or…. your VLANs are not isolated and you can reach some IPs from one VLAN to another.
But this really depends on YOUR infra and isn't related to WPAD, as far as I understand 8)
-
Hello all, I have a problem in regards to the host overrides in DNS forwarder. Here's a little bg info.
I'm running pfSense 2.1.5, squid3 3.1.20 pkg 2.1.2.
hostname: pfsense
domain: tik.local
What happens is, when I set the Listen port to 3128 in DNS forwarder, I don't have internet access. But when I set the Listen port to blank, it works again. I am even able to download the wpad.dat via http://wpad.tik.local/wpad.dat
Does anyone know why and how to solve it? Thx.
try enabling the DNS Resolver
-
If your firewall rules don't allow those other subnets to talk to your Squid IP address then they'll all fail. You could try adding a rule on each of your vlans that allows them to talk specifically to your squid IP address & port.
-
@KOM:
If your firewall rules don't allow those other subnets to talk to your Squid IP address then they'll all fail. You could try adding a rule on each of your vlans that allows them to talk specifically to your squid IP address & port.
That would be a good idea. The problem is that squid is bound to more than one network interface. I've got it working for the most part.
I've done the following:
1. create folder /usr/local/www/wpad
2. create a proxy.pac file. Created symbolic links wpad.dat and wpad.da
3. copy /var/etc/lighty-webConfigurator.conf into the /wpad folder from above. I then modified the conf file specific to each interface, so that:
bind to port (default: 80)
server.bind = "192.168.2.1" <- one of my subnet's IPs.
server.port = 80
I then changed the name of the conf file so I know which subnet it is for. I have a total of three. Then I started it with the following command:
/usr/local/sbin/lighttpd -f /usr/local/www/wpad/lighty-proxy-wpad_name_of_subnet.conf
4. I created a script under /root that will start them all upon boot
5. I had to create a wpad host override that points to the three interface IPs. I don't know if this is a good/bad thing. Anyway, it is working.
-
Hello all, I have a problem in regards to the host overrides in DNS forwarder. Here's a little bg info.
I'm running pfSense 2.1.5, squid3 3.1.20 pkg 2.1.2.
hostname: pfsense
domain: tik.local
What happens is, when I set the Listen port to 3128 in DNS forwarder, I don't have internet access. But when I set the Listen port to blank, it works again. I am even able to download the wpad.dat via http://wpad.tik.local/wpad.dat
Does anyone know why and how to solve it? Thx.
try enabling the DNS Resolver
Thx for the reply. Now I tried to setup wpad on pfsense 2.2.4 instead. I configured the DNS resolver instead of DNS forwarder. It gave me the same result when I set the port to 3128 on DNS resolver… :-\