Crazy to setup pfsense 2.3.3+squid+squidguard+wpad

jopeme

Hello.
Hello.
I'm testing version 2.3.3 of pfsense and I want to use it as a proxy cache with squid + squidguard + wpad, but I can not get it to work. My network schema is as follows and my idea is that all the vlan go through squid and can filter the traffic and also that they are not seen between them.:

At the moment I have managed that from my lan I can only navigate if I configure the proxy 10.0.0.1 and port 3128. These are my rules. When it works from my lan I will continue with the vlan:

Now I want to not have to configure the ip and port in the browsers. For this I have configured wpad and the automatic configuration in browsers. If I write http://wpad.mydomain.lan/proxy.pac I can download the file, but I can not go to the internet. This is my proxy.pac file:

function FindProxyForURL(url, host) {

// If the IP address of the local machine is within a defined
// subnet, send to a specific proxy.
  if (isInNet(myIpAddress(), "10.0.0.0", "255.255.255.0"))
      //this is your gateway address/interface address for the subnet
  return "PROXY 10.0.0.1:3128";

if (isInNet(myIpAddress(), "10.0.102.0", "255.255.255.0"))
      //this is your gateway address/interface address for the subnet
  return "PROXY 10.0.102.1:3128";

if (isInNet(myIpAddress(), "10.0.103.0", "255.255.255.0"))
      //this is your gateway address/interface address for the subnet
  return "PROXY 10.0.103.1:3128";

// DEFAULT RULE: All other traffic, use below proxies, in fail-over order.
  return "PROXY 10.0.0.1:3128";

}

Any idea?
Thanks a lot.

aGeekhere

start from here https://forum.pfsense.org/index.php?topic=112335.0

jopeme

Hello again.
I followed the instructions step by step and I see that if I put proxy in the browser I navigate through squid, but if I use the autoconfiguring proxy option, it does not exit through squid. These are my rules on the lan:

My lan rules:

• • • LAN Address 80 * * Anti-Lockout Rule

IPv4 TCP/UDP * * 127.0.0.1 53 (DNS) * none NAT Redireccion DNS

IPv4 TCP * * * 80 - 443 * none

This is my proxy.pac:

function FindProxyForURL(url, host)
{
    if (isPlainHostName(host) ||
        shExpMatch(host, "*.local") ||
        isInNet(dnsResolve(host), "10.0.0.0",  "255.255.255.0"))
        return "DIRECT";

return "PROXY 10.0.0.1:3128";
}

Any idea?
Thanks a lot.

jopeme

I forgot to select transparent proxy in squid and in doing so I see that I can go to the internet using squid both if I select autoconfiguring and if I select without proxy. It's very stranger!

doktornotor

Huh… There's no need for WPAD or any proxy configuration on clients when the proxy is transparent. Nothing strange about it.

jopeme

Then I have not understood what aGeekHere means when he writes: "I found that we can use both a transperrent proxy for port 80 and a wpad for 443 https content, the wpad will be setup to use port 80 and 443. The transperrent proxy is going to catch every thing that the wpad misses, enable transperrent proxy in squid once you have the wpad setup."

I want all my traffic to go through squid and use wpad to not have to configure anything on client computers, in my lan and my vlans.

jopeme

At this point it works. I have rebooted the machine and now it works. I imagine that in some step I had to restart and I did not.
Now i'm going to check on vlan102.

Regards.

aGeekhere

Hi jopeme, glad that you have got it working.

With using a transparent proxy with WPAD.

You can just use the wpad and block port 80 and 443, however programs which do not have a proxy configuration will be blocked so you would need to create a pass rule for each program getting blocked. Using the transparent proxy for port 80 traffic removes that trouble. Though you will still need to create a pass rules for 443 traffic.

Using a wpad for 443 traffic is better then using SSL Man In the Middle Filtering because you do not need to install a certificate on each device and second SSL Man In the Middle Filtering can break things (like some websites and program updates).

There is one error with firefox you must select Auto-detect proxy settings for this network and NOT Use system proxy settings.

I forgot to select transparent proxy in squid and in doing so I see that I can go to the internet using squid both if I select autoconfiguring and if I select without proxy. It's very stranger!

if using windows you need to go to Control Panel internet options, connections, lan settings and click automatically detect settings.

hope this helps

jopeme

Is it necessary to configure clients in the advanced configuration of tcpip DNS with the domain configured in pfsense for example localdomain.local?
If I do not add it does not work correctly and i think this does not make much sense to me since if you have to configure it on all clients this is not worth using wpad.

aGeekhere

Is it necessary to configure clients in the advanced configuration of tcpip DNS with the domain configured in pfsense for example localdomain.local?

?

jopeme

Sorry for my english. This picture show you i want to say:

If i use default configuration on my windows clients i can not go out to internet.

aGeekhere

I just have obtain a ip address automatically, did not need to set anything in advance TCP/IP settings.

jopeme

It's very stranger. :-[ :-[

Please could you tell me if my lan rules and wpad.dat,wpad.da, proxy.pac are right?

[img]http://www.servyarte.com/reglaslan.jpg

PROXY.PAC

function FindProxyForURL(url, host)
{
    if (isPlainHostName(host) ||
        shExpMatch(host, "*.local") ||
        isInNet(dnsResolve(host), "10.0.0.0",  "255.255.255.0"))
        return "DIRECT";
    return "PROXY 10.0.0.1:3128";
}

And for my vlan are right this rules, because from this vlan i cannot get wpad if i type in browsers http://wpad.localdomain.local/wpad it not solve.

aGeekhere

reread the DNS firewall rule section (make the rule on top)

Interface = LAN
Protocol = TCP/UDP
Source ports = *
Dest address = *
Dest ports = 53
NAT IP = 127.0.0.1
NAT Ports = 53
Description = Redirect DNS
LAN TCP/UDP * * * 53 127.0.0.1 53 Redirect DNS

no firewall rule is needed for 3128 ??? not sure on vlan

Change wpad to

PROXY.PAC

function FindProxyForURL(url, host)
{
    if (isPlainHostName(host) ||
        shExpMatch(host, "*.local") ||
        isInNet(dnsResolve(host), "10.0.0.0",  "255.0.0.0"))
        return "DIRECT";
    return "PROXY 10.0.0.1:3128";
}

Not sure on VLAN as i have never set one up.

jopeme

Now I am testing from a vlan and I have detected that if I do not activate the third rule then from a client I can not download the http: //wpad.localdomain.local/proxy.pac, but if I activate the rule then if I can download the proxy.pac.

Also works fine if I do nslookup wpad.localdomain.local and responds:
C: \ Users \ Computers \ nslookup wpad.localdomain.local
Server: fproxy.localdomain.local
Address: 10.0.0.1

Name: wpad.localdomain.local
Address: 10.0.0.1

Any idea?

aGeekhere

It looks like the 3rd rule blocks the vlan form connecting to the router which has the wpad.

jopeme

Nobody knows how I can solve it?

Thanks.

maverik1

Did you manage to get it working? I have vlans configured on my network. Like others have mentioned, if you are wanting to use wpad, then you should disable transparent proxy.

Two of my vlans are for mobile wifi and I do not pass wpad to them. It is very difficult to set up as you have to input the proxy information manually. Also some apps do not work very well with it.  So these are the only two that I pass through transparent proxy.  The others grab wpad because I have specified in the browser to auto detect settings.

jopeme

Finally for the wifi interface I will not use neither squid nor wpad. What instructions did you follow to configure wpad ?. Could you show me your configuration for the vlan? Thank you

maverik1

This is a link to a tutorial I used to set up WPAD. It is fairly straight forward. Basically you setup a web server on pfsense to server the wpad to your different vlans. I do not have any firewall rules to port 3128, only to the webserver on the specified port.

https://nguvu.org/pfsense/pfSense-WPAD-PAC-proxy-configuration-guide/

Here is what my wpad.da/proxy.pac looks like:

function FindProxyForURL(url,host)
{

         if(dnsDomainIs(host, ".mydomain.com")) {

            return "DIRECT";

        }  else if (isInNet(myIpAddress(),"10.0.0.0","255.255.255.0")) {     // Admin Net

            return "PROXY 10.0.0.1:3128; DIRECT";

        }  else if (isInNet(myIpAddress(),"10.0.2.0","255.255.255.0")) {     // User Net

            return "PROXY 10.0.2.1:3128; DIRECT";

        } else if (isInNet(myIpAddress(),"10.0.3.0","255.255.255.0")) {     //Guest Net

            return "PROXY 10.0.3.1:3128";

        } else {

          return "DIRECT";

       }

}

Under Services -> Squid Proxy Server, make sure Enable Squid Proxy is checked, also make sure that the vlans you want to use the proxy are selected. The proxy port should be 3128.