Netgate Discussion Forum
Trouble with pfsense + dansguardian + squid3

pfSense Packages
27 Posts 3 Posters 6.4k Views
Auxilium

Hi,

I have used pfsense as a firewall at home and am very pleased with it.  Now, I want to add web filters to it and have installed Dansguardian and Squid3 (in that order) and configured it in a way I think is correct - but it doesn't work quite like I expected… :-\

Here's what I've done:

1. Installed Dansguardian and configured it like shown in the attached picture.
2. Installed Squid3 and configured it like shown in the other attached picture.
3. At last I created a NAT rule that redirects all tcp/80 (http) to tcp/8080, which is the port Dansguardian is listening on...(see picture)

Now...no matter what url/web address I put in my browser, I only get to the login page to pfSense!

Anyone seen this - what to do ?

Thanks!

[Attachments: Dansguardian.PNG, Squid3.PNG, NAT-rule.PNG]
rjcrowder

I assume your pfSense box (LAN) address is 192.168.1.2? If so, your NAT rule is the same as mine except that I do a "not destination address of pfSense" (192.168.1.2 in your case).
rjcrowder

@rjcrowder:

I assume your pfSense box (LAN) address is 192.168.1.2? If so, your NAT rule is the same as mine except that I do a "not destination address of pfSense" (192.168.1.2 in your case).

And… just to make sure, you have the pfSense web UI running on port 80? correct?
Auxilium

Hi,

yes - the LAN address of my pfsense box is 192.168.1.2…

I've changed web UI to listen to 8080 on my pfsense box...

I'm not sure what you mean about "not destination address of pfSense"...

/Bjørn-Ove
kejianshi

Change your pfsense to use the HTTPS interface on 443 instead of 8080 or 80 if you want and that will absolutely have no way to conflict with squid.  If you need 443 for something else, you can change the https to something different like port 7443 or 8443.

You would then get to it by: https://mypfsenseip:7443 (bookmark if typing a port is a hassle for you)

But if you are not running a server on 443, just regular HTTPS on 443 is preferred and easiest.

This is easiest because https is completely overlooked by squid unless you go out of your way to make it address https.
rjcrowder

@Auxilium:

Hi,

yes - the LAN address of my pfsense box is 192.168.1.2…

I've changed web UI to listen to 8080 on my pfsense box...

I'm not sure what you mean about "not destination address of pfSense"...

/Bjørn-Ove

The reason you're seeing the web UI is because you are running it on port 8080…
Auxilium

Hi,

that solved the issue about just coming to the login page - but now I see that my pfsense box doesn't listen on port 8080 (DansGuardian)…
kejianshi

We don't know what you did…  So, what change did you make?
Auxilium

I changed the port that pfsense UI listens on to 7080 instead of 8080.

Now, Dansguardian doesn't start…and I need to know why.

tcp listening:
s(20): netstat -an | grep -i listen
tcp4      0      0 127.0.0.1.3128        .                    LISTEN
tcp4      0      0 *.7080                .                    LISTEN
tcp6      0      0 *.53                  .                    LISTEN
tcp4      0      0 *.53                  .                    LISTEN
tcp4      0      0 *.22                  .                    LISTEN
tcp6      0      0 *.22                  .                    LISTEN

I can't find any processes running related to Dansguardian either...
kejianshi

Did you try reinstalling the dansguardian package and rebooting?
Auxilium

yepp - nothing changed…DG does not start...digging for logs...

Anything I can check at the command prompt?

when typing this:

dansguardian

Error resolving icap host address.
Content scanner plugin init returned error value: -1
Error loading CS plugins
Error parsing the dansguardian.conf file or other DansGuardian configuration files
rjcrowder

I don't know what you did that is causing the dansguardian error. However, it is not related to changing the web UI to run on 7080. I suspect Dans was never running…
kejianshi

Let's try something new…

Try this.

Stop the squid process from the web gui.

Then go to the pfsense command line

type:

cd /var/squid/cache

rm -rf *

squid -z

Should clear the cache.

Then reboot pfsense.
Auxilium

Hi,

thanks…tried the last suggestion - no change.

And yes - as mentioned above, I also suspect that DG never worked, I was just fooled by the port 8080 since UI listened on that...

I've uninstalled squid and DG - rebooted - installed DG and squid -> No luck... :-\

Any other suggestions to what could cause this ?
rjcrowder

OK… just did a little googling. It appears to me that perhaps the icap error is caused by DG not being able to get your host by name. Is there something wrong with how your host name is set up? Do you have your host name in any of the DG configs?
Auxilium

I'm not using hostname (either shortname or fqdn) in any configuration file…but, could it be that it tries to do a lookup ?

Anyway, I'm now trying to set up DG on a separate box (CentOS) and have a config like this:

pfsensebox: running squid on port 3128 on LAN interface (192.168.1.2)
pfsensebox: NAT rule points at the new server 192.168.1.9 (tcp/8080)

DGbox: listening on 8080
DGbox: proxyip 192.168.1.2
DGbox: proxyport 3128

When I activate the NAT rule - web browsing stops...

UPDATE: when configuring the web browser's proxy IP directly to the DG server - it's working...but I need to get this working by forwarding tcp/80 to DG:8080...

augh... :-\
rjcrowder

Conceptually your new config should work (although it is unnecessary). You've got to go through some debugging steps and figure out where things are failing. Start eliminating variables - for example, have you tried configuring a client to use the new box and port 8080 as a proxy?
Auxilium

Yes - when configuring the client's proxy in the web browser to point towards my new DG box - DG works…and - while watching squid logs on my pfsense box...the DG server redirects to it...

My problem now is to find out how to redirect web access (tcp/80) from default gateway (pfsense box) to DG...

client ---tcp/80---> pfsense/defgw ---redirect tcp/80 to DGserver/8080---> DGserver ---filterfilterfilter---> pfsense/squid 3128 ---to the web--->
Auxilium

Just a thought…while all my clients are configured with pfsense as default gateway - and when enabling the squid server as "transparent" all requests automatically will be redirected to port 3128...then squid will handle all requests.  When enabling my NAT rule to forward tcp/80 requests to the DG server - something crashes...and web browsing stops working.

cut and paste from pfsense proxy ui:
"If transparent mode is enabled, all requests for destination port 80 will be forwarded to the proxy server without any additional configuration necessary."
rjcrowder

@Auxilium:

My problem now is to find out how to redirect web access (tcp/80) from default gateway (pfsense box) to DG…

client ---tcp/80---> pfsense/defgw ---redirect tcp/80 to DGserver/8080---> DGserver ---filterfilterfilter---> pfsense/squid 3128 ---to the web--->

All looks correct. Now create a LAN NAT rule that redirects anything that is destination port 80 to DGserver/8080. Should work fine…
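Added example, not code from the thread or from pfSense: before redirecting tcp/80, it checks the netstat listing Auxilium posted (a constructed copy of that output) for the two failure modes seen above, the redirect target being the web UI port and nothing listening on the target, and models rjcrowder's "not destination address of pfSense" exclusion on the port-forward rule. The rule dictionary, the finding codes and the client address 203.0.113.10 are assumptions for illustration.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample in the shape of FreeBSD `netstat -an | grep -i listen`
# on the pfSense box: squid on loopback 3128, web UI moved to 7080, no 8080.
NETSTAT_SAMPLE = """\
tcp4      0      0 127.0.0.1.3128        *.*                    LISTEN
tcp4      0      0 *.7080                *.*                    LISTEN
tcp6      0      0 *.53                  *.*                    LISTEN
tcp4      0      0 *.53                  *.*                    LISTEN
tcp4      0      0 *.22                  *.*                    LISTEN
tcp6      0      0 *.22                  *.*                    LISTEN
"""

def parse_listeners(netstat_text: str) -> Dict[int, Set[str]]:
    """Map each listening TCP port to the local addresses bound to it.
    FreeBSD prints the local socket as ADDR.PORT, so split on the last dot."""
    listeners: Dict[int, Set[str]] = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0][:3] != "tcp" or fields[-1] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(".")
        listeners.setdefault(int(port), set()).add(addr)
    return listeners

def check_redirect(listeners: Dict[int, Set[str]], target_port: int,
                   webui_port: int) -> List[str]:
    """Findings for a LAN rule 'redirect tcp/80 -> target_port' on this box."""
    findings: List[str] = []
    if target_port == webui_port:
        # first symptom in the thread: every site lands on the pfSense login page
        findings.append("target_is_webui")
    if target_port not in listeners:
        # second symptom: the filter never started, so nothing answers on 8080
        findings.append("no_listener")
    return findings

def redirect_target(rule: dict, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Port-forward match with the 'not destination address of pfSense' exclusion,
    so clients talking to the firewall itself are left alone (hypothetical rule shape)."""
    if dst_port != rule["dst_port"] or dst_ip == rule.get("exclude_dst"):
        return None
    return rule["target"]

# Rule as discussed in the thread: LAN tcp/80 -> DansGuardian on 8080,
# skipping traffic aimed at the firewall's LAN address 192.168.1.2.
TCP80_RULE = {"dst_port": 80, "exclude_dst": "192.168.1.2", "target": ("127.0.0.1", 8080)}

if __name__ == "__main__":
    print(check_redirect(parse_listeners(NETSTAT_SAMPLE), 8080, 7080))
    print(redirect_target(TCP80_RULE, "203.0.113.10", 80))
```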
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.