    Pfsense Squid proxy NONE/409

    Category: Cache/Proxy
    10 Posts 3 Posters 2.3k Views
    sviasnetworkmanager

      I am using a transparent proxy on pfSense; all clients and the proxy are using pfSense DNS. UDP ports are blocked by pfSense (to block the QUIC protocol). I am still getting a NONE/409 error. When I checked in Wireshark I can see that the IP address provided by pfSense (from DNS) is used as the destination IP address by the client. The error is generated when the client tries to access Google/Facebook/etc. services.

      At the same time I can't see firewall logs for TCP 443 or TCP 80.

      Any solutions?

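An added triage example, not from this thread: a Node.js script that parses Squid native-format access.log lines and aggregates the 409 entries by destination and by client. NONE/409 is how Squid 3 logs a 409 Conflict that Squid generated itself; Squid 4 and later write it as NONE_NONE/409. For intercepted (transparent) traffic this status comes from Squid's Host header forgery check, which compares the client's original destination IP against what the Host/SNI name resolves to in Squid's own resolver, and HIER_NONE in the hierarchy field shows the request was never forwarded to the origin. The log lines in the block are constructed; the field layout is Squid's documented native ("squid") log format.

```javascript
// Added example, not from the thread: triage of Squid native-format access.log
// lines for 409 Conflict entries. Field layout (Squid "squid" log format):
//   timestamp elapsed-ms client result/status bytes method url user hierarchy/peer type
// Squid 3 logs a self-generated 409 as NONE/409, Squid 4+ as NONE_NONE/409.
// The log lines below are constructed for this example.

var SAMPLE_ACCESS_LOG = [
  "1617000001.101      0 192.168.1.50 NONE/409 0 CONNECT www.google.com:443 - HIER_NONE/- -",
  "1617000001.205     35 192.168.1.50 TCP_TUNNEL/200 5120 CONNECT www.google.com:443 - ORIGINAL_DST/142.250.74.78 -",
  "1617000002.310      0 192.168.1.51 NONE_NONE/409 0 CONNECT www.facebook.com:443 - HIER_NONE/- -",
  "1617000002.415      0 192.168.1.51 NONE_NONE/409 0 GET http://www.facebook.com/ - HIER_NONE/- text/html",
  "1617000003.520     12 192.168.1.52 TCP_MISS/200 312 GET http://detectportal.firefox.com/success.txt - ORIGINAL_DST/34.107.221.82 text/plain",
  "this line is deliberately malformed"
].join("\n");

var NATIVE_RE = /^(\d+\.\d+)\s+(\d+)\s+(\S+)\s+(\S+)\/(\d{3})\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\/(\S+)\s+(\S+)$/;

// One native-format line -> object, or null when the line does not match.
function parseNativeLine(line) {
  var m = NATIVE_RE.exec(line.trim());
  if (!m) return null;
  return { time: parseFloat(m[1]), elapsedMs: parseInt(m[2], 10), client: m[3],
           result: m[4], status: parseInt(m[5], 10), bytes: parseInt(m[6], 10),
           method: m[7], url: m[8], user: m[9], hierarchy: m[10], peer: m[11], type: m[12] };
}

// "host:port" the client was trying to reach. CONNECT lines already carry
// host:port; other methods carry a full URL (default port taken from the scheme).
function destinationOf(entry) {
  if (entry.method === "CONNECT") return entry.url;
  var m = /^([a-z][a-z0-9+.-]*):\/\/([^\/?#]+)/i.exec(entry.url);
  if (!m) return entry.url;
  var scheme = m[1].toLowerCase(), authority = m[2];
  if (authority.indexOf(":") !== -1) return authority;
  return authority + (scheme === "https" ? ":443" : ":80");
}

// Counts 409 entries per destination and per client over a whole log text.
function summarize409(logText) {
  var out = { parsed: 0, unparsed: 0, conflicts: 0, selfGenerated: 0, byDestination: {}, byClient: {} };
  var lines = logText.split("\n");
  for (var i = 0; i < lines.length; i++) {
    if (!lines[i].trim()) continue;
    var e = parseNativeLine(lines[i]);
    if (!e) { out.unparsed++; continue; }
    out.parsed++;
    if (e.status !== 409) continue;
    out.conflicts++;
    // HIER_NONE: Squid produced the response itself; nothing went to the origin.
    if (e.hierarchy === "HIER_NONE") out.selfGenerated++;
    var d = destinationOf(e);
    out.byDestination[d] = (out.byDestination[d] || 0) + 1;
    out.byClient[e.client] = (out.byClient[e.client] || 0) + 1;
  }
  return out;
}

// [[key, count], ...] sorted by count descending, then key ascending.
function rankCounts(counts) {
  var rows = [];
  for (var k in counts) {
    if (Object.prototype.hasOwnProperty.call(counts, k)) rows.push([k, counts[k]]);
  }
  rows.sort(function (a, b) { return b[1] - a[1] || (a[0] < b[0] ? -1 : a[0] > b[0] ? 1 : 0); });
  return rows;
}

// Usage: node squid409.js [/var/squid/logs/access.log]; without an argument the
// constructed sample above is summarized.
if (typeof require !== "undefined" && require.main === module) {
  var fs = require("fs");
  var text = process.argv[2] ? fs.readFileSync(process.argv[2], "utf8") : SAMPLE_ACCESS_LOG;
  var s = summarize409(text);
  console.log(s.conflicts + " of " + s.parsed + " requests ended in 409 (" + s.unparsed + " unparsed lines)");
  console.log("by destination:", rankCounts(s.byDestination));
  console.log("by client:", rankCounts(s.byClient));
}
```

The destinations this ranks are the names to check next: resolve each one from the pfSense box itself (the resolver Squid uses) and compare the answers with the destination IP the client connected to in the capture; a 409 with a name that resolves to a different address on the proxy than on the client is the forgery check firing, which is also why the firewall shows no separate TCP 80/443 state for those requests.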
      DaddyGo

        Try this:

        [image attachment: db5cd8ac-6a66-4942-b8d2-a7fcd44f4ca0-image.png]

        [image attachment: 50577ae0-4041-4208-9f39-da8132b4730e-image.png]

        This is not a complete list, just a starting point:
        ssl.gstatic.com
        discordapp.com
        gateway.discord.gg
        web.whatsapp.com
        w1.web.whatsapp.com
        w2.web.whatsapp.com
        w3.web.whatsapp.com
        w4.web.whatsapp.com
        w5.web.whatsapp.com
        w6.web.whatsapp.com
        w7.web.whatsapp.com
        w8.web.whatsapp.com
        w9.web.whatsapp.com
        w10.web.whatsapp.com
        .google.com
        .googleapis.com
        .gstatic.com
        .1e100.net
        www.youtube.com
        www.gmail.com
        *.workplace.com 80/443
        *.facebook.com 80/443
        *.fbcdn.net 80/443
        *.fb.me 80/443
        *.fbsbx.com 80/443
        *.workplace.com
        *.facebook.com
        *.fbcdn.net
        *.fb.me
        *.fbsbx.com
        .teamviewer.com
        .verisign.com
        .verisign.net
        .windowsupdate.com
        .github.com
        .easylist.to

        @sviasnetworkmanager: "UDP ports blocked by pfsense"
        What is this meant to be in this case?

        Cats bury it so they can't see it!
        (You know what I mean if you have a cat)

        sviasnetworkmanager @DaddyGo

          @DaddyGo Thank you for your reply. "UDP ports blocked by pfsense" is to block the QUIC protocol.

          sviasnetworkmanager @DaddyGo

            @DaddyGo I have tried as you said (whitelisted on the Squid proxy), still the NONE/409 error. I am using Squid with squidGuard; on squidGuard those URLs are already whitelisted.

            DaddyGo

              By default, the firewall blocks unwanted traffic on the WAN interface.
              Let the firewall do its thing and rather follow this description
              (you can't know what else the "big ones" may still be using this protocol for by then):

              [image attachment: 4d6e197b-8861-46cc-a21d-a6cb4ff43e31-image.png]

              You didn't write about making your own cert for Squid
              and then installing it in the browsers you use (in all of them).
              I think you use SSL MITM?

              For systematic troubleshooting (you don't want to configure everything at once, because it's harder to figure out what's causing your problem): configure Squid first so that it works, and then SquidGuard can come.

              I also assume your DNS settings are OK and that without Squid everything works great.

              If these don't help, you could share a PRTSC (screenshot) of your settings.

                sviasnetworkmanager @DaddyGo

                I have my own cert for Squid, and I am using SSL MITM. It's not possible to disable the QUIC protocol for each user; there are hundreds of users. Without Squid it's working fine.

                  DaddyGo

                  Does it work without SquidGuard?

                    aGeekhere

                    https://forum.netgate.com/topic/100342/guide-to-filtering-web-content-http-and-https-with-pfsense-2-3

                    To prevent these issues you need to use the following:
                    WPAD (or manually set proxy)
                    Transparent proxy to catch the HTTP traffic the WPAD misses
                    SSL Man-in-the-Middle filtering with SPLICE ALL to catch the HTTPS traffic the WPAD misses

                    Never Fear, A Geek is Here!

                      DaddyGo @aGeekhere
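An added example to go with the WPAD step above; it is not from this thread or from the linked guide. It is a minimal wpad.dat (PAC file) written in plain JavaScript without the PAC built-ins (isInNet, dnsDomainIs, shExpMatch), so the same file can be exercised under Node before it is served. The proxy address 192.168.1.1:3128 (pfSense Squid's default port on a hypothetical LAN address) and the internal DNS suffix .corp.example are assumptions.

```javascript
// Added example wpad.dat (PAC file); not from the original thread.
// Assumptions (hypothetical): filtering proxy at 192.168.1.1:3128,
// internal DNS suffix ".corp.example", local traffic inside RFC 1918 ranges.
// No PAC built-ins are used, so the file also runs unchanged under Node.

var PROXY = "PROXY 192.168.1.1:3128"; // no "; DIRECT" fallback: fail closed, see note
var DIRECT = "DIRECT";
var INTERNAL_SUFFIXES = [".corp.example"];
var NO_PROXY_CIDRS = [["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16], ["127.0.0.0", 8]];

// Dotted-quad string -> non-negative integer, or -1 if not an IPv4 literal.
function ipv4ToInt(s) {
  var parts = s.split(".");
  if (parts.length !== 4) return -1;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) return -1;
    var v = parseInt(parts[i], 10);
    if (v > 255) return -1;
    n = n * 256 + v;
  }
  return n;
}

// True when ip lies inside base/prefix. Division instead of bit operators so
// addresses above 2^31 do not turn negative in JavaScript's 32-bit ops.
function inCidr(ip, base, prefix) {
  var a = ipv4ToInt(ip), b = ipv4ToInt(base);
  if (a < 0 || b < 0) return false;
  var block = Math.pow(2, 32 - prefix);
  return Math.floor(a / block) === Math.floor(b / block);
}

function hasSuffix(host, suffix) {
  return host.length > suffix.length && host.slice(host.length - suffix.length) === suffix;
}

// Entry point called by the browser for every URL.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  var scheme = url.slice(0, url.indexOf(":")).toLowerCase();

  // Only web traffic goes through Squid; other schemes are left to the browser.
  if (scheme !== "http" && scheme !== "https") return DIRECT;

  // Unqualified names ("intranet") and our own DNS suffix stay local.
  if (host.indexOf(".") === -1 || host === "localhost") return DIRECT;
  for (var i = 0; i < INTERNAL_SUFFIXES.length; i++) {
    if (hasSuffix(host, INTERNAL_SUFFIXES[i])) return DIRECT;
  }

  // Literal private addresses stay local. Names are deliberately not resolved
  // here: dnsResolve() in a PAC file costs a lookup per URL on every client.
  if (ipv4ToInt(host) >= 0) {
    for (var j = 0; j < NO_PROXY_CIDRS.length; j++) {
      if (inCidr(host, NO_PROXY_CIDRS[j][0], NO_PROXY_CIDRS[j][1])) return DIRECT;
    }
  }
  return PROXY;
}
```

Serve the file as http://wpad.<your-domain>/wpad.dat with the MIME type application/x-ns-proxy-autoconfig (and/or hand it out through DHCP option 252). Two design points matter for a filtering deployment: the proxy string is "PROXY host:port" with no "; DIRECT" after it, so when Squid is down clients lose web access instead of silently bypassing the filter; and a browser that honours the PAC reaches HTTPS sites through CONNECT over TCP to the proxy rather than by connecting to the origin itself, which is what removes the need for the UDP/443 block for those clients. The transparent proxy and SPLICE ALL from the post above remain the safety net for software that ignores the PAC.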

                      @aGeekhere Nice job I haven't seen this before, THX

                        sviasnetworkmanager @aGeekhere

                        @aGeekhere thank you. I will check that.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.