Squid proxy blocks all traffic



  • 1-2 minutes after choosing "Check to enable the Squid proxy", all traffic is blocked (all websites and connections go down).

    I run pfsense in transparent mode. I have followed the guide to create categories and so on, so I don't know what causes this.

    Since it blocks all customers' traffic, I can't really live debug and have to find the cause of this.
    My only purpose to use Squid is to log all URLs accessed.

    What logs would be best to debug this?



  • I have seen cases where a new squid install doesn't work until you reboot, but that was back in the 2.2 days.  Are the clients on the same subnet as squid?  Are you also using squidguard?  Squid has a realtime tab that shows access.log.  You can also check /var/squid/log or /var/logs/squid (I can't remember which) from console and see access.log and cache.log in their native form as the GUI seems to have an issue when showing cache.log.



  • I only have one big subnet, so Squid should be running on the same one.

    In the log file, I see this (the live view didn't work, it says object moved or something like that):

    1478367507.769      1 127.0.0.1 TCP_MISS/301 604 GET cache_object://localhost/active_requests - HIER_DIRECT/127.0.0.1 text/html
    1478367510.769      1 127.0.0.1 TCP_MISS/301 604 GET cache_object://localhost/active_requests - HIER_DIRECT/127.0.0.1 text/html
    1478367768.225      2 127.0.0.1 TCP_MISS/301 604 GET cache_object://localhost/active_requests - HIER_DIRECT/127.0.0.1 text/html
    1478367771.676      1 127.0.0.1 TCP_MISS/301 604 GET cache_object://localhost/active_requests - HIER_DIRECT/127.0.0.1 text/html
    1478368208.710      2 127.0.0.1 TCP_MISS/301 604 GET cache_object://localhost/active_requests - HIER_DIRECT/127.0.0.1 text/html
    1478368212.127      1 127.0.0.1 TCP_MISS/301 604 GET cache_object://localhost/active_requests - HIER_DIRECT/127.0.0.1 text/html
    1478368212.244      1 127.0.0.1 TCP_MISS/301 604 GET cache_object://localhost/active_requests - HIER_DIRECT/127.0.0.1 text/html

    Cache log is like this:
    2016-11-05 18:51:37 [36443] New setting: dbhome: /var/db/squidGuard
    2016-11-05 18:51:37 [36443] destblock Gen missing active content, set inactive
    2016-11-05 18:51:37 [37033] (squidGuard): can't write to logfile /var/log/squidGuard/squidGuard.log
    2016-11-05 18:51:37 [37033] New setting: logdir: /var/squidGuard/log
    2016-11-05 18:51:37 [36657] (squidGuard): can't write to logfile /var/log/squidGuard/squidGuard.log
    2016-11-05 18:51:37 [37033] New setting: dbhome: /var/db/squidGuard
    2016-11-05 18:51:37 [37033] destblock Gen missing active content, set inactive
    2016-11-05 18:51:37 [37271] (squidGuard): can't write to logfile /var/log/squidGuard/squidGuard.log
    2016-11-05 18:51:37 [36657] New setting: logdir: /var/squidGuard/log
    2016-11-05 18:51:37 [36657] New setting: dbhome: /var/db/squidGuard
    2016-11-05 18:51:37 [36657] destblock Gen missing active content, set inactive
    2016-11-05 18:51:37 [37271] New setting: logdir: /var/squidGuard/log
    2016-11-05 18:51:37 [37271] New setting: dbhome: /var/db/squidGuard
    2016-11-05 18:51:37 [37271] destblock Gen missing active content, set inactive
    2016-11-05 18:51:37 [36892] (squidGuard): can't write to logfile /var/log/squidGuard/squidGuard.log
    2016-11-05 18:51:37 [36892] New setting: logdir: /var/squidGuard/log
    2016-11-05 18:51:37 [36892] New setting: dbhome: /var/db/squidGuard
    2016-11-05 18:51:37 [36892] destblock Gen missing active content, set inactive
    2016-11-05 18:51:37 [37491] (squidGuard): can't write to logfile /var/log/squidGuard/squidGuard.log
    2016-11-05 18:51:37 [37491] New setting: logdir: /var/squidGuard/log
    2016-11-05 18:51:37 [37491] New setting: dbhome: /var/db/squidGuard
    2016-11-05 18:51:37 [37491] destblock Gen missing active content, set inactive
    2016/11/05 18:51:37| pinger: Initialising ICMP pinger …
    2016/11/05 18:51:49 kid1| Shutdown: NTLM authentication.
    2016/11/05 18:51:49 kid1| Shutdown: Negotiate authentication.
    2016/11/05 18:51:49 kid1| Shutdown: Digest authentication.
    2016/11/05 18:51:49 kid1| Shutdown: Basic authentication.
    CPU Usage: 1.016 seconds = 0.422 user + 0.594 sys
    Maximum Resident Size: 346704 KB
    Page faults with physical i/o: 0



  • Do you have squidguard installed or just squid by itself?



  • Squidguard is installed, I probably selected that because it mentioned url-filter (and it is urls I want to log).



  • Squidguard's default ACL is set to Deny, I believe.  You must change that, or create a new ACL for your users and then



  • Is it the "Allowed Subnets" in "Package > Proxy Server: Access Control > ACLs" where I should enter the subnet? It is the same subnet as the entire fw is running on (transparent proxy). By that, I mean that both WAN and LAN side of pfSense are on the same network using static IPs all the way - no local IPs or other subnets are involved. Really simple setup, no NAT or anything else. Mostly webservers.

    The help text under "Allowed Subnets" says this:
    "The proxy interface subnet is already an allowed subnet."

    Edit: But I do see that one of the local LAN ports has been assigned "10.10.10.1" by the system. I have chosen the proxy to listen on both WAN and LAN ports, so maybe this explains why I have to add my subnet? I'm not actually using that 10.10.10.1 subnet for anything, but I assume the proxy server uses it for something..



  • Is it the "Allowed Subnets" in "Package > Proxy Server: Access Control > ACLs" where I should enter the subnet?

    You only need to modify Allowed Subnets if you're adding extra networks.  You already said you're all on the same network.

    By that, I mean that both WAN and LAN side of pfSense is on the same network using static-ips all the way

    What?  LAN and WAN can't be on the same network.

    I have chosen the proxy to listen on both WAN and LAN ports

    Why would you do that??  LAN only.

    You didn't address my comments about squidguard.  Have you changed the Common ACL - Target Rules List so that Default access [all] is set to Allow?



  • Under Common ACL, I already had this set:

    [Gen] access
    Default access [all] access

    (Gen is a category I created earlier)

    So it doesn't seem to be the problem.

    "What?  LAN and WAN can't be on the same network."

    Both WAN and LAN devices have the same (public static IPs) network-mask/ip-range. That was what I was thinking about. But I assume that you mean that the interfaces 10.X (on LAN1) is another network.



  • I removed the proxy from the WAN interface and now it doesn't crash, at least.

    Squid Realtime Stats (SQStat):
    No active connections

    Realtime log shows this:
    Date IP Status Address User Destination
    07.11.2016 20:59:55 127.0.0.1 TCP_MISS/200 cache_object://localhost/active_requests - -
    07.11.2016 20:59:52 127.0.0.1 TCP_MISS/200 cache_object://localhost/active_requests - -
    07.11.2016 20:59:49 127.0.0.1 TCP_MISS/200 cache_object://localhost/active_requests - -
    07.11.2016 20:59:46 127.0.0.1 TCP_MISS/200 cache_object://localhost/active_requests - -
    07.11.2016 20:59:43 127.0.0.1 TCP_MISS/200 cache_object://localhost/active_requests - -
    07.11.2016 20:59:40 127.0.0.1 TCP_MISS/200 cache_object://localhost/active_requests - -
    07.11.2016 20:59:37 127.0.0.1 TCP_MISS/200 cache_object://localhost/active_requests - -

    But no URLs or anything else are logged..



  • Both WAN and LAN devices have the same (public static IPs) network-mask/ip-range.

    That is a broken configuration.  WAN and LAN must be on different networks.  Usually WAN is public IP space and LAN is private IP space.  You must fix this first before you spend another second troubleshooting squid.



  • We use the firewall to protect webservers/mailservers and other public servers in our data center. Having local IPs for WHM, DirectAdmin etc. and doing NAT would not be that easily possible with many different clients (in addition, it would slow down traffic doing NAT in all directions). That is why we run the fw in transparent mode: it just lets traffic through.

    I know this is not normal in an office setting, where you have mostly local computers and just a few machines allowed in/out of the network. But here we have mostly servers that are meant to be accessed from the Internet. If you for instance rent a server at Amazon, you don't get a local IP.

    I have not seen any other issues with this configuration? Ports are blocked and traffic is blocked if we don't open ports/IPs.



  • When you said you run transparent, I thought you were talking about squid.  It's not every day that I see someone using pfSense bridged like that.

    Perhaps you should start from the beginning.  Uninstall all of those packages.  Confirm that LAN clients have web access.  Then install squid by itself and configure.  Once that works, add squidguard.



  • I have removed everything, I have not installed squidguard. Do I need it to log URLs?

    I have installed squid and lightSquid. When I visit sqstat, I get this:

    Error (60): Operation timed out

    When I view the Squid access log from ssh, it logs things like this:
    1478551639.697      0 127.0.0.1 TCP_MISS/200 769 GET cache_object://localhost/active_requests - HIER_NONE/- text/plain
    1478551641.279      0 127.0.0.1 TCP_MISS/200 769 GET cache_object://localhost/active_requests - HIER_NONE/- text/plain
    1478551645.241      0 127.0.0.1 TCP_MISS/200 769 GET cache_object://localhost/active_requests - HIER_NONE/- text/plain
    1478551648.247      0 127.0.0.1 TCP_MISS/200 769 GET cache_object://localhost/active_requests - HIER_NONE/- text/plain
    clog: ERROR: could not write output (Bad address)
    [2.3.2-RELEASE][admin@localdomain]/root:

    I have not configured anything besides the basics.
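The access.log excerpts in this thread share one pattern: every line is 127.0.0.1 fetching cache_object://localhost/active_requests, which is the pfSense GUI polling Squid's cache manager, and not a single client request. The following is an added example (not code from the thread, pfSense or Squid) that parses Squid's native access.log format and sorts entries into cache-manager polling, real client requests and denied requests, so the "is anything reaching the proxy at all?" question can be answered from the log alone. All log lines in the block are constructed samples modelled on the thread's excerpts; the client IPs and URLs in the second sample are invented.

```python
"""Triage helper for Squid's native access.log (added example, not pfSense/Squid code).

Native format, one request per line, whitespace separated:
  time elapsed remotehost code/status bytes method URL rfc931 peerstatus/peerhost type
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample: only the GUI's cache-manager polling is visible, as in the thread.
SAMPLE_ONLY_MANAGER = """\
1478551639.697      0 127.0.0.1 TCP_MISS/200 769 GET cache_object://localhost/active_requests - HIER_NONE/- text/plain
1478551641.279      0 127.0.0.1 TCP_MISS/200 769 GET cache_object://localhost/active_requests - HIER_NONE/- text/plain
"""

# Constructed sample of a working proxy: client IPs and URLs below are invented (documentation ranges).
SAMPLE_WITH_CLIENTS = SAMPLE_ONLY_MANAGER + """\
1478551650.101    212 192.0.2.10 TCP_MISS/200 5120 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1478551651.303     15 192.0.2.11 TCP_DENIED/403 3800 GET http://example.net/ - HIER_NONE/- text/html
1478551652.500    180 192.0.2.10 TCP_MISS/200 930 GET http://example.com/favicon.ico - HIER_DIRECT/93.184.216.34 image/x-icon
"""

# Verdict codes returned by triage()
NO_CLIENT_TRAFFIC = "NO_CLIENT_TRAFFIC"   # only cache-manager polling: nothing is being redirected to Squid
MOSTLY_DENIED = "MOSTLY_DENIED"           # clients reach Squid but ACLs/filters reject them
OK = "OK"
EMPTY = "EMPTY"


@dataclass
class AccessEntry:
    ts: datetime
    elapsed_ms: int
    client: str
    result: str      # Squid result code, e.g. TCP_MISS or TCP_DENIED
    status: int      # HTTP status sent to the client
    size: int
    method: str
    url: str
    hierarchy: str   # e.g. HIER_DIRECT/93.184.216.34
    ctype: str

    @property
    def is_manager_poll(self) -> bool:
        """The pfSense GUI polls the cache manager over loopback; that is not client traffic."""
        return self.client == "127.0.0.1" and self.url.startswith("cache_object://")

    @property
    def is_denied(self) -> bool:
        return self.result.startswith("TCP_DENIED") or self.status == 403


def parse_line(line: str):
    """Parse one native-format line; return None for blank, truncated or non-log lines."""
    parts = line.split()
    if len(parts) < 10:
        return None
    try:
        ts = datetime.fromtimestamp(float(parts[0]), tz=timezone.utc)
        result, _, status = parts[3].partition("/")
        return AccessEntry(ts, int(parts[1]), parts[2], result, int(status), int(parts[4]),
                           parts[5], parts[6], parts[8], parts[9])
    except ValueError:
        return None   # e.g. a stray "clog: ERROR ..." line mixed into the output


def triage(log_text: str) -> dict:
    """Count manager polls, client requests and denials, and name the most likely problem."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e is not None]
    manager = [e for e in entries if e.is_manager_poll]
    clients = [e for e in entries if not e.is_manager_poll]
    denied = [e for e in clients if e.is_denied]

    if not entries:
        verdict = EMPTY
    elif not clients:
        verdict = NO_CLIENT_TRAFFIC
    elif len(denied) * 2 > len(clients):
        verdict = MOSTLY_DENIED
    else:
        verdict = OK

    return {
        "total": len(entries),
        "manager_polls": len(manager),
        "client_requests": len(clients),
        "denied": len(denied),
        "clients": Counter(e.client for e in clients),   # requests per client IP
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, sample in (("thread-like log", SAMPLE_ONLY_MANAGER), ("working proxy", SAMPLE_WITH_CLIENTS)):
        print(name, triage(sample))
```

Run against a real file with `triage(open("/var/squid/logs/access.log").read())` (path as named in the thread; adjust to wherever the package writes it). A NO_CLIENT_TRAFFIC verdict means the log is working but nothing is being sent to Squid, which points at interface binding or the transparent redirect rather than at ACLs; MOSTLY_DENIED points the other way, at Squid's ACLs or a squidGuard default of deny.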



  • I have not installed squidguard. Do I need it to log URLs?

    Everything is logged in squid's access.log.  You use squidguard to filter the URLs.

    I'm thinking that your config is still borked.  You should uninstall the package and then shell in and clean out any cruft.  Follow this guide under the Complete Reset section:

    https://doc.pfsense.org/index.php/Squid_Troubleshooting

