Squid/SquidGuard NONE/409 and DNS issue
-
My goal:
- User access control. (Which clients can/cannot access sites during a time range)
- User access report. LightSquid works great for me.
My settings:
- Latest version of pfSense and Squid/SquidGuard/LightSquid.
- Splice All; Enable SSL filtering; Transparent mode; Basic SquidGuard settings
Problem symptoms:
Some sites would randomly stop loading. It shows NONE/409 in the access log. Firefox error:
Chrome error:
pfSense shows the error in real time log:
After days of troubleshooting, I finally found this article on the official support site:
Sites not loading with splice / Error 409 in access log
https://docs.netgate.com/pfsense/en/latest/troubleshooting/squid.html
It says this is a DNS issue:
sites which employ round-robin DNS or other DNS optimizations can cause squid to block or drop connections to those sites unintentionally.
The solution is to have the clients use the firewall as their DNS server, so that both squid and clients use the same DNS source and the results will match.
I followed the solution, but my client uses the pfSense firewall IP as the gateway and DNS. So the client and pfSense box use the same DNS and it should NOT create any mismatch issues!
Things I have tried:
a. I put only one DNS entry 8.8.8.8 in “System -> General Setup”. And I put 8.8.8.8 in Squid -> Use Alternate DNS. No luck.
b. I disabled the local cache and cleared the cache. Not working.
c. I also put the troublesome domains in a “Target categories” whitelist. Not working.
Currently, the only way to solve the problem is:
a. wait for a few minutes, up to an hour, and it may come back, but then some other links break again; or
b. bypass the client or stop Squid completely. But this loses the URL control and report features of Squid.
I ran out of ideas. I really love the user control and report features of Squid, but this random 409 error is driving me nuts. Is this a bug? Can I somehow bypass this 409 error?
Please help! Much appreciated!
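An added example for triaging the access log mentioned above (example code, not part of this thread): it parses Squid native-format log lines, constructed here as sample data, and groups the NONE/409 results by requested host and by client, which is the list you want in hand before checking whether those hosts use round-robin DNS.

```javascript
// Added example (not from the thread): triage a Squid native-format access.log for
// NONE/409 results, which Squid logs when the address a client connected to does not
// match what Squid itself resolved for the requested host. Sample lines are constructed.
const SAMPLE_LOG = [
  "1614012345.101    12 192.168.100.155 TCP_TUNNEL/200 5120 CONNECT www.example.org:443 - ORIGINAL_DST/93.184.216.34 -",
  "1614012346.202     0 192.168.100.155 NONE/409 3946 CONNECT cdn.example.net:443 - HIER_NONE/- text/html",
  "1614012347.303     0 192.168.100.159 NONE/409 3946 GET http://cdn.example.net/img.png - HIER_NONE/- text/html",
  "1614012348.404     8 192.168.100.159 TCP_MISS/200 812 GET http://www.example.org/ - ORIGINAL_DST/93.184.216.34 text/html",
  "1614012349.505     0 192.168.100.155 NONE/409 3946 CONNECT rr.example.com:443 - HIER_NONE/- text/html",
].join("\n");

// CONNECT lines carry host:port; plain requests carry a full URL.
function hostFromUrl(url) {
  const m = url.match(/^(?:[a-z]+:\/\/)?([^/:]+)/i);
  return m ? m[1].toLowerCase() : null;
}

// Native format: time elapsed client result/status bytes method URL user hierarchy/peer type
function parseLine(line) {
  const f = line.trim().split(/\s+/);
  if (f.length < 7) return null;
  const [result, status] = f[3].split("/");
  return { time: Number(f[0]), client: f[2], result, status: Number(status), method: f[5], host: hostFromUrl(f[6]) };
}

// Returns totals plus the 409-affected hosts, busiest first, with the clients that hit each.
function triage409(logText) {
  const byHost = new Map();
  let total = 0, hits = 0;
  for (const line of logText.split("\n")) {
    const e = parseLine(line);
    if (!e) continue;
    total++;
    if (e.status !== 409) continue;
    hits++;
    const rec = byHost.get(e.host) || { count: 0, clients: new Set() };
    rec.count++;
    rec.clients.add(e.client);
    byHost.set(e.host, rec);
  }
  const hosts = [...byHost]
    .map(([host, r]) => ({ host, count: r.count, clients: [...r.clients].sort() }))
    .sort((a, b) => b.count - a.count || a.host.localeCompare(b.host));
  return { total, hits, hosts };
}

console.log(triage409(SAMPLE_LOG));
```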
-
@shawn8888
I don't see any solution to this bug, which makes Squid totally useless. A lot of websites broke randomly because of this.
I uninstalled Squid...
-
I just upgraded pfSense to 2.5 and all the packages, and this issue still persists.
Sigh...
-
I found this:
host_verify_strict
http://www.squid-cache.org/Doc/config/host_verify_strict/
How can I set this option on/off in pfSense?
-
Did you find a solution to this?
I have my clients using the pfSense firewall as their DNS server, but I still see 409 responses from squid.
As you described, simply waiting a while and trying again does solve the problem, but it seems that this shouldn’t be necessary.
-
@dbx
There is no solution for this from what I've read.
I gave up on squid. And sadly, I haven't found an alternative.
-
For me the idea of a transparent proxy seemed ideal, especially being able to filter content that my kids' devices are able to access.
Niggles like this make the experience feel like I’m a full-time sysadmin at home, when really after some initial config it ought to just work.
Simple things like clicking links from a Google search on a mobile device not working turns a quiet 5 mins of browsing into a headache.
It certainly isn’t transparent anyway. Short of ditching the firewall completely and going direct to the World Wide Web, are there any config changes we may not have thought of? I guess the one you linked to above can’t be applied manually in squid.conf or similar?
-
@dbx
I did try the option "host_verify_strict" on and off. I put it in Advanced Features -> Custom Options.
It does NOT fix the 409 problem.
I guess because this 409 doesn't happen 100% for all websites, the developers don't care, even though they know it's a bug; they put it in the docs and call it a DNS/security issue and don't want to fix it.
-
Is there any way to use SSL filtering in pfSense without having this issue?
I've tried to point the DNS to the same server as @shawn8888 did, but with no success either.
Could it be solved with a non-transparent proxy?
-
I do not have this problem.
To fix this you should not rely on just a transparent proxy but use a combination of both transparent proxy and non-transparent. A WPAD (try the Unofficial WPAD package) can also be used for auto configuration. But to test, configure a PC or Chrome to use the proxy and see if you still get those errors.
-
Some browsers can reach out and use DNS that may be different from the client OS. To prevent this, you should be blocking DNS traffic to anything except pfSense:
Redirecting Client DNS Requests
You will also need to be aware of DoH and DoT and how to block them but one step at a time.
Caching the dynamic web with squid isn't very effective anymore. My hit rates were usually in the 4-7% range which is a waste of time. I ended up just disabling the cache and only using squid as base for squidguard.
I found transparent proxy to be a pain in the ass. Now I use WPAD to allow clients to autodetect squid themselves, and any other devices will have to be configured manually or else they don't get access. Modern wireless devices will allow you to configure a proxy per AP so they don't have to apply it globally.
-
@kom Thanks for the suggestion
I tried the "Redirecting Client DNS Requests" trick, but still many NONE/409 errors.
I don't know what WPAD is, guess I will give it a try when I have time.
-
Setting up WPAD Autoconfigure for the Squid Package
It allows an OS to autodetect a proxy. When you use this method, you run squid in explicit mode (non-transparent). This way you don't have to screw around with certs or MitM splicing because everyone involved knows a proxy server is being used. Most OSes and devices support it. Older ones may have to be manually configured to use the proxy but it varies.
-
@kom
However some software may not have support for a proxy so if you block traffic on port 80 and 443 then that program may have connection issues. A simple fix is to just run both, non-transparent for the majority of traffic and a transparent proxy to catch any traffic that is not supported by the WPAD. You may find that the number of programs not supporting a proxy is slowly declining.
The Wpad Unofficial package works very well https://github.com/marcelloc/Unofficial-pfSense-packages/tree/master/pkg-wpad
Maybe one day it will be pushed to an official package.
-
I tried WPAD, and it worked!
I haven't seen any NONE/409 errors since then and it looks promising!
If this error is for non-WPAD, and transparent mode only, it's a bug, don't you think?
-
Do you know how to manually set some of my devices in the LAN to bypass the proxy? I have a Synology NAS and some other devices that need to access the Internet directly.
Thanks!
-
@shawn8888
1. Not sure if it is a bug or just a limitation.
2. In your wpad you can bypass devices like this:
if (isInNet(myIpAddress(), "192.168.1.99", "255.255.255.255")) return "DIRECT"; // host mask: 255.255.255.0 would match every address in 192.168.1.0/24
-
@shawn8888 I put a block rule for tcp 80/443 on LAN above my Allow All rule, then above that I have an allow rule with an alias that holds IPs that I allow to tcp 80/443.
-
You mentioned that Transparent HTTP Proxy should be disabled. But in my case, I have to enable it to make proxy working.
-
In order to bypass some of my LAN IPs, I did it as you suggested. But it doesn't seem to be working. Is there anything wrong in the screenshot below?
-
I changed my wpad.dat to this:
function FindProxyForURL(url, host) {
    // 255.255.255.255 pins a single host; 255.255.255.0 would match all of 192.168.100.0/24
    if (isInNet(myIpAddress(), "192.168.100.159", "255.255.255.255")) return "DIRECT";
    return "PROXY 192.168.100.1:3128";
}
But somehow it doesn't bypass the device I put in there. :(
-
@shawn8888
in squid under
Bypass Proxy for These Source IPs
add your device there
-
@ageekhere said in Squid/SquidGuard NONE/409 and DNS issue:
@shawn8888
in squid under
Bypass Proxy for These Source IPs
add your device there
I tried that, not working either. Which makes me wonder if I am doing something wrong.
How should I test if a device goes to the Internet directly or through a proxy?
Right now I have a blocked web site set in SquidGuard, such as youtube.com. So, if I can access google.com but not youtube.com, I assume the proxy is working, because SquidGuard needs Squid to work. If I can access both, then it accesses directly. Is there a better way?
-
@shawn8888
You can look at squid real time to see if that device comes up
-
Thanks!
So I did all the below, and the bypass finally works:
- setup the rules in LAN like this:
- change the wpad.dat like this:
function FindProxyForURL(url, host) {
    // both conditions belong inside one if(); host masks so each rule matches one device
    if (isInNet(myIpAddress(), "192.168.100.159", "255.255.255.255") ||
        isInNet(myIpAddress(), "192.168.100.155", "255.255.255.255")) return "DIRECT";
    return "PROXY 192.168.100.1:3128";
}
- add Bypass Proxy for These Source IPs
-
@shawn8888 Something is wrong with your config. You don't need WPAD if you're still running transparent mode. It's one or the other.
-
@kom
I think if you go direct with the WPAD the transparent proxy will see traffic going directly through port 80/443 and will redirect the traffic through the proxy again. So by adding the bypass in squid it prevents it from being routed through the transparent proxy.
If you turn off the transparent proxy and just rely on the WPAD some software may have connection issues.
-
@kom
If I disable transparent mode, then all my devices lose Internet. So honestly, at this point, I don't know if WPAD or transparent mode is working.
However, Twitter image/video now works both on my PC and my iPad, and it didn't work before.
-
@shawn8888
A way to test if the WPAD is working is to temporarily turn off the transparent proxy and make sure autoconfig is turned on. If your Internet browser uses the proxy then it is working.
-
What do you mean "autoconfig"?
I followed the help here:
If I turn off transparent mode and change firefox network settings:
Still no Internet. So I guess WPAD never worked...
-
@shawn8888 What happens when you try to resolve 'wpad' or 'wpad.yourdomain.lol' on your network? Does it come back with the IP address of the server holding the wpad.dat file? IIRC your wpad.dat file has to live on an http server or a trusted https server. Any cert errors will stop the wpad file from being read.
-
@kom
I think I have followed all the steps on doc page.
Ping/DNS is fine, and I can download the wpad.dat file from the browser.
One question though:
If the transparent mode works, why do you need wpad? Is that because transparent mode is buggy?
-
@shawn8888
To set auto config in windows go to
Control Panel - Internet Properties - Connections - LAN settings and select Automatically detect settings.
Make sure programs are set to Use system proxy settings.
Test with Chrome for now as Firefox in the past had an outstanding bug with auto configuring a proxy which I am not sure was fixed.
"If the transparent mode works, why do you need wpad? Is that because transparent mode is bugy?"
From memory transparent proxy can break certificates resulting in a failed connection, though someone with more knowledge would have to confirm the technical details.
Also in your WPAD add to the top
if (shExpMatch(host, "ENTER YOUR PFSENSE DOMAIN HERE")) return "DIRECT";
use https://app.thorsen.pm/proxyforurl for testing the WPAD for errors
-
Thank you guys for the endless help. I haven't given up because of you!
My Internet properties look good.
Chrome also points to Auto detect.
My wpad.dat now looks like below and the proxy tester didn't complain
I also tested on my iPhone, iPad, same as my PC. As soon as I disable transparent mode, Internet drops.
I checked my iOS -> wifi -> HTTP PROXY -> Configure Proxy -> Automatic
All my devices can download the wpad.dat file from the browser:
http://192.168.100.1/wpad.dat
function FindProxyForURL(url, host) {
    if (shExpMatch(host, "pfsense.mydomain.com")) return "DIRECT";
    // host mask, so only the NAS at .155 is bypassed rather than the whole /24
    if (isInNet(myIpAddress(), "192.168.100.155", "255.255.255.255")) return "DIRECT";
    return "PROXY 192.168.100.1:3128";
}
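An added offline harness for the wpad.dat logic discussed in this thread (example code, not the file anyone posted): Node has no PAC helper functions, so isInNet and shExpMatch are shimmed with their PAC semantics and the client address is passed in instead of calling myIpAddress(). It also shows why the mask in the posted rules matters: isInNet with 255.255.255.0 is true for every address in 192.168.100.0/24, so such a rule sends the whole LAN DIRECT, while 255.255.255.255 pins one device. The firewall hostname pfsense.example.lan is a placeholder.

```javascript
// Added example, not a file posted in this thread: run the wpad.dat logic offline.
// A real PAC engine supplies isInNet/shExpMatch/myIpAddress; the shims below follow
// the PAC definitions so the same rules can be checked under Node.
const ip2int = (ip) => ip.split(".").reduce((n, o) => ((n << 8) | Number(o)) >>> 0, 0);

// PAC isInNet: true when host and pattern agree on every bit set in mask.
function isInNet(host, pattern, mask) {
  return (ip2int(host) & ip2int(mask)) === (ip2int(pattern) & ip2int(mask));
}

// PAC shExpMatch: shell-style glob where only * and ? are special.
function shExpMatch(str, shexp) {
  const re = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// Assumed layout from the thread: pfSense at 192.168.100.1 with squid on 3128, and
// devices such as the NAS that must go DIRECT. The firewall hostname is a placeholder.
const PROXY = "PROXY 192.168.100.1:3128";
const BYPASS_HOSTS = ["192.168.100.155", "192.168.100.159"];

// myIp stands in for myIpAddress(); mask defaults to a single-host mask.
function findProxyForURL(url, host, myIp, mask = "255.255.255.255") {
  if (shExpMatch(host, "pfsense.example.lan")) return "DIRECT"; // never proxy the firewall itself
  for (const dev of BYPASS_HOSTS) {
    if (isInNet(myIp, dev, mask)) return "DIRECT";
  }
  return PROXY;
}

// Same rules evaluated for a client that is NOT in the bypass list, with the /24 mask
// from the posted wpad.dat and with a host mask, plus a listed device and the firewall.
function compareMasks() {
  const other = "192.168.100.50";
  return {
    slash24: findProxyForURL("https://example.com/", "example.com", other, "255.255.255.0"),
    slash32: findProxyForURL("https://example.com/", "example.com", other),
    nas: findProxyForURL("https://example.com/", "example.com", "192.168.100.155"),
    firewall: findProxyForURL("http://pfsense.example.lan/", "pfsense.example.lan", other),
  };
}

console.log(compareMasks());
```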
-
@shawn8888
I think I see the issue. Under Additional BOOTP/DHCP Options change to:
252 String "http://192.168.1.1/wpad.dat"
252 String "http://192.168.1.1/wpad.da"
252 String "http://192.168.1.1/proxy.pac"
Under DNS Resolver -> General Settings -> Host Overrides add:
Host: wpad, Domain: YourPfsenseDomain, IP: 192.168.1.1, Description: wpad
https://docs.netgate.com/pfsense/en/latest/recipes/http-client-proxy-wpad.html?highlight=wpad
"A WPAD host may be supplied via DHCP numbered option 252 (string value containing the entire URL to the WPAD file) or DNS, which is easy to do with the built-in DNS forwarder."
Make sure you get the correct YourPfsenseDomain, something like pfsensedomain.local
You can check in Windows by using cmd and looking for Connection-specific DNS suffix.
-
@ageekhere
No luck.
From what I read, you only need DHCP or the DNS resolver. I tried both, and still the same.
Even though I am a complete newbie about Wireshark, I gave it a shot. And I cannot even find the string "wpad" in the logs.
-
@shawn8888 Try resetting the states: Diagnostics -> States -> Reset States.
Also try restarting your PC and router.
-
@shawn8888 Transparent mode isn't buggy per se, it's just that you have to consider other things when using it. You're trying to intercept a data stream that is trying to prevent you from doing so. You either need to install a trusted cert on every device that will use your transparent proxy to avoid MitM browser errors when using Splice/Bump, or no certs and you use Splice All. If transparent mode works for you then use that, but I find explicit mode has fewer hassles.
Are you sure that your proxy works? What happens if you manually set a browser to use it?
-
@ageekhere
I rebooted pfSense and the client PC. wpad is still not working.
@KOM
"Splice All" is recommended in order to use SquidGuard, which is the main reason I use Squid.
My proxy ONLY works in Transparent mode.
I have tried turning off Transparent mode and setting the proxy manually (set IP and port 3128) on my PC. But it seems that a lot of things are not working. For example, I can open speedtest.net, but when I hit the "go" button, it never starts.
-
@shawn8888 When running in explicit mode, how does it not work exactly? What browser error are you getting? Squid normally just works right out of the box.
-
@kom
What do you mean by "explicit mode"?
Does that mean:
Disable both "Transparent mode" and "Enable SSL filtering", and manually set clients to use ip:3128 as proxy?
-
@shawn8888 Yes. Explicit means not transparent, no SSL interception. Clients can be manually set or use WPAD once you determine squid is working properly.