Unofficial E2guardian package for pfSense
-
Hello Marcello
I could not run MultiWan
LAN1 to wan1 and LAN2 to WAN2 firewall rules do not workfor example with squid we could do multiwan with the following Advanced Features-Custom Options (Before Auth)
acl LAN1 src 192.168.1.0/24
tcp_outgoing_address (wan1ip) LAN1
acl LAN1 src 192.168.2.0/24
tcp_outgoing_address (wan2ip) LAN2
I added it to squidparent.conf but it does not work -
Did you reloaded squid parent after config changes?
The squid daemon package installs is the same of squid package, so if you selected automatic parent config and add squid config to squid parent conf file it should work.
-
I tried the same settings did not work
but transparent as e2Guardian active (hhtp and https)
squid non transparent -
While doing pkg add -f https://e-sac.websiteseguro.com/e2g/e2guardian-5.0.2_7.txz, it failed to install.
It says, pkg: Missing dependency 'openssl'
How do we resolve this error ?
-
While doing pkg add -f https://e-sac.websiteseguro.com/e2g/e2guardian-5.0.2_7.txz, it failed to install.
It says, pkg: Missing dependency 'openssl'
How do we resolve this error ?
Follow instructions on the first post.
Add the repo and then install from gui -
While doing pkg add -f https://e-sac.websiteseguro.com/e2g/e2guardian-5.0.2_7.txz, it failed to install.
It says, pkg: Missing dependency 'openssl'
How do we resolve this error ?
Follow instructions on the first post.
Add the repo and then install from guiDo we need to configure WPAD, DNS and DHCP Options ?
PS: Do you have any tutorial on how to configure E2Guardian for http and https filtering like the ones in youtube for squid and squidguard for reference ? Thanks
-
Do we need to configure WPAD, DNS and DHCP Options ?
Only if you want or have a lot of sites on non standard web ports lie 8080,8081, etc..
The transparent proxy on e2guardian works really nice.
PS: Do you have any tutorial on how to configure E2Guardian for http and https filtering like the ones in youtube for squid and squidguard for reference ? Thanks
I have this video on youtube with basic setup instructions. The audio is in portuguese but following the images and a youtube translated cc, I guess you can configure it.
https://www.youtube.com/watch?v=tao1tiXFefk
-
I don't see any firewall rules setup on the video ? Is there a need to create firewall rule to redirect traffic to 8080 and 8081 ?
-
I don't see any firewall rules setup on the video ? Is there a need to create firewall rule to redirect traffic to 8080 and 8081 ?
The package creates automatically for transparent proxy options.
Select the same options I set on the video and take a look on realtime tab.
-
ok thanks Marcelloc
-
Marcelloc, what auth plugins ip address ?
Why are some options have (on) and some are (off) ?
What does on and off means there ?Also I checked on console e2guardian -version, it only show '–enable-sslmitm' and not '--enable-sslmitm=yes', does that mean e2guardian installation does not support SSL traffic interception ?
Running in debug mode…
e2guardian 5.1.0Built with: '--localstatedir=/var' '--with-logdir=/var/log' '--with-piddir=/var/run' '--with-zlib=/usr' '--enable-fancydm' '--disable-clamd' '--disable-commandline' '--with-dgdebug=on' '--enable-dnsauth' '--disable-email' '--enable-icap' '--disable-kavd' '--enable-ntlm' '--enable-sslmitm' '--enable-trickledm' '--prefix=/usr/local' '--mandir=/usr/local/man' '--disable-silent-rules' '--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd11.1' 'build_alias=amd64-portbld-freebsd11.1' 'CXX=c++' 'CXXFLAGS=-pipe -I/usr/local/include -D__SSLMITM -D__SSLCERT -DLIBICONV_PLUG -g -fstack-protector -fno-strict-aliasing -DLIBICONV_PLUG -std=c++11' 'LDFLAGS= -lssl -lcrypto -fstack-protector' 'LIBS=' 'CPPFLAGS=-I/usr/local/include -DLIBICONV_PLUG' 'CC=cc' 'CFLAGS=-pipe -I/usr/local/include -D__SSLMITM -D__SSLCERT -DLIBICONV_PLUG -g -fstack-protector -fno-strict-aliasing' 'CPP=cpp' 'PKG_CONFIG=pkgconf'
-
Marcelloc, what auth plugins ip address ?
Check groups based on clients IP address.
Why are some options have (on) and some are (off) ?
What does on and off means there ?on and off are the default config options. Check all (on) options to use setup defaults. Most are selected automatically on package install. Any option you select, will be enabled on config files.
Also I checked on console e2guardian -version, it only show '–enable-sslmitm' and not '--enable-sslmitm=yes', does that mean e2guardian installation does not support SSL traffic interception ?
It has traffic interception compiled. Select the CA under daemon tab to enable check certificate sites (splice all feature on squid) and Filter SSL under group options to intercept the connection with MTIM(requires the CA installed on clients browser to work correctly)
-
Marcelloc, is it fine to create the INTERNAL CA using pfsense system/certificate manager/CAs OR should it be done thru console as you have said here https://github.com/e2guardian/e2guardian/wiki/MITM–-Filtering-HTTPS, Generating the necessary SSL certs.
-
Create from GUI (system/certificate manager/CAs). On pfSense, there is no need to create certificates under console.
-
Thanks for confirming.
Another thing is:
1. If I download the shallalist, how will I know that it is done downloaded aside from the message prompt ?
2. In the Group Menu, the is this Pics (option) under Access List , where is that Pics in the ACL ?
PS: Even if I uncheck / disable the E2Guardian in the daemon page, it still shows STARTED / RUNNING on the status/services.
-
Marcelloc,
I have followed your youtube example, I create the CA on pfsense gui, I selected filter ssl sites forging ssl certificate, save, and applied,
but when I visit https sites, I get the following error on my chrome browser. I am using 2.4.3 pfsense version.I even tried install the CA cert on my browser but still the same error.
Your connection is not private
Attackers might be trying to steal your information from forum.pfsense.org (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_AUTHORITY_INVALIDAutomatically send some system information and page content to Google to help detect dangerous apps and sites.
UPDATE 5.14.2018 3:45pm :
Since I am getting this error above, I tried to shutdown my chrome browser. And I tried again surfing https sites, and it is ok now.
So Marcelloc, does this mean, I need to install the CA certificate on client browsers ? -
Option 1 Select the CA under daemon tab to enable check certificate sites (splice all feature on squid). No certificate is required on client.
Option 2 select option1 and Filter SSL under group options to intercept the connection with MTIM(requires the CA installed on clients browser to work correctly)
-
Option 1 Select the CA under daemon tab to enable check certificate sites (splice all feature on squid). No certificate is required on client.
Option 2 select option1 and Filter SSL under group options to intercept the connection with MTIM(requires the CA installed on clients browser to work correctly)
Yes I have selected the CA under daemon tab. What is option1? I have also selected Filter SSL under group options. I have followed all in your youtube video sample.
However, I have resolved it by installing the CA certificate on client browsers. But I need it to be that I don't need to install the CA cert on the client browsers.
-
You can configure ssl with or without interception. Follow option 1 to only check certificate but do not intercept
Follow option 2 to check certificate and intercept connection.If you do not want to install certificate on client, do not enalbe filter ssl on group options.
-
You can configure ssl with or without interception. Follow option 1 to only check certificate but do not intercept
Follow option 2 to check certificate and intercept connection.If you do not want to install certificate on client, do not enalbe filter ssl on group options.
Like I said, I have done option 2, which is selecting the filter SSL in group options. That is why I wonder what is lacking in what I have followed. I have checked the configurations more than 10 times already.
