Limiter blocks internet access (Squid transparent proxy)

foresthus

Hi there,

I have got the same problem. Version 2.2.4 (64Bit) does not work with transparent proxy anymore. In version 2.1.5 it worked fine. In that version (2.1.5) it was also possible to change the port of squid to a port beneeth 100. This is not working in 2.2.4 aswell.

I guess this must be a bug. ??? :-\

cmutwiwa

7 months later and this issue has not been addressed yet?…not complaining tho', SmallWall has kept me happy so far.
I hope this issue will be addressed tho' would like to use pf.

foresthus

Hello,

after updating to 2.2.5 the bug ist still there. traffic-shaping does not work with proxy in transparent mode.

:-[

JDvD

Ok, I have not tried it with the new version (2.2.5).
I also see in several post that there is a confusion, let's clarify this, the Limiter + Transparent Proxy not work, but, Limiter + Proxy NO-Transparent, work?

I think it's the same problem for all Traffic Shaper.

doktornotor

This entire topic has nothing to do with proxy. Limiters are (still) broken when applied to any NAT firewall rules; this is nothing specific to transparent Squid. On 2.2.x, and I cannot see any difference on 2.3 either. Broken as in dropping traffic -> unusable.

https://redmine.pfsense.org/issues/4326

JDvD

I meant to the subject of title (Limiter + Proxy), but, you have made it clear that it is a generalized problem from the NAT firewall rules. Thank you doktornotor

herymulyo

JAJAJA NO SOLUTION … back to 2.0.3 and fix it

gmar15

finley SOLUTION here

https://forum.pfsense.org/index.php?topic=106640.0

Riroxi

@Alfanetindo:

SOLVED*

I managed to find a simple fix. All I needed to do was create a pass all firewall rule on the (LAN) interface for port 3128 (my proxy port).

IPv4 TCP * * * 3128 * none Rule to allow transparent proxy to work

It worked and the speed limiter still works also.

Hello!

I made some adjusts to this rule, and worked! thx!

Just point the rule to 127.0.0.1, and will work!

Don't forget, the rule must be at top, and the rule with limiter must be below

Some screenshots below to help.

I hope this can help someone. Srry for my bad english.

:)

[EDIT]

Hello Again!

I tested this workaround for a few days and some apps like download managers can bypass limiters. :(

Looking for another temp solution.

Cya!

PROXY_RULE.png_thumb

LIMITER_RULE.png_thumb

LIMITER_DOWN.png_thumb

LIMITER_UP.png_thumb

geovaneg

I suggest, as workaround, that you limit the client bandwidth through squid "Traffic Mgmt" tab, "Per-host throttling" option, on "Proxy server: General settings". For me, it is running ok. Sorry by my bad english too :-)

ohbobva

For years, I've limited Squid (transparent) bandwidth using Squid "delay pools" in "Custom Options" on the "General" tab of Squid's settings. I researched and set this up years ago, and don't remember the details, so you'll need to check Squid's documentation for info on the various options. Here is what I've been using in the "Custom Options" box…

positive_dns_ttl 90 seconds
delay_class 1 3
delay_parameters 1 1572864/1966080 1572864/1966080 524288/655360
quick_abort_min 1024 KB
quick_abort_max 2048 KB
quick_abort_pct 90

If I remember correctly, among other things, this limits the download speed of the browser, but allows some amount of bursting.

More info at http://wiki.squid-cache.org/Features/DelayPools

It looks like this when added to the "Custom Options" box on the "General" tab of Squid's settings in PFSense's GUI...

positive_dns_ttl 90 seconds;delay_class 1 3;delay_parameters 1 1572864/1966080 1572864/1966080 524288/655360;quick_abort_min 1024 KB;quick_abort_max 2048 KB;quick_abort_pct 90

GraKa

Hello,

is the problem, that the Limiters are not working with the transparent proxy solved in pfSense 2.3?
And I mean without any workarounds.

Thanks!

JDvD

@GraKa:

Hello,

is the problem, that the Limiters are not working with the transparent proxy solved in pfSense 2.3?
And I mean without any workarounds.

Thanks!

No yet. Unfortunately…

@gmar15:

finley SOLUTION here

And the gmar15 solution not work for each IP, only makes a single pipe…

alfredopea

Check this issue:

https://redmine.pfsense.org/issues/4325

Just change the transfer rate from megabits to kilobits in you limiters (download/upload) and everything will work fine again.

The problem is with squid 2.7.9+ and ipfw limiters.

Example 1.5 Mbps (1536 Kbps) Download and 1 Mbps (1024 Kbps) limiters:

Hope this help and sorry about my english.

Limiter_Kbps.png_thumb

Firewall_Rule.png_thumb

felipemb

Hi Alfredo,

This solution not worked on 2.3.1 :(

In this video: https://www.youtube.com/watch?v=wcSyGDXkJ9A

How i create queue on interface LAN in 2.3.1?

Thanks for the help!!

elic

Any solution?

Cergoo

2.3.2-RELEASE Limiter+Squid still not working

jbx907

hi guys, some showed me this link and am also have problems, it is mostly with slow site links, facebook youtube opens but slow sites it does not open, im using 2.3.2 latest but still no luck, i have to just give up squid since the limiter already save the bandwidth

shapoval

Working (for me on 2.3.2) by simply adding a LAN rule at the top, Destination, Any, From (other) 3128 to (other) 3128 Custom.

Credit to: Adrea Guglielmini http://guglio.xyz/pfsense-2-3-limiters-and-squid-bugfix/

Cergoo

@shapoval:

Working (for me on 2.3.2) by simply adding a LAN rule at the top, Destination, Any, From (other) 3128 to (other) 3128 Custom.

Credit to: Adrea Guglielmini http://guglio.xyz/pfsense-2-3-limiters-and-squid-bugfix/

It really works. Thank you for your message.