Trouble with pfsense + dansguardian + sqid3



  • Hi,

    I have used pfsense as a firewall at home and are very pleased with it.  Now, I want to add web filters to it and have installed Dansguardian and Sqid3 (in that order) and configured it in a way I think is correct - but it doesn't work quite like I expected… :-\

    Here's what I've done:

    1. Installed Dansguardian and configured it like shown in the attached picture.
    2. Installed Squi3 and configured it like shown in the other attached picture.
    3. At last I created a NAT rule that redirect all tcp/80 (http) to tcp/8080, which is the port Dansguardian are listening on...(see picture)

    Now...no matter what url/web address I put in my browser, I only get to the login page to pfSense!

    Anyone seen this - what to do ?

    Thanks!








  • I assume your pfSense box (LAN) address is 192.168.1.2? If so, your NAT rule is the same as mine except that I do a "not destination address of pfSense" (192.168.1.2 in your case).



  • @rjcrowder:

    I assume your pfSense box (LAN) address is 192.168.1.2? If so, your NAT rule is the same as mine except that I do a "not destination address of pfSense" (192.168.1.2 in your case).

    And… just to make sure, you have the pfSense web UI running on port 80? correct?



  • Hi,

    yes - the LAN address of my pfsense box is 192.168.1.2…

    I've changed web UI to listen to 8080 on my pfsense box...

    I'm not sure what you mean about "not destination address of pfSense"...

    /Bjørn-Ove



  • Change your pfsense to use the HTTPS interface on 443 instead of 8080 or 80 if you want and that will absolutely have no way to conflict with squid.  If you need 443 for something else, you can change the https to something different like port 7443 or 8443.

    You would then get to it by :    https://mypfsenseip:7443      (bookmark if typing a port is a hassle for you)

    But if you are not running a server on 443, just regular HTTPS on 443 is preferred and easiest.

    This is easiest because https is completely overlooked by squid unless you go out of your way to make it address https.



  • @Auxilium:

    Hi,

    yes - the LAN address of my pfsense box is 192.168.1.2…

    I've changed web UI to listen to 8080 on my pfsense box...

    I'm not sure what you mean about "not destination address of pfSense"...

    /Bjørn-Ove

    The reason you're seeing the web UI is because you are running it on port 8080…



  • Hi,

    that solved the issue about just coming to the login page - but now I see that my pfsense box doesn't listen on port 8080 (DansGuardinan)…



  • We don't know what you did…  So, what change did you make?



  • I changed the port that pfsense UI listens on to 7080 instead of 8080.

    Now, Dansguardinan doesn't start…and I need to know why.

    tcp listening:
    s(20): netstat -an | grep -i listen
    tcp4      0      0 127.0.0.1.3128        .                    LISTEN
    tcp4      0      0 *.7080                .                    LISTEN
    tcp6      0      0 *.53                  .                    LISTEN
    tcp4      0      0 *.53                  .                    LISTEN
    tcp4      0      0 *.22                  .                    LISTEN
    tcp6      0      0 *.22                  .                    LISTEN

    I can't find any processes running related to Dansguardinan eighter...



  • Did you try reinstall dansguardian package and reboot?



  • yepp - nothing changed…DG does not start...digging for logs...

    Anything I can check at command prompt ?

    when typing this:

    dansguardian

    Error resolving icap host address.
    Content scanner plugin init returned error value: -1
    Error loading CS plugins
    Error parsing the dansguardian.conf file or other DansGuardian configuration files



  • I don't know what you did that is causing the dansguardian error. However, it is not related to changing the web UI to run on 7080. I suspect Dans was never running…



  • Lets try something new…

    Try this.

    Stop the squid process from the web gui.

    Then go to pfsense command line

    type:

    cd /var/squid/cache

    rm -rf *

    squid -z

    Should clear the cache.

    Then reboot pfsense.



  • Hi,

    thanks…tried the last suggestion - no change.

    And yes - as mentioned above, I also suspect that DG never worked, I was just fooled by the port 8080 since UI listened on that...

    I've uninstalled squid and DG - rebooted - installed DG and squid -> No luck... :-\

    Any other suggestions to what could cause this ?



  • OK… just did a little googling. It appears to me that perhaps the icap error is caused by DG not being able to get your host by name. Is there something wrong with how your host name is setup? Do you have your host name in any of the DG configs?



  • I'm not using hostname (eighter shortname or fqdn) in any configuration file…but, could it be that it tries to do a lookup ?

    Anyway, I'm now trying to set up DG on a separate box (CentOS) and have a config like this:

    pfsensebox: running squid on port 3128 on LAN interface (192.168.1.2)
    pfsensebox: NAT rule point at the new server 192.168.1.9 (tcp/8080)

    DGbox: listening on 8080
    DGbox: proxyip 192.168.1.2
    DGbox: proxyport 3128

    When I activate the NAT rule - web browsing stops...

    UPDATE: when configureing the web browsers proxy IP directly to DG server - it's working...but I need to get this working by forwarding tcp/80 to DG:8080...

    augh... :-\



  • Conceptually your new config should work (although it is unnecessary). You've got to go through some debugging steps and figure out where things are failing. Start eliminating variables - for example, have you tried configuring a client to use the new box and port  8080 as a proxy?



  • Yes - when configuring the client's proxy in the web browser to point towards my new DG box - DG works…and - while watching squid logs on my pfsense box...DG server redirect to it...

    My problem now is to find out how to redirect web access (tcp/80) from default gateway (pfsense box) to DG...

    client –-tcp/80---> pfsense/defgw –--redirect tcp/80 to DGserver/8080 ---> DGserver –-filterfilterfilter ---> pfsense/squid 3128  –--to the web --->



  • Just a thought…while all my clients are configured with pfsense as default gateway - and when enabling the squid server as "transparent" all request automatically will be redirected to port 3128...then squid will handle all requests.  When enabling my NAT rule to forward tcp/80 request to the DG server - something crashes...and web browsing stop working.

    cut and paste from pfsense proxy ui:
    "If transparent mode is enabled, all requests for destination port 80 will be forwarded to the proxy server without any additional configuration necessary."



  • @Auxilium:

    My problem now is to find out how to redirect web access (tcp/80) from default gateway (pfsense box) to DG…

    client –-tcp/80---> pfsense/defgw –--redirect tcp/80 to DGserver/8080 ---> DGserver –-filterfilterfilter ---> pfsense/squid 3128  –--to the web --->

    All looks correct. Now create a LAN NAT rule that redirects anything that is destination port 80 to DGserver/8080. Should work fine…



  • Hi again,

    OK - just to rule out any issues with my pfsense box, I've installed and configured squid on the same server as Dansguardian.  Now - when configuring dansguardian as a proxy in my browser, this works.  But, I still want to redirect all tcp/80 connections via my firewall towards dansguardian (tcp/8080).

    I've created a NAT rule as attached to this post…but, when this is enabled web browsing stop working...are there any faults in my NAT rule ?

    squid and dansguardian are uninstalled on my pfsense box.




  • These services were not running on the same box?
    Why do people do this to themselves?



  • Yeah.  Thats how mine looks except I would expect redirect target IP to be 192.168.1.1, not .9

    "squid and dansguardian are uninstalled on my pfsense box"

    I hope you meant installed…



  • @kejianshi: all services was installed on one box - dansguardian didn't work at all.

    So, I installed squid and dansguardian on a separate server, which is working if i configure proxy-settings in my web browser.  But, I don't want to do it this way - I want to redirect the traffic so the user can't affect web traffic without even get more creative that they already are (teenages in the house).

    So yes - i uninstalled squid and dg on my pfsense box.

    Now - when trying to redirect the traffic (tcp/80) to my dg-box (192.168.1.9:8080) i created that rule…but it doesn't work...



  • To me it sounds like something on your pfsense box got seriously screwed up and that maybe the answer is reinstall that box clean then cleanly add in your packages and rules.



  • @kejianshi:

    To me it sounds like something on your pfsense box got seriously screwed up and that maybe the answer is reinstall that box clean then cleanly add in your packages and rules.

    I guess I'd have to agree… When setup properly, DQ/Squid works fine on pfSense. I've done this build dozens of times with no issue...



  • augh…last try is to reinstall...:\


Log in to reply