Pfsense Squid proxy NONE/409
-
I am using a transparent proxy on pfSense; all clients and the proxy use pfSense DNS. UDP ports are blocked by pfSense (to block the QUIC protocol). I am still getting NONE/409 errors. When I checked in Wireshark, I can see that the IP address provided by pfSense (from DNS) is used as the destination IP address by the client. The error is generated when the client tries to access Google/Facebook/etc. services.
At the same time I can't see firewall logs for TCP 443 or TCP 80.
Any solutions?
-
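An added example, not part of the thread: in Squid, a 409 Conflict on intercepted traffic comes from its host verification step. The IP the client actually connected to (the NATed original destination) must be one of the addresses the proxy's own resolver returns for the requested host or SNI; when it is not, Squid refuses to relay and logs the 409 with no upstream contact (HIER_NONE). That is why the thread's point that client and proxy must share one DNS matters. The script below counts 409s per requested host from constructed access.log lines in Squid's native format and mirrors the verification decision against a constructed resolver table. The log lines, addresses and the PROXY_RESOLVER table are assumptions for illustration, not data from the poster's box.

```python
"""Triage of Squid NONE/409 entries from an intercepting (transparent) proxy.

The access.log lines and the resolver table are constructed sample data,
not output from any real pfSense installation.
"""
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Constructed lines in Squid's native access.log format:
# time elapsed client code/status bytes method URL user hier/peer type
SAMPLE_ACCESS_LOG = """\
1600000000.101     0 192.168.10.21 NONE/409 3941 GET https://www.google.com/ - HIER_NONE/- text/html
1600000000.305     0 192.168.10.21 NONE/409 3965 CONNECT www.facebook.com:443 - HIER_NONE/- -
1600000001.010   212 192.168.10.22 TCP_MISS/200 5123 GET https://www.example.org/ - HIER_DIRECT/93.184.216.34 text/html
1600000001.440     0 192.168.10.23 NONE/409 3941 GET https://www.google.com/search?q=x - HIER_NONE/- text/html
1600000002.007    18 192.168.10.21 TCP_TUNNEL/200 1820 CONNECT www.example.org:443 - HIER_DIRECT/93.184.216.34 -
"""

# Constructed: what the proxy's *own* resolver returns for each name.
PROXY_RESOLVER = {
    "www.google.com": {"142.250.74.36"},
    "www.facebook.com": {"157.240.1.35"},
    "www.example.org": {"93.184.216.34"},
}


def request_host(method: str, url: str) -> str:
    """Host the client asked for: CONNECT carries host:port, other methods a full URL."""
    if method == "CONNECT":
        host, _, _port = url.rpartition(":")
        return host or url
    return urlsplit(url).hostname or ""


def parse_access_log(text: str) -> list[dict]:
    """Split native-format lines into dicts; short or malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue
        ts, _elapsed, client, code_status, _nbytes, method, url, _user, hier, _ctype = fields[:10]
        code, _, status = code_status.partition("/")
        entries.append({
            "time": float(ts), "client": client, "code": code, "status": int(status),
            "method": method, "url": url, "host": request_host(method, url), "hier": hier,
        })
    return entries


def forgery_failures(entries: list[dict]) -> Counter:
    """Count 409 responses per requested host; these never reached an origin server."""
    return Counter(e["host"] for e in entries if e["status"] == 409)


def verify_original_dst(host: str, original_dst: str, resolver: dict[str, set[str]]) -> bool:
    """Mirror of Squid's host verification for intercepted connections.

    original_dst is the IP the client really connected to (taken from the NAT
    redirect).  It must be one of the addresses the proxy resolves for the
    requested host; an IP-literal host must equal the destination exactly.
    """
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None:
        return literal == ipaddress.ip_address(original_dst)
    return original_dst in resolver.get(host.lower(), set())


if __name__ == "__main__":
    entries = parse_access_log(SAMPLE_ACCESS_LOG)
    for host, n in forgery_failures(entries).most_common():
        print(f"{n:4d} x 409  {host}")
    # Same answer on both sides: passes.  Client used an address the proxy
    # never resolved (different DNS server, or a round-robin answer): 409.
    print(verify_original_dst("www.google.com", "142.250.74.36", PROXY_RESOLVER))
    print(verify_original_dst("www.google.com", "142.250.74.68", PROXY_RESOLVER))
```

On a real box, feed the proxy's access.log to parse_access_log and compare the hosts that dominate the 409 count with what the proxy and a client each resolve for them; a mismatch between the two answers (different DNS servers, DNS round-robin, or very short TTLs on large CDNs such as Google's) is the usual cause.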
Try this:
This is not a complete list, just a starting point:
ssl.gstatic.com
discordapp.com
gateway.discord.gg
web.whatsapp.com
w1.web.whatsapp.com
w2.web.whatsapp.com
w3.web.whatsapp.com
w4.web.whatsapp.com
w5.web.whatsapp.com
w6.web.whatsapp.com
w7.web.whatsapp.com
w8.web.whatsapp.com
w9.web.whatsapp.com
w10.web.whatsapp.com
.google.com
.googleapis.com
.gstatic.com
.1e100.net
www.youtube.com
www.gmail.com
*.workplace.com 80/443
*.facebook.com 80/443
*.fbcdn.net 80/443
*.fb.me 80/443
*.fbsbx.com 80/443
*.workplace.com
*.facebook.com
*.fbcdn.net
*.fb.me
*.fbsbx.com
.teamviewer.com
.verisign.com
.verisign.net
.windowsupdate.com
.github.com
.easylist.to
-
@sviasnetworkmanager : "UDP ports blocked by pfsense"
What is this supposed to mean in this case?
-
@DaddyGo Thank you for your reply. "UDP ports blocked by pfsense" is to block the QUIC protocol.
-
@DaddyGo I have tried what you said (whitelisted on the Squid proxy); still the NONE/409 error. I am using Squid with SquidGuard, and on SquidGuard those URLs are already whitelisted.
-
by default, the firewall blocks unwanted traffic on the WAN interface
let the firewall do its thing and rather follow this description
(you can't know what else the "big ones" still use this protocol for by now)
-
you didn't write about making your own cert for Squid
and then installing it in the browsers you use (in all of them)
I think you use SSL MITM?
-
for steps to make the error search systematic (you don't want to configure everything at once, because it's harder to figure out what's causing your problem): configure Squid first to work, and then SquidGuard can come
I also assume your DNS settings are ok and that without Squid everything works great
if these don't help, you could share a PRTSC (screenshot) of your settings
-
I have my own cert for Squid, and I am using SSL MITM. It's not possible to disable the QUIC protocol for each user; there are hundreds of users. Without Squid it works fine.
-
Does it work without SquidGuard?
-
https://forum.netgate.com/topic/100342/guide-to-filtering-web-content-http-and-https-with-pfsense-2-3
to prevent these issues you need to use the following:
WPAD (or manual set)
Transparent Proxy to catch http traffic the WPAD misses
SSL Man In the Middle Filtering SPLICE ALL to catch https traffic the WPAD misses
-
@aGeekhere Nice job, I haven't seen this before, THX
-
@aGeekhere thank you. I will check that.