Netgate Discussion Forum
pfBlockerNG can't bypass clients with WPAD

Category: pfBlockerNG
11 Posts, 5 Posters, 2.3k Views
GoldenShark:

Hi guys,

I have a configuration with: Squid + SquidGuard + WPAD and pfBlockerNG.

My problem is that when I connect to Squid via WPAD (Squid proxy port), pfBlockerNG cannot block IPv4 rules for ports 80 & 443.

Actually I solved this problem (changed my general configuration to WAN to WAN), but this time my bypass rules do not work: http://i.prntscr.com/a670b5a2fb944fe2972cb42620963484.png

Floating bypass alias for clients:
http://i.prntscr.com/c2a87f94b45f486aaaf7181c1c38c30f.png

Does anyone know something about that?

EDIT PS: these bypass rules include some of my clients (private clients or servers).

If I change the floating rule like this: http://i.prntscr.com/24c5fff3423f4d8bbbec5ea51542df6f.png ("any to any", it is working..)
but when I choose a single host or alias, it is not working: http://i.prntscr.com/c2a87f94b45f486aaaf7181c1c38c30f.png

Serbest HTTP: it means "bypass user alias".

heper:

This isn't the correct forum section for this question.
There is a special packages subsection for this: https://forum.pfsense.org/index.php?board=15.0

As for your question:
no clue, but dealing with Squid is always a pain in the ass ;)

doktornotor:

          pfBNG will not block anything from Squid (localhost) since the traffic won't ever match.

          P.S. Not exactly sure what's "changed my general configuration WAN TO WAN" supposed to mean.

johnpoz (LAYER 8 Global Moderator):

His "WAN to WAN" is supposed to mean he changed pfBlocker's auto rule setting to create inbound and outbound rules in floating, using WAN and WAN as inbound?? Agreed, it's fuzzy what he changed from and to, etc.

While pfBlocker is a slick package, I am not a fan of any sort of auto rule anything. When I was playing with it, I always just used the aliases and created my own rules.. But dok is right on the money (as always): your rule would have to block the firewall as the source, since when you're using the proxy that is what is doing the going, not the client.. The client says "hey proxy, go get me www.something.com", and then the proxy sends it to the client after it got it..


Harvy66:

In a nutshell, pfBlockerNG blocks traffic that goes through pfSense, and using a proxy means the traffic is no longer going through. It's now terminating and originating in pfSense.

GoldenShark:

@johnpoz:

His "WAN to WAN" is supposed to mean he changed pfBlocker's auto rule setting to create inbound and outbound rules in floating, using WAN and WAN as inbound?? Agreed, it's fuzzy what he changed from and to, etc.

While pfBlocker is a slick package, I am not a fan of any sort of auto rule anything. When I was playing with it, I always just used the aliases and created my own rules.. But dok is right on the money (as always): your rule would have to block the firewall as the source, since when you're using the proxy that is what is doing the going, not the client.. The client says "hey proxy, go get me www.something.com", and then the proxy sends it to the client after it got it..

So where is the solution?? :D

@Harvy66:

In a nutshell, pfBlockerNG blocks traffic that goes through pfSense, and using a proxy means the traffic is no longer going through. It's now terminating and originating in pfSense.

You're totally right. But I created "any to any * * PASS" rules in Floating. It could work.. If I change it from single host or alias to Any * *, it wouldn't work.

@doktornotor:

pfBNG will not block anything from Squid (localhost) since the traffic won't ever match.

P.S. Not exactly sure what "changed my general configuration WAN TO WAN" is supposed to mean.

It means: http://prntscr.com/dm41u3
If I can change it like this, it could work.

But WAN to LAN: "NOT WORKING WITH SQUID PROXY".

doktornotor:

Uh.

@GoldenShark:

But I created "any to any * * PASS" rules in Floating. It could work.. If I change it from single host or alias to Any * *, it wouldn't work.

Huh? You are trying to fix non-working blocking with allow-anything rules? How on earth could that ever possibly help?!?

GoldenShark:

@doktornotor:

Uh.

@GoldenShark:

But I created "any to any * * PASS" rules in Floating. It could work.. If I change it from single host or alias to Any * *, it wouldn't work.

Huh? You are trying to fix non-working blocking with allow-anything rules? How on earth could that ever possibly help?!?

If I activate this rule: http://prntscr.com/dm46ss

PF BLOCKER ACCEPTS IT

If I change the rule like this: http://prntscr.com/dm47fk

PF BLOCKER DOES NOT ACCEPT IT

I think it is not familiar with a single host or alias as source.. "WAN TO WAN"

doktornotor:

                      It does NOT "accept" it because it's not matching the traffic. The source is NOT "FreeClients". The source IP is Squid on pfSense.

                      Remove that absolutely horrible allow any floating rule, you are killing your firewall functionality with such nonsense.

GoldenShark:

@doktornotor:

It does NOT "accept" it because it's not matching the traffic. The source is NOT "FreeClients". The source IP is Squid on pfSense.

Remove that absolutely horrible allow any floating rule, you are killing your firewall functionality with such nonsense.

:D ;D So how could I match it with my FreeClients???

doktornotor:

                          You don't. Not possible. Put them on a non-proxied VLAN.

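The point doktornotor makes in the last two replies (the bypass rule keyed on the FreeClients alias can never match, because the connection that reaches the blocklist is opened by Squid with pfSense's own address as source, and the floating "any to any" pass only "works" by passing everything) can be checked with a small model of floating-rule evaluation. This is an added illustration, not code from pfSense, pfBlockerNG or anyone in the thread. The IP addresses, alias contents, Squid port and rule names are constructed, and pf's real evaluation (quick rules, direction, interface binding, where pfBlockerNG places its own rules) is reduced to first-match on source, destination and destination port.

```python
"""Why a floating bypass rule keyed on client IPs cannot match proxied traffic.

Added illustration only: addresses, alias names and rule names are constructed,
and pf evaluation is reduced to first-match on source/destination/port.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Tuple

# Constructed topology: two "free" LAN clients, the pfSense LAN and WAN addresses,
# Squid on its default port, and a /24 standing in for a pfBlockerNG IPv4 list.
ALIASES = {
    "FreeClients": [ip_network("192.168.1.10/32"), ip_network("192.168.1.20/32")],
    "pfB_Blocklist": [ip_network("203.0.113.0/24")],
}
PFSENSE_LAN = "192.168.1.1"
PFSENSE_WAN = "198.51.100.2"
SQUID_PORT = 3128
WEB_PORTS: FrozenSet[int] = frozenset({80, 443})


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                            # "pass" or "block"
    src: str = "any"                       # alias name or "any"
    dst: str = "any"
    dports: FrozenSet[int] = frozenset()   # empty means any port


def in_alias(addr: str, alias: str) -> bool:
    if alias == "any":
        return True
    a = ip_address(addr)
    return any(a in net for net in ALIASES[alias])


def matches(rule: Rule, flow: Flow) -> bool:
    return (in_alias(flow.src, rule.src)
            and in_alias(flow.dst, rule.dst)
            and (not rule.dports or flow.dport in rule.dports))


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Floating rules with 'quick': the first matching rule decides.
    Unmatched flows pass here so the block rule's effect is visible on its own."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.name
    return "pass", "default"


def direct_flows(client: str, dst: str, port: int) -> List[Flow]:
    """No proxy: the client's own connection traverses pfSense, source = client."""
    return [Flow(client, dst, port)]


def proxied_flows(client: str, dst: str, port: int) -> List[Flow]:
    """WPAD sends the browser to Squid. pf then sees two separate connections:
    client -> Squid on pfSense, and a brand-new one from pfSense's own WAN
    address to the destination. The client IP never appears on the second leg."""
    return [Flow(client, PFSENSE_LAN, SQUID_PORT), Flow(PFSENSE_WAN, dst, port)]


def reaches_destination(rules: List[Rule], flows: List[Flow]) -> Tuple[bool, str]:
    """True if every leg passes; otherwise False plus the blocking rule's name."""
    for flow in flows:
        action, name = evaluate(rules, flow)
        if action == "block":
            return False, name
    return True, "pass"


# Rule set as described in the thread: the "Serbest HTTP" bypass for the
# FreeClients alias sits above the pfBlockerNG block rule.
RULES = [
    Rule("Serbest HTTP (bypass FreeClients)", "pass",
         src="FreeClients", dst="pfB_Blocklist", dports=WEB_PORTS),
    Rule("pfB block", "block", src="any", dst="pfB_Blocklist", dports=WEB_PORTS),
]
# The "any to any PASS" floating rule the poster put on top of the same set.
RULES_ANY_PASS = [Rule("pass any", "pass")] + RULES

if __name__ == "__main__":
    listed = "203.0.113.5"
    cases = [
        ("free client, direct",      RULES,          direct_flows("192.168.1.10", listed, 443)),
        ("other client, direct",     RULES,          direct_flows("192.168.1.30", listed, 443)),
        ("free client, via Squid",   RULES,          proxied_flows("192.168.1.10", listed, 443)),
        ("other client, any-to-any", RULES_ANY_PASS, proxied_flows("192.168.1.30", listed, 443)),
    ]
    for label, rules, flows in cases:
        print(f"{label:28s} -> {reaches_destination(rules, flows)}")
```

The third case is the poster's situation: the bypass rule is skipped because the leg that hits the blocklist carries PFSENSE_WAN as its source, not a FreeClients address, so the pfBlockerNG block rule fires. The fourth case shows what the floating "any to any" pass actually did: every client gets through, free or not, which is why it is not a fix. Since the client identity is gone by the time pf sees the outbound connection, the only firewall-side way to exempt those hosts is the one given in the thread, keeping them off the proxied path.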
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.