    Transparent mode not working

      MissionaryRob last edited by

      Having issues getting Transparent proxy to work. I did a fresh install of pfSense 2.4 on a new device. I restored my configuration from my previous pfsense box. Everything is working fine except for Squid and Squidguard.

      I followed the steps (including optional) at https://docs.netgate.com/pfsense/en/latest/cache-proxy/squid-troubleshooting.html

      I only installed squid to get one item at a time working. Squid installed by itself does not work in transparent mode. If I set my web browser proxy configuration to the ip address of my pfsense device it works fine. Just does not work in transparent mode.

      I see TCP_MISS/403 status messages in the Real Time log.

      Here is what I did for reinstall of squid. Appreciate any help provided.

      Squid package install

      Installing pfSense-pkg-squid...
      Updating pfSense-core repository catalogue...
      pfSense-core repository is up to date.
      Updating pfSense repository catalogue...
      pfSense repository is up to date.
      All repositories are up to date.
      Checking integrity... done (0 conflicting)
      The following 15 package(s) will be affected (of 0 checked):

      New packages to be INSTALLED:
      pfSense-pkg-squid: 0.4.44_8 [pfSense]
      squidclamav: 6.16 [pfSense]
      c-icap: 0.5.3_1,2 [pfSense]
      brotli: 1.0.4,1 [pfSense]
      squid_radius_auth: 1.10 [pfSense]
      squid: 3.5.27_3 [pfSense]
      krb5: 1.16.1_5 [pfSense]
      pkgconf: 1.4.2,1 [pfSense]
      c-icap-modules: 0.5.3_1 [pfSense]
      clamav: 0.101.2,1 [pfSense]
      pcre2: 10.21_1 [pfSense]
      unzoo: 4.4_2 [pfSense]
      libmspack: 0.5 [pfSense]
      arj: 3.10.22_7 [pfSense]
      arc: 5.21p [pfSense]

      Number of packages to be installed: 15

      The process will require 25 MiB more space.
      [1/15] Installing brotli-1.0.4,1...
      [1/15] Extracting brotli-1.0.4,1: .......... done
      [2/15] Installing pkgconf-1.4.2,1...
      [2/15] Extracting pkgconf-1.4.2,1: .......... done
      [3/15] Installing pcre2-10.21_1...
      [3/15] Extracting pcre2-10.21_1: .......... done
      [4/15] Installing unzoo-4.4_2...
      [4/15] Extracting unzoo-4.4_2: ..... done
      [5/15] Installing libmspack-0.5...
      [5/15] Extracting libmspack-0.5: ......... done
      [6/15] Installing arj-3.10.22_7...
      [6/15] Extracting arj-3.10.22_7: .......... done
      [7/15] Installing arc-5.21p...
      [7/15] Extracting arc-5.21p: ...... done
      [8/15] Installing c-icap-0.5.3_1,2...
      ===> Creating groups.
      Using existing group 'c_icap'.
      ===> Creating users
      Using existing user 'c_icap'.
      [8/15] Extracting c-icap-0.5.3_1,2: .......... done
      [9/15] Installing krb5-1.16.1_5...
      [9/15] Extracting krb5-1.16.1_5: .......... done
      [10/15] Installing clamav-0.101.2,1...
      ===> Creating groups.
      Using existing group 'clamav'.
      Using existing group 'mail'.
      ===> Creating users
      Using existing user 'clamav'.
      [10/15] Extracting clamav-0.101.2,1: .......... done
      [11/15] Installing squidclamav-6.16...
      [11/15] Extracting squidclamav-6.16: .......... done
      [12/15] Installing squid_radius_auth-1.10...
      [12/15] Extracting squid_radius_auth-1.10: .... done
      [13/15] Installing squid-3.5.27_3...
      ===> Creating groups.
      Using existing group 'squid'.
      ===> Creating users
      Using existing user 'squid'.
      ===> Pre-installation configuration for squid-3.5.27_3
      [13/15] Extracting squid-3.5.27_3: .......... done
      [14/15] Installing c-icap-modules-0.5.3_1...
      [14/15] Extracting c-icap-modules-0.5.3_1: .......... done
      [15/15] Installing pfSense-pkg-squid-0.4.44_8...
      [15/15] Extracting pfSense-pkg-squid-0.4.44_8: .......... done
      Saving updated package information...
      done.
      Loading package configuration... done.
      Configuring package components...
      Loading package instructions...
      Custom commands...
      Executing custom_php_install_command()...done.
      Executing custom_php_resync_config_command()...done.
      Menu items... done.
      Services... done.
      Writing configuration... done.
      Message from squidclamav-6.16:

      ===> NOTICE:

      The squidclamav port currently does not have a maintainer. As a result, it is
      more likely to have unresolved issues, not be up-to-date, or even be removed in
      the future. To volunteer to maintain this port, please create an issue at:

      https://bugs.freebsd.org/bugzilla

      More information about port maintainership is available at:

      https://www.freebsd.org/doc/en/articles/contributing/ports-contributing.html#maintain-port
      Message from squid_radius_auth-1.10:

      ===> NOTICE:

      The squid_radius_auth port currently does not have a maintainer. As a result, it is
      more likely to have unresolved issues, not be up-to-date, or even be removed in
      the future. To volunteer to maintain this port, please create an issue at:

      https://bugs.freebsd.org/bugzilla

      More information about port maintainership is available at:

      https://www.freebsd.org/doc/en/articles/contributing/ports-contributing.html#maintain-port
      Message from squid-3.5.27_3:

      o You can find the configuration files for this package in the
      directory /usr/local/etc/squid.

       o The default cache directory is /var/squid/cache/.
         The default log directory is /var/log/squid/.
      
         Note:
         You must initialize new cache directories before you can start
         squid.  Do this by running "squid -z" as 'root' or 'squid'.
         If your cache directories are already initialized (e.g. after an
         upgrade of squid) you do not need to initialize them again.
      
       o When using DiskD storage scheme remember to read documentation:
           http://wiki.squid-cache.org/Features/DiskDaemon
         and alter your kern.ipc defaults in /boot/loader.conf. DiskD will not
         work reliably without this. Last recomendations were:
      
           kern.ipc.msgmnb=8192
           kern.ipc.msgssz=64
           kern.ipc.msgtql=2048
      
       o The default configuration will deny everyone but the local host and
         local networks as defined in RFC 1918 for IPv4 and RFCs 4193 and
         4291 for IPv6 access to the proxy service.  Edit the "http_access
         allow/deny" directives in /usr/local/etc/squid/squid.conf
         to suit your needs.
      
       o If AUTH_SQL option is set, please, don't forget to install one of
         following perl modules depending on database you like:
           databases/p5-DBD-mysql
           databases/p5-DBD-Pg
           databases/p5-DBD-SQLite
      
       To enable Squid, set squid_enable=yes in either
       /etc/rc.conf, /etc/rc.conf.local or /etc/rc.conf.d/squid
       Please see /usr/local/etc/rc.d/squid for further details.
      
       Note:
       If you just updated your Squid installation from an earlier version,
       make sure to check your Squid configuration against the 3.4 default
       configuration file /usr/local/etc/squid/squid.conf.sample.
      
       /usr/local/etc/squid/squid.conf.documented is a fully annotated
       configuration file you can consult for further reference.
      
       Additionally, you should check your configuration by calling
       'squid -f /path/to/squid.conf -k parse' before starting Squid.
      

      Message from pfSense-pkg-squid-0.4.44_8:

      Please visit Services - Squid Proxy Server menu to configure the package and enable the proxy.

      Cleaning up cache... done.
      Success

      Services / SquidProxy Server

      Configure Squid Settings
      Local Cache - Clear Disk Cache NOW - Save

      Antivirus - Checked Enable Squid antivirus check using ClamAV, Enables Google Safe Browsing support, & This option disables antivirus scanning of streamed video and audio. ClamAV Database Update - Every 8 Hours. Click - Save Clicked Update AV. Click Save.

      General - Check to Enable Squid proxy, Highlight appropriate Proxy interfaces - (All but WAN and loopback), Allow Users on Interface checked. Enable this to force DNS IPv4 lookup first. Transparent HTTP proxy checked. Transparent Proxy Interfaces Highlighted - (All but WAN Loopback not an option), enable access logging, log pages denied by squidguard checked, set visible hostname, set administrators email. Save.

      Dashboard shows:
      Squid Version 3.5.27_3
      Antivirus Scanner ClamAV 0.101.2,1 C-ICAP 0.5.3_1,2 + SquidClamav 6.16
      Antivirus Bases
      Database Date Version Builder
      daily.cld 2019.06.17 25483 raynman
      bytecode.cvd 2019.01.02 328 neo
      main.cvd 2017.06.07 58 sigmgr
      safebrowsing.cvd 2019.06.17 48777 google
      Last Update Mon Jun 17 03:56:00 2019

      When trying to access http:// sites receive:
      The following error was encountered while trying to retrieve the URL: http://nameofsite/

      Access Denied.

      Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

      Your cache administrator is adminemail@mycomany.domain

        KOM last edited by

        @MissionaryRob said in Transparent mode not working:

        Access Denied.
        Access control configuration prevents your request from being allowed at this time.

        Are you on a different subnet from squid?

          MissionaryRob @KOM last edited by

          @KOM No I am on the same subnet.

            MissionaryRob @KOM last edited by

            @KOM All is working. I figured it out. There were some private IP addresses in use upstream that were the same as those configured on my LAN interface. I connected to a different network and all is fine now. Thanks.

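The thread was resolved by finding that private addresses in use upstream matched the LAN addressing. As an added example (not part of any post above), this check lists firewall interfaces whose networks overlap and the clients logging TCP_MISS/403 from inside them; the interface addresses and access.log lines are constructed sample data, and the function names are hypothetical.

```python
import ipaddress
from collections import Counter
from itertools import combinations

# Constructed interface addressing (assumption): the LAN reuses a private
# range that is also in use on the upstream (WAN) side.
INTERFACES = {
    "WAN": "192.168.1.23/24",
    "LAN": "192.168.1.1/24",
    "OPT1": "10.20.0.1/24",
}

# Constructed lines in Squid's native access.log layout:
# time elapsed client code/status bytes method URL user hierarchy type
ACCESS_LOG = """\
1560761760.101      3 192.168.1.50 TCP_MISS/403 4121 GET http://example.com/ - ORIGINAL_DST/203.0.113.10 text/html
1560761761.455      2 192.168.1.50 TCP_MISS/403 4121 GET http://example.org/ - ORIGINAL_DST/203.0.113.10 text/html
1560761770.012     48 10.20.0.15 TCP_MISS/200 1532 GET http://example.net/ - ORIGINAL_DST/203.0.113.10 text/html
"""

def overlapping_interfaces(interfaces):
    """Return (name_a, name_b, net_a, net_b) for each pair of overlapping networks."""
    nets = {n: ipaddress.ip_interface(a).network for n, a in interfaces.items()}
    return [(a, b, str(nets[a]), str(nets[b]))
            for a, b in combinations(sorted(nets), 2)
            # overlaps() raises on mixed IPv4/IPv6, so compare like with like
            if nets[a].version == nets[b].version and nets[a].overlaps(nets[b])]

def clients_with_403(log_text):
    """Count TCP_MISS/403 results per client (field 3 = client, field 4 = code/status)."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[3] == "TCP_MISS/403":
            hits[fields[2]] += 1
    return hits

def affected_clients(interfaces, log_text):
    """Clients logging 403s whose address lies inside an overlapping network."""
    bad = {ipaddress.ip_network(n)
           for _, _, na, nb in overlapping_interfaces(interfaces) for n in (na, nb)}
    return sorted(ip for ip in clients_with_403(log_text)
                  if any(ipaddress.ip_address(ip) in net for net in bad))

if __name__ == "__main__":
    for a, b, na, nb in overlapping_interfaces(INTERFACES):
        print(f"overlap: {a} {na} <-> {b} {nb}")
    print("clients with 403 in overlapping range:", affected_clients(INTERFACES, ACCESS_LOG))
```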