how to disable squid

mcuddy · Dec 18, 2018, 1:50 PM

pfSense is an awesome firewall, Squid is an awesome filtering proxy. And they work well together. However, I am trying to test another filter with some extra bells and whistles. to do this, I want to disble squid proxy server. Unfortunately every time I turn off the service or uncheck the "Enable Squid Proxy" box, I loose all web traffic. (oddly, ping, DNS Resolution, and tracert seem to work).

I am guessing that there is some setting that Squid turned on when it was installed that routes all web traffic to the proxy port. If I am right, this setting doesn't revert to "pass through" when quid is disabled, turned off, or uninstalled. Can anyone point me to where this setting is so I can run the firewall without the proxy?

I have considered reloading the pfSense software from scratch, but I do not want to risk our firewall being down or our internet being down during business hours...

vallum · Dec 18, 2018, 1:56 PM

@mcuddy I guess you will going to host this new proxy inside your network somewhere, probably in LAN.
on Firewall LAN interface make a rule to accept traffic from your New Proxy.
on your New proxy make default gateway as PFsense IP.
configure New Proxy IP in user machine and this should work.

mcuddy · Dec 18, 2018, 2:36 PM

The new proxy is actually outside of our network. It is a filtering service. We point to their DNS and use certificates. I have set their DNS servers in the DNS Server Settings in System/General. As I understand it, that should be sufficient.

mhab12 · Dec 18, 2018, 2:54 PM

Can you successfully ping IP addresses? Try 8.8.8.8 or 208.67.222.222

You may need to create a default Allow Lan -> Any rule.

vallum · Dec 18, 2018, 2:56 PM

@mcuddy said in how to disable squid:

The new proxy is actually outside of our network. It is a filtering service. We point to their DNS and use certificates. I have set their DNS servers in the DNS Server Settings in System/General. As I understand it, that should be sufficient.

Oh I guess you are exploring OpenDNS , may be cisco umbrella.

mcuddy · Dec 18, 2018, 2:57 PM

Actually, I am exploring a product called securly
Similar to opendns but broader scope of services.

mcuddy · Dec 18, 2018, 3:00 PM

Yes, When I disable the proxy server service, I can still ping 8.8.8.8
I can even ping www.google.com
But when I try to visit with a browser, I get "Connecting" then "No internet connection"

mhab12 · Dec 18, 2018, 3:03 PM

Do you have the Securly DNS servers listed in there now? What happens if you set the pfSense DNS to 208.67.222.222?

vallum · Dec 18, 2018, 3:08 PM

@mcuddy said in how to disable squid:

Actually, I am exploring a product called securly
Similar to opendns but broader scope of services.

You can actually keep squid on. define parent proxy (which will be Securly FQDN and port). I have tested this will work.

in squid add this in advanced , custom integrations:-
cache_peer FQDN_OF_Securly parent PORTNUMBER 0 no-query no-digest
never_direct allow all

mcuddy · Dec 18, 2018, 3:28 PM

@mhab12
Thank you. I missed that troubleshooting step...
With squid, the Securly DNS addresses did get me to the internet. Without, they didn't.
With 208.67.222.222, it works both ways...

It sounds like it may be a problem on thier end, then?

Correction:
the different DNS wasn't the solution... For some reason the Proxy service restarted when I changed the DNS.
If I keep squid service off, it doesn't work.

vallum · Dec 18, 2018, 3:11 PM

@mcuddy said in how to disable squid:

@mhab12
Thank you. I missed that troubleshooting step...
With squid, the Securly DNS addresses did get me to the internet. Without, they didn't.
With 208.67.222.222, it works both ways...

It sounds like it may be a problem on thier end, then?

208.67.222.222 is OpenDNS ...

mhab12 · Dec 18, 2018, 3:11 PM

Either their end or something with the upstream proxy configuration, if that is how they are actually setup. OpenDNS/Umbrella do everything via DNS...not sure of Securly.

mcuddy · Dec 18, 2018, 3:19 PM

the different DNS wasn't the solution... For some reason the Proxy service restarted when I changed the DNS.
If I keep squid service off, it doesn't work.

mcuddy · Dec 18, 2018, 3:27 PM

@vallum

Please clarify - Am I addidng the exact words on your script, or am I putting the Securly Domain Naim and ports (80 and 8080) in to the script?

cache_peer www.securly.com parent 8080 0 no-query no-digest?

vallum · Dec 18, 2018, 3:31 PM

@mcuddy said in how to disable squid:

@vallum

Please clarify - Am I addidng the exact words on your script, or am I putting the Securly Domain Naim and ports (80 and 8080) in to the script?

cache_peer www.securly.com parent 8080 0 no-query no-digest?

you can try with port 80 , did you create IPsec or Gre tunnel with Securly from your location? this is the requirement of CASB based solutions.

mcuddy · Dec 18, 2018, 3:35 PM

@vallum said in how to disable squid:

Psec or Gre

That would be my problem. I did not create a tunnel. All I did was change the dns addresses.

At the moment, I don't know how to add the tunnel, nor the implications of doing it (am I likely to take the internet down while setting it up? etc.) I'll look into it. Do you have any direction here?

vallum · Dec 19, 2018, 6:58 AM

@mcuddy said in how to disable squid:

@vallum said in how to disable squid:

Psec or Gre

That would be my problem. I did not create a tunnel. All I did was change the dns addresses.

Check their documentation for further details

At the moment, I don't know how to add the tunnel, nor the implications of doing it (am I likely to take the internet down while setting it up? etc.) I'll look into it. Do you have any direction here?

You can create IPsec tunnel in pfsense , I don't see any issue with that.
at securly end you need to create tunnel parameters like preshared key and IP address of site, subnet details etc.
Then same information in Pfsense while setting up tunnel.