    Squid/SquidGuard NONE/409 and DNS issue

    Cache/Proxy
    69 Posts 9 Posters 19.4k Views
      KOM @shawn8888

      @shawn8888 Squid only works with ports that are part of its safe_ports list. You can't just go to any port. In pfSense, you can find this under Services - Squid proxy - ACLs - Squid Allowed Ports.

        shawn8888 @KOM

        @kom
        I added port 181 below and tt-rss finally works! Thanks again!
        Squid Allowed Ports -> ACL SafePorts

          KOM @shawn8888

          @shawn8888 Now you can start trying to get wpad working, then squidguard.

            shawn8888 @KOM

            @kom
            I will give it a couple of days to see if most of the problems can be solved in explicit mode before testing wpad again.
            Thanks!

              KOM @shawn8888

              @shawn8888 WPAD solves the problem of having to manually configure proxy setting on every device so it's kind of important to get it working. You can also push a proxy via DHCP option 252. I would do both, and don't forget to add your block rule on LAN to prevent people from going around the proxy.

                shawn8888

                After a week testing, I can confirm that NONE/409 issue is gone with the explicit mode. It seems that the issue only happens with the transparent mode.

                WPAD is still a hit and miss. I will test it more later. Right now I set all the devices need to go through squid manually.

                  aGeekhere @shawn8888

                  @shawn8888 @shawn8888 You can always try the Wpad Unofficial package https://github.com/marcelloc/Unofficial-pfSense-packages/tree/master/pkg-wpad

                  Never Fear, A Geek is Here!

                    shawn8888 @aGeekhere

                    @ageekhere

                    It doesn't install. :(


                      KOM @shawn8888

                      @shawn8888 I don't see any error. Did you look for the menu?

                        shawn8888 @KOM

                        @kom
                        The install command, the last one, finishes in less than a second.
                        I cannot find wpad in "Installed Packages" or any change on the menu.

                          aGeekhere @shawn8888

                          @shawn8888 first follow this step https://github.com/marcelloc/Unofficial-pfSense-packages

                          You have to first enable Unofficial pfSense packages

                          Never Fear, A Geek is Here!

                            shawn8888 @aGeekhere

                            @ageekhere

                            I ran the command in ssh. No change. Then I rebooted pfSense. Still the same. I don't know what I did wrong.

                            fetch -q -o /usr/local/etc/pkg/repos/Unofficial.conf https://raw.githubusercontent.com/marcelloc/Unofficial-pfSense-packages/master/Unofficial_25.conf
                            
                              aGeekhere @shawn8888

                              @shawn8888 https://forum.netgate.com/topic/116163/unofficial-wpad-package-for-pfsense-software?_=1620716861139

                              Never Fear, A Geek is Here!

                                SipriusPT

                                Well, it seems like I am not the only one in the neighborhood having the same issue, at least with dynamic websites, under a transparent proxy with MITM Splice All. In the documentation they should mention the consequences of having this setup with dynamic HTTPS websites. The idea that gets passed along is that it should work without any issue if configured as mentioned, but it's not true at all.

                                1xSG-4860-1U
                                1xSG-3100
                                2xpfSense Virtual Machines

                                  michmoor

                                  Curious as to whether there was ever a fix or a solution to this. I do have a bunch of NONE/409 errors for various websites with Transparent Proxy configured. The solution is either to turn off the proxy and lose reporting, or to enable true MITM mode, but only for certain VLANs where I can install the certificate, thereby losing the effectiveness of the reporting.

                                  Firewall: NetGate,Palo Alto-VM,Juniper SRX
                                  Routing: Juniper, Arista, Cisco
                                  Switching: Juniper, Arista, Cisco
                                  Wireless: Unifi, Aruba IAP
                                  JNCIP,CCNP Enterprise

                                    SipriusPT @michmoor

                                    @michmoor I ended up with a non-transparent proxy, using an auto-config proxy deployed through pfSense DHCP option 252, with that auto proxy config hosted on one Microsoft IIS server, listing a bunch of my pfSense IP gateways where Squid is placed/responding.

                                    On macOS I had to enable the auto config proxy. Since then I haven't had any more issues. Squid cannot handle HTTPS well under transparent proxies.

                                    Thinking of using a transparent proxy on pfSense through Squid still gives me nightmares when I think about it....

                                    1xSG-4860-1U
                                    1xSG-3100
                                    2xpfSense Virtual Machines

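An added example of the kind of PAC script SipriusPT describes (not code from the thread or from pfSense): served over HTTP and handed out through DHCP option 252, it lists several Squid gateways for failover and keeps local traffic direct. The proxy addresses, port and internal domain suffix are assumed placeholders.

```javascript
// Added example PAC script, not from the thread. Proxy addresses, port and the
// local domain suffix are assumed placeholders; replace them with the pfSense
// gateways on which Squid listens. Serve it as http://<pfsense-ip>/wpad.dat with
// Content-Type application/x-ns-proxy-autoconfig and hand that URL out via
// DHCP option 252, as the post above describes.

// Squid instances to try in order; the browser fails over when one is down.
var SQUID_GATEWAYS = ["PROXY 192.0.2.1:3128", "PROXY 192.0.2.2:3128"];
var LOCAL_DOMAIN = ".example.lan"; // placeholder internal zone

// True for IP literals inside RFC 1918 space (pure JS, no browser PAC helpers
// needed, so the script also runs under Node for testing).
function isPrivateIp(host) {
  return /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)\d+/.test(host);
}

// PAC entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label names, the local zone and private IPs never go through Squid.
  if (host.indexOf(".") === -1 ||
      host.slice(-LOCAL_DOMAIN.length) === LOCAL_DOMAIN ||
      isPrivateIp(host)) {
    return "DIRECT";
  }
  // No trailing "DIRECT" on purpose: a DIRECT fallback would let clients
  // bypass the proxy whenever it is unreachable, which is exactly what the
  // LAN block rule mentioned earlier in the thread exists to prevent.
  return SQUID_GATEWAYS.join("; ");
}
```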
                                      JonathanLee @shawn8888

                                      @shawn8888 have you tried to create a NAT rule to force all users to use the firewall for DNS?

                                      Like this ??

                                      [screenshot: rule change]

                                      [screenshot: nslookup]

                                      After that it doesn't matter what the devices try to use; the firewall chooses the DNS. Just change it to what your DNS server is and forget about it.

                                      Make sure to upvote

                                        JonathanLee @JonathanLee

                                        @jonathanlee make an alias with the DNS ports

                                        Make sure to upvote

                                          JonathanLee @JonathanLee

                                          @jonathanlee also set WPAD up on the firewall

                                          Make sure to upvote

                                            proggggger

                                            Maybe a bit of a late answer, but I also ran into this problem. And a little exploring gave me a good solution.

                                            (We are talking about Transparent Proxy + Splice All SSL mode)

                                            So, first of all, the reason for this problem is different addresses being returned by the DNS server.

                                            So, first of all, the proxy should use the same DNS server as the clients, so the best way to do it is to use our firewall as the DNS server (DNS Resolver turned on). So by DHCP we are setting the primary DNS address to our firewall; it will also be good to redirect all DNS requests to the firewall address and block DoH (here is an article about DNS redirection: "Redirecting Client DNS Requests").

                                            And after this step a lot of people say that it does not help, but why? The answer is simple: DNS round robin. We are getting a random IP address for some websites even if we are using the cache. You can simply check it: if nslookup (for example for google.com, or twitch.tv, or some other site which is not working) gives a different address every time, you will get the 409 error.

                                            So how to fix this part? We need to go to DNS Resolver settings, open custom options and add rrset-roundrobin: no, which disables randomization of DNS entries. (It should be disabled by default, but on pfSense it looks like it's enabled.)

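An added example (not code from the thread or from Squid) that reproduces the two checks in the post above offline: the "run nslookup several times" test for a rotating first address, and the decision an intercepting Squid makes before it logs NONE/409. All addresses are constructed documentation-range values and the resolver functions stand in for real DNS lookups.

```javascript
// Added example, not code from the thread. Constructed DNS answers stand in
// for real lookups so the checks described in the post can run offline.

// A resolver that rotates its answer list on every query, the behaviour
// Unbound's rrset-roundrobin setting produces for names with several addresses.
function makeRotatingResolver(answers) {
  let calls = 0;
  return function resolve() {
    const k = calls++ % answers.length;
    return answers.slice(k).concat(answers.slice(0, k));
  };
}

// A resolver that always returns the same list in the same order
// (what the thread wants after rrset-roundrobin: no).
function makeStableResolver(answers) {
  return function resolve() { return answers.slice(); };
}

// The "nslookup a few times" test from the post: does the first address,
// the one a client will actually connect to, change between queries?
function firstAddressRotates(resolve, tries = 5) {
  const seen = new Set();
  for (let i = 0; i < tries; i++) seen.add(resolve()[0]);
  return seen.size > 1;
}

// What an intercepting (transparent) Squid does before forwarding: it resolves
// the Host/SNI name itself and refuses the request as host header forgery,
// logged as NONE/409, when the address the client connected to is not among
// the addresses the proxy obtained for that name.
function squidVerdict(clientDstIp, proxyAnswers) {
  return proxyAnswers.includes(clientDstIp) ? "TCP_MISS/200" : "NONE/409";
}

// Worked scenario with constructed addresses: client and proxy use different
// DNS servers, so the client's chosen address is unknown to the proxy. This is
// the mismatch the post fixes by pointing both at the firewall's resolver.
function mismatchedDnsScenario() {
  const clientDns = makeStableResolver(["203.0.113.10", "203.0.113.11"]);
  const proxyDns = makeStableResolver(["203.0.113.20", "203.0.113.21"]);
  const clientDst = clientDns()[0];
  return squidVerdict(clientDst, proxyDns()); // "NONE/409"
}
```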
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.