Netgate Discussion Forum

    Clueless about install

    Category: Problems Installing or Upgrading pfSense Software

    EricGus

      Trying to set up pfsense 2.3.2_1 as a proxy for several subnets while only altering the pc client's proxy settings (no changing of gateway). I installed squid+squidguard. It should globally blacklist ALL and use only a whitelist.
      As stated, I have several subnets to pass through it (i.e., 10.1.* with gw 10.1.1.1 and 192.168.* with gw 192.168.1.1). The clients are currently going through an OLD Forefront TMG server which I can look at for the existing whitelist, etc.
      LAN connection is static but WAN is currently set to DHCP (2 NICs).

      Because I'm also behind a corporate proxy, the pfsense outbound WAN connection needs to be routed through it. 
      Can anyone give tips, point me in the right direction?

      Thanks!
      Gus

    KOM

        Which particular part are you having trouble with?

    EricGus

          Passing on the requests out the wan interface on to the corporate proxy is the main issue at this point I believe.

          Here's my config:

          interface setup: (via shell)
          LAN vmx0 xx.xx.192.228/22
          WAN vmx1 xx.xx.196.240/22    WAN uplink gateway xx.xx.196.1

          Advanced setup:
          networking: allow ipv6 - yes
          misc: proxy url- proxy.corporatesiteproxy.xxxx.com
          proxy port- 8080
          username/password: blank.. no authentication needed.

          general setup:
          hostname - labsvmsense
          domain - blah.xxxx.com
          dns1 - xx.64.64.54  GW_LAN - lan - xx.xx.196.1
          dns2 - xx.64.64.53  GW_LAN - wan - xx.xx.196.1

          squid: enabled.  keep settings, LAN, Allow users on interface, resolve dns ipv4 first
          proxy interface(s): LAN
          proxy port: 3128
          local cache: heap lfuda
          acl: allowed subnets-  xx.xxx.184.0/22    (test client on this subnet with proxy set to labsvmsense.xxxx.com:3128)

          SquidGuard: disabled

          everything else is default to the best of my recollection.

          It's now resolving and working for intranet traffic but is taking almost 10 seconds before a site appears.
          It will not show anything internet.

          Due to corporate policy, I cannot ping, tracert, nslookup, etc. anything on the internet (i.e., ping google.com fails from a regular pc through the corporate proxy).

          In order for pkg manager to get pfsense updates, I did a setenv in root's .cshrc file which points to the same proxy as specified in the first few lines of this msg.

          On the old forefront server, there's a section in the Networking called Web Chaining which says basically to forward all traffic on to the corporate proxy address.  That's the part that I think I'm missing with pfsense.

    KOM

            Is there a reason you couldn't just set the client proxy to be the corporate one and cut out the squid middle man?

    EricGus

              There are certainly departments that are denied internet access except for the whitelisted URLs.

    KOM

                Fair enough.

                It troubles me that pfSense can't even get through your corporate proxy to get its packages.  What are you using for DNS with pfSense?  Can you resolve proxy.corporatesiteproxy.xxxx.com via Diagnostics - DNS Lookup?

    EricGus

                  Corporate DNS. Yes, the corporate proxy resolves. It appears everything is working on the intranet side; it's like pfsense is missing a part of the config that tells it to pass on to the corporate proxy. Originally, the workstations/clients point to the corporate proxy (or the old Forefront TMG server) via the Internet Explorer/system-wide proxy setting, but I wish to point those systems to pfsense, have it filter for the whitelist, then pass on the acceptable requests to the corp proxy.

    doktornotor

                    Hmmm, kinda confused here. Messing with the pfSense's proxy settings here will do nothing for the clients. It will only proxy the HTTP/FTP traffic from the firewall itself. You should configure an upstream proxy in Squid (the Remote Cache tab).

    KOM
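    An added squid.conf fragment (not from the thread, and not the pfSense package's generated config) showing what the Remote Cache advice above and the whitelist-only goal from the first post look like in Squid's own directives; the client subnet, the upstream proxy hostname and the whitelist file path are placeholders taken or assumed from the posts.

```squid
# Added example, not from the thread. Explicit-proxy Squid policy that only
# admits whitelisted destinations and hands every allowed request to an
# upstream corporate proxy. Hostnames/ranges are masked placeholders.

# Explicit proxy port the clients point at (no interception, no SSL bump here).
http_port 3128

# Client subnets allowed to use the proxy (the thread's test subnet, masked).
acl allowed_clients src xx.xxx.184.0/22

# Whitelist-only policy: one domain per line in the file, e.g. ".example.com".
# Path is an assumption; pfSense's package keeps its files under /usr/local/etc/squid.
acl whitelist dstdomain "/usr/local/etc/squid/whitelist.txt"

# Allow only whitelisted destinations for the allowed subnets; deny everything else.
http_access allow allowed_clients whitelist
http_access deny all

# Upstream (parent) proxy, which is what pfSense's "Remote Cache" tab configures.
# no-query: do not send ICP queries to the parent; default: use it when no
# other peer matches.
cache_peer proxy.corporatesiteproxy.xxxx.com parent 8080 0 no-query default

# Never go direct: force everything (plain HTTP and CONNECT) via the parent.
# Without this Squid tries to reach internet hosts itself, which fails behind
# a corporate proxy where direct DNS and egress are blocked.
never_direct allow all

# Note: the pfSense System > Advanced > Misc proxy setting only affects the
# firewall's own traffic (pkg, updates); it does not forward client requests.
```

    To confirm requests are actually being forwarded, check the hierarchy field in Squid's access.log: allowed requests should show a parent code (e.g. DEFAULT_PARENT) rather than HIER_DIRECT.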

                      OK, does the corporate proxy need to be told to allow your current pfSense WAN IP to access it?

    EricGus

                        It shouldn't, since it's in the same normal allowable range. If I had assigned that WAN IP to a standard system and set the proxy to the corporate one then it'd go through just fine… and it'd go through without user authentication as well.
                        I didn't have the remote cache set up, so that is now done (general options = allow miss (also tried adding no tproxy); hierarchy = parent, default method).

                        That was the catch.  ;D  standard http traffic is now working. https is not, so I'll enable and setup Squid-General section 'SSL Man In the Middle Filtering' and let you know..

                        Update: imported my corporate trusted root cert, set the port to be the same as standard traffic (3128) and that was a no-go. Accepted the default 3129 and that still didn't work.

                        Clients have always been set up to use the same proxy/port for http/https and I currently have the test workstation set to point to the single port.

    doktornotor

                          No, you cannot have the same port for HTTP and HTTPS.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.