How do you handle "proxy.pac" DIRECT in pfsense firewall rules? DNS? Subdomains?

  • Hi,

    I am asking myself how to get als the exceptions working fine in my environment. When I configure something in my proxy.pac file like this:

    * –> DIRECT

    Then my browser will go DIRECT for:


    So my browser will go DIRECT for the domain itself and all subdomains because I configured this with a wildcard (*).

    But this will lead me to the problem that I have to add a firewall rule which allows these destination domains.
    In general it is easy if there is one domain and a subdomain but if there are so many subdomains - I don't know many of them - then I cannot add them all to a pfsense Alias.
    Further the Alias only does a DNS lookup every X seconds an then DNS returs a bunch of IPs. The next time the IPs change. So it could be that my browser gets back other IPs via DNS than the Alias or the Alias is outdated. So at least the connection will not work or not work every time.

    So I have two questions:

    1.) how do you make sure that your "DIRECT" domains will be reached through your firewall?
    2.) Is there a possibility to configure the "DIRECT domains" somewhere in squid so that it is not important what is in the proxy.pac but I cann everything configure in squid itself? And the, of course, squid must not intercept the connection but simply just do a NAT on the source IP and forwarding the traffic to the real server. So the TCP and http and HTTPS Session will be established with the endpoint server and not intercepted by squid. I found some squid config parameters like "allow_direct" but this is only for squid to not forward a request to another proxy server.
    3.) What is your Alias Update interval?


  • Any ideas?

    Are these difficult or stupid questions? If they are stupid then please let me know, too. ;-)

  • not really sure what your trying to say?

    So if i understood correctly You want lets say your webpage which is hosted inside the same LAN as pfsense or sites which wont get filtered.

    Remember you need to edit proxy.pac wpad.dat and wpad.da for all of them to work.

    function FindProxyForURL(url, host) 
        if (isPlainHostName(host) ||
            shExpMatch(host, "*.local") ||
            isInNet(dnsResolve(host), "",  ""))
            return "DIRECT";
            if (isInNet(dnsResolve(host), "",  "" ))
            { return "DIRECT"; }
            if (isInNet(dnsResolve(host), "",  "" ))
            { return "DIRECT"; }
            if (isInNet(dnsResolve(host), "",  "" ))
            { return "DIRECT"; }
            if (isInNet(dnsResolve(host), "",  "" ))
            { return "DIRECT"; }
            if (isInNet(dnsResolve(host), "",  "" ))
            { return "DIRECT"; }
    	if (dnsDomainIs(host, "") || dnsDomainIs(host, ""))
            return "DIRECT";;
         return "PROXY";

    As you can see the site would not work whatso ever I had to add it to all the files above and ALSO add it on alias tab make a rule ABOVE the block the whole LAN for it to work. besides that all the other sites works fine

Log in to reply