Bypass these destination IPs - Not really working

beauw

I've been using an XG-1540 with Squid/Squidguard for about 2 years now. We have to use Squid/Squidguard for filtering in a K-12 institution. Generally it works well with multiple ACLs, VLANS etc.

One thing I haven't quite been able to get working (or rather is hit-or-miss) is the "Bypass these Destination IPs".

I have them listed in an Alias in FQDN (which has worked before and the documentation says will work), but now I'm encountering situations where it appears to completely ignore the setting. When monitoring the proxy in real-time, sites that should be ignored pop up in the real-time monitoring list. Often with a TAG409 causing SSL issues. This is only maybe 5% of my traffic, but these sites are critical for administrators.

Any ideas on how I can either validate the setting is applied (though a command line prompt) or change some setting to further fix it?

I really can't use IP address as all the different websites change IP routinely.

periko

What sites for example?

beauw

The largest offender with Squid / Squidguard is anything held in Amazon AWS. These routinely fail and throw SSL connection errors.

The bigger issue is that the list itself is not being obeyed by the Squid Proxy Config....

periko

I had a similar case with the monster google, I found all the ip blocks they use(I know they can change, but right now are still working).

This way I add a alias for each block and allow they by pass on squid, in my case I just o allow emails ports 465,587,993 and block anything else.

But looks like similar case.

beauw

How many aliases do you have on the "bypass these destination IPs"? Yours are all IPs right, not FQDN?

I had found previously (could have been a bug) that more than two aliases also caused it to not block anything.

periko

@beauw I have 19 net blocks and Yes, they are IP's not FQDN, FQDN won't work for google because pfsense just can have 1 for the FQDN and google can use any of the world of ips they have.

beauw

Thanks!

I ended up doing two things.

1. Completely deleting all the items from the list, killall of filterdns, and reloading the list - which appeared to properly resolve all the FQDNs in the proper alias table.
2. Created a separate list of IPs to bypass as well.

Both seem to be working better now.