Transparent mode not working

  • Having issues getting Transparent proxy to work. I did a fresh install of pfSense 2.4 on a new device. I restored my configuration from my previous pfsense box. Everything is working fine except for Squid and Squidguard.

    I followed the steps (including optional) at https://docs.netgate.com/pfsense/en/latest/cache-proxy/squid-troubleshooting.html

    I only installed squid to get one item at a time working. Squid installed by itself does not work in transparent mode. If I set my web browser proxy configuration to the IP address of my pfSense device it works fine. It just does not work in transparent mode.

    I see TCP_MISS/403 status messages in the Real Time log.

    Here is what I did for reinstall of squid. Appreciate any help provided.

    Squid package install

    Installing pfSense-pkg-squid...
    Updating pfSense-core repository catalogue...
    pfSense-core repository is up to date.
    Updating pfSense repository catalogue...
    pfSense repository is up to date.
    All repositories are up to date.
    Checking integrity... done (0 conflicting)
    The following 15 package(s) will be affected (of 0 checked):

    New packages to be INSTALLED:
    pfSense-pkg-squid: 0.4.44_8 [pfSense]
    squidclamav: 6.16 [pfSense]
    c-icap: 0.5.3_1,2 [pfSense]
    brotli: 1.0.4,1 [pfSense]
    squid_radius_auth: 1.10 [pfSense]
    squid: 3.5.27_3 [pfSense]
    krb5: 1.16.1_5 [pfSense]
    pkgconf: 1.4.2,1 [pfSense]
    c-icap-modules: 0.5.3_1 [pfSense]
    clamav: 0.101.2,1 [pfSense]
    pcre2: 10.21_1 [pfSense]
    unzoo: 4.4_2 [pfSense]
    libmspack: 0.5 [pfSense]
    arj: 3.10.22_7 [pfSense]
    arc: 5.21p [pfSense]

    Number of packages to be installed: 15

    The process will require 25 MiB more space.
    [1/15] Installing brotli-1.0.4,1...
    [1/15] Extracting brotli-1.0.4,1: .......... done
    [2/15] Installing pkgconf-1.4.2,1...
    [2/15] Extracting pkgconf-1.4.2,1: .......... done
    [3/15] Installing pcre2-10.21_1...
    [3/15] Extracting pcre2-10.21_1: .......... done
    [4/15] Installing unzoo-4.4_2...
    [4/15] Extracting unzoo-4.4_2: ..... done
    [5/15] Installing libmspack-0.5...
    [5/15] Extracting libmspack-0.5: ......... done
    [6/15] Installing arj-3.10.22_7...
    [6/15] Extracting arj-3.10.22_7: .......... done
    [7/15] Installing arc-5.21p...
    [7/15] Extracting arc-5.21p: ...... done
    [8/15] Installing c-icap-0.5.3_1,2...
    ===> Creating groups.
    Using existing group 'c_icap'.
    ===> Creating users
    Using existing user 'c_icap'.
    [8/15] Extracting c-icap-0.5.3_1,2: .......... done
    [9/15] Installing krb5-1.16.1_5...
    [9/15] Extracting krb5-1.16.1_5: .......... done
    [10/15] Installing clamav-0.101.2,1...
    ===> Creating groups.
    Using existing group 'clamav'.
    Using existing group 'mail'.
    ===> Creating users
    Using existing user 'clamav'.
    [10/15] Extracting clamav-0.101.2,1: .......... done
    [11/15] Installing squidclamav-6.16...
    [11/15] Extracting squidclamav-6.16: .......... done
    [12/15] Installing squid_radius_auth-1.10...
    [12/15] Extracting squid_radius_auth-1.10: .... done
    [13/15] Installing squid-3.5.27_3...
    ===> Creating groups.
    Using existing group 'squid'.
    ===> Creating users
    Using existing user 'squid'.
    ===> Pre-installation configuration for squid-3.5.27_3
    [13/15] Extracting squid-3.5.27_3: .......... done
    [14/15] Installing c-icap-modules-0.5.3_1...
    [14/15] Extracting c-icap-modules-0.5.3_1: .......... done
    [15/15] Installing pfSense-pkg-squid-0.4.44_8...
    [15/15] Extracting pfSense-pkg-squid-0.4.44_8: .......... done
    Saving updated package information...
    done.
    Loading package configuration... done.
    Configuring package components...
    Loading package instructions...
    Custom commands...
    Executing custom_php_install_command()...done.
    Executing custom_php_resync_config_command()...done.
    Menu items... done.
    Services... done.
    Writing configuration... done.
    Message from squidclamav-6.16:

    ===> NOTICE:

    The squidclamav port currently does not have a maintainer. As a result, it is
    more likely to have unresolved issues, not be up-to-date, or even be removed in
    the future. To volunteer to maintain this port, please create an issue at:

    https://bugs.freebsd.org/bugzilla

    More information about port maintainership is available at:

    https://www.freebsd.org/doc/en/articles/contributing/ports-contributing.html#maintain-port
    Message from squid_radius_auth-1.10:

    ===> NOTICE:

    The squid_radius_auth port currently does not have a maintainer. As a result, it is
    more likely to have unresolved issues, not be up-to-date, or even be removed in
    the future. To volunteer to maintain this port, please create an issue at:

    https://bugs.freebsd.org/bugzilla

    More information about port maintainership is available at:

    https://www.freebsd.org/doc/en/articles/contributing/ports-contributing.html#maintain-port
    Message from squid-3.5.27_3:

    o You can find the configuration files for this package in the
    directory /usr/local/etc/squid.

     o The default cache directory is /var/squid/cache/.
       The default log directory is /var/log/squid/.
    
       Note:
       You must initialize new cache directories before you can start
       squid.  Do this by running "squid -z" as 'root' or 'squid'.
       If your cache directories are already initialized (e.g. after an
       upgrade of squid) you do not need to initialize them again.
    
     o When using DiskD storage scheme remember to read documentation:
         http://wiki.squid-cache.org/Features/DiskDaemon
       and alter your kern.ipc defaults in /boot/loader.conf. DiskD will not
       work reliably without this. Last recomendations were:
    
         kern.ipc.msgmnb=8192
         kern.ipc.msgssz=64
         kern.ipc.msgtql=2048
    
     o The default configuration will deny everyone but the local host and
       local networks as defined in RFC 1918 for IPv4 and RFCs 4193 and
       4291 for IPv6 access to the proxy service.  Edit the "http_access
       allow/deny" directives in /usr/local/etc/squid/squid.conf
       to suit your needs.
    
     o If AUTH_SQL option is set, please, don't forget to install one of
       following perl modules depending on database you like:
         databases/p5-DBD-mysql
         databases/p5-DBD-Pg
         databases/p5-DBD-SQLite
    
     To enable Squid, set squid_enable=yes in either
     /etc/rc.conf, /etc/rc.conf.local or /etc/rc.conf.d/squid
     Please see /usr/local/etc/rc.d/squid for further details.
    
     Note:
     If you just updated your Squid installation from an earlier version,
     make sure to check your Squid configuration against the 3.4 default
     configuration file /usr/local/etc/squid/squid.conf.sample.
    
     /usr/local/etc/squid/squid.conf.documented is a fully annotated
     configuration file you can consult for further reference.
    
     Additionally, you should check your configuration by calling
     'squid -f /path/to/squid.conf -k parse' before starting Squid.
    

    Message from pfSense-pkg-squid-0.4.44_8:

    Please visit Services - Squid Proxy Server menu to configure the package and enable the proxy.

    Cleaning up cache... done.
    Success

    Services / SquidProxy Server

    Configure Squid Settings
    Local Cache - Clear Disk Cache NOW - Save

    Antivirus - Checked Enable Squid antivirus check using ClamAV, Enables Google Safe Browsing support, & This option disables antivirus scanning of streamed video and audio. ClamAV Database Update - Every 8 Hours. Click - Save Clicked Update AV. Click Save.

    General - Check to Enable Squid proxy, Highlight appropriate Proxy interfaces - (All but WAN and loopback), Allow Users on Interface checked. Enable this to force DNS IPv4 lookup first. Transparent HTTP proxy checked. Transparent Proxy Interfaces Highlighted - (All but WAN; Loopback not an option), enable access logging, log pages denied by squidguard checked, set visible hostname, set administrator's email. Save.

    Dashboard shows:
    Squid Version 3.5.27_3
    Antivirus Scanner ClamAV 0.101.2,1 C-ICAP 0.5.3_1,2 + SquidClamav 6.16
    Antivirus Bases
    Database Date Version Builder
    daily.cld 2019.06.17 25483 raynman
    bytecode.cvd 2019.01.02 328 neo
    main.cvd 2017.06.07 58 sigmgr
    safebrowsing.cvd 2019.06.17 48777 google
    Last Update Mon Jun 17 03:56:00 2019

    When trying to access http:// sites I receive:
    The following error was encountered while trying to retrieve the URL: http://nameofsite/

    Access Denied.

    Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

    Your cache administrator is adminemail@mycomany.domain
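The symptom above is Squid answering TCP_MISS/403 to clients that reach it transparently, and the package message earlier in the post notes that Squid's default policy only admits the local host and the local networks it is configured with. A quick way to triage that is to pull the 403 entries out of the access log and check whether each client address actually falls inside the subnets you selected as proxy interfaces. The script below is an added example, not code from this thread or from the pfSense or Squid projects; it parses Squid's native access.log format, uses constructed sample log lines, and assumes a single hypothetical allowed subnet of 192.168.1.0/24 standing in for the LAN interface.

```python
"""Triage Squid TCP_MISS/403 entries from a native-format access.log.

Added example (not from the forum thread, pfSense or Squid). Assumes the
default native log layout:
  timestamp elapsed client result/status bytes method URL user hierarchy type
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log lines, not taken from the original post.
SAMPLE_LOG = """\
1560759360.123     15 192.168.1.50 TCP_MISS/403 3944 GET http://nameofsite/ - HIER_NONE/- text/html
1560759361.456    120 192.168.1.50 TCP_MISS/200 5120 GET http://nameofsite/index.html - HIER_DIRECT/203.0.113.10 text/html
1560759362.789     12 10.20.30.40 TCP_MISS/403 3944 GET http://example.test/ - HIER_NONE/- text/html
1560759363.001     10 192.168.1.77 TCP_MISS/403 3944 CONNECT example.test:443 - HIER_NONE/- -
"""

# One regex for the eleven whitespace-separated fields of the native format.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<type>\S+)$"
)


def parse_access_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def denied_requests(log_text, allowed_networks):
    """Collect every 403 entry and tag whether its client is in an allowed net.

    allowed_networks: CIDR strings matching the subnets of the interfaces
    selected as proxy interfaces (hypothetical values in the test below).
    """
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    denied = []
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec is None or rec["status"] != 403:
            continue
        client = ipaddress.ip_address(rec["client"])
        rec["client_allowed"] = any(client in n for n in nets)
        denied.append(rec)
    return denied


def unexpected_clients(denied):
    """Sorted, de-duplicated clients that were denied from outside allowed nets."""
    return sorted({r["client"] for r in denied if not r["client_allowed"]})


def summarize(denied):
    """Count denials per (client, in_allowed_net) pair for a quick overview."""
    return Counter((r["client"], r["client_allowed"]) for r in denied)


if __name__ == "__main__":
    hits = denied_requests(SAMPLE_LOG, ["192.168.1.0/24"])
    for (client, allowed), n in summarize(hits).items():
        where = "inside" if allowed else "OUTSIDE"
        print(f"{client}: {n} x 403, client {where} configured proxy subnets")
    print("clients to investigate:", unexpected_clients(hits))
```

A 403 from a client that is inside the configured subnets points at the http_access rules (or a blocking ACL such as SquidGuard) rather than at addressing; a 403 from a client outside them means traffic is arriving from an address range Squid was never told to allow, which is the kind of overlap between upstream and LAN address space that the thread ends up finding.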
  • @MissionaryRob said in Transparent mode not working:

    Access Denied.
    Access control configuration prevents your request from being allowed at this time.

    Are you on a different subnet from squid?
  • @KOM No I am on the same subnet.
  • @KOM All is working. I figured it out. There were some private IP addresses in use upstream that were the same as those configured on my LAN interface. I connected to a different network and all is fine now. Thanks.