Crazy to setup pfsense 2.3.3+squid+squidguard+wpad
-
I forgot to select transparent proxy in squid and in doing so I see that I can go to the internet using squid both if I select autoconfiguring and if I select without proxy. It's very strange!
-
Huh… There's no need for WPAD or any proxy configuration on clients when the proxy is transparent. Nothing strange about it.
-
Then I have not understood what aGeekHere means when he writes: "I found that we can use both a transparent proxy for port 80 and a wpad for 443 https content, the wpad will be set up to use port 80 and 443. The transparent proxy is going to catch everything that the wpad misses, enable transparent proxy in squid once you have the wpad set up."
I want all my traffic to go through squid and use wpad to not have to configure anything on client computers, in my lan and my vlans.
-
At this point it works. I have rebooted the machine and now it works. I imagine that in some step I had to restart and I did not.
Now I'm going to check on vlan102. Regards.
-
Hi jopeme, glad that you have got it working.
On using a transparent proxy with WPAD:
You can just use the WPAD and block ports 80 and 443; however, programs which do not have a proxy configuration will be blocked, so you would need to create a pass rule for each program getting blocked. Using the transparent proxy for port 80 traffic removes that trouble, though you will still need to create pass rules for 443 traffic.
Using a WPAD for 443 traffic is better than using SSL Man In the Middle Filtering because you do not need to install a certificate on each device, and second, SSL Man In the Middle Filtering can break things (like some websites and program updates).
There is one error with Firefox: you must select "Auto-detect proxy settings for this network" and NOT "Use system proxy settings".
If using Windows you need to go to Control Panel, Internet Options, Connections, LAN settings and tick "Automatically detect settings".
Hope this helps.
-
Is it necessary to configure the clients' advanced TCP/IP DNS settings with the domain configured in pfSense, for example localdomain.local?
If I do not add it, it does not work correctly, and this does not make much sense to me, since if you have to configure it on all clients it is not worth using wpad.
-
Sorry for my English. This picture shows what I want to say:
If I use the default configuration on my Windows clients I cannot go out to the internet.
-
I just obtain an IP address automatically; I did not need to set anything in the advanced TCP/IP settings.
-
It's very strange. :-[ :-[
Please could you tell me if my LAN rules and wpad.dat, wpad.da, proxy.pac are right?
(image of the LAN rules: http://www.servyarte.com/reglaslan.jpg)
PROXY.PAC
function FindProxyForURL(url, host)
{
    // Bypass the proxy for single-label names, *.local hosts and the 10.0.0.0/24 LAN
    if (isPlainHostName(host) ||
        shExpMatch(host, "*.local") ||
        isInNet(dnsResolve(host), "10.0.0.0", "255.255.255.0"))
        return "DIRECT";
    // Everything else goes through Squid on the pfSense LAN address
    return "PROXY 10.0.0.1:3128";
}
And are these rules right for my VLAN? Because from this VLAN I cannot get the wpad: if I type http://wpad.localdomain.local/wpad in the browser it does not resolve.
-
Reread the DNS firewall rule section (make the rule on top):
Interface = LAN
Protocol = TCP/UDP
Source ports = *
Dest address = *
Dest ports = 53
NAT IP = 127.0.0.1
NAT Ports = 53
Description = Redirect DNS
LAN TCP/UDP * * * 53 127.0.0.1 53 Redirect DNS
No firewall rule is needed for 3128??? Not sure on VLAN.
Change wpad to
PROXY.PAC
function FindProxyForURL(url, host)
{
    // Mask widened to 255.0.0.0 so every 10.x.x.x host (LAN and VLANs) is reached directly
    if (isPlainHostName(host) ||
        shExpMatch(host, "*.local") ||
        isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0"))
        return "DIRECT";
    return "PROXY 10.0.0.1:3128";
}
Not sure on VLAN as I have never set one up.
-
Now I am testing from a VLAN and I have detected that if I do not activate the third rule then from a client I cannot download http://wpad.localdomain.local/proxy.pac, but if I activate the rule then I can download the proxy.pac.
It also works fine if I do nslookup wpad.localdomain.local and it responds:
C:\Users\Computers>nslookup wpad.localdomain.local
Server: fproxy.localdomain.local
Address: 10.0.0.1

Name: wpad.localdomain.local
Address: 10.0.0.1
Any idea?
-
It looks like the 3rd rule blocks the VLAN from connecting to the router which has the wpad.
-
Nobody knows how I can solve it?
Thanks.
-
Did you manage to get it working? I have vlans configured on my network. Like others have mentioned, if you are wanting to use wpad, then you should disable transparent proxy.
Two of my vlans are for mobile wifi and I do not pass wpad to them. It is very difficult to set up as you have to input the proxy information manually. Also some apps do not work very well with it. So these are the only two that I pass through transparent proxy. The others grab wpad because I have specified in the browser to auto detect settings.
-
Finally, for the wifi interface I will use neither squid nor wpad. What instructions did you follow to configure wpad? Could you show me your configuration for the VLAN? Thank you.
-
This is a link to a tutorial I used to set up WPAD. It is fairly straightforward. Basically you set up a web server on pfSense to serve the wpad to your different VLANs. I do not have any firewall rules to port 3128, only to the web server on the specified port.
https://nguvu.org/pfsense/pfSense-WPAD-PAC-proxy-configuration-guide/
Here is what my wpad.da/proxy.pac looks like:
function FindProxyForURL(url, host)
{
    // Our own domain is always reached directly
    if (dnsDomainIs(host, ".mydomain.com")) {
        return "DIRECT";
    } else if (isInNet(myIpAddress(), "10.0.0.0", "255.255.255.0")) { // Admin Net
        return "PROXY 10.0.0.1:3128; DIRECT";
    } else if (isInNet(myIpAddress(), "10.0.2.0", "255.255.255.0")) { // User Net
        return "PROXY 10.0.2.1:3128; DIRECT";
    } else if (isInNet(myIpAddress(), "10.0.3.0", "255.255.255.0")) { // Guest Net
        return "PROXY 10.0.3.1:3128";
    } else {
        return "DIRECT";
    }
}
Under Services -> Squid Proxy Server, make sure Enable Squid Proxy is checked, also make sure that the vlans you want to use the proxy are selected. The proxy port should be 3128.
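An added example, not code from this thread, from pfSense or from the nguvu guide: an offline harness that implements the helper functions a browser hands to a PAC file, so the FindProxyForURL logic discussed above can be checked before it is served as wpad.dat/proxy.pac. It embeds jopeme's LAN PAC with both the original 255.255.255.0 mask and the 255.0.0.0 mask aGeekHere suggested, the per-VLAN PAC from the post above, and a simplified model of DNS-based WPAD discovery that shows why a client needs the pfSense domain as its DNS suffix. The DNS table, client addresses and host names are constructed for the test; `wpadCandidateUrls` is a simplification of the real discovery algorithm.

```javascript
// Added example, not code from the thread or from pfSense: an offline harness
// for checking FindProxyForURL logic before serving it as wpad.dat/proxy.pac.

// Constructed DNS table standing in for the pfSense resolver behind dnsResolve().
const DNS_TABLE = {
  "wpad.localdomain.local": "10.0.0.1",
  "printer.localdomain.local": "10.0.2.20",
  "intranet.mydomain.com": "10.0.2.20",
  "example.com": "203.0.113.10",   // constructed public address (TEST-NET-3)
};

// The client's own address, set by evaluate() so myIpAddress() can return it.
let CLIENT_IP = "10.0.0.50";

function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
}

// Minimal versions of the helper functions a browser exposes to a PAC file.
function isPlainHostName(host) { return !host.includes("."); }
function dnsDomainIs(host, domain) { return host.endsWith(domain); }
function dnsResolve(host) { return DNS_TABLE[host] || null; }
function myIpAddress() { return CLIENT_IP; }
function isInNet(ip, net, mask) {
  if (!ip) return false;            // dnsResolve() failed: browsers return null here
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(net) & m);
}
function shExpMatch(str, pattern) {
  // Shell-style glob: only * and ? are special, everything else is literal.
  const re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                          .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// jopeme's LAN PAC from this thread, with the netmask as a parameter so the
// original 255.255.255.0 and aGeekHere's 255.0.0.0 can be compared.
function makeLanPac(mask) {
  return function FindProxyForURL(url, host) {
    if (isPlainHostName(host) ||
        shExpMatch(host, "*.local") ||
        isInNet(dnsResolve(host), "10.0.0.0", mask))
      return "DIRECT";
    return "PROXY 10.0.0.1:3128";
  };
}

// The per-VLAN PAC from the post above: the client's own address picks the
// pfSense interface address that acts as the proxy, with DIRECT as fallback.
function vlanPac(url, host) {
  if (dnsDomainIs(host, ".mydomain.com")) return "DIRECT";
  if (isInNet(myIpAddress(), "10.0.0.0", "255.255.255.0")) return "PROXY 10.0.0.1:3128; DIRECT"; // Admin Net
  if (isInNet(myIpAddress(), "10.0.2.0", "255.255.255.0")) return "PROXY 10.0.2.1:3128; DIRECT"; // User Net
  if (isInNet(myIpAddress(), "10.0.3.0", "255.255.255.0")) return "PROXY 10.0.3.1:3128";         // Guest Net
  return "DIRECT";
}

// Evaluate a PAC function the way a browser would for one URL from one client.
function evaluate(pac, url, clientIp) {
  CLIENT_IP = clientIp;
  return pac(url, new URL(url).hostname);
}

// Simplified model of DNS-based WPAD discovery (tried after DHCP option 252):
// the client prepends "wpad." to its DNS suffix and drops leading labels until
// two remain. With no suffix configured the list is empty, which is why a
// client without the pfSense domain in its DNS settings never finds wpad.dat.
function wpadCandidateUrls(dnsSuffix) {
  const urls = [];
  let labels = dnsSuffix ? dnsSuffix.split(".") : [];
  while (labels.length >= 2) {
    urls.push(`http://wpad.${labels.join(".")}/wpad.dat`);
    labels = labels.slice(1);
  }
  return urls;
}
```

Call `evaluate(vlanPac, "http://example.com/", "10.0.2.5")` to see which proxy a User Net client would be sent to, and `evaluate(makeLanPac("255.255.255.0"), "http://intranet.mydomain.com/", "10.0.2.5")` against the same call with `"255.0.0.0"` to see why aGeekHere's wider mask changes a 10.0.2.x host from proxied to direct. `wpadCandidateUrls("localdomain.local")` returns the single URL the clients in this thread must be able to resolve and fetch, and `wpadCandidateUrls("")` returns nothing, matching the behaviour jopeme saw on clients without the domain configured.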
-
Did you try the wpad Unofficial package? I guess it's much easier to set up than manual file changes.