PfSense 2.0.1-RELEASE with Squid & HAVP = major problems



  • Hi.

    I always had major problems with pfsense when I tried to use packages on top of it.  pfSense on its own is great, but at the moment I install the packages I need to use, all go wrong..  I followed dozens of configuration tutorials, guides and instructions, to no avail..  I always end up with a semi-functional machine, and when I'm not so lucky, it simply doesn't work.

    So here are the steps I did to install pfSense on this machine.

    2.0.1-RELEASE (amd64)
    built on Mon Dec 12 18:43:51 EST 2011 
    

    1-Downloaded the USB image (pfSense-memstick-2.0-RELEASE-amd64.img.gz)  CRC check OK
    2-Extracted the image
    3-dd 'd to my USB stick (dd if=pfSense-memstick-2.0-RELEASE-amd64.img.gz of=/dev/sdX where X is my USB stick)
    4-Boot the machine with the stick.

    Then I install pfsense using the custom/advanced install mode, I specify 3 partitions as follows (on a 160GB HDD):

    1- /  *
    2- /var  32000M
    3- SWAP 32000M

    Then pfSense reboots and start for the 1st time.  No problem so far.  I configure the LAN & WAN interfaces, all is great.  When everything is setup and running properly, I start the installation of the following packages:

    vnstat2 / CRON / TFTP / ntop / snort / squid / squidGuard / HAVP

    The installation goes well for each package..  No errors reported by the installer.

    I configure the packages without problems.  The configuration is simple, straight forward and easy for all packages, except I am experiencing major dysfunction with the machine.

    Some of the problems:

    Repetitive error message in the system logs saying:

    Dec 21 23:38:55 	havp[20495]: connect() failed: Operation not permitted
    Dec 21 23:38:54 	havp[20495]: connect() failed: Operation not permitted
    

    Repetitive error page while browsing the web saying:

    
    HAVP
    
    The following server is down:
    Connection failed
    
    

    Strangely, pfsense.org will 100% trigger these two problems, making the issue even worse because I can't post here to ask for support..  On other sites, it's random, it may crash, it may not..

    I tried to uninstall & reinstall the packages, but I can't.  At first when I click on the remove button in the package tab, the (un)installer says that some include files are missing and the operation FAILED.  Then, I lose the version column in the package page, and the Repository page is empty with pfsense saying:

    "Unable to communicate with www.pfsense.org" or something similar.  At this moment the system logs has:

    /pkg_mgr_installed.php: XMLRPC communication error: Operation not permitted
    

    Reinstalling the packages also fails..  Only a reboot will help and if lucky I will be able to reinstall the packages without apparent errors..  Not saying there are NO errors, but none that I am aware of.  Neither are the system logs..

    I am clueless as to which package(s) causes these problems, but I am 99.9% sure this is the packages since I used pfsense without packages for more than a year and never had a problem.  Since I started using the packages, I have been having major problems for months now..  I have been trying to convince myself that I was not properly configuring the system, but no.  I am pretty sure there are bugs of some sort in the packages.  I have googled every single issue I have, and found at least one thread either here on pfsense.org or somewhere else on the web where someone had the same problem, and either the problem went away on its own (!??) or they simply stopped using the package(s).  I haven't found a solution(s) that worked yet.

    By the way, the machine is "clean" i.e. RAM tested for 18 hours, no errors, CPU stressed, no errors, and detailed HDD surface test, no bad sectors.

    These are the packages I currently have installed:

    Cron  0.1.5
    File Manager  0.1.1
    HAVP antivirus	0.91
    ntop  4.0.1_1 v2
    snort 2.9.1 pkg v. 2.0.2
    squid  2.7.9_4.2
    squidGuard  1.3_1 pkg v.1.9.1
    vnstat2  1.10_2 
    

    My system is configured as follows:

    Squid
    Proxy interface: LAN
    Allow users on interface: CHECKED
    Transparent proxy: CHECKED
    Log store directory: /var/log/squid
    Log rotate: 7
    Proxy port: 3128
    What to do with requests that have whitespace characters in the URI: strip
    Custom options (automatically added by SG):

    never_direct allow all;cache_peer 127.0.0.1 parent 3125 0 name=havp no-query no-digest no-netdb-exchange default;redirect_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf;redirector_bypass on;redirect_children 3
    

    Hard disk cache size: 8000
    Hard disk cache system: aufs
    Hard disk cache location: /var/squid/cache
    Memory cache size: 128
    Level 1 subdirectories: 16
    Memory replacement policy: Heap LFUDA
    Cache replacement policy: Heap LFUDA
    Allowed subnets: 192.168.0.100/24

    SquidGuard

    Enable: CHECKED
    Enable GUI log: CHECKED
    Enable log: CHECKED
    Enable log rotation: CHECKED
    Blacklist: CHECKED
    Blacklist URL: http://www.shallalist.de/Downloads/shallalist.tar.gz
    Target Rules: <bunch of stuff selected there..>
    Proxy Denied Error: http://192.168.0.101/netserver-blocked.html
    Redirect mode: ext url err page
    Redirect info: http://192.168.0.101/netserver-blocked.html
    Log: CHECKED

    Groups ACL:
    Name: blocked
    Client (source): 192.168.0.100/24
    Target Rules: <bunch of stuff selected there..>
    Redirect mode: ext url err page
    Redirect: http://192.168.0.101/netserver-blocked.html
    Description: blocked
    Log: checked

    Target categories:
    Name: blocked
    Domain list: partypoker.com bing.com
    Redirect mode: ext url err page
    Redirect: http://192.168.0.101/netserver-blocked.html
    Description: blocked

    Blacklist:
    Blacklist update: http://www.shallalist.de/Downloads/shallalist.tar.gz

    HAVP

    Http proxy:
    Enable: CHECKED
    Proxy mode: Parent for Squid
    Proxy interface(s): LAN
    Proxy port: 3125
    Enable RAM Disk: CHECKED
    Scan max file size: 5000k
    Log: CHECKED
    Syslog: CHECKED

    Settings:
    AV base update: every 6 hours
    Log: CHECKED
    Syslog: CHECKED

    Not sure what else to add …  Anybody can guide step by step in troubleshooting my pfsense install and making it better? (or usable)?
    I appreciate any help.

    Thanks!



  • I suggest going package by package.

    First a clean install and then, only havp.

    After stress test, include squid and go on until you find where it stops.

    Did you find any docs about squid + squidguard + havp together?



  • Fresh install (once again  :'( ) and already I have problems:

    Installing HAVP, I get :

    Beginning package installation for HAVP antivirus...
    Downloading package configuration file... done.
    Saving updated package information... done.
    Downloading HAVP antivirus and its dependencies... 
    Checking for package installation... 
     Downloading http://files.pfsense.org/packages/amd64/8/All/havp-0.91_1.tbz ...  could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/amd64/packages-8.1-release/All/havp-0.91_1.tbz.
    of havp-0.91_1 failed!
    
    Installation aborted.Backing up libraries... 
    Removing package...
    Starting package deletion for havp-0.91_1...done.
    Removing HAVP antivirus components...
    Tabs items... done.
    Menu items... done.
    Services... done.
    Loading package instructions...
    Include file havp.inc could not be found for inclusion.
    Deinstall commands... 
    Not executing custom deinstall hook because an include is missing.
    Removing package instructions...done.
    Auxiliary files... done.
    Package XML... done.
    Configuration... done.
    Cleaning up... Failed to install package.
    
    Installation halted.
    

    Also,  under Firmware -> Auto Update, the webinterface says:

    Downloading new version information...done
    Unable to check for updates.
    Could not contact custom update server.
    
    

    Maybe the servers are down?



  • Check dns name resolution. I always first disable dns forwarder before anything else.





  • I got the same problem after upgrading from pfSense 2.0.0 to 2.0.1. All my installed packages are lost (squid, squid guard, proxy report etc).
    They cannot be reinstalled, error message like the one posted by: lpallard
    My upgrade file is pfSense-Full-Update-2.0.1-RELEASE-i386.tgz
    Is there something wrong with my upgrade?

    regards



  • Nothing wrong, just wait for files.pfsense.org to get back.



  • Still down this morning..  They don't have mirrors?

    Anyways, all we can do for now is to wait.


  • It's a problem if a site goes down and a lot of inst. fail or don't receive updates asf….

    And people can't get on with installing everything. Is it possible to create an offsite line install where packages can be DL and installed from another location?



  • Still fail..

    I've just successfully updated to the latest version of pfsense

    2.0.1-RELEASE (amd64)
    built on Mon Dec 12 18:43:51 EST 2011
    FreeBSD 8.1-RELEASE-p6
    
    

    but trying to install HAVP I still get:

    Installation of HAVP antivirus FAILED!
    
    Beginning package installation for HAVP antivirus...
    Downloading package configuration file... done.
    Saving updated package information... done.
    Downloading HAVP antivirus and its dependencies... 
    Checking for package installation... 
     Downloading http://files.pfsense.org/packages/amd64/8/All/havp-0.91_1.tbz ...  could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/amd64/packages-8.1-release/All/havp-0.91_1.tbz.
    of havp-0.91_1 failed!
    
    Installation aborted.Backing up libraries... 
    Removing package...
    Starting package deletion for havp-0.91_1...done.
    Removing HAVP antivirus components...
    Tabs items... done.
    Menu items... done.
    Services... done.
    Loading package instructions...
    Include file havp.inc could not be found for inclusion.
    Deinstall commands... 
    Not executing custom deinstall hook because an include is missing.
    Removing package instructions...done.
    Auxiliary files... done.
    Package XML... done.
    Configuration... done.
    Cleaning up... Failed to install package.
    
    Installation halted.
    

    What do you need to get this working?



  • Just wait for http://files.pfsense.org to get back.



  • Yeah that's what I figured… it's still down. Will wait.

    But the pfsense devs should really consider a mirroring system of some sort..  Imagine if sites like kernel.org or the mirrors and repositories for the other major linux distros were doing this..



  • Hello guys
    I'm sure you're aware of all the problems.
    I'm not new to pfsense, so it is my fault for not checking first, but I've been trying since 7am this morning to get my pfS box working. I wanted to upgrade to the new version, thought I'd do it today. Well…. surprise, I couldn't even reinstall squid or anything. Eventually I thought I messed up somewhere and reinstalled (stupid), at least I have a backup from Monday... but the problem is I'm now at home, waiting for the update site to get back online so that I can reinstall & config everything (downloading 2.0.1 right now, hoping) - I have about 200 users already configured for proxy, so I'm stressing, 'cos I can't figure out how to port forward 8080 proxy to 80 on the outside so that they can bypass proxy and I can't wait till next week to get everyone working again. Otherwise I have to change all of them users to get out bypassing proxy and change back later... I only saw some post about 2 hours after I reinstalled that the update/download site is down... now I'm buggered. I learnt a lesson though, but it is freaking me out - gonna go for IPcop just to get everybody to stop complaining soon (11 pm here, work starts at 7 am) and then try to work around the problem later on.... what happened; you get hacked or some serious power outage or what... hope you get all running again SOON. When abouts can we expect all to 2 b normal again - please guys, I'm not gonna sleep until I know my customer can do online banking and mailing tomorrow morning... I realised it wasn't my config or your product, just not thinking.... shoulda left all as is, but I'm stuffed as we sit here... please tell us how long till we can get going again...
    Thanks for the greatest product this side of the world and for your dedication and work, all of you... you don't understand - Africa is different and not as hot as you are in the US or EU... I love pfS and I actively try to compete with MS ISA / Forefront over here, and doing a damn good job of it... :-)



  • You can try to install the freebsd 8.1 squid package and configure it by hand until files.pfsense gets back.





  • As per cmb, files.pfsense.org is back and it won't happen again.



  • OK it's been a few days now that things were not too bad, but now: BOOM again!  pfsense is acting again….  Right now, it refuses to deliver http://forum.xbmc.org/ and I get an error page like:

    HAVP - DNS error
    
    HAVP
    
    A DNS error occurred
    while opening the page
    
    forum.xbmc.org
    Please contact your tech support
    

    Why?  I really don't know.  This morning I accessed this forum without problems.  Snort does not block anything, the blocked list is empty.  Squidguard's is deactivated

    I'm really tired of the randomness…  It works now, 5 minutes later, it no longer works.. Why?  I bet even God doesn't know.

    Here are the problems, on top of this thread (and my 10 other threads on this forum):

    Problems accessing youtube (buffering for 15-30 sec every minute or so while playing, plus takes about 3 to 5 minutes to start the video playback)
    random websites stop going thru pfsense (forum.xbmc.org, www.mls.ca, this forum also stopped working at some point)...
    Firefox behaves very strangely (like right now, it permanently says "Transferring data from forum.pfsense.org..." in the corner, and the "wheel" continuously spins in the page tab)

    I don't know how many times I mentioned this, but pfsense IS the problem.  I plug my laptop directly to the cable modem, and BANG it works..!
    What will it be next?

    I am getting to miss my stupid D-Link router..  Anybody cares to step forward and help me before I abandon pfsense?  I really believe in the project, but to be honest, if I had a good run at it I would be more confident to use it….



  • I think the best way now is to buy few paid support hours or contact havp package maintainer.

    I do not have these problems but I do not use havp.

    Dansguardian package with antivirus is under devel. Maybe when It's done you will have no need to use havp.



  • Do you have antivirus on your dlink?

    If your problem is with havp, why not just disable it and use only squid+squidguard?

    It will do more than dlink.



  • What puzzles me is that I seem to be the only one with such problems…  Am I, or is it that nobody cares (except you of course)?

    Hell, I thought some websites actually banned my IP since I've been several weeks without being able to access them... Going to the cable modem directly solved it.  Browsing feels also much much much snappier...



  • Forgot to mention this:  if there are really problems in the packages, the devs NEED to know about it.



  • @lpallard:

    Forgot to mention this:  if there are really problems in the packages, the devs NEED to know about it.

    It could also be havp current version and not package gui.
    Did you try to run havp on any Linux/unix server other than pfsense?

    Sometimes it is better having the firewall apart from the proxy.

    Packages are almost contributions to pfsense project sent by community, maybe havp is currently outdated because there is nobody with free time to maintain it.



  • @marcelloc:

    @lpallard:

    Forgot to mention this:  if there are really problems in the packages, the devs NEED to know about it.

    It could also be havp current version and not package gui.
    Did you try to run havp on any Linux/unix server other than pfsense?

    Sometimes it is better having the firewall apart from the proxy.

    Packages are almost contributions to pfsense project sent by community, maybe havp is currently outdated because there is nobody with free time to maintain it.

    I'm gonna deactivate HAVP and see if it helps, but I think I already tried that..  Anyways, I have discovered in the last few days/weeks that most of my problems were from Snort or SquidGuard blocking stuff up, which I deactivated the rules and it helped.  When that happened, I was getting a Connection failed error from HAVP, not a DNS error

    what can cause a DNS error?



  • what can cause a DNS error?

    As I saw in some posts, could be snort
    http://forum.pfsense.org/index.php/topic,43628.0.html

    some extra info about havp I got from package description:

    maintainer: dvserg

    pfsense package version: 0.91_1
    latest version : 0.9.2a
    latest havp update: 07.11.2010

    This package looks like either really stable or little used, as the last release was more than a year ago.

    I think the best configuration for this package is squid + havp as parent for squid.



  • OK Ive done some testing…

    At first,

    suppress gen_id 122, sig_id 22
    
    seemed to have fixed it.  It worked for about 5 or 10 minutes.  Then, suddenly everything stopped working.  Now **every** site (except google) gives the DNS error thing..  Every website!
    
    Until further notice, or a solution is found, pfsense is out of order…
    
    EDIT:  Unplugging my laptop from the pfsense box, and re-plugging it to the pfsense box seems to help, now all seems to work.  **Also Snort is deactivated.**
    
    Snort might be the problem… It was until I added these rules:
    
    

    suppress gen_id 120, sig_id 3
    suppress gen_id 122, sig_id 22

    
    Any DNS experts out there?


  • This morning, not working.  Unless a burglar or a ghost played with my router while I was sleeping, I don't see why it would have worked yesterday and not this morning.

    forum.xbmc.org is not accessible.

    The frustrating part is that pfsense with NO packages works PERFECTLY.  So I won't blame pfsense devs because I have used it for more than  a year now and it was flawless until I installed the snort/squid/squidguard/havp  >:( stuff..



  • @lpallard:

    The frustrating part is that pfsense with NO packages works PERFECTLY.  So I won't blame pfsense devs because I have used it for more than  a year now and it was flawless until I installed the snort/squid/squidguard/havp  >:( stuff..

    Just like I said, packages are contributions, some are maintained by core team, but not all.

    Uncheck block offenders from snort, so it will not block false positives and not deny your dns resolution.
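
The log lines in the first post show two unrelated programs (HAVP and the package manager's XMLRPC client) failing with "Operation not permitted", the error a blocked outbound connection on a FreeBSD packet filter typically returns, which fits the block-offenders advice above. The following Python triage is an added example, not code from the thread or from pfSense; the sample log lines, PIDs, the `php` program tag and the 5-minute window are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the syslog layout quoted in the first post.
# PIDs, times, the "php" tag and the squid line are made up for illustration.
SAMPLE_LOG = """\
Dec 21 23:38:54 \thavp[20495]: connect() failed: Operation not permitted
Dec 21 23:38:55 \thavp[20495]: connect() failed: Operation not permitted
Dec 21 23:39:10 php: /pkg_mgr_installed.php: XMLRPC communication error: Operation not permitted
Dec 21 23:52:01 squid[3310]: constructed unrelated line
Dec 22 08:15:30 havp[20495]: connect() failed: Operation not permitted
"""

# timestamp, program name, optional [pid], then the message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<prog>[^\s\[:]+)(?:\[\d+\])?:\s*(?P<msg>.*)$"
)
EPERM = "Operation not permitted"


def parse_eperm(log_text, year=2011):
    """Return sorted [(datetime, program)] for log lines reporting EPERM."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or EPERM not in m.group("msg"):
            continue
        # syslog timestamps carry no year; the caller supplies it (assumption)
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("prog")))
    return sorted(events)


def eperm_bursts(events, window=timedelta(minutes=5)):
    """Group events into bursts; a gap longer than `window` starts a new one."""
    bursts = []
    for ts, prog in events:
        if not bursts or ts - bursts[-1]["end"] > window:
            bursts.append({"start": ts, "end": ts, "programs": Counter()})
        bursts[-1]["end"] = ts
        bursts[-1]["programs"][prog] += 1
    for b in bursts:
        # Two or more unrelated programs denied together points at something
        # host-wide (a packet filter block) rather than a fault in one package.
        b["host_wide"] = len(b["programs"]) >= 2
    return bursts


if __name__ == "__main__":
    for b in eperm_bursts(parse_eperm(SAMPLE_LOG)):
        verdict = "host-wide block suspected" if b["host_wide"] else "single program"
        print(b["start"], "->", b["end"], dict(b["programs"]), verdict)
```

A burst flagged as host-wide is the moment to compare against the Snort blocked-hosts list and alert log for the same timestamps before reinstalling any package.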

