
    Squid proxy blocks all traffic

    fireix

      Is it the "Allowed Subnets" in "Package: Proxy Server: Access Control: ACLs" where I should enter the subnet? It is the same subnet as the entire fw is running on (transparent proxy). By that, I mean that both the WAN and LAN side of pfSense are on the same network using static IPs all the way - no local IPs or other subnets are involved. Really simple setup, no NAT or anything else. Mostly webservers.

      The help text under "Allowed Subnets" says this:
      "The proxy interface subnet is already an allowed subnet."

      Edit: But I do see that one of the local LAN ports has been assigned "10.10.10.1" by the system. I have chosen the proxy to listen on both WAN and LAN ports, so maybe this explains why I have to add my subnet? I'm not actually using that 10.10.10.1 subnet for anything, but I assume the proxy server uses it for something.

        KOM

        Is it the "Allowed Subnets"  in "PackageProxy Server: Access ControlACLs" where I should enter the subnet?

        You only need to modify Allowed Subnets if you're adding extra networks.  You already said you're all on the same network.

        By that, I mean that both WAN and LAN side of pfSense is on the same network using static-ips all the way

        What?  LAN and WAN can't be on the same network.

        I have choosen the proxy to listen on both WAN and LAN-ports

        Why would you do that??  LAN only.

        You didn't address my comments about squidguard.  Have you changed the Common ACL - Target Rules List so that Default access [all] is set to Allow?

          fireix

          Under Common ACL, I already had this set:

          [Gen] access
          Default access [all] access

          (Gen is a category I created earlier)

          So it doesn't seem to be the problem.

          "What?  LAN and WAN can't be on the same network."

          Both WAN and LAN devices have the same (public static IPs) network-mask/ip-range. That was what I was thinking about. But I assume that you mean that the interfaces 10.X (on LAN1) is another network.

            fireix

            I removed proxy from WAN-interface and now it doesn't crash at least.

            SquidRealtime Stats (SQStat):
            No active connections

            Realtime log shows this:
            Date IP Status Address User Destination
            07.11.2016 20:59:55 127.0.0.1 TCP_MISS/200 cache_object://localhost/active_requests - -
            07.11.2016 20:59:52 127.0.0.1 TCP_MISS/200 cache_object://localhost/active_requests - -
            07.11.2016 20:59:49 127.0.0.1 TCP_MISS/200 cache_object://localhost/active_requests - -
            07.11.2016 20:59:46 127.0.0.1 TCP_MISS/200 cache_object://localhost/active_requests - -
            07.11.2016 20:59:43 127.0.0.1 TCP_MISS/200 cache_object://localhost/active_requests - -
            07.11.2016 20:59:40 127.0.0.1 TCP_MISS/200 cache_object://localhost/active_requests - -
            07.11.2016 20:59:37 127.0.0.1 TCP_MISS/200 cache_object://localhost/active_requests - -

            But there aren't any URLs or anything logged.

              KOM

              Both WAN and LAN devices have the same (public static IPs) network-mask/ip-range.

              That is a broken configuration.  WAN and LAN must be on different networks.  Usually WAN is public IP space and LAN is private IP space.  You must fix this first before you spend another second troubleshooting squid.

                fireix

                We use the firewall to protect webservers/mailservers and other public servers in our data center. Having local IPs for WHM, DirectAdmin etc. and doing NAT would not be that easily possible with many different clients (in addition, it would slow down traffic doing NAT in all directions). That is why we run the fw in transparent mode: It just lets traffic through.

                I know this is not normal in an office setting, where you have mostly local computers and just a few machines allowed in/out of the network. But here we have mostly servers that are meant to be accessed from the Internet. If you for instance rent a server at Amazon, you don't get a local IP.

                I have not seen any other issues with this configuration? Ports are blocked and traffic is blocked if we don't open ports/IPs.

                  KOM

                  When you said you run transparent, I thought you were talking about squid.  It's not every day that I see someone using pfSense bridged like that.

                  Perhaps you should start from the beginning.  Uninstall all of those packages.  Confirm that LAN clients have web access.  Then install squid by itself and configure.  Once that works, add squidguard.

                    fireix

                    I have removed everything, I have not installed squidguard. Do I need it to log URLs?

                    I have installed squid and lightsquid. When I visit sqstat, I get this:

                    Error (60): Operation timed out

                    When I view the Squid access log from ssh, it logs things like this:
                    1478551639.697      0 127.0.0.1 TCP_MISS/200 769 GET cache_object://localhost/active_requests - HIER_NONE/- text/plain
                    1478551641.279      0 127.0.0.1 TCP_MISS/200 769 GET cache_object://localhost/active_requests - HIER_NONE/- text/plain
                    1478551645.241      0 127.0.0.1 TCP_MISS/200 769 GET cache_object://localhost/active_requests - HIER_NONE/- text/plain
                    1478551648.247      0 127.0.0.1 TCP_MISS/200 769 GET cache_object://localhost/active_requests - HIER_NONE/- text/plain
                    clog: ERROR: could not write output (Bad address)
                    [2.3.2-RELEASE][admin@localdomain]/root:

                    I have not configured anything beside basic.

                      KOM

                      I have not installed squidguard. Do I need it to log URLs?

                      Everything is logged in squid's access.log.  You use squidguard to filter the URLs.

                      I'm thinking that your config is still borked.  You should uninstall the package and then shell in and clean out any cruft.  Follow this guide under the Complete Reset section:

                      https://doc.pfsense.org/index.php/Squid_Troubleshooting

                        kasalencar @fireix
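A diagnostic for the access.log KOM points at, added here as an example and not part of the thread: it parses squid's native access.log format and separates the cache-manager self-polls seen above (127.0.0.1 fetching cache_object://) from real proxied client requests, which is exactly what the pasted log lacks. The constructed client line and its documentation IPs are assumptions, not thread data.

```python
import re

# Squid "native" access.log format, one request per line:
#   time.ms  elapsed  client  ACTION/status  bytes  METHOD  url  user  HIER/peer  mime
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<action>[A-Z_]+)/"
    r"(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<mime>\S+)$"
)

# Lines copied from the access.log pasted in the thread, plus the clog error line.
SAMPLE_PAGE_LOG = [
    "1478551639.697      0 127.0.0.1 TCP_MISS/200 769 GET cache_object://localhost/active_requests - HIER_NONE/- text/plain",
    "1478551641.279      0 127.0.0.1 TCP_MISS/200 769 GET cache_object://localhost/active_requests - HIER_NONE/- text/plain",
    "1478551645.241      0 127.0.0.1 TCP_MISS/200 769 GET cache_object://localhost/active_requests - HIER_NONE/- text/plain",
    "clog: ERROR: could not write output (Bad address)",
]
# Constructed line (not from the thread) showing what a real proxied client request looks like.
CONSTRUCTED_CLIENT_LINE = ("1478551700.100    120 203.0.113.45 TCP_MISS/200 5120 GET "
                           "http://example.com/ - HIER_DIRECT/198.51.100.10 text/html")

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_self_poll(rec):
    # cache_object:// requests from 127.0.0.1 are the cachemgr polls that SQStat and
    # lightsquid issue; they prove squid answers locally, not that clients are proxied.
    return rec["client"] == "127.0.0.1" and rec["url"].startswith("cache_object://")

def summarize(lines):
    """Count cachemgr self-polls versus real proxied client requests."""
    out = {"self_polls": 0, "client_requests": 0, "clients": set(), "unparsed": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            out["unparsed"] += 1          # e.g. the clog error line, not an access record
        elif is_self_poll(rec):
            out["self_polls"] += 1
        else:
            out["client_requests"] += 1
            out["clients"].add(rec["client"])
    out["clients"] = sorted(out["clients"])
    return out

def no_client_traffic(lines):
    """True when the log holds only local polls: squid is up but nothing is being proxied."""
    s = summarize(lines)
    return s["client_requests"] == 0 and s["self_polls"] > 0
```

Run it over `/var/squid/logs/access.log`; a True result means the proxy is healthy but the transparent redirect is not delivering client traffic to it, which is a firewall/interface question rather than a squid one.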

                        @fireix I have the same error. But I don't even have the cache active in squid.
                        I have already restarted pfSense and it continues.
