pfBlockerNG can't bypass client with WPAD



  • Hi guys,

    I have a configuration with: Squid + SGuard + WPAD and pfBlockerNG.

    My problem is that when I connect to Squid via WPAD (Squid proxy port), pfBlockerNG cannot block IPv4 rules for ports 80 & 443.

    Actually, I solved this problem (changed my general configuration WAN to WAN), but this time my bypass rules are not working: http://i.prntscr.com/a670b5a2fb944fe2972cb42620963484.png

    Floating bypass alias for clients:
    http://i.prntscr.com/c2a87f94b45f486aaaf7181c1c38c30f.png

    Does anyone know something about that?

    EDIT PS: These bypass rules include some of my clients (private clients or servers).

    If I change the floating rule like this: http://i.prntscr.com/24c5fff3423f4d8bbbec5ea51542df6f.png ("any to any", it is working),
    but when I choose a single host or alias, it is not working: http://i.prntscr.com/c2a87f94b45f486aaaf7181c1c38c30f.png

    "Serbest HTTP" means "bypass user alias".



  • This isn't the correct forum section for this question.
    There is a special packages subsection for this: https://forum.pfsense.org/index.php?board=15.0

    As for your question:
    no clue, but dealing with Squid is always a pain in the ass ;)


  • Banned

    pfBNG will not block anything from Squid (localhost) since the traffic won't ever match.

    P.S. Not exactly sure what "changed my general configuration WAN TO WAN" is supposed to mean.


  • Rebel Alliance Global Moderator

    His "WAN to WAN" is supposed to mean he changed pfBlocker's auto rule setting to create inbound and outbound rules in floating, using WAN and WAN as inbound?? Agreed, it's fuzzy what he changed from and to, etc.

    While pfBlocker is a slick package, I am not a fan of any sort of auto rule anything. When I was playing with it, I always just used the aliases and created my own rules. But dok is right on the money (as always): your rule would have to block the firewall as the source, since when you're using the proxy, that is what is doing the going, not the client. The client says "hey proxy, go get www.something.com for me", and then the proxy sends it to the client after it has got it.



  • In a nutshell, pfBlockerNG blocks traffic that goes through pfSense, and using a proxy means the traffic is no longer going through. It's now terminating and originating in pfSense.
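    The point made in the two replies above (the firewall, not the client, is the source once Squid is in the path) can be shown with a small model. This is an added example written for this page, not code from pfSense, pf or pfBlockerNG; the alias names, the RFC 5737 addresses, the blocklist and the first-match rule evaluation are constructed assumptions, and real pf rule ordering (floating quick rules, last-match for non-quick rules) is deliberately simplified.

```python
"""Toy model of why a floating pass rule keyed on a client alias stops matching
once the client's HTTP traffic leaves pfSense through Squid.
Added illustration for this thread; not pfSense/pf/pfBlockerNG code.
All addresses, alias names and the blocklist are constructed for the example."""
from dataclasses import dataclass, replace
import ipaddress

# Assumed pfSense WAN address (RFC 5737 documentation range). Squid's outbound
# connections leave from here, so this is the source address the WAN sees.
FIREWALL_WAN_IP = "203.0.113.10"

ALIASES = {
    "FreeClients": ["192.168.1.10", "192.168.1.0/28"],  # stands in for the poster's bypass alias
    "pfB_Block":   ["198.51.100.0/24"],                 # stands in for a pfBlockerNG IPv4 list
}


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the rule set is evaluated on
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str     # "pass" or "block"
    iface: str      # "any" for a floating rule
    src: str        # alias name, literal IP/CIDR, or "any"
    dst: str
    dports: tuple   # () means any port


def addr_in(ip, spec):
    """True if ip is covered by spec (alias name, IP, CIDR or 'any')."""
    if spec == "any":
        return True
    nets = ALIASES.get(spec, [spec])
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def matches(rule, pkt):
    return (rule.iface in ("any", pkt.iface)
            and addr_in(pkt.src, rule.src)
            and addr_in(pkt.dst, rule.dst)
            and (not rule.dports or pkt.dport in rule.dports))


def decide(rules, pkt, default="pass"):
    """First-match-wins. Simplification: real pf evaluates floating 'quick'
    rules first and uses last-match for non-quick rules; both are ignored."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


def via_squid(pkt):
    """What the WAN sees when the client used the proxy: Squid on pfSense
    terminates the client's connection and opens its own, so the source
    address is the firewall's, not the client's."""
    return replace(pkt, iface="wan", src=FIREWALL_WAN_IP)


RULES = [
    Rule("pass",  "any", "FreeClients", "any",       (80, 443)),  # the poster's bypass rule
    Rule("block", "wan", "any",         "pfB_Block", ()),         # pfBlockerNG-style outbound block
]


def direct_and_proxied(client_ip, dst="198.51.100.7"):
    """Decision for one client reaching a blocklisted host directly and via Squid."""
    direct = Packet("wan", client_ip, dst, 443)   # routed straight out, client IP still visible
    return decide(RULES, direct), decide(RULES, via_squid(direct))


def rule_hits_proxied(rule_src, client_ip="192.168.1.10", dst="198.51.100.7"):
    """Does a rule whose source is rule_src see this client's proxied traffic?"""
    pkt = via_squid(Packet("wan", client_ip, dst, 443))
    return matches(Rule("pass", "any", rule_src, "any", ()), pkt)


if __name__ == "__main__":
    for ip in ("192.168.1.10", "192.168.1.200"):
        print(ip, direct_and_proxied(ip))
    # A rule keyed on the alias never sees proxied traffic; one keyed on the
    # firewall's own address does, which is why the bypass alias cannot work here.
    print("FreeClients rule sees proxied traffic:", rule_hits_proxied("FreeClients"))
    print("firewall-source rule sees proxied traffic:", rule_hits_proxied(FIREWALL_WAN_IP))
```

    The bypass client passes when it is routed directly and is blocked when it goes through Squid, and a client outside the alias is blocked either way; the only source that matches the proxied flow is the firewall itself, which is the observation the replies make and why the thread ends with "put them on a non-proxied VLAN" rather than a different alias.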



  • @johnpoz:

    His "WAN to WAN" is supposed to mean he changed pfBlocker's auto rule setting to create inbound and outbound rules in floating, using WAN and WAN as inbound?? Agreed, it's fuzzy what he changed from and to, etc.

    While pfBlocker is a slick package, I am not a fan of any sort of auto rule anything. When I was playing with it, I always just used the aliases and created my own rules. But dok is right on the money (as always): your rule would have to block the firewall as the source, since when you're using the proxy, that is what is doing the going, not the client. The client says "hey proxy, go get www.something.com for me", and then the proxy sends it to the client after it has got it.

    So where is the solution?? :D

    @Harvy66:

    In a nutshell, pfBlockerNG blocks traffic that goes through pfSense, and using a proxy means the traffic is no longer going through. It's now terminating and originating in pfSense.

    You're totally right. But I created "any to any * * PASS" rules in floating. It could work. If I change it from single host or alias to any * *, it wouldn't work.

    @doktornotor:

    pfBNG will not block anything from Squid (localhost) since the traffic won't ever match.

    P.S. Not exactly sure what "changed my general configuration WAN TO WAN" is supposed to mean.

    It means: http://prntscr.com/dm41u3
    If I can change it like this, it could work.

    But WAN to LAN is "NOT WORKING WITH SQUID PROXY".


  • Banned

    Uh.

    @GoldenShark:

    But I created "any to any * * PASS" rules in floating. It could work. If I change it from single host or alias to any * *, it wouldn't work.

    Huh? You are trying to fix non-working blocking by allow anything rules? How on earth could that ever possibly help?!?



  • @doktornotor:

    Uh.

    @GoldenShark:

    But I created "any to any * * PASS" rules in floating. It could work. If I change it from single host or alias to any * *, it wouldn't work.

    Huh? You are trying to fix non-working blocking by allow anything rules? How on earth could that ever possibly help?!?

    If I activate this rule: http://prntscr.com/dm46ss

    PF BLOCKER ACCEPTS IT

    If I change the rule like this: http://prntscr.com/dm47fk

    PF BLOCKER DOES NOT ACCEPT IT

    I think it is not familiar with a single host or alias as source.. "WAN TO WAN"


  • Banned

    It does NOT "accept" it because it's not matching the traffic. The source is NOT "FreeClients". The source IP is Squid on pfSense.

    Remove that absolutely horrible allow any floating rule, you are killing your firewall functionality with such nonsense.



  • @doktornotor:

    It does NOT "accept" it because it's not matching the traffic. The source is NOT "FreeClients". The source IP is Squid on pfSense.

    Remove that absolutely horrible allow any floating rule, you are killing your firewall functionality with such nonsense.

    :D ;D So how could I match it with my FreeClients???


  • Banned

    You don't. Not possible. Put them on a non-proxied VLAN.