pfBlockerNG Can't Bypass Client With WPAD
-
Hi guys,
I have a configuration with:
Squid + SGuard + WPAD and pfBlockerNG
My problem is that when I connect to Squid WPAD (Squid proxy port), pfBlockerNG cannot block IPv4 rules for ports 80 & 443.
Actually, I solved this problem (changed my general configuration WAN TO WAN), but this time my bypass rules are not working: http://i.prntscr.com/a670b5a2fb944fe2972cb42620963484.png
Floating ByPass alias for clients:
http://i.prntscr.com/c2a87f94b45f486aaaf7181c1c38c30f.png
Does anyone know something about that?
EDIT PS: These ByPass rules include some of my clients (private clients or servers).
If I change the floating rule like this: http://i.prntscr.com/24c5fff3423f4d8bbbec5ea51542df6f.png ("any to any", it is working.)
but when I choose single host or alias, it is not working: http://i.prntscr.com/c2a87f94b45f486aaaf7181c1c38c30f.png
Serbest HTTP: "It means ByPass User Alias"
-
This isn't the correct forum section for this question.
There is a special packages subsection for this: https://forum.pfsense.org/index.php?board=15.0
As for your questions:
No clue, but dealing with Squid is always a pain in the ass ;)
-
pfBNG will not block anything from Squid (localhost) since the traffic won't ever match.
P.S. Not exactly sure what's "changed my general configuration WAN TO WAN" supposed to mean.
-
His "WAN to WAN" is supposed to mean he changed pfBlocker's auto rule connection to create inbound and outbound rules in floating using WAN and WAN as inbound?? Agreed, it's fuzzy on what he changed from and to, etc.
While pfBlocker is a slick package, I am not a fan of any sort of auto rule anything. When I was playing with it, I always just used the aliases and created my own rules. But dok is right on the money (as always): your rule would have to block the firewall as the source, since when you're using the proxy, that is what is doing the going, not the client. The client says "hey proxy, go get www.something.com for me, and then send it to me after you've got it."
-
In a nutshell, pfBlockerNG is blocking traffic that goes through pfSense, and using a proxy means the traffic is no longer going through. It's now terminating and originating in pfSense.
-
> His "WAN to WAN" is supposed to mean he changed pfBlocker's auto rule connection to create inbound and outbound rules in floating using WAN and WAN as inbound?? Agreed, it's fuzzy on what he changed from and to, etc.
> While pfBlocker is a slick package, I am not a fan of any sort of auto rule anything. When I was playing with it, I always just used the aliases and created my own rules. But dok is right on the money (as always): your rule would have to block the firewall as the source, since when you're using the proxy, that is what is doing the going, not the client. The client says "hey proxy, go get www.something.com for me, and then send it to me after you've got it."
So where is the solution?? :D
> In a nutshell, pfBlockerNG is blocking traffic that goes through pfSense, and using a proxy means the traffic is no longer going through. It's now terminating and originating in pfSense.
You're totally right. But I created "any to any * * PASS to Floating" rules. It could work.. If I change it Single host or alias to Any * * it wouldn't work.
> pfBNG will not block anything from Squid (localhost) since the traffic won't ever match.
> P.S. Not exactly sure what's "changed my general configuration WAN TO WAN" supposed to mean.
It means: http://prntscr.com/dm41u3
If I can change it like this, it could work. But WAN to LAN "NOT WORKING WITH SQUID PROXY"
-
Uh.
> But I created "any to any * * PASS to Floating" rules. It could work.. If I change it Single host or alias to Any * * it wouldn't work.
Huh? You are trying to fix non-working blocking by allow anything rules? How on earth could that ever possibly help?!?
-
> Uh.
> > But I created "any to any * * PASS to Floating" rules. It could work.. If I change it Single host or alias to Any * * it wouldn't work.
> Huh? You are trying to fix non-working blocking by allow anything rules? How on earth could that ever possibly help?!?
If I activate this rule: http://prntscr.com/dm46ss
PF BLOCKER ACCEPTS IT
If I change the rule like this: http://prntscr.com/dm47fk
PF BLOCKER DOES NOT ACCEPT IT
I think it is not familiar with a single host or alias source.. "WAN TO WAN"
-
It does NOT "accept" it because it's not matching the traffic. The source is NOT "FreeClients". The source IP is Squid on pfSense.
Remove that absolutely horrible allow any floating rule, you are killing your firewall functionality with such nonsense.
-
> It does NOT "accept" it because it's not matching the traffic. The source is NOT "FreeClients". The source IP is Squid on pfSense.
> Remove that absolutely horrible allow any floating rule, you are killing your firewall functionality with such nonsense.
:D ;D so how could I match it with my freeclients ???
-
You don't. Not possible. Put them on a non-proxied VLAN.
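
The point made in the replies above (with Squid in the path, the source a rule sees is the firewall, not the client), as an added illustration that is not part of the original thread. The addresses, the blocked range and the function names are constructed for the example, and the model is a plain source/destination match, not pf's rule engine.

```python
import ipaddress

# Constructed sample values (private/documentation ranges), not from the thread.
FW_LAN, FW_WAN = "192.168.1.1", "198.51.100.2"      # assumed firewall addresses
FREE_CLIENTS = {"192.168.1.50"}                      # stand-in for the bypass alias
BLOCKLIST = ipaddress.ip_network("203.0.113.0/24")   # stand-in blocked range

def packets_seen(client, dest, via_proxy):
    """(src, dst) pairs the firewall's filter sees for one client request."""
    if not via_proxy:
        # Routed: the client's packet passes through with its own source.
        return [(client, dest)]
    # Proxied: the client's connection ends at Squid on the firewall, and
    # Squid opens a second connection that originates from the firewall.
    return [(client, FW_LAN), (FW_WAN, dest)]

def rule_matches(pkt, sources, dest_net):
    """True if src is in `sources` (None = any) and dst is in `dest_net`."""
    src, dst = pkt
    src_ok = sources is None or src in sources
    return src_ok and ipaddress.ip_address(dst) in dest_net

def any_match(client, dest, via_proxy, sources):
    """Does a rule with this source and the blocklist as destination ever match?"""
    return any(rule_matches(p, sources, BLOCKLIST)
               for p in packets_seen(client, dest, via_proxy))

if __name__ == "__main__":
    for via_proxy in (False, True):
        for label, sources in (("FreeClients", FREE_CLIENTS), ("any", None),
                               ("firewall", {FW_WAN})):
            hit = any_match("192.168.1.50", "203.0.113.10", via_proxy, sources)
            print(f"proxy={via_proxy!s:5} source={label:11} matches={hit}")
```

In the proxied case the only packet carrying the blocked destination has the firewall as its source, so a rule keyed on the client alias has nothing to match.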