[WPAD] How to configure it?

  • Hi,

    I am using the latest version of pfSense.

    I use it as a captive portal mainly.
    My users can log in using their LDAP ID (I installed the RADIUS package to make the connection).
    Pfsense is behind a server with Squid proxy.

    I also installed a Squid proxy on my pfSense with the transparent option. This way my users can surf the Internet without problems (after authentication, of course).

    PROBLEM: They can't go to HTTPS websites.
    I know that, with a transparent proxy, I can't surf HTTPS websites (unless I want to use my own certificate, which I don't).

    I want to use WPAD. This way users can browse HTML web pages and, when they need to go to an HTTPS website, they get an error message (custom web page) telling them that they just have to check the automatic detection box in their browser.

    My configuration :

    Squid proxy
    user                192.168.0.x (dhcp)

    It looks like I can't use DHCP to "push" my wpad configuration.
    I know I can use DNS : http://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid but this method doesn't work so far.

    Should I delete my Squid proxy on pfSense (useless?) first, then push the WPAD to my clients by DHCP? DNS?

    My main problem is how to tell the client browser to use my proxy by WPAD. I don't know where it's looking for this file, or how I can check if my wpad.dat is right…

    Any idea about what I am doing wrong?

    Thanks for reading ;)

    (english isn't my native language, I apologize)

  • @saienc:

    My configuration :

    Squid proxy
    user                192.168.0.x (dhcp)

    It looks like I can't use DHCP to "push" my wpad configuration.

    Can you share why you can't use DHCP to push WPAD?
    If pfSense is the DHCP Server, we may be able to get WPAD via DHCP working for you.

  • I am using pfsense as the DHCP server.

    I actually don't know how to "push" WPAD by DHCP. I heard the DNS solution was a better one, but I am open to any proposition.
    How can I do that by DHCP?
    I don't know if it's important but, by WPAD, I don't want to give the pfSense Squid information but the information of my main Squid (different IP). I have already tried it by manual configuration and it works just fine.

  • Under Services -> DHCP Server you get a list of dhcp servers for each of your pfSense interfaces that are statically assigned. There is an option under each server for "Custom Options" or maybe "Advanced", I don't remember. You add three entries to that section. The entry format is:

    252  Text  http://your_pfsense_ip/wpad.dat
    252  Text  http://your_pfsense_ip/wpad.da
    252  Text  http://your_pfsense_ip/proxy.pac

    You need to make sure that you have those files available on your pfSense's www path. And then, how do your clients access those files? For me, I block all traffic on port 80 except special stuff. My regular lighttpd serves the pfSense webgui via SSL only. To serve wpad I have a dedicated instance of lighttpd serving port 80 just for client wpad access.

  • In my DHCP tab I have this:

    The only other configuration I have done on this page is my DHCP range.

    My proxy.pac looks like this:

    function FindProxyForURL(url, host) {
        // Placeholder: replace with the IP and port of the main Squid proxy.
        return "PROXY your_squid_ip:3128";
    }

    In /usr/local/www I have a proxy.pac file and I have made symbolic links to wpad.dat and wpad.da.

    I set autodetect in my browser (Firefox and Internet Explorer).

    I still get the prompt "you should configure your proxy".

    How can I check where my browser is looking to find its configuration?
    Is my proxy.pac file ok?

  • To test, point your browser at http://your_pfsense_domain/wpad.dat. Does it download the file?

    You might have firewall rules preventing access to your_pfsense_domain:port 80.

    You might need to have a server serving wpad.dat (like I briefly mentioned I do, with a dedicated lighttpd instance).

    Also, my understanding might be wrong but https will instigate a direct connection via port 443 so it will bypass wpad anyway. You could maybe try a NAT rule to redirect 443 traffic to your proxy but that might be a bad idea. I'm not sure if you can also serve wpad via port 443 or if that's a bad idea.

    One other thing to bear in mind is if you have your pfSense webgui on 443 and you redirect 443 with NAT, you probably don't want that. Same if pfSense webgui is on port 80. Consider changing pfSense ports to something else or you'll need special firewall rules to allow access.

    I don't really know what I'm talking about so take all I say with a grain of salt.

  • I am still looking for what's wrong.

    My browser downloads the file without problem.

    All ports are open from the LAN.

    (thanks for your help by the way)

  • Close your browser, open it again (sometimes mine seemed to be relying on persistent old settings and required a restart).

    Reboot pfSense if you've made significant changes.

    When you try to open a webpage, if I'm using Chrome it says something like "downloading proxy script" in the bottom status bar sometimes when I start a new session. I'm pretty sure that's Chrome downloading wpad.

    One thing I thought of - in your initial post you had Squid enabled in transparent mode. I don't use that. You mentioned you want to use wpad instead, but if Squid is in transparent mode I assume it will redirect all traffic on port 80 automatically, probably bypassing wpad altogether. Did you turn transparent mode off?

  • Ok, I have deleted the Squid proxy.

    If I set auto detect in my browser, it doesn't work.

    If, in Firefox, I choose to point to "Automatic proxy configuration URL", it works just fine.

    I see the beginning of a solution.

  • Firefox doesn't seem to work with dhcp:


  • Whatever is serving your wpad might need to be configured with the correct definitions for ".dat" and ".da" files.

    E.g., my lighttpd_for_wpad.conf file has similar lines as the ".pac" line for the other two filetypes:


    Also read this. You can't just add the mimetype lines to your system's lighttpd.conf, you would need to modify system.inc or have a dedicated lighttpd with its own unique conf like I do.

    Same deal if you choose to use Apache or nginx to serve wpad I would guess.
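As an added example (not code from any post in this thread), here is a PAC file that does what the original poster describes, sending every fully qualified host, HTTPS included, to the main Squid, plus a small check for the two things this thread keeps running into: the Content-Type the web server returns for wpad.dat and a FindProxyForURL that actually parses and returns a host:port. The addresses 192.168.0.2:3128 (main Squid) and 192.168.0.1 (pfSense) are assumed placeholders on the thread's 192.168.0.x LAN.

```javascript
// Added example, not the thread author's proxy.pac. Constructed placeholders:
// the main Squid at 192.168.0.2:3128 and pfSense (serving wpad.dat) at 192.168.0.1.
var SQUID = "PROXY 192.168.0.2:3128";
var PFSENSE = "192.168.0.1";

// Standard PAC entry point: the browser calls this for every URL it fetches.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Unqualified intranet names and loopback go direct.
  if (host.indexOf(".") === -1 || host === "localhost") return "DIRECT";
  // pfSense itself must stay reachable without the proxy (wpad.dat, portal page).
  if (host === PFSENSE) return "DIRECT";
  // Everything else, http and https alike, goes to Squid. For https:// the browser
  // opens a CONNECT tunnel through the proxy, which a transparent proxy cannot do.
  // No "; DIRECT" fallback: if Squid is down, clients fail closed instead of bypassing it.
  return SQUID;
}

// One PAC directive: "DIRECT" or "<TYPE> host:port" (a result may chain several with ";").
var DIRECTIVE = /^(DIRECT|(PROXY|HTTP|HTTPS|SOCKS|SOCKS5) [^\s:;]+:\d{1,5})$/;

// Sanity check of what the web server actually hands out for wpad.dat: the MIME
// type browsers expect, a script that parses, and a well-formed return value.
// Only feed it a file you control: the body is evaluated.
function checkWpadResponse(contentType, body) {
  var problems = [];
  if (!/^application\/x-ns-proxy-autoconfig/i.test(contentType || ""))
    problems.push("wrong Content-Type: " + contentType);
  var fn = null;
  try {
    fn = new Function(body + "\n;return typeof FindProxyForURL === 'function' ? FindProxyForURL : null;")();
    if (!fn) problems.push("FindProxyForURL not defined");
  } catch (e) {
    problems.push("script does not parse: " + e.message);
  }
  if (fn) {
    var parts = String(fn("https://example.com/", "example.com")).split(";");
    for (var i = 0; i < parts.length; i++) {
      if (!DIRECTIVE.test(parts[i].trim()))
        problems.push("malformed proxy directive: " + parts[i].trim());
    }
  }
  return problems;
}
```

Serving the file with the right Content-Type means the web server's mimetype table needs an entry for .dat, .da and .pac mapping to application/x-ns-proxy-autoconfig, which is exactly what the lighttpd lines discussed above add.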

  • I am using the default web server used by pfsense. I actually don't know much about this part. I really need to work on it.

    Those links look more than interesting, by the way. I'll work on it asap.

  • Do you connect to pfSense's webgui via https? If so, your web server will not be serving anything via port 80 (I'm pretty sure, it will be quite clear in the file lighttpd.conf). That might explain why requests for normal web pages, accessed via http/port 80, are not finding wpad.dat.

    I had some difficulty configuring wpad too. For a while I had a NAT rule instead redirecting outward bound port 80 traffic towards my proxy. It's a less elegant, less flexible, more brute force approach IMO. I'm not sure how it is configured right now, I'll have to check. It might be an option for you too though.

  • Yes, I am accessing the webgui by HTTPS.

    I am still working on it. So far I have a custom webpage explaining how to configure the proxy.

    I'll keep you informed as soon as I have found a good solution.

  • Here are my relevant NAT entries:

    With these rules, my wpad.dat is still hit (I just checked) but if anything tries to bypass wpad it is redirected to my proxy setup. My wpad does nothing currently, just redirects to the proxy the same as NAT. Some of the devices on my network aren't capable of auto-detect, so they are either pointed directly to the proxy or NAT handles it.

    Here is an extract from my lighty-proxy-wpad.conf:

    The server.bind line has my pfSense private IP between the double quotes. The mimetypes entry has all the other entries deleted to make the image smaller, but you can see that I added two lines for .dat and .da files. I also commented out all the 443 and SSL stuff. This file was originally a copy of the webgui's /var/etc/lighty-webConfigurator.conf. Then I have lighttpd running like this:

    /usr/local/sbin/lighttpd -f /path/to/wpad/lighty-proxy-wpad.conf

    This is my web server for port 80 requests, which serves my wpad to client devices on my network. I use a service to start lighttpd up and monitor it, but you can use an entry in the config. Or another method.

    I also have firewall rules to allow traffic on my interfaces to wpad, my proxy and other services:
