Netgate Discussion Forum

    Squid/SquidGuard NONE/409 and DNS issue

    Cache/Proxy
    69 Posts 9 Posters 23.5k Views
    aGeekhere:

      I do not have this problem.
      To fix it you should not rely on just a transparent proxy but use a combination of both transparent and non-transparent. A WPAD (try the Unofficial WPAD package) can also be used for auto-configuration. But to test, configure a PC or Chrome to use the proxy and see if you still get those errors.

      Never Fear, A Geek is Here!

    KOM:

        Some browsers can reach out and use DNS that may be different from the client OS. To prevent this, you should be blocking DNS traffic to anything except pfSense:

        Redirecting Client DNS Requests

        You will also need to be aware of DoH and DoT and how to block them, but one step at a time.

        Caching the dynamic web with squid isn't very effective anymore. My hit rates were usually in the 4-7% range which is a waste of time. I ended up just disabling the cache and only using squid as base for squidguard.

        I found transparent proxy to be a pain in the ass. Now I use WPAD to allow clients to autodetect squid themselves, and any other devices will have to be configured manually or else they don't get access. Modern wireless devices will allow you to configure a proxy per AP so they don't have to apply it globally.

    shawn8888 @KOM:

          @kom Thanks for the suggestion
          I tried the "Redirecting Client DNS Requests" trick, but still many NONE/409 errors.

          I don't know what WPAD is, guess I will give it a try when I have time.

    KOM @shawn8888:

            @shawn8888

            Setting up WPAD Autoconfigure for the Squid Package

            It allows an OS to autodetect a proxy. When you use this method, you run squid in explicit mode (non-transparent). This way you don't have to screw around with certs or MitM splicing because everyone involved knows a proxy server is being used. Most OSes and devices support it. Older ones may have to be manually configured to use the proxy but it varies.

    aGeekhere @KOM:

              @kom
              However, some software may not have support for a proxy, so if you block traffic on ports 80 and 443 then that program may have connection issues. A simple fix is to just run both: non-transparent for the majority of traffic and a transparent proxy to catch any traffic that is not supported by the WPAD. You may find that the number of programs not supporting a proxy is slowly declining.

              The Wpad Unofficial package works very well https://github.com/marcelloc/Unofficial-pfSense-packages/tree/master/pkg-wpad

              Maybe one day it will be pushed to an official package.

              Never Fear, A Geek is Here!

    shawn8888 @KOM:

                @kom @aGeekhere

                1. I tried WPAD, and it worked!
                  I haven't seen any NONE/409 errors since then and it looks promising!

                  If this error is for non-WPAD, and transparent mode only, it's a bug, don't you think?

                2. Do you know how to manually set some of my devices in the LAN to bypass the proxy? I have a Synology NAS and some other devices that need to access the Internet directly.

                Thanks!

    aGeekhere @shawn8888:

                  @shawn8888
                  1. Not sure if it is a bug or just a limitation.

                  2. In your wpad you can bypass devices like this:

                  // 255.255.255.255 matches this one host; a 255.255.255.0 mask would match the whole /24
                  if (isInNet(myIpAddress(), "192.168.1.99", "255.255.255.255"))
                      return "DIRECT";

                  Never Fear, A Geek is Here!

    KOM @shawn8888:

                    @shawn8888 I put a block rule for tcp 80/443 on LAN above my Allow All rule, then above that I have an allow rule with an alias that holds IPs that I allow to tcp 80/443.

    shawn8888 @KOM:

                      @kom

                      1. You mentioned that Transparent HTTP Proxy should be disabled. But in my case, I have to enable it to make the proxy work.

                      2. In order to bypass some of my LAN IPs, I did it as you suggested. But it seems not to be working? Is there anything wrong in the screenshot below?

                      54774291-a879-4dbb-9bd1-669a02aaaef9-image.png

    shawn8888 @aGeekhere:

                        @ageekhere

                        I changed my wpad.dat to this:

                        function FindProxyForURL(url, host) {
                            if (isInNet(myIpAddress(), "192.168.100.159", "255.255.255.0")) 
                            return "DIRECT";
                        
                            return "PROXY 192.168.100.1:3128";
                        }
                        

                        But somehow it doesn't bypass the device I put in there. :(

    aGeekhere @shawn8888:

                          @shawn8888
                          in squid under
                          Bypass Proxy for These Source IPs
                          add your device there

                          Never Fear, A Geek is Here!

    shawn8888 @aGeekhere:

                            @ageekhere said in Squid/SquidGuard NONE/409 and DNS issue:

                            @shawn8888
                            in squid under
                            Bypass Proxy for These Source IPs
                            add your device there

                            I tried that, not working either. Which makes me wonder if I am doing something wrong.

                            How should I test if a device goes to the Internet directly or through a proxy?
                            Right now I have a blocked website in SquidGuard, such as youtube.com. So, if I can access google.com but not youtube.com, I assume the proxy is working, because SquidGuard needs Squid to work. If I can access both, then it accesses directly. Is there a better way?

    aGeekhere @shawn8888:

                              @shawn8888
                              You can look at squid real time to see if that device comes up.

                              Never Fear, A Geek is Here!

    shawn8888 @aGeekhere:

                                @ageekhere

                                Thanks!

                                So I did all the below, and the bypass finally works:

                                1. set up the rules in LAN like this:

                                3a9c56ce-974e-4491-a737-82d802257053-image.png

                                2. change the wpad.dat like this:
                                function FindProxyForURL(url, host) {
                                    // 255.255.255.255 matches one host each; 255.255.255.0 would match the whole /24
                                    if (isInNet(myIpAddress(), "192.168.100.159", "255.255.255.255") ||
                                        isInNet(myIpAddress(), "192.168.100.155", "255.255.255.255"))
                                        return "DIRECT";
                                    return "PROXY 192.168.100.1:3128";
                                }

                                3. add Bypass Proxy for These Source IPs

                                1070d290-bb7b-4eb5-ba99-b2129c3d0d20-image.png

    KOM @shawn8888:
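The bypass the thread converges on (listed LAN clients go DIRECT, everything else to squid), as an added example that is not code from the thread or from the pfSense packages. The addresses are the ones quoted above, the client list is an assumption, and myIpAddress/isInNet/isPlainHostName are stand-ins for the PAC built-ins so the file can be run with node; a browser's PAC engine provides its own, so the stand-ins would be left out of a real wpad.dat.

```javascript
var BYPASS_CLIENTS = ["192.168.100.159", "192.168.100.155"]; // assumed list of clients that go direct
var SQUID = "PROXY 192.168.100.1:3128";

function FindProxyForURL(url, host) {
  var me = myIpAddress();
  for (var i = 0; i < BYPASS_CLIENTS.length; i++) {
    // 255.255.255.255 matches exactly one address; 255.255.255.0 would match the whole /24
    if (isInNet(me, BYPASS_CLIENTS[i], "255.255.255.255")) return "DIRECT";
  }
  // LAN destinations and bare hostnames (e.g. the NAS) never need the proxy
  if (isPlainHostName(host) || isInNet(host, "192.168.100.0", "255.255.255.0")) {
    return "DIRECT";
  }
  return SQUID;
}

// ---- stand-ins for the PAC built-ins, only for running this file outside a browser ----
var clientIp = "192.168.100.10";            // constructed default; setClientIp() changes it
function setClientIp(ip) { clientIp = ip; }
function myIpAddress() { return clientIp; }
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function ipToInt(ip) {                      // dotted quad -> 32-bit number, null if not an IP
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    var o = Number(parts[i]);
    if (parts[i] === "" || !(o >= 0 && o <= 255)) return null;
    n = n * 256 + o;
  }
  return n;
}
function isInNet(ipOrHost, pattern, mask) {  // real engines resolve hostnames first; here a hostname is simply "not in net"
  var a = ipToInt(ipOrHost), p = ipToInt(pattern), m = ipToInt(mask);
  if (a === null || p === null || m === null) return false;
  return ((a & m) >>> 0) === ((p & m) >>> 0);
}
```

Running it with different client addresses shows why the /24 mask in the earlier wpad.dat attempts matched every client on the LAN rather than the one device it was meant to exempt.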

                                  @shawn8888 Something is wrong with your config. You don't need WPAD if you're still running transparent mode. It's one or the other.

    aGeekhere @KOM:

                                    @kom
                                    I think if you go direct with the WPAD the transparent proxy will see traffic going directly through port 80/443 and will redirect the traffic through the proxy again. So by adding the bypass in squid it prevents it from being routed through the transparent proxy.

                                    If you turn off the transparent proxy and just rely on the WPAD some software may have connection issues.

                                    Never Fear, A Geek is Here!

    shawn8888 @KOM:

                                      @kom
                                      If I disable transparent mode, then all my devices lose Internet. So honestly, at this point, I don't know if WPAD or transparent mode is working.
                                      However, twitter image/video now works both on my PC and my iPad, and it didn't work before.

    aGeekhere @shawn8888 (last edited by aGeekhere):

                                        @shawn8888
                                        A way to test if the WPAD is working is to temporarily turn off the transparent proxy and make sure autoconfig is turned on. If your internet browser uses the proxy then it is working.

                                        Never Fear, A Geek is Here!

    shawn8888 @aGeekhere:

                                          @ageekhere

                                          What do you mean "autoconfig"?
                                          I followed the help here:
                                          81501746-f338-4be6-b651-7ec79dc8a54c-image.png

                                          If I turn off transparent mode and change firefox network settings:

                                          24f747f0-429e-4e42-ae0a-fbf316052aff-image.png

                                          Still no Internet. So I guess WPAD never worked...

    KOM @shawn8888:

                                            @shawn8888 What happens when you try to resolve 'wpad' or 'wpad.yourdomain.lol' on your network? Does it come back with the IP address of the server holding the wpad.dat file? IIRC your wpad.dat file has to live on an http server or a trusted https server. Any cert errors will stop the wpad file from being read.
