Can set PFSense proxy with one interface WAN?
-
Hi all,
I am a newbie.
Please help me with this case:
In my company, all PCs in the LAN (10.1.1.0/24) can go to the internet by setting a proxy in the browser (192.168.5.2 port 80). This proxy (name A) is from my head office, connected to my LAN by an internal network (not by internet). The A proxy, I cannot manage. Now in my LAN, I want to control what PC and URL can go to the internet by A proxy. So I set up a proxy B using PFSense with squid proxy. So PC => Proxy B => Proxy A => Internet.
The proxy B is in the same network with my LAN, and proxy B can only go to the internet just by using proxy A.
Please help me to clear that:
- Can PFSense with just one interface (WAN) solve this?
- How do I configure it?
Thanks a lot.
-
Yes, you can do that with one interface.
Just install and configure Squid to listen on WAN.
There might be better ways to do that though. Like just filtering traffic to the remote proxy.
Steve
-
@stephenw10
Thanks for the reply. Please help me. The proxy B (installed PFSense) can only go to the internet by using proxy A (it cannot go to the internet directly).
I have set proxy B
- One interface WAN: 10.1.1.3
- Using port 80
On System - Advanced - Miscellaneous of proxy B - Proxy Support: I have the information of proxy A (this uses port 80)
- IP: 192.168.5.2
- Port : 80
On client in my LAN, I have set proxy in browser
IP: 10.1.1.3
Port:80
-> But the client does not go to the internet
-
Can pfSense itself connect out? Is it using the upstream proxy correctly?
I'm not sure if Squid uses that config, you may need to add it to the Squid config directly.
Do you actually need a second proxy here? What are you trying to filter?
Steve
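
Added example, not part of the original thread or any poster's configuration: a squid.conf fragment for the chain described above (PC => proxy B => proxy A), using the thread's addresses. The ACL names and the `.example.com` domain are placeholders, and how these lines are entered through the pfSense Squid package is not shown.

```conf
# Constructed example for the addresses in this thread.
# ACL names (lan_clients, allowed_sites) and .example.com are placeholders.

# Proxy A is the parent; proxy B never fetches from origin servers itself.
#          host        type   http-port icp-port options
cache_peer 192.168.5.2 parent 80        0        no-query default

# Proxy B has no direct route to the internet, so every request
# (including CONNECT for HTTPS) must be forwarded to the parent.
never_direct allow all

# Local policy enforced on proxy B before anything reaches proxy A.
acl lan_clients   src       10.1.1.0/24
acl allowed_sites dstdomain .example.com

# Only LAN clients, and only to the listed destinations.
http_access allow lan_clients allowed_sites
http_access deny all
```

Because the default `http_access` rule is deny, a client outside 10.1.1.0/24 or a destination not in `allowed_sites` is refused at proxy B and never reaches proxy A.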
-
Hi @stephenw10 ,
PFSense itself can connect out! I have to find how to configure it in Squid.
I have to use 2 proxies, because the remote proxy I cannot manage, except using it to go to the internet by setting the proxy in the browser.
But I would like to control which users/URLs in my LAN go to that remote proxy => so I use another proxy in my LAN and then forward it to the remote proxy.
Another problem: when setting the proxy, on the client browser I always get this error message:
ERROR
The requested URL could not be retrieved
The following error was encountered while trying to retrieve the URL: https://127.0.0.1/sgerror.php?
Failed to establish a secure connection to 127.0.0.1
The system returned:
(92) Protocol error (TLS code: X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) Self-signed SSL Certificate: /O=pfSense webConfigurator Self-Signed Certificate/CN=pfSense-61c2d3120a403
This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.
Your cache administrator is admin@localhost.
Generated Tue, 28 Dec 2021 06:34:22 GMT by localhost (squid/4.15)
-
It looks like a certificate mismatch because pfSense uses a self signed cert to serve that page.