New PFsense Build + Squid



  • Hi all,

    I have just put together a new build of pfSense on an appliance, and everything is going well. I have a bunch of VLANs on my LAN interface trunked to a downstream switch; all inter-VLAN traffic is working, and the clients that should have internet access do and the ones that shouldn't don't.

    I attempted to install and configure squid; the install has completed successfully and it has been configured as per these instructions: https://docs.netgate.com/pfsense/en/latest/cache-proxy/setup-squid-as-a-transparent-proxy.html

    Whenever I tail the access log, if I ever see anything (which is rare), I see this: "1571973502.230 0 127.0.0.1 TCP_MISS/200 751 GET cache_object://localhost/active_requests - HIER_NONE/- text/plain".

    Never any hits or reference to a web page. I have tried clearing the web browser cache and incognito mode, same result. The cache directory exists and there are subfolders created; the ones I did check had nothing in them.

    Lightsquid shows some bytes and when following through the links, it eventually goes to try and get to http://cache_object//localhost/active_requests and doesn't exist.

    Any help would be greatly appreciated!

    Thanks



  • Did you choose your VLANs for proxy interfaces? Squid will only listen on LAN & loopback by default.

    Transparent squid can be a real PITA when using HTTPS, which is practically the entire web these days. Explicit mode with WPAD allows your clients to autodetect the proxy, and it gives you the flexibility as to who goes through it and who can go around it. With explicit mode, you don't need to install certificates on every client that will use the proxy.

    One last thing: squid is terrible at caching the modern web for the most part. I've found that it's only useful these days as the base for squidguard URL filtering.



  • @KOM Thanks for the reply, yup, I've put my interfaces on it.

    Interesting you mention it's not great at modern web, is there anything else that is better?



  • It's very hard to cache dynamic content. There is no other cache package for pfSense. When I was running as a caching server, my hit rate was never more than 4-7%, which is pretty poor.
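
Added example, not part of any post in this thread: a small Python reader for Squid's native access.log format that separates cache manager queries (`cache_object://` requests from 127.0.0.1, like the entry quoted in the first post) from real client requests, and computes a hit ratio of the kind mentioned above. Every log line except the quoted one is constructed, and the function names are hypothetical.

```python
from collections import Counter

# Constructed sample. Line 1 is the entry quoted in the first post; the other
# lines are invented (documentation IP ranges, example.* hosts).
SAMPLE_LOG = """\
1571973502.230 0 127.0.0.1 TCP_MISS/200 751 GET cache_object://localhost/active_requests - HIER_NONE/- text/plain
1571973510.101 85 192.0.2.21 TCP_MISS/200 5120 GET http://example.com/ - ORIGINAL_DST/198.51.100.10 text/html
1571973511.350 1 192.0.2.21 TCP_HIT/200 2048 GET http://example.com/logo.png - HIER_NONE/- image/png
1571973515.007 920 192.0.2.35 TCP_TUNNEL/200 3912 CONNECT example.org:443 - HIER_DIRECT/198.51.100.11 -
1571973520.442 64 192.0.2.35 TCP_MISS/200 900 GET http://example.net/ - ORIGINAL_DST/198.51.100.12 text/html
1571973521.013 70 192.0.2.21 TCP_MISS/200 1300 GET http://example.net/app.js - ORIGINAL_DST/198.51.100.12 text/javascript
truncated line
"""


def parse_line(line):
    """Parse one native-format access.log line; return None if malformed."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3]:
        return None
    code, _, status = f[3].partition("/")
    return {"client": f[2], "code": code, "status": status,
            "method": f[5], "url": f[6]}


def summarize(log_text):
    """Split cache manager queries from client traffic and compute a hit ratio."""
    manager = tunnels = http_requests = hits = 0
    clients = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip blank or truncated lines
        if entry["url"].startswith("cache_object://"):
            manager += 1  # cache manager query, not a browsed page
            continue
        clients[entry["client"]] += 1
        if entry["method"] == "CONNECT":
            tunnels += 1  # HTTPS tunnel: nothing cacheable passes through
            continue
        http_requests += 1
        if "HIT" in entry["code"]:  # simplification: TCP_HIT, TCP_MEM_HIT, ...
            hits += 1
    return {"manager": manager, "clients": dict(clients), "tunnels": tunnels,
            "http_requests": http_requests, "hits": hits,
            "hit_ratio": hits / http_requests if http_requests else 0.0,
            "seeing_clients": bool(clients)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A log that yields `seeing_clients` false, as the single quoted line does, shows that only local cache manager queries are being logged and no browser traffic is reaching the proxy.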



  • No worries, may as well remove it then.

    I have noticed after putting pfSense on the Sophos XG230, power consumption has actually gone up.


  • Netgate Administrator

    Try enabling powerd in System > Advanced > Misc to get CPU speed scaling etc.

    Steve

