Netgate Discussion Forum

    Limiter blocks internet access (Squid transparent proxy)

      Ecnerwal

      Explicit proxy is fine for my fixed machines that won't be on another network; and it's set up on them, in fact.

      Setting up explicit proxy on mobile machines tends to break them when they go elsewhere. The user base not being all that savvy, various possible schemes of network settings to implement explicit proxy here that they would change away from when elsewhere might work for 2% of them. And it would be a pain for that 2%, even - Oh, I switched networks. Now I need to switch network settings. Oh, Joy.

      Auto Proxy discovery is a delightfully kludgy old process (netscape - that brings back memories) and not turned on by default for most systems.

      So, for effective proxy that actually works for the majority of a mobile user-base, transparent is useful (when it works.)

      Your environment may differ.

      pfSense on i5 3470/DQ77MK/16GB/500GB

        killmasta93

        Also just want to point out that the limiter also breaks NAT Reflection mode for port forwards :-[

        Tutorials:

        https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

          JDvD

          Has it been solved for the new version 2.2.4?

          USER ERROR: Replace user and press any key to continue …

            killmasta93

            Nah, not sure, maybe for 2.2.5 :)

            I would love to have the limiter work with NAT reflection.

            Tutorials:

            https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

              Derelict LAYER 8 Netgate

              As far as I know this problem is punted to 2.3, unfortunately.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

                killmasta93

                So on 2.2.2 the limiter does not have any issue with NAT reflection? On 2.2.4 there are still issues.

                Tutorials:

                https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

                  Derelict LAYER 8 Netgate

                  I think it's 2.2.X.

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                    Ecnerwal

                    @JDvD:

                    Has it been solved for the new version 2.2.4?

                    I'm having the problem on 2.2.4, so, no.

                    pfSense on i5 3470/DQ77MK/16GB/500GB

                      foresthus

                      Hi there,

                      I have got the same problem. Version 2.2.4 (64-bit) does not work with transparent proxy anymore. In version 2.1.5 it worked fine. In that version (2.1.5) it was also possible to change the port of Squid to a port beneath 100. This is not working in 2.2.4 as well.

                      I guess this must be a bug.  ??? :-\

                        cmutwiwa

                        7 months later and this issue has not been addressed yet?…not complaining tho', SmallWall has kept me happy so far.
                        I hope this issue will be addressed tho' would like to use pf.

                          foresthus

                          Hello,

                          After updating to 2.2.5 the bug is still there. Traffic shaping does not work with the proxy in transparent mode.

                          :-[

                            JDvD

                            Ok, I have not tried it with the new version (2.2.5).
                            I also see in several posts that there is some confusion. Let's clarify this: Limiter + transparent proxy does not work, but Limiter + non-transparent proxy works?

                            I think it's the same problem for all Traffic Shaper.

                            USER ERROR: Replace user and press any key to continue …

                              doktornotor Banned

                              This entire topic has nothing to do with proxy. Limiters are (still) broken when applied to any NAT firewall rules; this is nothing specific to transparent Squid. On 2.2.x, and I cannot see any difference on 2.3 either. Broken as in dropping traffic -> unusable.

                              https://redmine.pfsense.org/issues/4326

                                JDvD

                                I was referring to the subject of the title (Limiter + Proxy), but you have made it clear that it is a generalized problem with the NAT firewall rules. Thank you, doktornotor.

                                USER ERROR: Replace user and press any key to continue …

                                  herymulyo

                                  JAJAJA NO SOLUTION … back to 2.0.3 and fix it

                                    gmar15

                                    Finally, a SOLUTION here:

                                    https://forum.pfsense.org/index.php?topic=106640.0

                                      Riroxi

                                      @Alfanetindo:

                                      SOLVED*

                                      I managed to find a simple fix. All I needed to do was create a pass all firewall rule on the (LAN) interface for port 3128 (my proxy port).

                                      IPv4 TCP * * * 3128 * none   Rule to allow transparent proxy to work

                                      It worked and the speed limiter still works also.

                                      Hello!

                                      I made some adjustments to this rule, and it worked! Thx!

                                      Just point the rule to 127.0.0.1, and it will work!

                                      Don't forget, the rule must be at the top, and the rule with the limiter must be below it.

                                      Some screenshots below to help.

                                      I hope this can help someone. Sorry for my bad English.

                                      :)

                                      [EDIT]

                                      Hello Again!

                                      I tested this workaround for a few days and some apps like download managers can bypass limiters. :(

                                      Looking for another temp solution.

                                      Cya!

                                      [Attached screenshots: PROXY_RULE.png, LIMITER_RULE.png, LIMITER_DOWN.png, LIMITER_UP.png]

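The rule order described in the post above can be checked with a small first-match model. This is an added example, not part of the original post and not pfSense code. It assumes interface rules are evaluated top-down with the first match deciding, and that redirected proxy traffic reaches the filter with destination 127.0.0.1:3128; the rule descriptions, limiter names and sample flows are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    descr: str
    proto: str                     # "tcp", "udp" or "any"
    dst: str                       # CIDR or "any"
    dport: Optional[int]           # None = any port
    limiter: Optional[str] = None  # limiter attached to the rule, if any

    def matches(self, proto, dst_ip, dport):
        if self.proto not in ("any", proto):
            return False
        if self.dst != "any" and ip_address(dst_ip) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == dport

def first_match(rules, proto, dst_ip, dport):
    """Return the rule that decides the flow in a top-down, first-match list."""
    for rule in rules:
        if rule.matches(proto, dst_ip, dport):
            return rule
    return None

def unlimited_flows(rules, flows):
    """Names of flows whose deciding rule has no limiter attached."""
    hits = []
    for name, proto, dst_ip, dport in flows:
        rule = first_match(rules, proto, dst_ip, dport)
        if rule is not None and rule.limiter is None:
            hits.append(name)
    return hits

# Constructed LAN rule list in the order the post describes (hypothetical names).
LAN_RULES = [
    Rule("Allow transparent proxy", "tcp", "127.0.0.1/32", 3128),
    Rule("LAN to any, limited", "any", "any", None, limiter="down_pipe/up_pipe"),
]
# Constructed flows, as the filter would see them after the proxy redirect.
FLOWS = [
    ("HTTP redirected to Squid", "tcp", "127.0.0.1", 3128),
    ("HTTPS direct", "tcp", "203.0.113.10", 443),
    ("DNS", "udp", "198.51.100.53", 53),
]

if __name__ == "__main__":
    print(unlimited_flows(LAN_RULES, FLOWS))
```

Any flow this reports is passed by a rule with no limiter attached, which is the thing to review whenever a pass rule sits above the limiter rule.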
                                        geovaneg

                                        I suggest, as a workaround, that you limit the client bandwidth through the Squid "Traffic Mgmt" tab, "Per-host throttling" option, on "Proxy server: General settings". For me, it is running OK. Sorry for my bad English too :-)

                                          ohbobva

                                          For years, I've limited Squid (transparent) bandwidth using Squid "delay pools" in "Custom Options" on the "General" tab of Squid's settings.  I researched and set this up years ago, and don't remember the details, so you'll need to check Squid's documentation for info on the various options.  Here is what I've been using in the "Custom Options" box…

                                          positive_dns_ttl 90 seconds
                                          delay_class 1 3
                                          delay_parameters 1 1572864/1966080 1572864/1966080 524288/655360
                                          quick_abort_min 1024 KB
                                          quick_abort_max 2048 KB
                                          quick_abort_pct 90

                                          If I remember correctly, among other things, this limits the download speed of the browser, but allows some amount of bursting.

                                          More info at http://wiki.squid-cache.org/Features/DelayPools

                                          It looks like this when added to the "Custom Options" box on the "General" tab of Squid's settings in PFSense's GUI...

                                          positive_dns_ttl 90 seconds;delay_class 1 3;delay_parameters 1 1572864/1966080 1572864/1966080 524288/655360;quick_abort_min 1024 KB;quick_abort_max 2048 KB;quick_abort_pct 90
                                          
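To read the delay_parameters line in the post above: for a class 3 pool the three value pairs are the aggregate, per-network and per-host buckets, each written as restore rate (bytes per second) / bucket size (bytes). The following is an added example, not part of the original post or of Squid; it decodes the line and runs a simplified token-bucket model that assumes all clients share one network bucket, every bucket starts full, and greedy clients share the available bytes equally.

```python
# Added illustration: decode a class-3 delay_parameters line and model
# how its buckets shape greedy downloads.
CONFIG_LINE = "delay_parameters 1 1572864/1966080 1572864/1966080 524288/655360"

def parse_class3(line):
    """Return (pool, {bucket: (restore_bytes_per_s, max_bytes)})."""
    parts = line.split()
    if len(parts) != 5 or parts[0] != "delay_parameters":
        raise ValueError("expected: delay_parameters <pool> <agg> <net> <ind>")
    buckets = {}
    for name, field in zip(("aggregate", "network", "individual"), parts[2:]):
        restore, maximum = field.split("/")
        buckets[name] = (int(restore), int(maximum))
    return int(parts[1]), buckets

def simulate(buckets, hosts, seconds):
    """Total bytes delivered per one-second tick to `hosts` greedy clients.

    Simplified model (assumption): one shared network bucket, all buckets
    start full, and the hosts split each tick's bytes equally.
    """
    agg, net, ind = (buckets[k][1] for k in ("aggregate", "network", "individual"))
    delivered = []
    for _ in range(seconds):
        total = min(hosts * ind, net, agg)  # the tightest bucket decides
        delivered.append(total)
        agg, net, ind = agg - total, net - total, ind - total // hosts
        # Refill each bucket by its restore rate, capped at its maximum.
        agg = min(buckets["aggregate"][1], agg + buckets["aggregate"][0])
        net = min(buckets["network"][1], net + buckets["network"][0])
        ind = min(buckets["individual"][1], ind + buckets["individual"][0])
    return delivered

def to_mbit(bytes_per_s):
    """Convert bytes per second to megabits per second (decimal)."""
    return round(bytes_per_s * 8 / 1_000_000, 2)

if __name__ == "__main__":
    _, b = parse_class3(CONFIG_LINE)
    for n in (1, 4):
        print(n, "host(s):", [to_mbit(x) for x in simulate(b, n, 3)], "Mbit/s")
```

In this model a single client bursts in the first second and then settles at the per-host restore rate, while four clients together are capped by the aggregate bucket rather than by four times the per-host rate.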
                                            GraKa

                                            Hello,

                                            Is the problem that the limiters are not working with the transparent proxy solved in pfSense 2.3?
                                            And I mean without any workarounds.

                                            Thanks!
