Squid + Squidguard with WPAD. Filter doesn't work.
-
@JonathanLee
I have already installed some pfSense and they work without problems without HTTPS configurations.
As I said previously, I need to manage traffic without being too intrusive with users because I don't always have permission to intervene on their laptops and smartphones.
So I need ClamAV and Squidguard filters to filter their traffic, preventing or limiting access to the network and the content they request on the network.
My case is for a small company, but the best example would be a school where you have to allow students to access the network without letting them do what they want and monitor "who does what".
I'm spending days looking for a correct configuration and frankly I don't understand all these difficulties for activities that in 2023 should already be taken for granted at first installation level.
Furthermore, I also find it difficult to understand the reasons.
Squidguard handles URLs (unlike Dansguardian which handles content), so you shouldn't even need to open the packet.
It makes sense to do this for ClamAV, but that still wouldn't be a fixable security service. So, I might as well not install it.The guide you suggested to me the other day was over 5 years ago; The world has changed and perhaps the guide should also change.
However, it didn't help me even with a new installation.Now I'll do the tests with your latest suggestions and then if it doesn't work, I'll leave it alone because you can't spend all this time in vain.
In any case, thank you for your help. I really appreciated it, also for your patience.
-
I can see your access control lists need to be studied more. The proxy takes over 443 and 80 when it's being used however if you have a any any rule for approval for all ports and for all lan traffic that defeats the purpose of the proxy and use of port 3128. Again you also want to use port address translation if your using unbound DNS.
Don't give up I am sure you will get it. I highly suggest you only use transparent mode for URL filtering. SSL intercept is more of an advanced configuration. It took me a long time to get it right.
I wish you good luck. Sorry it's not working yet.
You asked about the log clearing it. Just go to command line and delete it if you need to clear it.
-
@JonathanLee
I was trying to work on it now.I can't do without https.
It's a small business firewall where I work, I deal with guests and people who use their laptop or smartphone.
I have to create filters to prevent them from doing what they want.
I should have also configured squidguard for subnets, but there's no point in thinking about it if I can't even configure the main network.In your screenshots I don't see many differences regarding the main settings, but I see other differences compared to the documentation and guide from the other day. For example there are NAT rules.
I didn't understand the use of the ".*" whitelist. Quale è esattamente lo scopo?
Not even NoSSLintercept acls. I also have to avoid managing certain traffic such as that of banks.As for DNS, in General Setup I have configured "DNS Server Override = On" and in DNS Resolver "DNS Query Forwarding = On".
Did you create the Certificate Authority from the GUI or from SSH as indicated in the guide?
-
@WhiteTiger-IT command line after imported it into pfsense gui
whitelist is a wildcard to allow internet useDo you use any dhcp options??
Ref:
https://www.iana.org/assignments/bootp-dhcp-parameters/bootp-dhcp-parameters.xhtml
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/dhcp/dhcp-options/predefined-dhcp-options -
@JonathanLee
This news makes our discussion purely philosophical. -
Looks updated to me. . .
I am going to continue to run it. I had issues with Intel Speed shift patch on my SG-2100 so I will stay with the last stable version. It was so slow when I went to 23.09
-
@WhiteTiger-IT Netgate Does recommend you uninstall it and use something else.
Sorry It is pretty advanced to run and configure it.
-
@JonathanLee
I had already seen that Squid only produced updates last week, so I was surprised by pfSense's decision.
Furthermore, in other posts we read that version 28 is close to release, so the problem is "just around the corner".
In the OPNSense forums we read more or less the same thing; they will remove Squid from the integrated system and place it among the optional plugins, therefore without support.Squid is not a secondary element, but the basis of web traffic management.
I'm very perplexed.
If I focus on a firewall distribution it is certainly not to then go and implement its components on my own.At this point it is difficult to decide what to do.
For the antivirus I can always decide to rely only on the one installed on the PCs.
For the cache it no longer becomes so important where there is good network connectivity (however in this company there is still an old ADSL because optical fiber is not available).
But it becomes difficult, if not impossible, to manage content filtering if you cannot rely on engines like Squidguard or Dansguardian since they rely on Squid. I don't know others. -
@WhiteTiger-IT there is a way to run Squid on a raspberry pi 5 or 4b or some other box, simply NAT traffic to it. Or use mitmproxy it's also open source.
But heed Netgate's warnings. If you use it do so at your own risk.
-
Have you all attempted to use the following custom patches
Redmine#13984
This fixed a lot for me with Squid and Squidguard
