    Crazy to setup pfsense 2.3.3+squid+squidguard+wpad

    • J
      jopeme last edited by

      Hello.
      I'm testing version 2.3.3 of pfsense and I want to use it as a caching proxy with squid + squidguard + wpad, but I cannot get it to work. My network schema is as follows, and my idea is that all the VLANs go through squid so the traffic can be filtered, and also that they cannot see each other:

      At the moment I have managed to browse from my LAN only if I configure the proxy 10.0.0.1 and port 3128 in the browser. These are my rules. When it works from my LAN I will continue with the VLANs:

      Now I want to avoid having to configure the IP and port in the browsers. For this I have configured wpad and automatic configuration in the browsers. If I type http://wpad.mydomain.lan/proxy.pac I can download the file, but I cannot get to the internet. This is my proxy.pac file:

      function FindProxyForURL(url, host) {
          // If the IP address of the local machine is within a defined
          // subnet, send to a specific proxy.
          if (isInNet(myIpAddress(), "10.0.0.0", "255.255.255.0"))
              // this is your gateway address/interface address for the subnet
              return "PROXY 10.0.0.1:3128";

          if (isInNet(myIpAddress(), "10.0.102.0", "255.255.255.0"))
              // this is your gateway address/interface address for the subnet
              return "PROXY 10.0.102.1:3128";

          if (isInNet(myIpAddress(), "10.0.103.0", "255.255.255.0"))
              // this is your gateway address/interface address for the subnet
              return "PROXY 10.0.103.1:3128";

          // DEFAULT RULE: All other traffic, use below proxies, in fail-over order.
          return "PROXY 10.0.0.1:3128";
      }

      Any idea?
      Thanks a lot.

      • A
        aGeekhere last edited by

        Start from here: https://forum.pfsense.org/index.php?topic=112335.0

        • J
          jopeme last edited by

          Hello again.
          I followed the instructions step by step and I see that if I set the proxy in the browser I browse through squid, but if I use the automatic proxy configuration option, the traffic does not go out through squid. These are my rules on the LAN:

          My LAN rules:

              LAN Address 80 * * Anti-Lockout Rule
              IPv4 TCP/UDP * * 127.0.0.1 53 (DNS) * none NAT Redireccion DNS
              IPv4 TCP * * * 80 - 443 * none

          This is my proxy.pac:

          function FindProxyForURL(url, host)
          {
              if (isPlainHostName(host) ||
                  shExpMatch(host, "*.local") ||
                  isInNet(dnsResolve(host), "10.0.0.0",  "255.255.255.0"))
                  return "DIRECT";

              return "PROXY 10.0.0.1:3128";
          }

          Any idea?
          Thanks a lot.

          • J
            jopeme last edited by

            I forgot to select transparent proxy in squid, and on doing so I see that I can get to the internet through squid both if I select auto-configuration and if I select no proxy. It's very strange!

            • D
              doktornotor Banned last edited by

              Huh… There's no need for WPAD or any proxy configuration on clients when the proxy is transparent. Nothing strange about it.

              • J
                jopeme last edited by

                Then I have not understood what aGeekHere means when he writes: "I found that we can use both a transparent proxy for port 80 and a wpad for 443 https content, the wpad will be setup to use port 80 and 443. The transparent proxy is going to catch everything that the wpad misses, enable transparent proxy in squid once you have the wpad setup."

                I want all my traffic to go through squid and to use wpad so I do not have to configure anything on the client computers, in my LAN and my VLANs.

                • J
                  jopeme last edited by

                  At this point it works. I have rebooted the machine and now it works. I imagine that at some step I had to restart and I did not.
                  Now I'm going to check on vlan102.

                  Regards.

                  • A
                    aGeekhere last edited by

                    Hi jopeme, glad that you have got it working.

                    On using a transparent proxy with WPAD:

                    You can just use the wpad and block ports 80 and 443; however, programs which do not have a proxy configuration will be blocked, so you would need to create a pass rule for each program getting blocked. Using the transparent proxy for port 80 traffic removes that trouble, though you will still need to create pass rules for 443 traffic.

                    Using a wpad for 443 traffic is better than using SSL Man In the Middle Filtering because you do not need to install a certificate on each device, and second, SSL Man In the Middle Filtering can break things (like some websites and program updates).

                    There is one issue with Firefox: you must select "Auto-detect proxy settings for this network" and NOT "Use system proxy settings".

                    I forgot to select transparent proxy in squid, and on doing so I see that I can get to the internet through squid both if I select auto-configuration and if I select no proxy. It's very strange!

                    If using Windows you need to go to Control Panel > Internet Options > Connections > LAN settings and tick "Automatically detect settings".

                    Hope this helps.

                    • J
                      jopeme last edited by

                      Is it necessary to configure the clients' advanced TCP/IP DNS settings with the domain configured in pfsense, for example localdomain.local?
                      If I do not add it, it does not work correctly, and this does not make much sense to me, since if you have to configure it on all clients it is not worth using wpad.

                      • A
                        aGeekhere last edited by

                        Is it necessary to configure the clients' advanced TCP/IP DNS settings with the domain configured in pfsense, for example localdomain.local?

                        ?

                        • J
                          jopeme last edited by

                          Sorry for my English. This picture shows what I want to say:

                          If I use the default configuration on my Windows clients I cannot get out to the internet.

                          • A
                            aGeekhere last edited by

                            I just have "Obtain an IP address automatically"; I did not need to set anything in the advanced TCP/IP settings.

                            • J
                              jopeme last edited by

                              It's very strange. :-[ :-[

                              Please could you tell me if my LAN rules and wpad.dat, wpad.da, proxy.pac are right?

                              http://www.servyarte.com/reglaslan.jpg

                              PROXY.PAC

                              function FindProxyForURL(url, host)
                              {
                                  if (isPlainHostName(host) ||
                                      shExpMatch(host, "*.local") ||
                                      isInNet(dnsResolve(host), "10.0.0.0",  "255.255.255.0"))
                                      return "DIRECT";
                                  return "PROXY 10.0.0.1:3128";
                              }

                              And are these rules right for my VLAN? Because from this VLAN I cannot get wpad: if I type http://wpad.localdomain.local/wpad in a browser it does not resolve.

                              • A
                                aGeekhere last edited by

                                Reread the DNS firewall rule section (put the rule on top):

                                Interface = LAN
                                Protocol = TCP/UDP
                                Source ports = *
                                Dest address = *
                                Dest ports = 53
                                NAT IP = 127.0.0.1
                                NAT Ports = 53
                                Description = Redirect DNS
                                LAN TCP/UDP * * * 53 127.0.0.1 53 Redirect DNS

                                No firewall rule is needed for 3128??? Not sure on VLAN.

                                Change wpad to

                                PROXY.PAC

                                function FindProxyForURL(url, host)
                                {
                                    if (isPlainHostName(host) ||
                                        shExpMatch(host, "*.local") ||
                                        isInNet(dnsResolve(host), "10.0.0.0",  "255.0.0.0"))
                                        return "DIRECT";
                                    return "PROXY 10.0.0.1:3128";
                                }

                                Not sure on VLAN as I have never set one up.

                                • J
                                  jopeme last edited by

                                  Now I am testing from a VLAN and I have detected that if I do not activate the third rule then from a client I cannot download http://wpad.localdomain.local/proxy.pac, but if I activate the rule then I can download proxy.pac.

                                  nslookup wpad.localdomain.local also works fine and responds:
                                  C:\Users\Computers>nslookup wpad.localdomain.local
                                  Server:  fproxy.localdomain.local
                                  Address:  10.0.0.1

                                  Name:    wpad.localdomain.local
                                  Address:  10.0.0.1

                                  Any idea?

                                  • A
                                    aGeekhere last edited by

                                    It looks like the 3rd rule blocks the VLAN from connecting to the router which has the wpad.

                                    • J
                                      jopeme last edited by

                                      Does nobody know how I can solve it?

                                      Thanks.

                                      • M
                                        maverik1 last edited by

                                        Did you manage to get it working? I have VLANs configured on my network. Like others have mentioned, if you want to use wpad, then you should disable transparent proxy.

                                        Two of my VLANs are for mobile wifi and I do not pass wpad to them. It is very difficult to set up as you have to input the proxy information manually. Also some apps do not work very well with it. So these are the only two that I pass through transparent proxy. The others grab wpad because I have specified in the browser to auto-detect settings.

                                        • J
                                          jopeme last edited by

                                          Finally, for the wifi interface I will use neither squid nor wpad. What instructions did you follow to configure wpad? Could you show me your configuration for the VLAN? Thank you.

                                          • M
                                            maverik1 last edited by

                                            This is a link to a tutorial I used to set up WPAD. It is fairly straightforward. Basically you set up a web server on pfsense to serve the wpad to your different VLANs. I do not have any firewall rules for port 3128, only for the web server on the specified port.

                                            https://nguvu.org/pfsense/pfSense-WPAD-PAC-proxy-configuration-guide/

                                            Here is what my wpad.da/proxy.pac looks like:

                                            function FindProxyForURL(url, host)
                                            {
                                                if (dnsDomainIs(host, ".mydomain.com")) {
                                                    return "DIRECT";
                                                } else if (isInNet(myIpAddress(), "10.0.0.0", "255.255.255.0")) {     // Admin Net
                                                    return "PROXY 10.0.0.1:3128; DIRECT";
                                                } else if (isInNet(myIpAddress(), "10.0.2.0", "255.255.255.0")) {     // User Net
                                                    return "PROXY 10.0.2.1:3128; DIRECT";
                                                } else if (isInNet(myIpAddress(), "10.0.3.0", "255.255.255.0")) {     // Guest Net
                                                    return "PROXY 10.0.3.1:3128";
                                                } else {
                                                    return "DIRECT";
                                                }
                                            }

                                            Under Services -> Squid Proxy Server, make sure Enable Squid Proxy is checked, also make sure that the vlans you want to use the proxy are selected. The proxy port should be 3128.

                                            • J
                                              jopeme last edited by

                                              What are your DNS host override settings? I have rules to force the DNS server to be pfsense for each interface. And what is this configuration in the www server?

                                              # bind to proxy address and port

                                              server.bind  = "0.0.0.0"
                                              server.port  = 80

                                              Thanks a lot for your help.

                                              • M
                                                maverik1 last edited by

                                                I've attached a screenshot of the host override for wpad. It is fairly straightforward.

                                                This is what I have in my conf file. My web server is on 192.168.50.1, so you will need to change this for your settings.

                                                # bind to port (default: 80)

                                                server.bind  = "192.168.50.1"
                                                server.port  = 80

                                                • marcelloc
                                                  marcelloc last edited by

                                                  Did you try the wpad Unofficial package? I guess it's much easier to set up than manual file changes.

                                                  • J
                                                    jopeme last edited by

                                                    I tried several weeks ago. But I don't know what step is wrong or missing for me, bearing in mind that I use VLANs and I force pfsense to be the DNS server and proxy.

                                                    • marcelloc
                                                      marcelloc last edited by

                                                      @jopeme:

                                                      I tried several weeks ago. But I don't know what step is wrong or missing for me, bearing in mind that I use VLANs and I force pfsense to be the DNS server and proxy.

                                                      The package will work fine for this setup. You can create a different wpad script for each interface.

                                                      • J
                                                        jopeme last edited by

                                                        So I guess I'll have to change my settings right now as follows:
                                                        Client 1 on vlan102
                                                        IP 10.0.102.2/24
                                                        Gateway: 10.0.102.1
                                                        DNS: 10.0.102.1

                                                        Client 2 on vlan103
                                                        IP 10.0.103.2/24
                                                        Gateway: 10.0.103.1
                                                        DNS: 10.0.103.1

                                                        The DNS should be, for example, the IP of the LAN, 10.0.0.1, if I am not mistaken.
                                                        And I set up in pfsense the rules to redirect DNS requests to the LAN and to allow HTTP traffic to the LAN that is going to serve the WPAD.
                                                        Am I right?

                                                        Thanks.

                                                        • J
                                                          jopeme last edited by

                                                          Hello again.

                                                          Finally I installed the Unofficial wpad and configured the DNS resolver, but I cannot get the wpad file, probably because of my rules. If I type the URL http://wpad.mydomain.local/proxy.pac in a client, it is not able to download it. The nslookup command works fine and I get the IP address of the LAN.
                                                          From a VLAN these are my rules. What is wrong with them?
