Netgate Discussion Forum

    Cannot operate with transparent option

    Category: Cache/Proxy. 10 posts, 2 posters, 843 views.
    • nikpony

      Hello to all, first of all I have to declare that I am very new to pfSense etc.

      So, I managed to set up a pfSense in Hyper-V and set it up appropriately, installing also the Squid proxy package. The configuration of my new proxy is completed and I tested it by changing the proxy settings manually on my PC and my mobile phone, and this is working properly.
      But if I check the transparent option in my proxy settings and leave the client settings without a proxy option, it doesn't work and websites that I have blocked still work.

      Attached you will find my settings in proxy and transparent section.
      Thanks in advance.
      Nick

      [attached screenshot: proxy_pfsense.JPG]

      • DaddyGo @nikpony

        @nikpony said in Cannot operate with transparent option:

        But if i check the transparent option in my proxy settings

        Hi,

        A good Squid configuration can take several weeks of work!
        If you use SSL (MITM) filtering, you must configure the client machines:

        - manually (installing the Squid intermediate cert.)
        - or via WPAD
        - or a PAC file, etc.

        You can read about these here:
        https://docs.netgate.com/pfsense/en/latest/cache-proxy/wpad-autoconfigure-for-squid.html
        https://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers

        +++edit:
        https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

        BTW:
        and think about wanting a proxy on each of the WAN and LAN interfaces? 😉

        Cats bury it so they can't see it!
        (You know what I mean if you have a cat)

        • nikpony
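DaddyGo's reply above recommends WPAD or a PAC file instead of configuring every client by hand. The following is an added example of such a PAC file (not from the original post or from pfSense's own WPAD setup): it sends all non-local traffic to an assumed pfSense Squid at 192.168.1.1:3128 and keeps LAN and loopback traffic direct. The helper functions isPlainHostName, isInNet and dnsDomainIs are normally supplied by the browser; the small shims here exist only so the file can be run and tested under Node, and the isInNet shim accepts literal IPv4 addresses only.

```javascript
// Shims for the PAC helpers a browser provides; a browser ignores these
// definitions in practice because it supplies its own. isInNet here does not
// resolve hostnames (a real PAC engine would), so only literal IPv4 is matched.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}
function ip4ToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + (Number(o) & 255), 0) >>> 0;
}
function isInNet(ip, net, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return false;
  const m = ip4ToInt(mask);
  return (ip4ToInt(ip) & m) === (ip4ToInt(net) & m);
}

// Assumed values: pfSense LAN address and the default Squid port in pfSense.
const PROXY = "PROXY 192.168.1.1:3128";

function FindProxyForURL(url, host) {
  // Single-label names (intranet hosts), the firewall itself and a local
  // ".lan" domain stay direct so the proxy never sits in the admin path.
  if (isPlainHostName(host) || host === "192.168.1.1" || dnsDomainIs(host, ".lan")) {
    return "DIRECT";
  }
  // Loopback and the LAN subnet are also reached directly.
  if (isInNet(host, "127.0.0.0", "255.0.0.0") ||
      isInNet(host, "192.168.1.0", "255.255.255.0")) {
    return "DIRECT";
  }
  // Everything else, HTTP and HTTPS alike, goes through Squid. Deliberately
  // no "; DIRECT" fallback: with one, a browser silently bypasses the filter
  // whenever Squid is unreachable, which defeats the blocking the poster wants.
  return PROXY;
}
```

Served as wpad.dat from the firewall as in the linked Netgate WPAD guide, clients that have proxy auto-detection enabled pick this up without per-device settings.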

          Dear @DaddyGo ,
          many thanks for your quick response.

          I will read all your links to learn more about it.

          My main purpose is to block some websites (social media) from users that connect through Wi-Fi (mobile phones, laptops, tablets), and why not block them from PCs connected by wire too...

          Also, of course I want to avoid setting my new proxy settings manually on every client's PC.

          • DaddyGo @nikpony

            @nikpony said in Cannot operate with transparent option:

            My main purpose is to block some websites (social media) from users

            nothing 😉

            As I have already written, a good Squid setting causes a lot of sweating, and I prefer it for an enterprise environment.
            In a SOHO environment, better to use pfBlockerNG-devel and/or Snort + OpenAppID.

            +++edit:

            I have to add that there are a lot of problems on the https (MITM) side; for example, government and banking websites will not work in most cases because they detect the proxy,

            and http will slowly be forgotten...

            • nikpony

              Dear @DaddyGo, many thanks for your suggestions.

              As I understand, the WPAD functions are mainly for desktops and laptops, and pfBlocker for mobile apps etc., or not?

              • DaddyGo @nikpony

                @nikpony said in Cannot operate with transparent option:

                WPAD functions are mainly for desktops and laptops, and pfBlocker for mobile apps etc,

                WPAD or PAC file for a professional Squid setting.
                pfBlockerNG is suitable for everything that is on your network and requests DNS from pfSense... ergo, use it for everything
                (like Pi-hole, just much better, I think) 😁

                Snort + OpenAppID can be perfect for restricting social sites

                BTW:
                Squid is "dying" due to the evolution of https and requires a lot of administration

                • nikpony

                  Hello and sorry for retrieving this old topic.
                  I have managed to set up Snort + OpenAppID etc. in order to block URLs and apps, but it works only if I set my pfSense IP as DNS in the local client's DNS settings.
                  How can I bypass it to all users as a default DNS?

                  Thanks in advance.

                  • DaddyGo @nikpony

                    @nikpony said in Cannot operate with transparent option:

                    Hello and sorry for retrieving this old topic.

                    It's nothing 😉

                    @nikpony "I have managed to set Snort + Openappid etc"
                    I am glad.

                    @nikpony "if i have set in local client dns setting, my pfsense ip as dns."

                    I thought it was clear: the firewall is always the basis of DNS, otherwise it is unnecessary to use...

                    Use DHCP to tell clients where they are...

                    • nikpony

                      Thank you @DaddyGo .

                      It doesn't work on DHCP network, probably a mistake in settings.

                      Could you tell me, using Snort is it necessary to enable DNS Forwarding or Resolve?

                      Thanks in advance.

                      • DaddyGo @nikpony

                        @nikpony said in Cannot operate with transparent option:

                        DNS Forwarding or Resolve?

                        I definitely recommend the Unbound resolver.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.