    Squid/SquidGuard NONE/409 and DNS issue

    • shawn8888

      @kom

      My proxy now works in explicit mode.
      I turned off "Transparent HTTP Proxy" and "HTTPS/SSL Interception".
      I also turned off the LAN rules, which you suggested earlier for WPAD bypass on some devices.


      This allows all LAN devices to go to the Internet directly by default, right? All my LAN devices can access the Internet at this moment.

      1. I tested on my iPad by setting the Wi-Fi to manually use the proxy at IP:3128. It worked. The only thing not working so far is the speedtest.net Go button. It stays at "connecting" forever.


      2. I tested my PC.
        Firefox, with the proxy set in the options:


      I find that only HTTP websites get blocked by SquidGuard, and blocked HTTPS websites can pass through. Is it because HTTPS websites are bypassed due to "HTTPS/SSL Interception" being off?

      I also tried Chrome and set the proxy like this:

      It's funny that in Chrome SquidGuard blocks not only HTTP websites, but HTTPS ones too!
      The speedtest.net Go button is still not working.
      Another thing that doesn't work is the local websites. They give me an Access Denied error:


      So I guess explicit mode works, but I still need WPAD or transparent mode working so I don't have to deal with the clients...

      • KOM @shawn8888

        @shawn8888 Lots to unpack here.

        This allows all LAN devices to go Internet directly by default, right?

        You didn't show your complete LAN rule set so I don't know, but I can assume the last rule is the default Allow All rule. BTW, you can do the block with just one rule by making a port alias called WebPorts that contains 80,443.

        I tested on my iPad to set wifi manually use proxy at IP:3128. It worked. the only thing not working so far is speedtest.net go button.

        No idea about that but it seems to be a common thing with speedtests and proxies.

        I tested my PC. firefox, set proxy in option

        I notice you didn't set the HTTPS proxy or check the checkbox to use the same proxy for FTP and HTTPS. You need to do one or the other.

        I find that only http websites get blocked by squidguard.

        Get squid working first before you worry about that. Disable squidguard until you have squid working.

        Is it because https websites are bypassed due to "HTTPS/SSL Interception" being off?

        That might be because you didn't set the HTTPS proxy.

        Another thing that doesn't work is the local websites.

        Either use the site's LAN IP address, or use split DNS to resolve your domain to its LAN IP instead of its public IP.

        • shawn8888 @KOM

          @kom

          You are right! After I "check the checkbox to use the same proxy for ftp and https" Firefox works the same as Chrome for https websites.

          If squid doesn't work for certain websites like speedtest.net, how do I set them as exceptions?

          The local website is an oddball:
          The ping shows the DNS name is resolved to a local IP, 192.168.100.155.
          But no matter whether I use the DNS name or the IP, it all shows as Access Denied by squid. And it only fails for this tt-rss site; other local websites with the same domain but different ports are OK:
          Working ones:
          http://syn1.mydomain.com:5000/
          http://syn1.mydomain.com:8080/
          http://syn1.mydomain.com:5076/

          NOT Working:
          http://syn1.mydomain.com:181/tt-rss/
          http://192.168.100.155:181/tt-rss/

          Logs:

          • KOM @shawn8888

            @shawn8888 Squid only works with ports that are part of its safe_ports list. You can't just go to any port. In pfSense, you can find this under Services - Squid proxy - ACLs - Squid Allowed Ports.

            • shawn8888 @KOM

              @kom
              I added port 181 below and tt-rss finally works! Thanks again!
              Squid Allowed Ports -> ACL SafePorts

              • KOM @shawn8888

                @shawn8888 Now you can start trying to get WPAD working, then SquidGuard.

                • shawn8888 @KOM

                  @kom
                  I will give it a couple of days to see if most of the problems can be solved in explicit mode before testing WPAD again.
                  Thanks!

                  • KOM @shawn8888

                    @shawn8888 WPAD solves the problem of having to manually configure proxy settings on every device, so it's kind of important to get it working. You can also push a proxy via DHCP option 252. I would do both, and don't forget to add your block rule on LAN to prevent people from going around the proxy.

                    • shawn8888

                      After a week of testing, I can confirm that the NONE/409 issue is gone with explicit mode. It seems that the issue only happens with transparent mode.

                      WPAD is still hit and miss. I will test it more later. Right now I set up all the devices that need to go through squid manually.

                      • aGeekhere @shawn8888

                        @shawn8888 You can always try the WPAD Unofficial package https://github.com/marcelloc/Unofficial-pfSense-packages/tree/master/pkg-wpad

                        Never Fear, A Geek is Here!

                        • shawn8888 @aGeekhere

                          @ageekhere

                          It doesn't install. :(


                          • KOM @shawn8888

                            @shawn8888 I don't see any error. Did you look for the menu?

                            • shawn8888 @KOM

                              @kom
                              The install command, the last one, finishes in less than a second.
                              I cannot find wpad in "Installed Packages" or any change in the menu.

                              • aGeekhere @shawn8888

                                @shawn8888 First follow this step: https://github.com/marcelloc/Unofficial-pfSense-packages

                                You have to enable Unofficial pfSense packages first.

                                • shawn8888 @aGeekhere

                                  @ageekhere

                                  I ran the command over SSH. No change. Then I rebooted pfSense. Still the same. I don't know what I did wrong.

                                  fetch -q -o /usr/local/etc/pkg/repos/Unofficial.conf https://raw.githubusercontent.com/marcelloc/Unofficial-pfSense-packages/master/Unofficial_25.conf
                                  
                                  • aGeekhere @shawn8888

                                    @shawn8888 https://forum.netgate.com/topic/116163/unofficial-wpad-package-for-pfsense-software?_=1620716861139

                                    • SipriusPT

                                      Well, it seems like I am not the only one in the neighborhood having the same issue, at least with dynamic websites, under a transparent proxy with MITM Splice All. The documentation should mention the consequences of having this setup with dynamic HTTPS websites. The idea it conveys is that it should work without any issue if configured as mentioned, but that's not true at all.

                                      1xSG-4860-1U
                                      1xSG-3100
                                      2xpfSense Virtual Machines

                                      • michmoor (LAYER 8 Rebel Alliance)

                                        Curious as to whether there was ever a fix or a solution to this. I do have a bunch of NONE/409 errors for various websites with Transparent Proxy configured. The solution is either to turn off the proxy and lose reporting, or to enable true MITM mode for certain VLANs where I can install the certificate, thereby losing the effectiveness of the reporting.

                                        Firewall: NetGate,Palo Alto-VM,Juniper SRX
                                        Routing: Juniper, Arista, Cisco
                                        Switching: Juniper, Arista, Cisco
                                        Wireless: Unifi, Aruba IAP
                                        JNCIP,CCNP Enterprise

                                        • SipriusPT @michmoor

                                          @michmoor I ended up with a non-transparent proxy, using an auto-config proxy deployed through pfSense DHCP option 252, with that auto proxy config hosted on a Microsoft IIS, listing a bunch of my pfSense IP gateways where squid is placed/responding.

                                          On macOS I had to enable the auto-config proxy. Since then I haven't had any more issues. Squid cannot handle HTTPS well under transparent proxies.

                                          Thinking of using a transparent proxy on pfSense through squid still gives me nightmares when I think about it....

                                          • JonathanLee @shawn8888
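KOM's advice above (hand out the proxy via WPAD or DHCP option 252) and SipriusPT's setup both come down to a PAC file that the clients fetch, and shawn8888 asked earlier how to exempt sites like speedtest.net and the local tt-rss server. The PAC file below is an added example, not anything from the thread or from pfSense; the proxy address 192.168.100.1:3128 and the bypass list are assumptions, and it uses plain string matching instead of the PAC helper functions so it also runs under Node for testing.

```javascript
// Example PAC file (added illustration, not from the thread).
// Assumed: Squid on the pfSense LAN address 192.168.100.1, port 3128 as in the
// thread; mydomain.com is the internal domain the thread uses.
var PROXY = "PROXY 192.168.100.1:3128";
var DIRECT = "DIRECT";

// Sites sent around Squid: speedtest.net (reported broken behind the proxy)
// and the internal domain, whose hosts use non-standard ports such as 181.
var BYPASS = ["speedtest.net", "mydomain.com"];

// True if host equals domain or is a subdomain of it (case-insensitive).
function hostMatches(host, domain) {
  host = host.toLowerCase();
  return host === domain || host.slice(-(domain.length + 1)) === "." + domain;
}

// RFC 1918 and loopback IPv4 literals, so http://192.168.100.155:181/ also
// goes direct instead of hitting Squid's Safe_ports check.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = +m[1], b = +m[2];
  return a === 10 || a === 127 || (a === 192 && b === 168) ||
         (a === 172 && b >= 16 && b <= 31);
}

function FindProxyForURL(url, host) {
  // Plain hostnames (no dot) and private addresses are local: go direct.
  if (host.indexOf(".") === -1 || isPrivateIPv4(host)) return DIRECT;
  for (var i = 0; i < BYPASS.length; i++) {
    if (hostMatches(host, BYPASS[i])) return DIRECT;
  }
  // No "; DIRECT" fallback: with one, a client that cannot reach Squid would
  // silently go around the filter. The LAN block rule on 80/443 backs this up.
  return PROXY;
}
```

Clients that honour WPAD or option 252 will fetch this file; anything not in the bypass list is forced through Squid, so the LAN rule blocking direct 80/443 is still what enforces the policy.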

                                            @shawn8888 Have you tried to create a NAT rule to force all users to use the firewall for DNS?

                                            Like this ??

                                            [screenshot: rulechange.png]

                                            [screenshot: nslookup.png]

                                            After that it doesn't matter what DNS the devices try to use; the firewall chooses it. Just change it to whatever your DNS server is and forget about it.

                                            Make sure to upvote

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.