Netgate Discussion Forum

    WPAD Setup help [Solved]

    Cache/Proxy
    78 Posts 14 Posters 31.0k Views
      maverik1

      Is there a command or configuration page to see what interface squid is listening on? As mentioned previously I have vlans running. The default LAN is disabled.

      Vlan10 is admin
      Vlan20 is guest
      Vlan30 is home

      I configured squid to bind to vlan20 and vlan30.

      You mention that if WebGUI is running over https I cannot host the proxy.pac. Can this be overcome by changing the port from 443 to 444?

        KOM

        Is there a command or configuration page to see what interface squid is listening on?

        Services - Proxy server - General.  What's the very first thing you see, starting at the top?

        Can this be overcome by changing the port from 443 to 444?

        I don't think so.  It's not the port that's the problem, it's the protocol.

          chavarriaa

          @maverik1:

          Is there a command or configuration page to see what interface squid is listening on? As mentioned previously I have vlans running. The default LAN is disabled.
          …

          http://findproxyforurl.com/pac-functions/ <- shows some functions for that.

          Try this, where 192.168.0.0 is the network that you want to have direct access.

          function FindProxyForURL(url, host) {
            // clients whose own address is inside 192.168.0.0/24 go direct
            // (isInNet applies the mask, so 192.168.0.1 here means the whole /24)
            if (isInNet(myIpAddress(), "192.168.0.1", "255.255.255.0"))
              return "DIRECT";   // must be the string "DIRECT"; a bare DIRECT is an undefined identifier

            return "PROXY 192.168.10.10:3128";
          }


          Or Services >> Proxy Server >> General >> Proxy interface(s) and choose your Networks

            maverik1

            @KOM:

            Is there a command or configuration page to see what interface squid is listening on?

            Services - Proxy server - General.  What's the very first thing you see, starting at the top?

            Proxy interfaces shows:
            Home    -> "for reference only" (192.168.2.0/24)
            Guest    -> "for reference only"  (10.0.0.0/24)

            So back to my original question regarding the wpad file. Does the "return PROXY" statement need to point to the Home, Guest or both interfaces? I want both subnets going through the proxy.

              maverik1

              I am trying to configure wpad and am testing it out but haven't got it working.

              I have configured the following discovery file:

              [2.2.4-RELEASE][root@pfSense.localdomain]/root: cat /usr/local/www/wpad/proxy.pac
              function FindProxyForURL(url, host)
              {
                if (isPlainHostName(host))
                {
                  return "DIRECT";
                }

                // passing a hostname to isInNet() makes the browser resolve it first
                if (isInNet(host, "127.0.0.1", "255.255.255.0"))
                {
                  return "DIRECT";
                }

                return "PROXY 10.0.3.1:3128";
              }


              ls -la
              -rw-r--r--  1 root  wheel  200 Sep 19 17:01 proxy.pac
              lrwxr-xr-x  1 root  wheel    9 Sep 19 15:06 wpad.da -> proxy.pac
              lrwxr-xr-x  1 root  wheel    9 Sep 19 15:05 wpad.dat -> proxy.pac

              I copied the lighttpd configuration file, made some changes to it, and put it in /usr/local/www/wpad. The changes I made were:

              server.document-root = "/usr/local/www/wpad/"
              server.errorlog = "/var/log/lighty-proxy-wpad.log"

              Added file types:
              ".dat"          =>      "application/x-ns-proxy-autoconfig",
              ".da"          =>      "application/x-ns-proxy-autoconfig",
              ".pac"          =>      "application/x-ns-proxy-autoconfig",

              server.bind = "10.0.3.1"
              server.port = 80

              Verified it worked by starting second lighttpd instance:
              [2.2.4-RELEASE][root@pfSense.localdomain]/usr/local/www/wpad: ps aux | grep -i "lighttpd"
              root  26067  0.0  0.2 13152  6012  -  S    4:08PM  0:00.86 /usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf
              root  45296  0.0  0.2 13152  4968  -  S    5:32PM  0:00.02 /usr/local/sbin/lighttpd -f /usr/local/www/wpad/lighty-proxy-wpad.conf

              I created a host override in DNS Forwarder and configured the necessary settings in the DHCP "bootp/dhcp" section.

              I am able to browse in Firefox to 10.0.3.1/wpad and wpad.localdomain/wpad.dat. However, nslookup on wpad.localdomain doesn't work. Not sure if it needs to. I can ping it though.

              I have squid3 installed. It's bound to the Guest interface (10.0.3.0/24) on port 3128. "Allow users on this interface" is enabled. Transparent HTTP Proxy is disabled and so is SSL MiTM. In the ACLs tab I entered: 10.0.3.0/24

              For testing purposes, I have created a firewall rule that allows anything from this network to pass so I can get internet. When I put in the proxy auto-configure URL in Firefox the internet no longer works.

              Any suggestions? This process is very frustrating.

                chris4916

                @maverik1:

                I am able to browse in firefox to 10.0.3.1/wpad and wpad.localdomain/wpad.dat. However, nslookup on wpad.localdomain doesnt work. Not sure if it needs to. I can ping it though.

                I'm not sure your browser will try to load any wpad.* file rather than a proxy.* file.

                The WPAD acronym covers the auto-discovery stuff, while proxy.pac (or .dat) describes browser behaviour: what is accessed directly (i.e. local files) vs. what must be accessed through the proxy.

                If you can resolve this name, I wonder how you can browse it  ???

                In order not to face all potential problems together, I would suggest, once your proxy.pac file is ready, testing it by manually configuring your browser to load this page. This bypasses the discovery step and ensures, if it works  ;), that proxy.pac behaves as expected.

                Jah Olela Wembo: Words turn into wounds when they upset, attack or hurt.

                  maverik1

                  I understand how wpad works. I was making sure I had access to it. In FF I have specified http://wpad.syndicate.com/wpad.dat in the Automatic Proxy Configuration URL.  It's not working as I am not getting any once doing so. I look at the squid logs and do not see anything from that network. So apparently it's not going through. I don't know where to start troubleshooting from.

                  I've simplified the proxy.pac to:

                  function FindProxyForURL(url, host)
                  {
                    // send everything to the Squid listener on the guest VLAN
                    return "PROXY 10.0.3.1:3128";
                  }


                  Don't believe it should be this complicated

                    chris4916

                    @maverik1:

                    I look at the squid logs and do not see anything from that network.

                    Before looking at Squid log, you should start with web server side.
                    If you don't see any access to this web server (for this page), no surprise if it doesn't work.
                    Of course, this means that, from your browser, you can resolve this URL  ;)


                      aGeekhere

                      try

                      http://pfsense.syndicate.com/wpad.dat
                      

                      Go through post 1 again, let me know how it went.

                      Never Fear, A Geek is Here!

                        maverik1

                        @aGeekHere:

                        try

                        http://pfsense.syndicate.com/wpad.dat
                        

                        Go through post 1 again, let me know how it went.

                        I've gone through this several times. My setup is a bit different. I have implemented vlans and there is not one main LAN that all the traffic is passing through. The following are my networks which must be passed through proxy.

                        10.0.0.0/24  Administrative VLAN
                        10.0.2.0/24  Local User VLAN
                        10.0.3.0/24  Guest VLAN

                        Because I basically have three separate LANs, I am not sure what the proxy address needs to be. Do I need three? Do I also need three DNS Host Overrides?

                        http://pfsense.syndicate.com/wpad.dat
                        

                        This doesn't resolve to anything in the browser. However, the following three resolve and I am prompted to download the file.

                        
                        http://wpad.syndicate.com/wpad.dat
                        http://wpad.syndicate.com/wpad.da
                        http://wpad.syndicate.com/proxy.pac
                        
                          chris4916

                          @maverik1:

                          Because I basically have three separate LANs, I am not sure what the proxy address needs to be. Do I need three? Do I also need three DNS Host Overrides?

                          You need one you can resolve and reach  ;)
                          If your VLANs are isolated, then you need 3 accesses  8)


                            maverik1

                            If your VLAN are isolated, then you need 3 accesses  8)

                            The problem is I don't know if it's possible to have three separate proxy.pac files. I'm hosting this file on the same server as pfSense with lighttpd.

                              aGeekhere

                              try something like this

                              function FindProxyForURL(url, host)
                              {
                                  // plain names, *.local and the three VLAN /24s go direct
                                  if (isPlainHostName(host) ||
                                      shExpMatch(host, "*.local") ||
                                      isInNet(dnsResolve(host), "10.0.0.0", "255.255.255.0") ||
                                      isInNet(dnsResolve(host), "10.0.2.0", "255.255.255.0") ||
                                      isInNet(dnsResolve(host), "10.0.3.0", "255.255.255.0"))
                                      return "DIRECT";

                                  // as posted; this should be the address Squid actually listens on
                                  return "PROXY 10.0.0.0:3128";
                              }


                              Not sure with vlans.


                                lqwwssd

                                Hello all, I have a problem in regard to the host overrides in DNS Forwarder. Here's a little background info.
                                I'm running pfSense 2.1.5, squid3 3.1.20 pkg 2.1.2.
                                hostname: pfsense
                                domain: tik.local
                                What happens is, when I set the listen port to 3128 in DNS Forwarder, I don't have internet access. But when I set the listen port to blank, it works again. I can even download the wpad.dat via http://wpad.tik.local/wpad.dat
                                Does anyone know why and how to solve it? Thx.

                                  maverik1

                                  @aGeekHere:

                                  try something like this

                                  function FindProxyForURL(url, host)
                                  {
                                      // plain names, *.local and the three VLAN /24s go direct
                                      if (isPlainHostName(host) ||
                                          shExpMatch(host, "*.local") ||
                                          isInNet(dnsResolve(host), "10.0.0.0", "255.255.255.0") ||
                                          isInNet(dnsResolve(host), "10.0.2.0", "255.255.255.0") ||
                                          isInNet(dnsResolve(host), "10.0.3.0", "255.255.255.0"))
                                          return "DIRECT";

                                      // as posted; this should be the address Squid actually listens on
                                      return "PROXY 10.0.0.0:3128";
                                  }


                                  Not sure with vlans.

                                  Yeah, it's a bit different. This unfortunately will not work. The 10.0.2.0 and 10.0.3.0 networks do not have access to the 10.0.0.0 network.  At the moment I am only focusing on getting this to work with one network and then moving on from there. This really seems to be an issue with the silly proxy. As stated before, my proxy.pac/wpad.dat/wpad.da is as follows:

                                  function FindProxyForURL(url, host)
                                  {
                                    return "PROXY 10.0.3.1:3128";
                                  }

                                  I am connected to the 10.0.3.0 network and in squid have enabled that interface. Transparent proxy is disabled. Port is 3128. Host override has been configured for wpad on syndicate.com on IP of 10.0.3.1. DNS Forwarder is enabled and on the default port (53).  DNS Resolver is disabled.

                                  I can ping wpad.syndicate.com, I can ping 10.0.3.1, I can hit http://wpad.syndicate.com/wpad.dat in the browser and am prompted for download. When I configure the browser to specifically use that URL I am unable to get to the Internet. It's as if traffic isn't being forwarded to the proxy. But I don't understand what it could be.

                                    chris4916

                                    @maverik1:

                                    The problem is I don't if it's possible to have three separate proxy.pac files. I'm hosting thus file on the same server as pfsense with lighttpd.

                                    You should not, IMHO, try to solve such a problem as a whole, from scratch, because there are too many things you don't know at this stage.
                                    Do it in a different way: build your solution for one single VLAN. Once it works, you can focus on extension to the two other VLANs, either by replication or duplication, depending on your infrastructure.

                                    The potential issue here is not with WPAD but most likely with DNS and the web server.
                                    If your web server is not reachable on one specific address by the 3 VLANs, then it means that you will have 3 different IPs for this server, and then you need DNS to send back the right answer.
                                    Or... your VLANs are not isolated and you can reach some IPs from one VLAN to another.

                                    But this really depends on YOUR infra and isn't related to WPAD, as far as I understand  8)


                                      aGeekhere

                                      Hello all, I have a problem in regard to the host overrides in DNS Forwarder. Here's a little background info.
                                      I'm running pfSense 2.1.5, squid3 3.1.20 pkg 2.1.2.
                                      hostname: pfsense
                                      domain: tik.local
                                      What happens is, when I set the listen port to 3128 in DNS Forwarder, I don't have internet access. But when I set the listen port to blank, it works again. I can even download the wpad.dat via http://wpad.tik.local/wpad.dat
                                      Does anyone know why and how to solve it? Thx.

                                      try enabling the DNS Resolver


                                        KOM

                                        If your firewall rules don't allow those other subnets to talk to your Squid IP address then they'll all fail.  You could try adding a rule on each of your vlans that allows them to talk specifically to your squid IP address & port.

                                          maverik1

                                          @KOM:

                                          If your firewall rules don't allow those other subnets to talk to your Squid IP address then they'll all fail.  You could try adding a rule on each of your vlans that allows them to talk specifically to your squid IP address & port.

                                          That would be a good idea. The problem is that squid is bound to more than one network interface. I've got it working for the most part.

                                          I've done the following:
                                          1. Create folder /usr/local/www/wpad.
                                          2. Create a proxy.pac file. Created symbolic links wpad.dat and wpad.da.
                                          3. Copy /var/etc/lighty-webConfigurator.conf into the /wpad folder from above. I then modified the conf file specific to each interface, so that:

                                          bind to port (default: 80)

                                          server.bind  = "192.168.2.1"  <- one of my subnets' IPs.
                                          server.port  = 80

                                          I then changed the name of the conf file so I know which subnet it is for. I have a total of three. Then I started it with the following command:
                                          /usr/local/sbin/lighttpd -f /usr/local/www/wpad/lighty-proxy-wpad_name_of_subnet.conf

                                          4. I created a script under /root that will start them all upon boot.
                                          5. I had to create a wpad host override that points to the three interface IPs. I don't know if this is a good/bad thing. Anyway, it is working.

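As an added example (not code from this thread, from pfSense or from Squid), the three-VLAN case discussed above can be handled by a single proxy.pac that returns the Squid listener on the client's own subnet, so the same file can be served to every VLAN by the three lighttpd instances described. The harness after the marker stands in for the browser's PAC helper functions so the rules can be exercised offline. 10.0.3.1:3128 and the three /24 subnets are the thread's; the 10.0.0.1 and 10.0.2.1 listener addresses are assumptions, as are the syndicate.com local-domain rule and every client and destination address used in the harness.

```javascript
// Added example: one proxy.pac for three isolated VLANs, plus an offline harness.
// Everything above the "harness" marker is the PAC file itself and deliberately
// sticks to ES3-style JavaScript, which is all a PAC interpreter is guaranteed to run.
//
// Constructed values: the subnets and 10.0.3.1:3128 come from the thread;
// 10.0.0.1 and 10.0.2.1 are ASSUMED Squid addresses for the other two VLANs.

var VLANS = [
  { net: "10.0.0.0", mask: "255.255.255.0", proxy: "PROXY 10.0.0.1:3128" }, // ASSUMED listener
  { net: "10.0.2.0", mask: "255.255.255.0", proxy: "PROXY 10.0.2.1:3128" }, // ASSUMED listener
  { net: "10.0.3.0", mask: "255.255.255.0", proxy: "PROXY 10.0.3.1:3128" }  // from the thread
];

function FindProxyForURL(url, host) {
  // Plain names and the local domain are reached without the proxy.
  if (isPlainHostName(host) || shExpMatch(host, "*.syndicate.com")) {
    return "DIRECT";
  }
  // Only treat the host as an address when it is a literal one: passing a
  // hostname to isInNet() would make the browser resolve it on every request.
  var hostIsIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
  var me = myIpAddress();
  for (var i = 0; i < VLANS.length; i++) {
    if (isInNet(me, VLANS[i].net, VLANS[i].mask)) {
      if (hostIsIp && isInNet(host, VLANS[i].net, VLANS[i].mask)) {
        return "DIRECT"; // destination is on the client's own VLAN
      }
      return VLANS[i].proxy; // the one listener this VLAN can actually reach
    }
  }
  return "DIRECT"; // client on a subnet we do not know: no proxy available to it
}

// ---- harness: stand-ins for the helpers a browser provides to PAC code ----

var simulatedClientIp = "0.0.0.0";

function myIpAddress() { return simulatedClientIp; }

function isPlainHostName(host) { return host.indexOf(".") === -1; }

// Shell-style glob match (* and ?), as the PAC helper defines it.
function shExpMatch(str, pattern) {
  var re = "^" + pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

function ip4ToInt(ip) {
  var parts = ip.split("."), n = 0;
  for (var i = 0; i < 4; i++) n = n * 256 + parseInt(parts[i], 10);
  return n;
}

// Literal-address subset of isInNet(); the real helper resolves hostnames first.
function isInNet(ip, pattern, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return false;
  var m = ip4ToInt(mask);
  return ((ip4ToInt(ip) & m) >>> 0) === ((ip4ToInt(pattern) & m) >>> 0);
}

// Evaluate the PAC as a client at clientIp asking about url.
function evaluatePac(clientIp, url) {
  simulatedClientIp = clientIp;
  return FindProxyForURL(url, new URL(url).hostname);
}

console.log(evaluatePac("10.0.3.25", "http://example.com/"));          // PROXY 10.0.3.1:3128
console.log(evaluatePac("10.0.3.25", "http://wpad.syndicate.com/"));   // DIRECT
console.log(evaluatePac("192.168.50.4", "http://example.com/"));       // DIRECT
```

Two things to keep in mind when using this shape. myIpAddress() returns whichever address the browser picks first, so a multi-homed or VPN-connected client can land in the wrong branch; keeping a firewall rule on each VLAN that permits traffic only to that VLAN's Squid address and port (as suggested earlier in the thread) means a wrong guess fails closed rather than crossing VLANs. And the wpad host override for each VLAN still has to resolve to an address that VLAN can reach, otherwise the file is never fetched in the first place.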
                                            lqwwssd

                                            @aGeekHere:

                                            Hello all, I have a problem in regard to the host overrides in DNS Forwarder. Here's a little background info.
                                            I'm running pfSense 2.1.5, squid3 3.1.20 pkg 2.1.2.
                                            hostname: pfsense
                                            domain: tik.local
                                            What happens is, when I set the listen port to 3128 in DNS Forwarder, I don't have internet access. But when I set the listen port to blank, it works again. I can even download the wpad.dat via http://wpad.tik.local/wpad.dat
                                            Does anyone know why and how to solve it? Thx.

                                            try enabling the DNS Resolver

                                            Thx for the reply. Now I tried to setup wpad on pfsense 2.2.4 instead. I configured the DNS resolver instead of DNS forwarder. It gave me the same result when I set the port to 3128 on DNS resolver…  :-\

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.