4. Crazy to setup pfsense 2.3.3+squid+squidguard+wpad

Crazy to setup pfsense 2.3.3+squid+squidguard+wpad

  • J

    Hello.
    Hello.
    I'm testing version 2.3.3 of pfsense and I want to use it as a proxy cache with squid + squidguard + wpad, but I can not get it to work. My network schema is as follows and my idea is that all the vlan go through squid and can filter the traffic and also that they are not seen between them.:

    At the moment I have managed that from my lan I can only navigate if I configure the proxy 10.0.0.1 and port 3128. These are my rules. When it works from my lan I will continue with the vlan:

    Now I want to not have to configure the ip and port in the browsers. For this I have configured wpad and the automatic configuration in browsers. If I write http://wpad.mydomain.lan/proxy.pac I can download the file, but I can not go to the internet. This is my proxy.pac file:

    function FindProxyForURL(url, host) {

    // If the IP address of the local machine is within a defined
    // subnet, send to a specific proxy.
      if (isInNet(myIpAddress(), "10.0.0.0", "255.255.255.0"))
          //this is your gateway address/interface address for the subnet
      return "PROXY 10.0.0.1:3128";

    if (isInNet(myIpAddress(), "10.0.102.0", "255.255.255.0"))
          //this is your gateway address/interface address for the subnet
      return "PROXY 10.0.102.1:3128";

    if (isInNet(myIpAddress(), "10.0.103.0", "255.255.255.0"))
          //this is your gateway address/interface address for the subnet
      return "PROXY 10.0.103.1:3128";

    // DEFAULT RULE: All other traffic, use below proxies, in fail-over order.
      return "PROXY 10.0.0.1:3128";

    }

    Any idea?
    Thanks a lot.

    0
  • A

    start from here https://forum.pfsense.org/index.php?topic=112335.0

    0
  • J

    Hello again.
    I followed the instructions step by step and I see that if I put proxy in the browser I navigate through squid, but if I use the autoconfiguring proxy option, it does not exit through squid. These are my rules on the lan:

    My lan rules:

        • LAN Address 80 * * Anti-Lockout Rule

    IPv4 TCP/UDP * * 127.0.0.1 53 (DNS) * none NAT Redireccion DNS

    IPv4 TCP * * * 80 - 443 * none

    This is my proxy.pac:

    function FindProxyForURL(url, host)
    {
        if (isPlainHostName(host) ||
            shExpMatch(host, "*.local") ||
            isInNet(dnsResolve(host), "10.0.0.0",  "255.255.255.0"))
            return "DIRECT";

    return "PROXY 10.0.0.1:3128";
    }

    Any idea?
    Thanks a lot.

    0
  • J

    I forgot to select transparent proxy in squid and in doing so I see that I can go to the internet using squid both if I select autoconfiguring and if I select without proxy. It's very stranger!

    0
  • D
    Banned

    Huh… There's no need for WPAD or any proxy configuration on clients when the proxy is transparent. Nothing strange about it.

    0
  • J

    Then I have not understood what aGeekHere means when he writes: "I found that we can use both a transperrent proxy for port 80 and a wpad for 443 https content, the wpad will be setup to use port 80 and 443. The transperrent proxy is going to catch every thing that the wpad misses, enable transperrent proxy in squid once you have the wpad setup."

    I want all my traffic to go through squid and use wpad to not have to configure anything on client computers, in my lan and my vlans.

    0
  • J

    At this point it works. I have rebooted the machine and now it works. I imagine that in some step I had to restart and I did not.
    Now i'm going to check on vlan102.

    Regards.

    0
  • A

    Hi jopeme, glad that you have got it working.

    With using a transparent proxy with WPAD.

    You can just use the wpad and block port 80 and 443, however programs which do not have a proxy configuration will be blocked so you would need to create a pass rule for each program getting blocked. Using the transparent proxy for port 80 traffic removes that trouble. Though you will still need to create a pass rules for 443 traffic.

    Using a wpad for 443 traffic is better then using SSL Man In the Middle Filtering because you do not need to install a certificate on each device and second SSL Man In the Middle Filtering can break things (like some websites and program updates).

    There is one error with firefox you must select Auto-detect proxy settings for this network and NOT Use system proxy settings.

    I forgot to select transparent proxy in squid and in doing so I see that I can go to the internet using squid both if I select autoconfiguring and if I select without proxy. It's very stranger!

    if using windows you need to go to Control Panel internet options, connections, lan settings and click automatically detect settings.

    hope this helps

    0
  • J

    Is it necessary to configure clients in the advanced configuration of tcpip DNS with the domain configured in pfsense for example localdomain.local?
    If I do not add it does not work correctly and i think this does not make much sense to me since if you have to configure it on all clients this is not worth using wpad.

    0
  • A

    Is it necessary to configure clients in the advanced configuration of tcpip DNS with the domain configured in pfsense for example localdomain.local?

    ?

    0
  • J

    Sorry for my english. This picture show you i want to say:

    If i use default configuration on my windows clients i can not go out to internet.

    0
  • A

    I just have obtain a ip address automatically, did not need to set anything in advance TCP/IP settings.

    0
  • J

    It's very stranger. :-[ :-[

    Please could you tell me if my lan rules and wpad.dat,wpad.da, proxy.pac are right?

    [img]http://www.servyarte.com/reglaslan.jpg

    PROXY.PAC

    function FindProxyForURL(url, host)
    {
        if (isPlainHostName(host) ||
            shExpMatch(host, "*.local") ||
            isInNet(dnsResolve(host), "10.0.0.0",  "255.255.255.0"))
            return "DIRECT";
        return "PROXY 10.0.0.1:3128";
    }

    And for my vlan are right this rules, because from this vlan i cannot get wpad if i type in browsers http://wpad.localdomain.local/wpad it not solve.

    0
  • A

    reread the DNS firewall rule section (make the rule on top)

    Interface = LAN
    Protocol = TCP/UDP
    Source ports = *
    Dest address = *
    Dest ports = 53
    NAT IP = 127.0.0.1
    NAT Ports = 53
    Description = Redirect DNS
    LAN TCP/UDP * * * 53 127.0.0.1 53 Redirect DNS

    no firewall rule is needed for 3128 ??? not sure on vlan

    Change wpad to

    PROXY.PAC

    function FindProxyForURL(url, host)
    {
        if (isPlainHostName(host) ||
            shExpMatch(host, "*.local") ||
            isInNet(dnsResolve(host), "10.0.0.0",  "255.0.0.0"))
            return "DIRECT";
        return "PROXY 10.0.0.1:3128";
    }

    Not sure on VLAN as i have never set one up.

    0
  • J

    Now I am testing from a vlan and I have detected that if I do not activate the third rule then from a client I can not download the http: //wpad.localdomain.local/proxy.pac, but if I activate the rule then if I can download the proxy.pac.

    Also works fine if I do nslookup wpad.localdomain.local and responds:
    C: \ Users \ Computers \ nslookup wpad.localdomain.local
    Server: fproxy.localdomain.local
    Address: 10.0.0.1

    Name: wpad.localdomain.local
    Address: 10.0.0.1

    Any idea?

    0
  • A

    It looks like the 3rd rule blocks the vlan form connecting to the router which has the wpad.

    0
  • J

    Nobody knows how I can solve it?

    Thanks.

    0
  • M

    Did you manage to get it working? I have vlans configured on my network. Like others have mentioned, if you are wanting to use wpad, then you should disable transparent proxy.

    Two of my vlans are for mobile wifi and I do not pass wpad to them. It is very difficult to set up as you have to input the proxy information manually. Also some apps do not work very well with it.  So these are the only two that I pass through transparent proxy.  The others grab wpad because I have specified in the browser to auto detect settings.

    0
  • J

    Finally for the wifi interface I will not use neither squid nor wpad. What instructions did you follow to configure wpad ?. Could you show me your configuration for the vlan? Thank you

    0
  • M

    This is a link to a tutorial I used to set up WPAD. It is fairly straight forward. Basically you setup a web server on pfsense to server the wpad to your different vlans. I do not have any firewall rules to port 3128, only to the webserver on the specified port.

    https://nguvu.org/pfsense/pfSense-WPAD-PAC-proxy-configuration-guide/

    Here is what my wpad.da/proxy.pac looks like:

    
function FindProxyForURL(url,host)
{

         if(dnsDomainIs(host, ".mydomain.com")) {

            return "DIRECT";

        }  else if (isInNet(myIpAddress(),"10.0.0.0","255.255.255.0")) {     // Admin Net

            return "PROXY 10.0.0.1:3128; DIRECT";

        }  else if (isInNet(myIpAddress(),"10.0.2.0","255.255.255.0")) {     // User Net

            return "PROXY 10.0.2.1:3128; DIRECT";

        } else if (isInNet(myIpAddress(),"10.0.3.0","255.255.255.0")) {     //Guest Net

            return "PROXY 10.0.3.1:3128";

        } else {

          return "DIRECT";

       }

}

    Under Services -> Squid Proxy Server, make sure Enable Squid Proxy is checked, also make sure that the vlans you want to use the proxy are selected. The proxy port should be 3128.

    0
  • J

    What is your DNS host overrides settings. I have rules to force DNS server is pfsense for each interfaces. And what is this configuration un www server?

    bind to proxy address and port

    server.bind  = "0.0.0.0"
    server.port  = 80

    Thanks a lot for your help.

    0
  • M

    I've attached a screenshot of the host override for wapd. It is fairly straightforward.

    This is what I have in my conf file. My web server is on 192.168.50.1. So you will need to change this for your settings.

    bind to port (default: 80)

    server.bind  = "192.168.50.1"
    server.port  = 80


    0

  • Did you tried wpad Unofficial package? I guess it's much easier to setup then manual file changes.

    0
  • J

    I tried several weeks ago. But i don't know what step is wrong or missing for me if you have in mind that i use vlans and i forcé pfsense is DNS  server and proxy.

    0

  • @jopeme:

    I tried several weeks ago. But i don't know what step is wrong or missing for me if you have in mind that i use vlans and i forcé pfsense is DNS  server and proxy.

    The package will work fine for this setup. You can create different wpad script for each interface.

    0
  • J

    So I guess I'll have to change my settings right now as follows:
    Customer 1 on vlan102
    Ip 10.0.102.2/24
    Gateway: 10.0.102.1
    DNS: 10.0.102.1

    Customer 2 in vlan103
    Ip 10.0.103.2/24
    Gateway: 10.0.103.1
    DNS: 10.0.103.1

    The DNS should be for example the ip of the LAN 10.0.0.1 if I am not mistaken.
    And I set up in PFSENSE the rules for DNS requests to redirect them to the LAN and allow HTTP traffic to the LAN that is going to serve the WPAD.
    I'm right?

    Thanks.

    0
  • J

    Hello again.

    Finally I installed the Unofficial wpad and I configured the dns resolver, but I can not get the wpad file. Probably because of my rules. If I write the url in a client http: //wpad.mydomain.local/proxy.pac
    Is not able to download it. nslookup command Works fine and i get ip address of the lan.
    From a vlan these are my rules.What is wrong with them?

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy