Facebook problem with squid

chiar · Jan 25, 2017, 11:42 AM

hello, i've just installed pfsense with squid + squidguard, and all it's ok. I've a problem with facebook, i can't load the site if i use the proxy. the domain is in white list, i can ping facebook.com, i can do a traceroute (both from pc or from pfsense), but via web, squid return me: error (65) no route to host with the ipv6 of facebook, or some times (60) operation time out.

the browser stay in waiting for www.facebook.com mode.

Can anyone help me?

Thanks.

KOM · Jan 25, 2017, 2:41 PM

Go to Services - Squid Proxy Server - General. Find Resolve DNS IPv4 First and check it, then Save.

chiar · Jan 25, 2017, 3:36 PM

it's already checked

KOM · Jan 25, 2017, 3:57 PM

Are you actually running IPv6 on your network?

rfzh1996 · Jan 25, 2017, 10:42 PM

System -> Advanced -> Networking

You have checked Allow IPv6?

chiar · Jan 26, 2017, 6:10 AM

@KOM:

Are you actually running IPv6 on your network?

no, all lan is ipv4, also the internet connection is ipv4

@rfzh1996:

System -> Advanced -> Networking

You have checked Allow IPv6?

yes and no, i've try with both option, not works.

the dnslookup return me ipv4 and ipv6 address, for google and facebook sites for exemple, but google works without problem, facebook no.

doktornotor · Jan 26, 2017, 8:07 AM

Well broken DNS has nothing to do with Squid.

chiar · Jan 26, 2017, 10:06 AM

@doktornotor:

Well broken DNS has nothing to do with Squid.

the dns is not broken. we have 3 internal dns AD server, and works without problem. without squid facebook is open without problem, with squid no. So i think it's a squid / pfsense problem

doktornotor · Jan 26, 2017, 10:39 AM

If your get AAAA resolved when no IPv6 is available then yes, it is very broken.

chiar · Jan 26, 2017, 11:04 AM

@doktornotor:

If your get AAAA resolved when no IPv6 is available then yes, it is very broken.

mmmm, if you try to use google dns also return ipv4 and ipv6 address. also if use other dns.

BUT, why only with facebook? all sites works, but not facebook.

i've just try to do a nslookup from ssh of pfsense, it's return only ipv4! i've try also telnet facebook.com 443, and return me that is connected. it's seems that works all ok, but not via web

papartsharingan · Jan 26, 2017, 9:29 PM

Hi Chiar,

We have same problem, but in me i can block all the sites when i use proxy at the client side..

but my question here if the client side will change to autodetect setting they can access all. I thought if they change the LAN settings to autodetect they will have no connection?

papartsharingan

chiar · Jan 30, 2017, 10:00 AM

@papartsharingan:

Hi Chiar,

We have same problem, but in me i can block all the sites when i use proxy at the client side..

but my question here if the client side will change to autodetect setting they can access all. I thought if they change the LAN settings to autodetect they will have no connection?

papartsharingan

i can also block websites too. is not a client problem. after some test, i think is a network problem. I've deploy a new vm on my laptop with ad server and all works perfectly. So i need to understand why squid is acting like this.

my squid has 1 wan interface, i've disabled all firewall features (with the flag, and adding a rule all open)

doktornotor · Jan 30, 2017, 10:38 AM

Considering we have ZERO information about your network or broken client, we cannot debug any network issues (which are off-topic in this forum section anyway.)

@chiar:

i've disabled all firewall features (with the flag, and adding a rule all open)

Congrats on ruining your firewall. WTF dude!!! :o ::)

chiar · Jan 31, 2017, 6:03 AM

@doktornotor:

Considering we have ZERO information about your network or broken client, we cannot debug any network issues (which are off-topic in this forum section anyway.)

@chiar:

i've disabled all firewall features (with the flag, and adding a rule all open)

Congrats on ruining your firewall. WTF dude!!! :o ::)

pfsense is NOT my firewall, i use it only for squid and squidguard, i've a cisco asa as firewall. pfsense MUST NOT act like a firewall :)

this morning i will try some changes in pfsense network.

doktornotor · Jan 31, 2017, 8:51 AM

pfSense is not a proxy appliance. Note that "disabling" IPv6 on pfSense will do nothing for the clients that get IPv6 RAs etc. from your real router and so will resolve IPv6 first.

This is not a pfSense issue or Squid issue, at all.

chiar · Jan 31, 2017, 1:37 PM

@doktornotor:

pfSense is not a proxy appliance. Note that "disabling" IPv6 on pfSense will do nothing for the clients that get IPv6 RAs etc. from your real router and so will resolve IPv6 first.

This is not a pfSense issue or Squid issue, at all.

of course. i've resolve the problem adding a second network interface. So the lan is in my lan segment, and the was is in external network.

now works everything (a bit slow, i'm working on it).

it was a network problem definitely.

Thanks to all!