Squid proxy blocks all traffic
-
Is it the "Allowed Subnets" in "PackageProxy Server: Access ControlACLs" where I should enter the subnet? It is the same subnet as the entire fw is running on (transparent proxy). By that, I mean that both WAN and LAN side of pfSense is on the same network using static-ips all the way - no local ips or other subnets are involved. Really simple setup, no NAT or anything else. Mostly webservers.
The help-text under "Allowd Subnets" says this:
"The proxy interface subnet is already an allowed subnet."Edit: But I do see that one of the local LAN ports has been assigned "10.10.10.1" by the system. I have choosen the proxy to listen on both WAN and LAN-ports, so maybe this explains why I have to add my subnet? I'm not actually using that 10.10.10.1 subnet for anything, but I assume the proxyserver uses it for something..
-
Is it the "Allowed Subnets" in "PackageProxy Server: Access ControlACLs" where I should enter the subnet?
You only need to modify Allowed Subnets if you're adding extra networks. You already said you're all on the same network.
By that, I mean that both WAN and LAN side of pfSense is on the same network using static-ips all the way
What? LAN and WAN can't be on the same network.
I have choosen the proxy to listen on both WAN and LAN-ports
Why would you do that?? LAN only.
You didn't address my comments about squidguard. Have you changed the Common ACL - Target Rules List so that Default access [all] is set to Allow?
-
Under Common ACL, I already had this set:
[Gen] access
Default access [all] access(Gen is a category I created earlier)
So it doesn't seem to be the problem.
"What? LAN and WAN can't be on the same network."
Both WAN and LAN devices have the same (public static IPs) network-mask/ip-range. That was what I was thinking about. But I assume that you mean that the interfaces 10.X (on LAN1) is another network.
-
I removed proxy from WAN-interface and now it doesn't crash at least.
SquidRealtime Stats (SQStat):
No active connectionsRealtime log shows this:
Date IP Status Address User Destination
07.11.2016 20:59:55 127.0.0.1 TCP_MISS/200 cache_object://localhost/active_requests - -
07.11.2016 20:59:52 127.0.0.1 TCP_MISS/200 cache_object://localhost/active_requests - -
07.11.2016 20:59:49 127.0.0.1 TCP_MISS/200 cache_object://localhost/active_requests - -
07.11.2016 20:59:46 127.0.0.1 TCP_MISS/200 cache_object://localhost/active_requests - -
07.11.2016 20:59:43 127.0.0.1 TCP_MISS/200 cache_object://localhost/active_requests - -
07.11.2016 20:59:40 127.0.0.1 TCP_MISS/200 cache_object://localhost/active_requests - -
07.11.2016 20:59:37 127.0.0.1 TCP_MISS/200 cache_object://localhost/active_requests - -But there isn't logged any URLs or anything..
-
Both WAN and LAN devices have the same (public static IPs) network-mask/ip-range.
That is a broken configuration. WAN and LAN must be on different networks. Usually WAN is public IP space and LAN is private IP space. You must fix this first before you spend another second troubleshooting squid.
-
We use the firewall to protect webservers/mailservers and other public servers in our data center. Having local IPs for WHM, DirectAdmin etc. and doing NAT would not be that easly possible with many different clients (in addition, it would slow down traffic doing NAT in all directions). That is why we run the fw in transparent mode: It just lets traffic through.
I know this is not normal in an office settings, where you have mostly local computers and just a few machines allowed in/out of the network. But here we have mostly servers that is ment to be accessed from the Internet. If you for instance rent a server at Amazon, you don't get a local IP.
I have not seen any other issues with this configuration? Ports are blocked and traffic is blocked if we don't open ports/IPs.
-
When you said you run transparent, I thought you were talking about squid. It's not every day that I see someone using pfSense bridged like that.
Perhaps you should start from the beginning. Uninstall all of those packages. Confirm that LAN clients have web access. Then install squid by itself and configure. Once that works, add squidguard.
-
I have removed everything, I have not installed squidguard. Do I need it to log URLs?
I have installed squid and ligthSquid. When I visit sqstat, I get this:
Error (60): Operation timed out
When I view the Squid access log from ssh, it logs things like this:
1478551639.697 0 127.0.0.1 TCP_MISS/200 769 GET cache_object://localhost/active_requests - HIER_NONE/- text/plain
1478551641.279 0 127.0.0.1 TCP_MISS/200 769 GET cache_object://localhost/active_requests - HIER_NONE/- text/plain
1478551645.241 0 127.0.0.1 TCP_MISS/200 769 GET cache_object://localhost/active_requests - HIER_NONE/- text/plain
1478551648.247 0 127.0.0.1 TCP_MISS/200 769 GET cache_object://localhost/active_requests - HIER_NONE/- text/plain
clog: ERROR: could not write output (Bad address)
[2.3.2-RELEASE][admin@localdomain]/root:I have not configured anything beside basic.
-
I have not installed squidguard. Do I need it to log URLs?
Everything is logged in squid's access.log. You use squidguard to filter the URLs.
I'm thinking that your config is still borked. You should uninstall the package and then shell in and clean out any cruft. Follow this guide under the Complete Reset section:
https://doc.pfsense.org/index.php/Squid_Troubleshooting
-
@fireix estou com o mesmo erro. Porém nem tenho cach ativo no squid.
Já reiniciei o pfesene e continua.
