Netgate Discussion Forum

    how to disable squid

    pfSense Packages
    • vallum @mcuddy

      @mcuddy I guess you are going to host this new proxy inside your network somewhere, probably in LAN.
      On the firewall LAN interface, make a rule to accept traffic from your new proxy.
      On your new proxy, set the default gateway to the pfSense IP.
      Configure the new proxy IP on the user machine and this should work.

      Manu

      • mcuddy

        The new proxy is actually outside of our network. It is a filtering service. We point to their DNS and use certificates. I have set their DNS servers in the DNS Server Settings in System/General. As I understand it, that should be sufficient.

        • mhab12

          Can you successfully ping IP addresses? Try 8.8.8.8 or 208.67.222.222

          You may need to create a default Allow LAN -> Any rule.

          • vallum @mcuddy

            @mcuddy said in how to disable squid:

            The new proxy is actually outside of our network. It is a filtering service. We point to their DNS and use certificates. I have set their DNS servers in the DNS Server Settings in System/General. As I understand it, that should be sufficient.

            Oh, I guess you are exploring OpenDNS, maybe Cisco Umbrella.

            Manu

            • mcuddy

              Actually, I am exploring a product called Securly.
              Similar to OpenDNS but broader scope of services.

              • mcuddy

                Yes, when I disable the proxy server service, I can still ping 8.8.8.8.
                I can even ping www.google.com.
                But when I try to visit with a browser, I get "Connecting" then "No internet connection".

                • mhab12

                  Do you have the Securly DNS servers listed in there now? What happens if you set the pfSense DNS to 208.67.222.222?

                  • vallum @mcuddy

                    @mcuddy said in how to disable squid:

                    Actually, I am exploring a product called Securly.
                    Similar to OpenDNS but broader scope of services.

                    You can actually keep squid on. Define a parent proxy (which will be the Securly FQDN and port). I have tested this; it will work.

                    In squid, add this in advanced, custom integrations:
                    cache_peer FQDN_OF_Securly parent PORTNUMBER 0 no-query no-digest
                    never_direct allow all

                    Manu
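
Added example, not part of the original posts and not pfSense or Squid code: a small check for the parent-proxy snippet above. It flags a template hostname or port that was never substituted and a parent peer without `never_direct allow all`. The hostname `filter.example.net` and port 8080 are constructed sample values, not Securly's real ones.

```python
# Added example: lint a Squid "custom options" snippet that chains to a parent proxy.
# Directive layout (Squid): cache_peer <host> <type> <http-port> <icp-port> [options]
PLACEHOLDER = "FQDN_OF_"  # template token used in the post above


def parse_cache_peer(line):
    """Split one cache_peer line into its fields."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "cache_peer":
        raise ValueError(f"incomplete cache_peer line: {line!r}")
    return {"host": parts[1], "type": parts[2], "http_port": parts[3],
            "icp_port": parts[4], "options": parts[5:]}


def lint_custom_options(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings, parents, never_direct_all = [], 0, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # ignore comments and blank lines
        if not line:
            continue
        if line.split()[0] == "cache_peer":
            peer = parse_cache_peer(line)
            if peer["type"] == "parent":
                parents += 1
            if PLACEHOLDER in peer["host"]:
                findings.append(f"host: template placeholder {peer['host']!r} not replaced")
            port = peer["http_port"]
            if not (port.isdecimal() and 1 <= int(port) <= 65535):
                findings.append(f"http_port: {port!r} is not a port number (1-65535)")
        elif line.split() == ["never_direct", "allow", "all"]:
            never_direct_all = True
    if parents == 0:
        findings.append("no parent cache_peer defined")
    elif not never_direct_all:
        findings.append("never_direct allow all missing: Squid may fetch directly, "
                        "bypassing the upstream filter")
    return findings


# Constructed inputs: the template as posted, and a filled-in version with a
# made-up hostname and port (assumptions, not the filtering service's real values).
TEMPLATE = "cache_peer FQDN_OF_Securly parent PORTNUMBER 0 no-query no-digest\nnever_direct allow all"
FILLED = "cache_peer filter.example.net parent 8080 0 no-query no-digest\nnever_direct allow all"

if __name__ == "__main__":
    for name, cfg in (("template", TEMPLATE), ("filled", FILLED)):
        print(name, lint_custom_options(cfg) or "ok")
```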

                    • mcuddy @mhab12

                      @mhab12
                      Thank you. I missed that troubleshooting step...
                      With squid, the Securly DNS addresses did get me to the internet. Without, they didn't.
                      With 208.67.222.222, it works both ways...

                      It sounds like it may be a problem on their end, then?

                      Correction:
                      The different DNS wasn't the solution... For some reason the Proxy service restarted when I changed the DNS.
                      If I keep squid service off, it doesn't work.

                      • vallum @mcuddy

                        @mcuddy said in how to disable squid:

                        @mhab12
                        Thank you. I missed that troubleshooting step...
                        With squid, the Securly DNS addresses did get me to the internet. Without, they didn't.
                        With 208.67.222.222, it works both ways...

                        It sounds like it may be a problem on their end, then?

                        208.67.222.222 is OpenDNS ...

                        Manu

                        • mhab12

                          Either their end or something with the upstream proxy configuration, if that is how they are actually set up. OpenDNS/Umbrella do everything via DNS... not sure of Securly.

                          • mcuddy

                            The different DNS wasn't the solution... For some reason the Proxy service restarted when I changed the DNS.
                            If I keep squid service off, it doesn't work.

                            • mcuddy @vallum

                              @vallum

                              Please clarify - Am I adding the exact words in your script, or am I putting the Securly Domain Name and ports (80 and 8080) into the script?

                              cache_peer www.securly.com parent 8080 0 no-query no-digest?

                              • vallum @mcuddy

                                @mcuddy said in how to disable squid:

                                @vallum

                                Please clarify - Am I adding the exact words in your script, or am I putting the Securly Domain Name and ports (80 and 8080) into the script?

                                cache_peer www.securly.com parent 8080 0 no-query no-digest?

                                You can try with port 80. Did you create an IPsec or GRE tunnel with Securly from your location? This is the requirement of CASB based solutions.

                                Manu

                                • mcuddy @vallum

                                  @vallum said in how to disable squid:

                                  Psec or Gre

                                  That would be my problem. I did not create a tunnel. All I did was change the dns addresses.

                                  At the moment, I don't know how to add the tunnel, nor the implications of doing it (am I likely to take the internet down while setting it up? etc.) I'll look into it. Do you have any direction here?

                                  • vallum @mcuddy

                                    @mcuddy said in how to disable squid:

                                    @vallum said in how to disable squid:

                                    Psec or Gre

                                    That would be my problem. I did not create a tunnel. All I did was change the dns addresses.

                                    Check their documentation for further details

                                    At the moment, I don't know how to add the tunnel, nor the implications of doing it (am I likely to take the internet down while setting it up? etc.) I'll look into it. Do you have any direction here?

                                    You can create an IPsec tunnel in pfSense; I don't see any issue with that.
                                    At the Securly end you need to create tunnel parameters like the preshared key, the IP address of the site, subnet details, etc.
                                    Then enter the same information in pfSense while setting up the tunnel.

                                    Manu

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.