WPAD doesn't work



  • Hello,

    My goal is to use pfSense for URL filtering (Squid + SquidGuard) without using the transparent mode (I want to use the WPAD method).

    I followed this guide (and additional information elsewhere): https://docs.netgate.com/pfsense/en/latest/cache-proxy/wpad-autoconfigure-for-squid.html

    I use a SG-3100. The WPAD files must be in the SG-3100 as I don't have other machines.

    System / General Setup
    Hostname: pfSense
    Domain: localdomain
    DNS Servers: 8.8.8.8

    System / Advanced / Admin Access
    I use the HTTP procotol as the doc says.

    I enable the DNS forwarder (and disable the DNS resolver)
    Host Overides
    wpad localdomain 192.168.10.1

    Services / DHCP Server / LAN
    Additional BOOTP/DHCP Options
    Numer : 252
    Type : String
    Value : "http://wpad.localdomain/wpad.dat"
    (I did it with the 2 others files)

    At this stage, I should be able to download a file if I go to http://wpad.localdomain/wpad.dat
    Or able to ping/nslookup wpad.localdomain

    But it doesn't work and I'm stuck... (Of course, I already restart some services and the machine).

    Thanks!



  • Is the client you're testing from actually using pfSense as its DNS? What does "it doesn't work" mean, specifically? What happens? What error message, if any, do you get? You didn't say anything about where you placed the wpad.dat file on your pfSense box.



  • @kom said in WPAD doesn't work:

    Is the client you're testing from actually using pfSense as its DNS? What does "it doesn't work" mean, specifically? What happens? What error message, if any, do you get? You didn't say anything about where you placed the wpad.dat file on your pfSense box.

    Hello,

    Thanks for your answer.

    Yes it works if I put (manually) the pfSense IP address in my DNS configuration. But in this case, the clients are not able to resolve the other domain names (google.com, wikipedia.org, ...) ?



  • OK, brainfart on my part. I didn't notice you were handing out 8.8.8.8 to your DHCP users. WPAD will never work that way, since your host overrides will never get used. Put 8.8.8.8 as your DNS under System - General Setup - DNS Servers, then give your pfSense LAN IP as the DHCP DNS server. and try again.



  • @kom OK I changed the DNS in the DHCP configuration, it's better but...

    If I add the proxy manually in my browser, it works fine: sites that are not allowed are blocked and others sites works. If I go on http://wpad.localdomain/wpad.dat I can download the file and ping wpad.localdomain works.

    If I put the proxy on "Automatically detect settings" the client doesn't download the proxy settings and I can't access to any websites (I have a timed out) but If I go on http://wpad.localdomain/wpad.dat I can download the file and ping wpad.localdomain works.

    Maybe it's a problem with the FW settings? How to force my client to download the WPAD file?
    Here's my FW settings (I follow a tutorial on YT and also this thread) :
    alt text

    Thanks.



  • Your LAN rules are crap. Rules are evaluated top-down, first match. Literally get rid of everything except for the Anti-Lockout rule at the top, and the two Default allow LAN to any rules at the bottom. If you aren't using IPv6 then you may as well disable it via System - Advanced - Networking - IPv6 Options - Allow IPv6 and uncheck it. Enable the Default allow LAN rules that are currently disabled for some reason. Delete everything else and try again.

    Also, what is in your wpad.dat file?

    https://doc.pfsense.org/index.php/Firewall_Rule_Basics

    https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting



  • @kom in fact I already tried with the default LAN rules and it doesn't works. That's why I tried with the rules I saw on the YT video...

    With the default rules It seems that the client goes through the FW (because I have access to internet/websites) but doesn't get the proxy configuration (because I also have access to the blocked websites).

    At the begining my files was containing:

    function FindProxyForURL(url,host)
    {
    return "PROXY 192.168.10.1:3128";
    }
    

    Then I change to:

    function FindProxyForURL(url, host) 
    { 
        if (isPlainHostName(host) ||
            shExpMatch(host, "*.local") ||
            isInNet(dnsResolve(host), "192.168.10.0",  "255.255.255.0"))
            return "DIRECT";
    
        return "PROXY 192.168.10.1:3128";
    }
    


  • in fact I already tried with the default LAN rules and it doesn't works.

    That had nothing to do with firewall rules. If it isn't working with an 'Allow everything to everywhere' rule, then it won't ever work no matter what you do with rules.

    Your wpad.dat looks good.

    You're saying that you think WPAD isn't working because you can get to blocked sites? Perhaps WPAD and squid are working fine, but squidguard is not?

    Go to Services - Squid Proxy Server - Real Time and see if there is any action in the Squid Access Table. Have your test client set to autodetect the proxy, and then browse somewhere and look at the Access Table to see if you can see the URL requested form the client.

    Note that some OSes, like Android, do not support WPAD. You must configure the proxy manually for those.



  • @kom I say WPAD isn't working because when I put manually the proxy settings in my browser, SquidGuard works (the websites is blocked). When I put the proxy settings in my browser on "Automatically detect settings", I have access to all websites.

    I don't have access to the server right know.

    Thanks.



  • What OS are these clients using? Can you confirm that you are assigning the localdomain domain via DHCP to your clients? The WPAD config is usually pretty simple. I assume you have read this:

    https://docs.netgate.com/pfsense/en/latest/cache-proxy/wpad-autoconfigure-for-squid.html

    Technically you don't even need the DHCP 252 option for this to work. I'm also wondering if there might be some weird bug where it doesn't behave properly if you have a FQDN in the form of a.b instead of the usual a.b.c. As a last desperate test, change localdomain to something like localdomain.local or localdomain.lan or domain.local and try again. I doubt it will make any difference, but I've seen weirder things.



  • @kom OK the problem comes from the DHCP. I didn't put the localdomain. Now it works. It was never mentioned in the guides I followed.

    Thanks for your help!!!


Log in to reply