Netgate Discussion Forum
    Squid proxy blocks all traffic

    • fireix

      I only have one big subnet, so Squid should be running on the same one.

      In the log file, I see this (the live view didn't work, it says object moved or something like that):

      1478367507.769      1 127.0.0.1 TCP_MISS/301 604 GET cache_object://localhost/active_requests - HIER_DIRECT/127.0.0.1 text/html
      1478367510.769      1 127.0.0.1 TCP_MISS/301 604 GET cache_object://localhost/active_requests - HIER_DIRECT/127.0.0.1 text/html
      1478367768.225      2 127.0.0.1 TCP_MISS/301 604 GET cache_object://localhost/active_requests - HIER_DIRECT/127.0.0.1 text/html
      1478367771.676      1 127.0.0.1 TCP_MISS/301 604 GET cache_object://localhost/active_requests - HIER_DIRECT/127.0.0.1 text/html
      1478368208.710      2 127.0.0.1 TCP_MISS/301 604 GET cache_object://localhost/active_requests - HIER_DIRECT/127.0.0.1 text/html
      1478368212.127      1 127.0.0.1 TCP_MISS/301 604 GET cache_object://localhost/active_requests - HIER_DIRECT/127.0.0.1 text/html
      1478368212.244      1 127.0.0.1 TCP_MISS/301 604 GET cache_object://localhost/active_requests - HIER_DIRECT/127.0.0.1 text/html

      Cache log is like this:
      2016-11-05 18:51:37 [36443] New setting: dbhome: /var/db/squidGuard
      2016-11-05 18:51:37 [36443] destblock Gen missing active content, set inactive
      2016-11-05 18:51:37 [37033] (squidGuard): can't write to logfile /var/log/squidGuard/squidGuard.log
      2016-11-05 18:51:37 [37033] New setting: logdir: /var/squidGuard/log
      2016-11-05 18:51:37 [36657] (squidGuard): can't write to logfile /var/log/squidGuard/squidGuard.log
      2016-11-05 18:51:37 [37033] New setting: dbhome: /var/db/squidGuard
      2016-11-05 18:51:37 [37033] destblock Gen missing active content, set inactive
      2016-11-05 18:51:37 [37271] (squidGuard): can't write to logfile /var/log/squidGuard/squidGuard.log
      2016-11-05 18:51:37 [36657] New setting: logdir: /var/squidGuard/log
      2016-11-05 18:51:37 [36657] New setting: dbhome: /var/db/squidGuard
      2016-11-05 18:51:37 [36657] destblock Gen missing active content, set inactive
      2016-11-05 18:51:37 [37271] New setting: logdir: /var/squidGuard/log
      2016-11-05 18:51:37 [37271] New setting: dbhome: /var/db/squidGuard
      2016-11-05 18:51:37 [37271] destblock Gen missing active content, set inactive
      2016-11-05 18:51:37 [36892] (squidGuard): can't write to logfile /var/log/squidGuard/squidGuard.log
      2016-11-05 18:51:37 [36892] New setting: logdir: /var/squidGuard/log
      2016-11-05 18:51:37 [36892] New setting: dbhome: /var/db/squidGuard
      2016-11-05 18:51:37 [36892] destblock Gen missing active content, set inactive
      2016-11-05 18:51:37 [37491] (squidGuard): can't write to logfile /var/log/squidGuard/squidGuard.log
      2016-11-05 18:51:37 [37491] New setting: logdir: /var/squidGuard/log
      2016-11-05 18:51:37 [37491] New setting: dbhome: /var/db/squidGuard
      2016-11-05 18:51:37 [37491] destblock Gen missing active content, set inactive
      2016/11/05 18:51:37| pinger: Initialising ICMP pinger …
      2016/11/05 18:51:49 kid1| Shutdown: NTLM authentication.
      2016/11/05 18:51:49 kid1| Shutdown: Negotiate authentication.
      2016/11/05 18:51:49 kid1| Shutdown: Digest authentication.
      2016/11/05 18:51:49 kid1| Shutdown: Basic authentication.
      CPU Usage: 1.016 seconds = 0.422 user + 0.594 sys
      Maximum Resident Size: 346704 KB
      Page faults with physical i/o: 0

      • KOM

        Do you have squidguard installed or just squid by itself?

        • fireix

          Squidguard is installed. I probably selected it because it mentioned URL filtering (and it is URLs I want to log).

          • KOM

            Squidguard's default ACL is set to Deny, I believe.  You must change that, or create a new ACL for your users and then

            • fireix

              Is it the "Allowed Subnets" in "PackageProxy Server: Access ControlACLs" where I should enter the subnet? It is the same subnet as the entire fw is running on (transparent proxy). By that, I mean that both the WAN and LAN side of pfSense are on the same network using static IPs all the way; no local IPs or other subnets are involved. Really simple setup, no NAT or anything else. Mostly webservers.

              The help text under "Allowed Subnets" says this:
              "The proxy interface subnet is already an allowed subnet."

              Edit: But I do see that one of the local LAN ports has been assigned "10.10.10.1" by the system. I have chosen the proxy to listen on both the WAN and LAN ports, so maybe this explains why I have to add my subnet? I'm not actually using that 10.10.10.1 subnet for anything, but I assume the proxy server uses it for something.

              • KOM

                Is it the "Allowed Subnets"  in "PackageProxy Server: Access ControlACLs" where I should enter the subnet?

                You only need to modify Allowed Subnets if you're adding extra networks.  You already said you're all on the same network.

                By that, I mean that both WAN and LAN side of pfSense is on the same network using static-ips all the way

                What?  LAN and WAN can't be on the same network.

                I have choosen the proxy to listen on both WAN and LAN-ports

                Why would you do that??  LAN only.

                You didn't address my comments about squidguard.  Have you changed the Common ACL - Target Rules List so that Default access [all] is set to Allow?

                • fireix

                  Under Common ACL, I already had this set:

                  [Gen] access
                  Default access [all] access

                  (Gen is a category I created earlier)

                  So it doesn't seem to be the problem.

                  "What?  LAN and WAN can't be on the same network."

                  Both WAN and LAN devices have the same (public static IPs) network mask/IP range. That was what I was thinking about. But I assume you mean that the 10.X interface (on LAN1) is another network.

                  • fireix

                    I removed the proxy from the WAN interface and now it doesn't crash at least.

                    Squid Realtime Stats (SQStat):
                    No active connections

                    Realtime log shows this:
                    Date IP Status Address User Destination
                    07.11.2016 20:59:55 127.0.0.1 TCP_MISS/200 cache_object://localhost/active_requests - -
                    07.11.2016 20:59:52 127.0.0.1 TCP_MISS/200 cache_object://localhost/active_requests - -
                    07.11.2016 20:59:49 127.0.0.1 TCP_MISS/200 cache_object://localhost/active_requests - -
                    07.11.2016 20:59:46 127.0.0.1 TCP_MISS/200 cache_object://localhost/active_requests - -
                    07.11.2016 20:59:43 127.0.0.1 TCP_MISS/200 cache_object://localhost/active_requests - -
                    07.11.2016 20:59:40 127.0.0.1 TCP_MISS/200 cache_object://localhost/active_requests - -
                    07.11.2016 20:59:37 127.0.0.1 TCP_MISS/200 cache_object://localhost/active_requests - -

                    But no URLs or anything else are logged.

                    • KOM

                      Both WAN and LAN devices have the same (public static IPs) network-mask/ip-range.

                      That is a broken configuration.  WAN and LAN must be on different networks.  Usually WAN is public IP space and LAN is private IP space.  You must fix this first before you spend another second troubleshooting squid.

                      • fireix

                        We use the firewall to protect webservers/mailservers and other public servers in our data center. Having local IPs for WHM, DirectAdmin etc. and doing NAT would not be that easily possible with many different clients (in addition, it would slow down traffic doing NAT in all directions). That is why we run the fw in transparent mode: it just lets traffic through.

                        I know this is not normal in an office setting, where you have mostly local computers and just a few machines allowed in/out of the network. But here we have mostly servers that are meant to be accessed from the Internet. If you for instance rent a server at Amazon, you don't get a local IP.

                        I have not seen any other issues with this configuration? Ports are blocked and traffic is blocked if we don't open ports/IPs.

                        • KOM

                          When you said you run transparent, I thought you were talking about squid.  It's not every day that I see someone using pfSense bridged like that.

                          Perhaps you should start from the beginning.  Uninstall all of those packages.  Confirm that LAN clients have web access.  Then install squid by itself and configure.  Once that works, add squidguard.

                          • fireix

                            I have removed everything, I have not installed squidguard. Do I need it to log URLs?

                            I have installed squid and LightSquid. When I visit sqstat, I get this:

                            Error (60): Operation timed out

                            When I view the Squid access log from ssh, it logs things like this:
                            1478551639.697      0 127.0.0.1 TCP_MISS/200 769 GET cache_object://localhost/active_requests - HIER_NONE/- text/plain
                            1478551641.279      0 127.0.0.1 TCP_MISS/200 769 GET cache_object://localhost/active_requests - HIER_NONE/- text/plain
                            1478551645.241      0 127.0.0.1 TCP_MISS/200 769 GET cache_object://localhost/active_requests - HIER_NONE/- text/plain
                            1478551648.247      0 127.0.0.1 TCP_MISS/200 769 GET cache_object://localhost/active_requests - HIER_NONE/- text/plain
                            clog: ERROR: could not write output (Bad address)
                            [2.3.2-RELEASE][admin@localdomain]/root:

                            I have not configured anything besides the basics.

                            • KOM
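The access.log excerpts in the first post and in the post above share one feature: every entry is 127.0.0.1 requesting cache_object://localhost/active_requests, which is Squid's own cache manager being polled by SqStat, not a client browsing through the proxy. The script below is an added example, not code from this thread or from the Squid or pfSense projects. It parses Squid's default native access.log format and separates cache-manager polling from real client requests, so "nothing is logged" and "only self-monitoring is logged" can be told apart. The sample log takes four lines and the clog error line from the post above and adds one constructed client request (203.0.113.25 fetching example.com via peer 192.0.2.10, both TEST-NET addresses) to show what a genuine client entry looks like.

```python
"""Separate Squid cache-manager polling from client requests in access.log.

Added example, not code from the forum thread or from Squid/pfSense.
Squid's native log format (the default on pfSense) is one line per request:
  timestamp elapsed_ms client result_code/status bytes method URL user hierarchy/peer content_type
"""
import re
from collections import Counter
from datetime import datetime, timezone

NATIVE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)\s*$"
)

# Sample input: the first five lines are copied from the post above (the clog
# error is not a log entry and is expected to be skipped); the last line is
# constructed to show what a real client request would look like.
SAMPLE_LOG = [
    "1478551639.697      0 127.0.0.1 TCP_MISS/200 769 GET cache_object://localhost/active_requests - HIER_NONE/- text/plain",
    "1478551641.279      0 127.0.0.1 TCP_MISS/200 769 GET cache_object://localhost/active_requests - HIER_NONE/- text/plain",
    "1478551645.241      0 127.0.0.1 TCP_MISS/200 769 GET cache_object://localhost/active_requests - HIER_NONE/- text/plain",
    "1478551648.247      0 127.0.0.1 TCP_MISS/200 769 GET cache_object://localhost/active_requests - HIER_NONE/- text/plain",
    "clog: ERROR: could not write output (Bad address)",
    "1478551650.102     37 203.0.113.25 TCP_MISS/200 5120 GET http://example.com/index.html - HIER_DIRECT/192.0.2.10 text/html",
]


def parse_line(line):
    """Return a dict for one native-format entry, or None if the line is not one."""
    m = NATIVE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.fromtimestamp(float(entry["ts"]), tz=timezone.utc)
    for key in ("elapsed", "status", "bytes"):
        entry[key] = int(entry[key])
    return entry


def is_cache_manager(entry):
    """True for Squid's own cache manager interface being polled from localhost."""
    return entry["url"].startswith("cache_object://") and entry["client"] in ("127.0.0.1", "::1")


def summarise(lines):
    """Count cache-manager polling versus client requests in a list of log lines."""
    parsed = [e for e in (parse_line(l) for l in lines) if e is not None]
    unparsed = sum(1 for l in lines if l.strip() and parse_line(l) is None)
    manager = [e for e in parsed if is_cache_manager(e)]
    clients = [e for e in parsed if not is_cache_manager(e)]
    return {
        "total": len(parsed),
        "unparsed": unparsed,
        "cache_manager": len(manager),
        "client_requests": len(clients),
        "clients": Counter(e["client"] for e in clients),
        "status_by_code": Counter(f"{e['code']}/{e['status']}" for e in parsed),
    }


def report(summary):
    """Render the summary with a plain verdict on whether client traffic reaches Squid."""
    lines = [
        f"parsed {summary['total']} entries ({summary['unparsed']} non-log lines skipped)",
        f"cache-manager polling from localhost: {summary['cache_manager']}",
        f"client requests: {summary['client_requests']}",
    ]
    if summary["client_requests"] == 0:
        lines.append("verdict: only Squid's own cache_object:// polling is logged; "
                     "no client traffic is reaching the proxy, so check the listening "
                     "interface and redirection rather than the logging settings")
    else:
        for ip, count in summary["clients"].most_common():
            lines.append(f"  {ip}: {count} request(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarise(SAMPLE_LOG)))
```

Run against only the four lines from the post (drop the constructed one) and the verdict reads that no client traffic reaches the proxy, which matches KOM's later advice to confirm that LAN clients actually go through Squid before looking at squidguard or the log viewers.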

                              I have not installed squidguard. Do I need it to log URLs?

                              Everything is logged in squid's access.log.  You use squidguard to filter the URLs.

                              I'm thinking that your config is still borked.  You should uninstall the package and then shell in and clean out any cruft.  Follow this guide under the Complete Reset section:

                              https://doc.pfsense.org/index.php/Squid_Troubleshooting

                              • kasalencar @fireix

                                @fireix I have the same error. But I don't even have caching enabled in Squid.
                                I have already restarted pfSense and it continues.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.