    Bypass these destination IPs - Not really working

    Cache/Proxy
beauw:

      I've been using an XG-1540 with Squid/Squidguard for about 2 years now. We have to use Squid/Squidguard for filtering in a K-12 institution. Generally it works well with multiple ACLs, VLANS etc.

      One thing I haven't quite been able to get working (or rather is hit-or-miss) is the "Bypass these Destination IPs".

I have them listed in an Alias in FQDN (which has worked before and the documentation says will work), but now I'm encountering situations where it appears to completely ignore the setting. When monitoring the proxy in real time, sites that should be ignored pop up in the real-time monitoring list, often with a TAG409 causing SSL issues. This is only maybe 5% of my traffic, but these sites are critical for administrators.

Any ideas on how I can either validate the setting is applied (through a command line prompt) or change some setting to further fix it?

I really can't use IP addresses, as all the different websites change IP routinely.

periko:

        What sites for example?

Need pfSense support in Mexico?
www.bajaopensolutions.com
https://www.facebook.com/BajaOpenSolutions
Want to learn pfSense? Visit my YouTube channel:
https://www.youtube.com/c/PedroMorenoBOS
beauw:

          The largest offender with Squid / Squidguard is anything held in Amazon AWS. These routinely fail and throw SSL connection errors.

The bigger issue is that the list itself is not being obeyed by the Squid proxy config.

periko:

I had a similar case with the monster Google: I found all the IP blocks they use (I know they can change, but right now they are still working).

This way I add an alias for each block and allow them to bypass Squid; in my case I just allow email ports 465, 587, 993 and block anything else.

            But looks like similar case.

beauw:

How many aliases do you have on the "bypass these destination IPs"? Yours are all IPs, right, not FQDN?

              I had found previously (could have been a bug) that more than two aliases also caused it to not block anything.

periko @beauw:

@beauw I have 19 net blocks and yes, they are IPs, not FQDN. FQDN won't work for Google because pfSense can just have one for the FQDN, and Google can use any of the world of IPs they have.

beauw:

                  Thanks!

                  I ended up doing two things.

1. Completely deleting all the items from the list, doing a killall of filterdns, and reloading the list, which appeared to properly resolve all the FQDNs into the proper alias table.
2. Creating a separate list of IPs to bypass as well.

                  Both seem to be working better now.

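An added script for the command-line validation the first post asks about (not pfSense code and not something the posters ran): it compares the addresses a pf alias table currently holds with what the FQDN resolves to now, so a table that filterdns filled from a stale or partial lookup shows up as "missing" entries. It assumes a pfSense shell with `pfctl` and `host` from the base system; the alias name and hostname are placeholders, and the sample data is constructed.

```shell
#!/bin/sh
# Added example for this thread; not pfSense code or anything the posters ran.
# Checks whether the pf table behind a "Bypass these destination IPs" FQDN
# alias holds every address the name resolves to right now. Assumed: pfSense
# shell with `pfctl` and `host` from the base system; names are placeholders.
# `pfctl -t ALIAS -T show` output -> one bare IPv4 host entry per line.
# Network entries (e.g. /24) are not evaluated and are dropped here.
table_addrs() {
    sed 's/^[[:space:]]*//' \
        | grep -E '^[0-9]+(\.[0-9]+){3}(/32)?$' \
        | sed 's#/32$##' | sort -u
}

# `host -t A NAME` output ("NAME has address A.B.C.D") -> same shape.
resolved_addrs() {
    awk '/has address/ { print $NF }' | sort -u
}

# Print each resolved address that is NOT in the table; connections to those
# still go through Squid. $1 = table listing, $2 = host output (as strings).
missing_addrs() {
    have=$(printf '%s\n' "$1" | table_addrs)
    want=$(printf '%s\n' "$2" | resolved_addrs)
    for ip in $want; do
        printf '%s\n' "$have" | grep -qxF -- "$ip" || printf '%s\n' "$ip"
    done
}

# Live check against pf: returns 1 and lists the gaps when coverage is partial.
check_alias() {
    gaps=$(missing_addrs "$(pfctl -t "$1" -T show)" "$(host -t A "$2")")
    if [ -n "$gaps" ]; then
        echo "alias $1 is missing addresses for $2:"
        printf '  %s\n' $gaps
        return 1
    fi
    echo "alias $1 covers every current A record of $2"
}

# Constructed sample (RFC 5737 addresses): the table was filled from a stale
# lookup and lacks 203.0.113.5, the kind of drift the thread describes.
SAMPLE_TABLE='   192.0.2.10
   198.51.100.7'
SAMPLE_HOST='portal.example.org has address 192.0.2.10
portal.example.org has address 203.0.113.5
portal.example.org has address 198.51.100.7'

# Usage: sh check_bypass.sh ALIAS_NAME portal.example.org   (no args: sample)
if [ $# -ge 2 ]; then check_alias "$1" "$2"; else missing_addrs "$SAMPLE_TABLE" "$SAMPLE_HOST"; fi
```

Run it once after a filterdns restart and again a few minutes later; a name whose A records rotate (the AWS-hosted sites mentioned above) will start reporting gaps as the table ages.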