Netgate Discussion Forum
    Squid non-transparent blocks VPN address

trasher mx:

      Hi guys,

      As the title says:

I have a Squid non-transparent proxy working in my local net (192.168.11.0/24) and it works well. I also have an IPsec VPN tunnel to another location (172.16.0.0/16). If users from 192.168.11.0/24 try to reach any address at the remote location (172.16.0.0/16), Squid shows the remote host as down.

Any idea?

Some time ago, I used to bypass the network 172.16.0.0/16 when I was using the transparent proxy, but after we moved to non-transparent the bypass option is not working.

KOM:

        By default, squid uses the default gateway so it won't be able to access anything via the VPN. How are your clients accessing the proxy? Are you using WPAD autoconfigure or pushing a group policy to them or just manually setting them? You can usually specify per client what is considered local traffic and therefore direct as opposed to proxied.

trasher mx:

@KOM said in Squid non-transparent blocks VPN address:

> WPAD autoconfigure

Hi, I'm using WPAD autoconfigure.

KOM:

            And what does it have in it? Are you conditionally directing traffic based on network? For example, below is my wpad.dat:

    function FindProxyForURL(url, host)
    {
        // If the requested website is hosted within the internal network, send direct.
        if (isPlainHostName(host) ||
            shExpMatch(host, "*.local") ||
            isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
            isInNet(dnsResolve(host), "172.16.0.0", "255.240.0.0") ||
            isInNet(dnsResolve(host), "192.168.0.0", "255.255.0.0") ||
            isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0"))
            return "DIRECT";
        // Else use the proxy
        return "PROXY 10.10.4.1:3128";
    }


Traffic will only go to the proxy if the destination is not a local domain or RFC 1918 IP space.

trasher mx:
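The PAC file above is the mechanism that fixes the poster's problem: Squid only has a route through the default gateway, so the browser itself must be told to go DIRECT for the IPsec remote site. The block below is an added example, not KOM's wpad.dat or anything from the thread. It adapts the same pattern to the poster's two subnets (192.168.11.0/24 local, 172.16.0.0/16 over IPsec) and bundles stand-in implementations of the PAC helper functions (isInNet, dnsResolve, isPlainHostName, shExpMatch) with a constructed host table, so the routing decisions can be checked offline in Node before the file is published on the WPAD web server. The proxy address 192.168.11.1:3128, the domain example.internal and the hostnames are assumptions, not values from the thread.

```javascript
// Added example (not from the forum thread): a PAC file for the poster's setup plus an
// offline harness that stands in for the browser's PAC engine so the logic can be tested
// in Node. Assumptions: proxy at 192.168.11.1:3128, internal domain example.internal.

// Constructed host table standing in for DNS so the harness runs offline.
const FAKE_DNS = {
  "fileserver.remote.test": "172.16.5.20",   // host behind the IPsec tunnel
  "printer.example.internal": "192.168.11.50", // local LAN host
  "www.example.com": "203.0.113.10",           // documentation address, "the Internet"
};

// --- Stand-ins for the PAC helper functions normally supplied by the browser ------------
function dnsResolve(host) {
  // Real PAC engines return null when resolution fails; keep that contract.
  return FAKE_DNS[host] || null;
}

function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function shExpMatch(str, pattern) {
  // Turn a shell glob (* and ?) into an anchored regular expression.
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                         .replace(/\*/g, ".*")
                         .replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$").test(str);
}

function ipToInt(ip) {
  // Dotted quad -> unsigned 32-bit integer.
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

function isInNet(ip, network, mask) {
  if (!ip) return false; // dnsResolve() failed: fall through to the proxy
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(network) & m);
}

// --- The PAC file itself: this function is what wpad.dat would contain ------------------
function FindProxyForURL(url, host) {
  const ip = dnsResolve(host);
  // Local LAN, the IPsec remote site and loopback go DIRECT, bypassing Squid, which only
  // has a route via the default gateway and cannot reach hosts through the tunnel.
  if (isPlainHostName(host) ||
      shExpMatch(host, "*.example.internal") ||
      isInNet(ip, "192.168.11.0", "255.255.255.0") ||   // local LAN
      isInNet(ip, "172.16.0.0", "255.255.0.0") ||       // remote site over IPsec
      isInNet(ip, "127.0.0.0", "255.0.0.0")) {          // loopback
    return "DIRECT";
  }
  // Everything else goes through Squid.
  return "PROXY 192.168.11.1:3128";
}

// --- Offline check: which route each destination takes ---------------------------------
function routeTable(hosts) {
  const table = {};
  for (const h of hosts) {
    table[h] = FindProxyForURL("http://" + h + "/", h);
  }
  return table;
}

if (typeof module !== "undefined" && typeof require !== "undefined" && require.main === module) {
  console.log(routeTable(Object.keys(FAKE_DNS).concat(["intranet", "unknown.test"])));
}
```

Run it with `node wpad-check.js` to see the decision for each constructed host. When deploying, strip the stand-in helpers and the harness and keep only `FindProxyForURL`; the browser supplies the real helper functions. Note that a host that fails to resolve is sent to the proxy, so if the remote site's names are only resolvable over the tunnel, the client still needs working DNS for them or the isInNet checks never match.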

              Hi KOM,

              I've checked and the file was showing:

    function FindProxyForURL(url, host)
    {
        return "PROXY ip_firewall:3128";
    }

So maybe that's the problem. I will do the necessary and let you know if it worked.

              Thanks for your support.

trasher mx:

Another question: is there a way to validate that the WPAD setup is working properly?

KOM:

                  Yes. Open your browser and go to wpad.yourdomain.whatever/wpad.dat. Your browser should prompt you to open or download the wpad.dat file.

trasher mx:

So, I did the changes and it worked.

                    Thanks a lot man!

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.