Netgate Discussion Forum
    WPAD Setup help [Solved]

Category: Cache/Proxy
78 Posts, 14 Posters, 31.0k Views
aGeekhere

try something like this

function FindProxyForURL(url, host)
{
    // plain names, *.local and the internal subnets bypass the proxy
    // (with a 255.0.0.0 mask each of the three isInNet tests matches all of 10.0.0.0/8)
    if (isPlainHostName(host) ||
        shExpMatch(host, "*.local") ||
        isInNet(dnsResolve(host), "10.0.0.0",  "255.0.0.0") ||
        isInNet(dnsResolve(host), "10.0.2.0",  "255.0.0.0") ||
        isInNet(dnsResolve(host), "10.0.3.0",  "255.0.0.0"))
        return "DIRECT";

    // everything else goes to the Squid listener
    return "PROXY 10.0.0.0:3128";
}

Not sure with vlans.

Never Fear, A Geek is Here!
lqwwssd

Hello all, I have a problem regarding the host overrides in DNS Forwarder. Here's a little background info.
I'm running pfSense 2.1.5, squid3 3.1.20 pkg 2.1.2.
hostname: pfsense
domain: tik.local
What happens is, when I set the Listen port to 3128 in DNS Forwarder, I don't have internet access. But when I set the Listen port to blank, it works again. I can even download the wpad.dat via http://wpad.tik.local/wpad.dat
Does anyone know why and how to solve it? Thx.
maverik1

@aGeekHere:

try something like this

function FindProxyForURL(url, host)
{
    if (isPlainHostName(host) ||
        shExpMatch(host, "*.local") ||
        isInNet(dnsResolve(host), "10.0.0.0",  "255.0.0.0") ||
        isInNet(dnsResolve(host), "10.0.2.0",  "255.0.0.0") ||
        isInNet(dnsResolve(host), "10.0.3.0",  "255.0.0.0"))
        return "DIRECT";

    return "PROXY 10.0.0.0:3128";
}

Not sure with vlans.

Yeah, it's a bit different. This unfortunately will not work. The 10.0.2.0 and 10.0.3.0 networks do not have access to the 10.0.0.0 network. At the moment I am only focusing on getting this to work with one network and then moving on from there. This really seems to be an issue with the silly proxy. As stated before, my proxy.pac/wpad.dat/wpad.da is as follows:

function FindProxyForURL(url, host)
{
    // send everything to the Squid listener on this network's pfSense interface
    return "PROXY 10.0.3.1:3128";
}

I am connected to the 10.0.3.0 network and in Squid have enabled that interface. Transparent proxy is disabled. Port is 3128. A host override has been configured for wpad on syndicate.com with the IP 10.0.3.1. DNS Forwarder is enabled and on the default port (53). DNS Resolver is disabled.

I can ping wpad.syndicate.com, I can ping 10.0.3.1, I can hit http://wpad.syndicate.com/wpad.dat in the browser and am prompted for download. When I configure the browser to specifically use that URL I am unable to get to the Internet. It's as if traffic isn't being forwarded to the proxy. But I don't understand what it could be.
chris4916

@maverik1:

The problem is I don't know if it's possible to have three separate proxy.pac files. I'm hosting this file on the same server as pfSense with lighttpd.

You should not, IMHO, try to solve such a problem as a whole, from scratch, because there are too many things you don't know at this stage.
Do it a different way: build your solution for one single VLAN. Once it works, you can focus on extending it to the two other VLANs, either by replication or duplication, depending on your infrastructure.

The potential issue here is not with WPAD but most likely with DNS and the web server.
If your web server is not reachable on one specific address by the 3 VLANs, then it means that you will have 3 different IPs for this server, and then you need DNS to send back the right answer.
Or…. your VLANs are not isolated and you can reach some IPs from one VLAN to another.

But this really depends on YOUR infra and isn't related to WPAD, as far as I understand  8)

Jah Olela Wembo: Words turn into ills when they upset, attack or wound.
aGeekhere

@lqwwssd:

Hello all, I have a problem regarding the host overrides in DNS Forwarder. Here's a little background info.
I'm running pfSense 2.1.5, squid3 3.1.20 pkg 2.1.2.
hostname: pfsense
domain: tik.local
What happens is, when I set the Listen port to 3128 in DNS Forwarder, I don't have internet access. But when I set the Listen port to blank, it works again. I can even download the wpad.dat via http://wpad.tik.local/wpad.dat
Does anyone know why and how to solve it? Thx.

try enabling the DNS Resolver
KOM

If your firewall rules don't allow those other subnets to talk to your Squid IP address then they'll all fail. You could try adding a rule on each of your vlans that allows them to talk specifically to your Squid IP address & port.
maverik1

@KOM:

If your firewall rules don't allow those other subnets to talk to your Squid IP address then they'll all fail. You could try adding a rule on each of your vlans that allows them to talk specifically to your Squid IP address & port.

That would be a good idea. The problem is that Squid is bound to more than one network interface. I've got it working for the most part.

I've done the following:
1. create folder /usr/local/www/wpad
2. create a proxy.pac file. Created symbolic links wpad.dat and wpad.da
3. copy /var/etc/lighty-webConfigurator.conf into the /wpad folder from above. I then modified the conf file specific to each interface, so that:

# bind to port (default: 80)
server.bind  = "192.168.2.1"  <- one of my subnets' IPs
server.port  = 80

I then changed the name of the conf file so I know which subnet it is for. I have a total of three. Then I started it with the following command:
/usr/local/sbin/lighttpd -f /usr/local/www/wpad/lighty-proxy-wpad_name_of_subnet.conf

4. I created a script under /root that will start them all upon boot
5. I had to create a wpad host override that points to the three interface IPs. I don't know if this is a good/bad thing. Anyway, it is working.
lqwwssd

@aGeekHere:

Hello all, I have a problem regarding the host overrides in DNS Forwarder. Here's a little background info.
I'm running pfSense 2.1.5, squid3 3.1.20 pkg 2.1.2.
hostname: pfsense
domain: tik.local
What happens is, when I set the Listen port to 3128 in DNS Forwarder, I don't have internet access. But when I set the Listen port to blank, it works again. I can even download the wpad.dat via http://wpad.tik.local/wpad.dat
Does anyone know why and how to solve it? Thx.

try enabling the DNS Resolver

Thx for the reply. Now I tried to set up wpad on pfSense 2.2.4 instead. I configured the DNS Resolver instead of the DNS Forwarder. It gave me the same result when I set the port to 3128 on the DNS Resolver…  :-\
chris4916

@lqwwssd:

What happens is, when I set the Listen port to 3128 in DNS Forwarder, I don't have internet access. But when I set the Listen port to blank, it works again. I can even download the wpad.dat via http://wpad.tik.local/wpad.dat
Does anyone know why and how to solve it? Thx.

What are you trying to solve? Why would you need to change the port used by either the DNS Forwarder or Resolver?
Furthermore, I don't understand what links this aspect (DNS configuration) to WPAD. I'm not saying there is no relationship, but I don't understand the problem you face.
chris4916

@maverik1:

5. I had to create a wpad host override that points to the three interface IPs. I don't know if this is a good/bad thing. Anyway, it is working.

some thoughts…

I'm not very comfortable with such an approach, frankly speaking, because I don't feel pfSense has been designed for such a purpose.
i.e., at least if using the DNS Resolver or Forwarder, which provide very basic DNS features, achieving this is somewhat painful in your design, IMHO.
You try to maintain 3 isolated networks sharing, in parallel, the same infrastructure.
This works only for services designed to maintain a specific configuration per listening interface. For the remaining part, you need to invent workarounds.

An alternative approach could be to set up a DMZ, or at least a dedicated network available to the 3 internal LANs, from where shared services will run. This will make your life much easier as you will maintain only one web server, one proxy.pac

The only tricky part with this proposed approach is for services running on each network. DNS Resolver and Forwarder can't handle it. You will need either Bind, which provides "views" allowing you to customize the answer depending on client IP, or to deploy one local DNS on each network segment to handle "local" requests.

Of course, what I suggest as a potential solution breaks the concept of a central pfSense machine that provides all services for all subnets. But again, I don't feel pfSense is suitable for such a design.
voxeljorz

try it this way (proxy.pac)

function FindProxyForURL(url, host) {

    // If the IP address of the local machine is within a defined
    // subnet, send to a specific proxy.
    if (isInNet(myIpAddress(), "10.0.0.0", "255.255.255.224"))
        // this is your gateway address/interface address for the subnet
        return "PROXY 10.0.0.1:3128";

    if (isInNet(myIpAddress(), "10.0.2.0", "255.255.255.224"))
        // this is your gateway address/interface address for the subnet
        return "PROXY 10.0.2.1:3128";

    if (isInNet(myIpAddress(), "10.0.3.0", "255.255.255.224"))
        // this is your gateway address/interface address for the subnet
        return "PROXY 10.0.3.1:3128";

    // DEFAULT RULE: All other traffic, use below proxies, in fail-over order.
    return "PROXY 10.0.0.1:3128";
}
doktornotor

@chris4916:

The only tricky part with this proposed approach is for services running on each network. DNS Resolver and Forwarder can't handle it. You will need either Bind, which provides "views" allowing you to customize the answer depending on client IP, or to deploy one local DNS on each network segment to handle "local" requests.

You might want to see the localise-queries option for DNS forwarder.
killmasta93

Just wanted to add, in case anyone else had this issue:

with only WPAD

using OpenVPN having the option ticked

"Allocate only one IP per client (topology subnet), rather than an isolated subnet per client (topology net30)."

then it will try to get WPAD; even if I disable squid3 it won't work unless I untick in Chrome the option to automatically detect proxy settings.

Also tried it with L2TP and PPTP (for testing purposes).

Tutorials:

https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials
chris4916

@killmasta93:

then it will try to get WPAD; even if I disable squid3 it won't work unless I untick in Chrome the option to automatically detect proxy settings

What do you mean by "it won't work"?
Browser locked and unable to browse?

BTW, even if I try to explain here and there that WPAD is the nice way to solve proxy management, because transparent proxy should not be the preferred option, it has some potential drawbacks.
One is that it can be used to "attack" some locations: if you're able to introduce a DHCP server pushing "your" WPAD, then you will be able to intercept the HTTP flow and introduce a MITM :-(
This also means that for network segments not able to benefit from your proxy, you should not push any WPAD-related information, neither at DHCP nor DNS level.

For DHCP, this should be quite simple, just don't configure option 252 for this subnet.
For DNS, looking at the pfSense implementation, this can be trickier as it requires not exposing some records if the request comes from a specific subnet.

As far as I understand  ;)
killmasta93

Sorry for the late reply. What I mean by "it won't work" is more that it won't let me browse. I commented to aGeekHere to see if he had this issue.

I do have WPAD working but with the issue with OpenVPN; see picture for example. aGeekHere did say there is a workaround, but let's say it's a laptop: the user moves to a different location and it won't let him browse unless he uses Firefox, so it becomes a hassle.

If I uncheck "auto detect proxy settings" in Internet Explorer the issue is solved, but I guess the issue is that WPAD forces the VPN users.

[attachment: OPENVPN.jpg]
gbreadman

I need help with my configuration coz it isn't working.. what might be the prob? Thanks:

1. Create wpad files, either use Diagnostics: Edit file or use ssh to add the files DONE

vi /usr/local/www/wpad.dat
vi /usr/local/www/wpad.da
vi /usr/local/www/proxy.pac

The code for the 3 files is

function FindProxyForURL(url, host)
{
    return "PROXY 192.168.1.1:3128";
}

3. Configure DNS Service
add new Host Overrides

Host: wpad
Domain: localdomain
IP Address: 192.168.1.1
Description: WPAD Autoconfigure Host

save
Updated change Listen Port to 3128
Enable DNS forwarder
save DONE

4. Configure DHCP server
Services: DHCP server
Additional BOOTP/DHCP Options DONE

number: 252 type: string value: "http://192.168.1.1/wpad.dat"
number: 252 type: string value: "http://192.168.1.1/wpad.da"
number: 252 type: string value: "http://192.168.1.1/proxy.pac"

5. run some tests
a. can the file be downloaded at the following links?

http://wpad.localdomain/wpad.dat
NO

http://wpad.localdomain/wpad.da
http://wpad.localdomain/proxy.pac
http://pfsense.localdomain/wpad.dat
http://pfsense.localdomain/wpad.da
http://pfsense.localdomain/proxy.pac

b. run an nslookup in cmd (windows)

nslookup wpad.localdomain

or try

nslookup pfsense.localdomain

set pfSense Protocol to http (This is a MUST, it will not work if you do not do this)
System: Advanced: Admin Access Protocol http DONE

7. Block lan Destination port 80 and 443 (http, https)
Firewall: Rules lan

IPv4 TCP * * * 80 - 443 * none

or add two rules DONE

EDIT: I tried manually configuring the browser to use the proxy and it works, but not for automatic..
side-problem: Groups ACL isn't working but Common ACL is. LOL
chris4916

The way you try to handle it is perhaps not the best one.

1 - First you should explain, from the introduction, that you intend to expose the proxy.pac file from the pfSense web server.
I'm not sure this is the best idea but if you still want to do this, keep in mind that the vhost package is not supported with pfSense 2.3
Then, I didn't check but you should ensure that the pfSense web server is configured to handle *.localdomain… if you do want to achieve this the way you currently do it (which I believe is not a good idea)

2 - I also don't like the idea of allowing HTTP on pfSense (which will, BTW, allow access to the admin GUI using HTTP) only because you want to handle proxy.pac on pfSense. If you need to do this, you should configure another instance of httpd (can't be done using the GUI however. vhost deals with this up to 2.2.6)

3 - The way you configure wpad.localdomain is wrong, IMHO

• you already have, if I understand well, pfSense listening on 192.168.1.1
• wpad.localdomain should rather be an alias than a host (I don't think however this generates the issue you currently face)

4 - what is the purpose of this:
@gbreadman:

Updated change Listen Port to 3128
Enable DNS forwarder
save DONE

I'm confused  :-[  listen port for which service? DNS ???

5 - BTW, do you confirm your proxy (that is also running on pfSense) is not running in transparent mode?

6 - you don't need to maintain 3 different "proxy.pac" files: one is enough, then rather configure logical links; this will keep contents aligned  ;)

7 - if you can't resolve wpad.localdomain, then there is no chance you could access http://wpad.localdomain

8 - perhaps it would be a good idea to introduce some exceptions in your proxy.pac file so that you don't reach the proxy when you want to access internal web servers… including pfSense  :)

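An offline way to check what a wpad.dat actually returns before pushing it out, as an added example that is not code from any poster or from pfSense: a Node.js harness that loads PAC text the way a browser does, supplies the helper functions, and evaluates a PAC that combines voxeljorz's per-subnet proxy selection with the DIRECT exceptions aGeekHere and chris4916 (point 8) describe, plus a DIRECT fallback for clients outside every served subnet (the OpenVPN case killmasta93 hit). The subnets, proxy addresses, syndicate.com domain and DNS table are assumptions chosen to mirror the thread, not anyone's real configuration.

```javascript
// Added example, not code from the thread or from pfSense/Squid: an offline harness
// that compiles wpad.dat / proxy.pac text with the PAC helpers in scope and evaluates
// it for constructed client addresses. Subnets, proxies, domain and DNS table are
// assumptions chosen to mirror the thread, not anyone's real configuration.

const ipToInt = (ip) => ip.split('.').reduce((acc, o) => acc * 256 + Number(o), 0);

// PAC helper re-implementations (browsers provide these natively).
function isInNet(ip, net, mask) {
  if (!ip) return false;                       // dnsResolve() returned null
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(net) & m);
}
function isPlainHostName(host) { return !host.includes('.'); }
function shExpMatch(str, pattern) {            // shell-style glob with * and ?
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&')
                    .replace(/\*/g, '.*').replace(/\?/g, '.');
  return new RegExp('^' + re + '$').test(str);
}

// Constructed stand-in for the pfSense host overrides / resolver.
const DNS_TABLE = {
  'wpad.syndicate.com': '10.0.3.1',
  'pfsense.syndicate.com': '10.0.3.1',
  'intranet.syndicate.com': '10.0.3.50',
};
function dnsResolve(host) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return host;   // IP literal
  return DNS_TABLE[host] || null;                           // null = unresolvable
}

let clientIp = '0.0.0.0';                      // set per evaluation
function myIpAddress() { return clientIp; }

// Compile PAC source with the helpers in scope, like a browser's PAC sandbox.
function loadPac(source) {
  const helpers = { isInNet, isPlainHostName, shExpMatch, dnsResolve, myIpAddress };
  const factory = new Function(...Object.keys(helpers), source + '\nreturn FindProxyForURL;');
  return factory(...Object.values(helpers));
}

// A PAC result must be DIRECT or a ;-separated list of PROXY/SOCKS host:port entries.
function isValidPacResult(result) {
  return typeof result === 'string' &&
    result.split(';').every((e) => /^\s*(DIRECT|(PROXY|SOCKS5?|HTTPS?)\s+\S+:\d+)\s*$/.test(e));
}

function evaluate(pacFn, ip, url) {
  clientIp = ip;
  return pacFn(url, new URL(url).hostname);
}

// Per-VLAN PAC combining the thread's suggestions (constructed text, not a poster's file).
const PAC_SOURCE = `
function FindProxyForURL(url, host) {
  // Internal destinations, including pfSense and the wpad host itself, go DIRECT.
  if (isPlainHostName(host) || shExpMatch(host, "*.syndicate.com")) return "DIRECT";
  if (isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0")) return "DIRECT";

  // Each VLAN uses the Squid listener on its own gateway interface, since the
  // VLANs cannot reach each other's pfSense address.
  var me = myIpAddress();
  if (isInNet(me, "10.0.0.0", "255.255.255.0")) return "PROXY 10.0.0.1:3128";
  if (isInNet(me, "10.0.2.0", "255.255.255.0")) return "PROXY 10.0.2.1:3128";
  if (isInNet(me, "10.0.3.0", "255.255.255.0")) return "PROXY 10.0.3.1:3128";

  // A client outside every served VLAN (a VPN or roaming address) gets DIRECT
  // rather than a proxy it cannot reach, which otherwise shows up as "won't let me browse".
  return "DIRECT";
}`;

const pac = loadPac(PAC_SOURCE);

// Walk a few constructed cases and return [clientIp, url, result, valid] rows.
function demo() {
  const cases = [
    ['10.0.3.20', 'http://example.com/'],                // VLAN 3 client, external site
    ['10.0.0.7', 'http://example.com/'],                 // VLAN 0 client, external site
    ['10.0.3.20', 'http://wpad.syndicate.com/wpad.dat'], // the wpad host itself
    ['10.0.3.20', 'http://10.0.3.50/'],                  // internal IP literal
    ['10.8.0.6', 'http://example.com/'],                 // VPN client outside all VLANs
  ];
  return cases.map(([ip, url]) => {
    const r = evaluate(pac, ip, url);
    return [ip, url, r, isValidPacResult(r)];
  });
}

console.log(demo().map((row) => row.join('  ')).join('\n'));
```

To check one of the files pasted in this thread instead, replace PAC_SOURCE with that file's text; loadPac throws if the file is not valid JavaScript, which catches problems like a missing `function` keyword before a browser silently ignores the PAC.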
gbreadman

Thanks for answering… but.. First of all, I'm a n00bie hahaha.
Now, if it didn't seem familiar to you, my post was "quoted" from the OP's instructions, changing parts to match MY setup,
like changing 'mylocaldomain.local' to 'localdomain' which is my domain. (is this correct?)

And about the other configs, I was just imitating the OP's setup, like changing the DNS FORWARDER port to 3128, and setting pfSense to use HTTP...
They say (even in the pfSense docs) that you gotta use HTTP for pfSense to make it work (and the docs also warned us about the security)

So to wrap it up: I'm just a n00bie (student) TRYING to follow instructions (to get our project working haha)

If we could properly configure this, that'd be great. THANKS. :)

EDIT: And yes, I turned transparent proxy mode off.
chris4916

@gbreadman:

Now, if it didn't seem familiar to you, my post was "quoted" from the OP's instructions, changing parts to match MY setup,
like changing 'mylocaldomain.local' to 'localdomain' which is my domain. (is this correct?)

humm… is it correct to have a local domain named "localdomain"...? I would not say yes, but this is most likely not the issue  ;)
And no, I didn't realise that I had already replied to a similar post at the very beginning of this thread  ;D :-[

@gbreadman:

And about the other configs, I was just imitating the OP's setup, like changing the DNS FORWARDER port to 3128, and setting pfSense to use HTTP…
They say (even in the pfSense docs) that you gotta use HTTP for pfSense to make it work (and the docs also warned us about the security)

I still don't understand the purpose of the "DNS forwarder port to 3128": do you have any pointer or link to any documentation or post?

Even if "pfSense" (who?) states that in order to have wpad working you need to enable HTTP, I'm 100% convinced this is a rather poor idea, mainly because there is only one single web listener that will handle both wpad and access to the pfSense admin. I'm not comfortable with the idea of having clear-text passwords on my LAN when accessing pfSense.

You can configure another web listener  ;)
I did it a few months ago for a guy who was obliged to host WPAD on pfSense  8)
The vhost package is another good idea but not after 2.2.6  :-X

In order not to waste too much time, focus first on nslookup so that you understand why wpad.localdomain can't be resolved (because this is what is preventing wpad from actually working for you).
gbreadman

@aGeekHere:

The code for the 3 files is

function FindProxyForURL(url, host)
{
    if (isPlainHostName(host) ||
        shExpMatch(host, "*.local") ||
        isInNet(dnsResolve(host), "192.168.1.0",  "255.255.255.0"))
        return "DIRECT";

    return "PROXY 192.168.1.1:3128";
}

3. Configure DNS Service
add new Host Overrides

Host: wpad
Domain: mylocaldomain.local
IP Address: 192.168.1.1
Description: WPAD Autoconfigure Host

save
Updated change Listen Port to 3128
Enable DNS forwarder
save

port set to 3128..

The GUI must also be run in HTTP mode, which is less secure. If the GUI is set to use HTTP, never open up access to the GUI over the WAN.

• https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

Any suggestions for this?
Which "another" web listener? ;)

C:\windows\system32>nslookup wpad.localdomain
Server:  pfSense.localdomain
Address:  192.168.1.1

DNS request timed out.
    timeout was 2 seconds.
*** pfSense.localdomain can't find wpad.localdomain: Non-existent domain

Clues?

PS. Is proxy filtering advisable, because it seems to slow surfing speeds pretty badly?