Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Users bypass squid

    Cache/Proxy
    5
    31
    4.9k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      atn78
      last edited by

      Hi everyone, I use pfSense as a proxy server. I installed squid on it. The problem is tha LAN users can access Internet by puting the address of pfSense server as a gateway then squid does not prompt the login box.
      Thank you for your help

      1 Reply Last reply Reply Quote 0
      • D
        doktornotor Banned
        last edited by

        @atn78:

        The problem is tha LAN users can access Internet by puting the address of pfSense server as a gateway then squid does not prompt the login box.

        Eeeerm huh?! That'd be the default for anyone, no? Without need to specify any gateway manually.

        1 Reply Last reply Reply Quote 0
        • A
          atn78
          last edited by

          If the gateway is not specified squid prompt for the login and password but if gateway is specified anyone can browse internet.

          1 Reply Last reply Reply Quote 0
          • D
            doktornotor Banned
            last edited by

            I have no idea what you have set up there. pfSense IS the default gateway for everyone on LAN on any normal setup, and will be set as such via DHCP. If you are trying to use pfSense as a proxy appliance and have a different router elsewhere, then yeah that obviously won't work this way.

            1 Reply Last reply Reply Quote 0
            • A
              atn78
              last edited by

              pfSense is used as proxy with two netork cards : one connected to the LAN and the other to the router.

              1 Reply Last reply Reply Quote 0
              • D
                doktornotor Banned
                last edited by

                Yeah, you need to fix your real router settings.

                1 Reply Last reply Reply Quote 0
                • A
                  atn78
                  last edited by

                  But I can't stop users from modifiying their network settings.

                  1 Reply Last reply Reply Quote 0
                  • P
                    ProxyMoron
                    last edited by

                    Can you not stop your "Router" from being a router and simply use it as a Modem with PFsense being the router?

                    1 Reply Last reply Reply Quote 0
                    • A
                      atn78
                      last edited by

                      I can't do it. Because the router is provided by ISP and I can't modify configuration.

                      1 Reply Last reply Reply Quote 0
                      • D
                        doktornotor Banned
                        last edited by

                        So double NAT instead of producing completely broken network design? Let pfSense WAN get RFC1918 IP on WAN from the ISP router and set up your LAN as normal on a different subnet. What you have produced will never ever work like this if you have no access to modem config.

                        1 Reply Last reply Reply Quote 0
                        • A
                          atn78
                          last edited by

                          WAN address of pfSense is different from LAN address. the first one is 10.100.100.x and the second one is 192.168.0.y.

                          1 Reply Last reply Reply Quote 0
                          • D
                            doktornotor Banned
                            last edited by

                            OK, enough time wasted with guessing. Produce a network diagram, post ipconfig /all or equivalent output from clients that do bypass your proxy and those that do not and post screenshots of your Squid configuration.

                            1 Reply Last reply Reply Quote 0
                            • A
                              atn78
                              last edited by

                              This is the output of ipconfig/all result of a client that bypass the proxy :

                              Suffixe DNS propre à la connexion. . . :
                                Description. . . . . . . . . . . . . . : Realtek PCIe GBE Family Controller
                                Adresse physique . . . . . . . . . . . : 28-D2-44-EB-6D-55
                                DHCP activé. . . . . . . . . . . . . . : Non
                                Configuration automatique activée. . . : Oui
                                Adresse IPv6 de liaison locale. . . . .: fe80::5d54:c541:100b:de9c%10(préféré)
                                Adresse IPv4. . . . . . . . . . . . . .: 192.168.0.118(préféré)
                                Masque de sous-réseau. . . . . . . . . : 255.255.255.0
                                Passerelle par défaut. . . . . . . . . : fe80::c5d1:5de3:ba55:d86%10
                                                                    192.168.0.10
                                IAID DHCPv6 . . . . . . . . . . . : 422105668
                                DUID de client DHCPv6. . . . . . . . : 00-01-00-01-1C-7B-A1-4F-38-B1-DB-B3-4A-23
                                Serveurs DNS. . .  . . . . . . . . . . : 8.8.8.8
                                NetBIOS sur Tcpip. . . . . . . . . . . : Activé

                              and this output for the one that doesn't bypass it :

                              Suffixe DNS propre à la connexion. . . :
                                Description. . . . . . . . . . . . . . : Realtek PCIe GBE Family Controller
                                Adresse physique . . . . . . . . . . . : 28-D2-44-EB-6D-55
                                DHCP activé. . . . . . . . . . . . . . : Non
                                Configuration automatique activée. . . : Oui
                                Adresse IPv6 de liaison locale. . . . .: fe80::5d54:c541:100b:de9c%10(préféré)
                                Adresse IPv4. . . . . . . . . . . . . .: 192.168.0.119(préféré)
                                Masque de sous-réseau. . . . . . . . . : 255.255.255.0
                                Passerelle par défaut. . . . . . . . . : fe80::c5d1:5de3:ba55:d86%10
                                IAID DHCPv6 . . . . . . . . . . . : 422105668
                                DUID de client DHCPv6. . . . . . . . : 00-01-00-01-1C-7B-A1-4F-38-B1-DB-B3-4A-23
                                Serveurs DNS. . .  . . . . . . . . . . : 8.8.8.8
                                NetBIOS sur Tcpip. . . . . . . . . . . : Activé

                              And the squid configuration in the attachments

                              ![Capture d’écran (3).png](/public/imported_attachments/1/Capture d’écran (3).png)
                              ![Capture d’écran (3).png_thumb](/public/imported_attachments/1/Capture d’écran (3).png_thumb)
                              ![Capture d’écran (4).png](/public/imported_attachments/1/Capture d’écran (4).png)
                              ![Capture d’écran (4).png_thumb](/public/imported_attachments/1/Capture d’écran (4).png_thumb)
                              ![Capture d’écran (5).png](/public/imported_attachments/1/Capture d’écran (5).png)
                              ![Capture d’écran (5).png_thumb](/public/imported_attachments/1/Capture d’écran (5).png_thumb)
                              ![Capture d’écran (6).png](/public/imported_attachments/1/Capture d’écran (6).png)
                              ![Capture d’écran (6).png_thumb](/public/imported_attachments/1/Capture d’écran (6).png_thumb)
                              ![Capture d’écran (7).png](/public/imported_attachments/1/Capture d’écran (7).png)
                              ![Capture d’écran (7).png_thumb](/public/imported_attachments/1/Capture d’écran (7).png_thumb)

                              1 Reply Last reply Reply Quote 0
                              • D
                                doktornotor Banned
                                last edited by

                                And what the heck is 192.168.0.119? I already explicitly stated, multiple times, that you CANNOT have the ISP router and pfSense LAN on the same subnet. Would have hoped that requesting a network diagram might make you realize that your design is broken, but apparently not.

                                1 Reply Last reply Reply Quote 0
                                • A
                                  atn78
                                  last edited by

                                  As I said, the pfSense is "between" the LAN and the ISP router. The pfSense server has two network cards : one that has the ip address 192.168.0.x (LAN) and one that has the ip address 10.100.10.y (WAN address and connected to the ISP router).

                                  1 Reply Last reply Reply Quote 0
                                  • D
                                    doktornotor Banned
                                    last edited by

                                    Does not go anywhere, I give up. Still no network diagram.

                                    Having a default gateway configured to the IP of your router is absolutely expected and normally required. It does not result in any bypass of anything expect for utterly broken network designs.

                                    1 Reply Last reply Reply Quote 0
                                    • A
                                      atn78
                                      last edited by

                                      This is the network diagram. I thinked I explained it by writing it.

                                      ![LAN internet.png](/public/imported_attachments/1/LAN internet.png)
                                      ![LAN internet.png_thumb](/public/imported_attachments/1/LAN internet.png_thumb)

                                      1 Reply Last reply Reply Quote 0
                                      • D
                                        doktornotor Banned
                                        last edited by

                                        Great. Now, did you configure anything on the clients? Because, with the proxy NOT being transparent, I cannot figure out how on earth you imagine the clients to be forced to use it?!?!  (And, BTW, if going through Squid is required, you'll need to block all IPv6.)

                                        1 Reply Last reply Reply Quote 0
                                        • A
                                          atn78
                                          last edited by

                                          I attached two screenshots showing interrnet configuration in browsers and the coniguration of network cards.

                                          ![options internet.png](/public/imported_attachments/1/options internet.png)
                                          ![options internet.png_thumb](/public/imported_attachments/1/options internet.png_thumb)
                                          ![carte réseau.png](/public/imported_attachments/1/carte réseau.png)
                                          ![carte réseau.png_thumb](/public/imported_attachments/1/carte réseau.png_thumb)

                                          1 Reply Last reply Reply Quote 0
                                          • D
                                            doktornotor Banned
                                            last edited by

                                            Yeah. So, unless you configure the clients manually, they won't use the proxy. Cannot see the "bypass" here. And still do not see the problem and the relation with the gateway.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.