Squid and captive portal



  • Greetings,

    I have noticed that the current squid package does things differently compared to a year ago, before 2.0 was released.

    I am still using 1.2.3 because I rolled out live servers before 2.0 was around, and there was some customization. So I will stick with 1.2.3 for the time being.

    Here are my observations:

    • If squid is set to transparent mode, CP will not redirect to the default CP login page. When transparent mode is removed, CP redirects happily.
    • Comparing with one of my previously set up machines that runs transparent squid and CP together (and works), and looking at /usr/local/etc/squid/squid.conf, I noticed there have been some differences. The most obvious one is at the 3rd line of the config file:

    ---

    (old pfSense that was set up a year ago)

    # Do not edit manually !

    http_port 192.168.59.1:3128
    http_port 127.0.0.1:80 transparent

    (set up yesterday with a 1.2.3 iso and added squid package)

    # Do not edit manually !

    http_port 192.168.160.1:3128
    http_port 127.0.0.1:3128 transparent


    You can see that squid transparent mode now listens by default on the same port that is entered in the webgui "Proxy port" field. That doesn't sound right. Does it have anything to do with the way 2.0 worked?

    As a workaround, if I enter "80" as the Proxy port, the CP works happily, but then users can bypass CP by configuring a proxy with port 80 in the web browser. I would like to keep the port at 3128 so I can block it at the firewall.

    Any ideas what's happening here?



  • Take a look at /tmp/rules.debug on both and compare the rdr rules.



  • Here are the lines with "rdr":

    Newly set up pfsense 1.2.3 box:

    rdr-anchor "pftpx/*"

    # Load balancing anchor - slbd updates

    rdr-anchor "slb"

    # FTP Proxy/helper

    table <vpns> { }
    no rdr on rl0 proto tcp from any to <vpns> port 21
    rdr on rl0 proto tcp from any to any port 21 -> 127.0.0.1 port 8021

    # Setup Squid proxy redirect

    rdr on rl0 proto tcp from any to !(rl0) port 80 -> 127.0.0.1 port 80

    # IMSpector rdr anchor

    rdr-anchor "imspector"

    # UPnPd rdr anchor

    rdr-anchor "miniupnpd"

    Old pfsense 1.2.3 box that is running wifi service currently:

    rdr-anchor "pftpx/*"

    # Load balancing anchor - slbd updates

    rdr-anchor "slb"

    # FTP Proxy/helper

    table <vpns> { }
    no rdr on rl0 proto tcp from any to <vpns> port 21
    rdr on rl0 proto tcp from any to any port 21 -> 127.0.0.1 port 8021

    # Setup Squid proxy redirect

    rdr on rl0 proto tcp from any to !(rl0) port 80 -> 127.0.0.1 port 80

    # IMSpector rdr anchor

    rdr-anchor "imspector"

    # UPnPd rdr anchor

    rdr-anchor "miniupnpd"

    ===============================================================

    Couldn't spot any difference though!

    Btw, if I restore with the configuration xml file obtained from the old pfSense box, the captive portal page won't show unless you key in the URL manually.

    Thanks! Happy new year!
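
The comparison discussed in this thread, as an added example that is not from any of the posters or from pfSense: it reads the transparent `http_port` line from squid.conf and the port-80 rdr rule from /tmp/rules.debug, then reports whether the redirect lands on the port squid is listening on. The sample files are constructed from the lines quoted in the posts above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: does the pf redirect for port 80 point at squid's
# transparent listener? Function names are hypothetical.

# Print the port of the "transparent" http_port line in a squid.conf.
squid_transparent_port() {
    awk '$1 == "http_port" && $NF == "transparent" {
             n = split($2, a, ":"); print a[n]; exit }' "$1"
}

# Print the port that the port-80 rdr rule to 127.0.0.1 forwards to.
# "no rdr" lines and the FTP helper rule (port 21) are skipped.
rdr_target_port() {
    awk '$1 == "rdr" && /port 80 -> 127\.0\.0\.1 port / { print $NF; exit }' "$1"
}

# Returns 0 when both ports agree, 1 on mismatch, 2 when either is missing.
check_redirect() {
    listen=$(squid_transparent_port "$1")
    target=$(rdr_target_port "$2")
    if [ -z "$listen" ] || [ -z "$target" ]; then
        echo "incomplete: transparent listener or rdr rule not found"
        return 2
    fi
    if [ "$listen" = "$target" ]; then
        echo "ok: rdr target $target matches squid transparent port"
        return 0
    fi
    echo "mismatch: rdr sends port 80 to 127.0.0.1:$target," \
         "squid listens on 127.0.0.1:$listen"
    return 1
}

# Constructed sample files, built from the lines quoted in the thread.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '# Do not edit manually !' 'http_port 192.168.59.1:3128' \
    'http_port 127.0.0.1:80 transparent' > "$tmp/old.conf"
printf '%s\n' '# Do not edit manually !' 'http_port 192.168.160.1:3128' \
    'http_port 127.0.0.1:3128 transparent' > "$tmp/new.conf"
printf '%s\n' \
    'rdr on rl0 proto tcp from any to any port 21 -> 127.0.0.1 port 8021' \
    'rdr on rl0 proto tcp from any to !(rl0) port 80 -> 127.0.0.1 port 80' \
    > "$tmp/rules.debug"

check_redirect "$tmp/old.conf" "$tmp/rules.debug" || true
check_redirect "$tmp/new.conf" "$tmp/rules.debug" || true
```

On a live box the two arguments would be /usr/local/etc/squid/squid.conf and /tmp/rules.debug, the paths named in the posts.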



  • And between 1.2.3 and 2.0.1, can you see any differences in the rdr rules that conflict with captive portal and squid transparent?



  • I do not have any 2.0 running atm. I will try that in the near future…

