Transparent proxy+limiting not working.



  • With limiting on a manually set proxy it works smoothly. But when I make it transparent with limiting it won't work. If I remove the limiter it works.

    Using pf 2.3.2. Does anyone else experience this?



  • I have no idea if this works but I've posted it before:

    http://guglio.xyz/pfsense-2-3-limiters-and-squid-bugfix/

    Please try it and let us know.



  • Thanks mate. Will try it out



  • Still not working in transparent mode. Setting the proxy manually it works. Strange, this works on previous releases 2.0.x. Thanks for your reply anyway. Found a better solution that will limit any traffic except squid cache objects: using the captive portal limiter.



  • I don't ever run a transparent proxy (less hassles with explicit) so I couldn't really try this myself.  Sorry for wasting your time.  It would have been nice if it had worked.



  • Maybe it's the squid configuration. When there's time to kill I will try squid 3.5.3, which worked before; it could be on the squid side. Yes, explicit mode is a lot better; it gives better HITS than transparent on squid 3.5.19 from the pfSense repo.



  • explicit mode is a lot better; it gives better HITS than transparent

    Strange.  The access method should have no bearing on the cache performance.  They're not related at all.  All web traffic goes through squid regardless, it's just whether or not the client knows he's being proxied.



  • @KOM:

    Strange.  The access method should have no bearing on the cache performance.  They're not related at all.  All web traffic goes through squid regardless, it's just whether or not the client knows he's being proxied.

    Made a few adjustments in the squid config; explicit and transparent modes now return almost the same hits (tested a YouTube video). Using the captive portal limiter in explicit mode has no effect, while in transparent mode it works, setting 1 mbps and 3 mbps limits.

    –Edit
    Experimenting further, I made a limiter in floating rules to the default gateway (LAN limiting will break, no internet access as tested last night), with some very interesting outcomes. In explicit mode it will now limit uncached objects, while in transparent mode both cached and uncached are limited. The firewall limiter will take effect and the captive portal limiter will be discarded. In transparent mode the captive portal limiter will take control (correct me on this if I am wrong).

    NOTE: As we know, allowing captive portal users to explicitly use the proxy will let them bypass the portal authentication. Here's a workaround to avoid this.
    Change the default proxy port from 3128 to something else not used in pfSense. Disable the Via and X-Forwarded-For headers to hide the proxy details; though some hardcore users could still get the proxy port by packet sniffing, it is still better than nothing. Then add something like this to PFTW: "rdr on em2 inet proto tcp from any to 8.8.8.8 port = http -> 10.10.20.1 port 8123", where em2 is the captive portal NIC and 8.8.8.8:80 is the dummy proxy that will be redirected to our incognito proxy 10.10.20.1:8123. Now if captive portal users want to explicitly use the proxy, give them 8.8.8.8:80 instead of the real proxy, or use that in WPAD, to avoid users bypassing portal authentication.
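As an added example (not from the thread or from pfSense), here is a WPAD/PAC file implementing the hand-out step of the workaround above: clients are told to use the dummy address 8.8.8.8:80, which the rdr rule on the portal interface forwards to the real Squid listener on 10.10.20.1:8123, while the portal gateway itself and the local subnet stay DIRECT so the login page remains reachable before authentication. The portal subnet 10.10.20.0/24 is an assumption; browsers supply isInNet() and isPlainHostName() natively, and the small versions defined here exist only so the file can be exercised with node.

```javascript
// Added example PAC file for the "dummy proxy" workaround above.
// Constants from the thread: portal interface 10.10.20.1, dummy proxy 8.8.8.8:80.
// Assumed: the captive-portal subnet is 10.10.20.0/24.
var PORTAL_GW   = "10.10.20.1";
var PORTAL_NET  = "10.10.20.0";        // assumption, not stated in the thread
var PORTAL_MASK = "255.255.255.0";     // assumption, not stated in the thread
var DUMMY_PROXY = "PROXY 8.8.8.8:80";  // the rdr target, not the real listener

// Minimal stand-ins for the PAC built-ins so the file runs under node.
// A browser provides its own implementations (its isInNet also resolves names);
// these only recognise dotted-quad literals and treat other names as remote.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function ipToInt(ip) {
  return ip.split(".").reduce(function (acc, octet) {
    return (acc << 8) + parseInt(octet, 10);
  }, 0) >>> 0;
}

function isInNet(ip, net, mask) {
  if (!/^\d+\.\d+\.\d+\.\d+$/.test(ip)) return false;
  return (ipToInt(ip) & ipToInt(mask)) === (ipToInt(net) & ipToInt(mask));
}

function FindProxyForURL(url, host) {
  // The portal login page and anything on the local subnet must stay DIRECT,
  // otherwise an unauthenticated client could never reach the portal to log in.
  if (isPlainHostName(host) ||
      host === PORTAL_GW ||
      isInNet(host, PORTAL_NET, PORTAL_MASK)) {
    return "DIRECT";
  }
  // Everything else goes to the dummy address; pf rewrites 8.8.8.8:80 to
  // 10.10.20.1:8123. No "; DIRECT" fallback is appended on purpose: with a
  // fallback, a client would go around Squid whenever the proxy looks down.
  return DUMMY_PROXY;
}
```

Serve this as wpad.dat from the portal interface (the WPAD fetch itself happens before the PAC applies, so it is unaffected by the rule). Note that the rdr rule only rewrites traffic arriving on em2; a client that learns the real port and connects to it directly is exactly the sniffing case the post already mentions, so the obscured address does not replace the portal rules that restrict access to the real listener.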



  • @KOM:

    I don't ever run a transparent proxy (less hassles with explicit) so I couldn't really try this myself.  Sorry for wasting your time.  It would have been nice if it had worked.

    Well… using WPAD there's no need to run transparent mode, but I have sometimes had issues with some government websites that need transparent mode for some odd reason.

    Also, limiters break NAT reflection; keep that in mind.