Netgate Discussion Forum
    Squid Transparent Proxy Issue

    pfSense Packages
    17 Posts 5 Posters 21.1k Views
    • EricTyrrell

      When I enable Transparent Proxy and try to navigate to a website such as apple.com it asks me to login and takes me to the pfsense web interface. When I turn it off it's fine but obviously then the proxy isn't being used. Why is this happening?

      • EricTyrrell

        I'd like to add that I'm using Squid 2.6.5_1-p15 and pfSense 1.2-RC3. Thanks.

        • jahonix

          Any chance you set your proxy port to pfSense's webGUI port?

          Put the transparent proxy on 3128 and do not allow traffic to the outside on port 80.
          Also, the admin port for pfSense should be https and not http (port 80).

          • EricTyrrell

            The proxy port is the default of 3128. I changed to using https (443) for the web interface. Now websites (e.g. microsoft.com) go nowhere instead of to the web interface login. Thanks though.

            It seems like it's forwarding anything that has a destination port 80 to pfsense's internal port 80 instead of pfsense's port 3128. I assume that's how it works but I may be wrong. Maybe there's a way to manually set up a transparent proxy?

            • jahonix

              From Proxy server | General settings, did you enable LAN as interface and is 'Allow users on interface' ticked?
              And just to be sure 'Transparent proxy' is enabled as well?
              Upstream Proxy is empty and what about 'Access control'?

              • EricTyrrell

                LAN is the interface and yes 'Allow users on interface' is ticked. I have no acl rules at all. Transparent proxy is definitely enabled. Everything else in the Squid config is default.

                I recently restored pfsense to factory settings. Didn't help. So I reinstalled pfsense from the live cd and it worked great. So then I started restoring previous and it broke again. So again I've reformatted and installed pfsense along with squid. I am in the process of tweaking one thing at a time to figure out what is breaking it and causing this strange behavior.

                • EricTyrrell

                  So far so good except the internet definitely seems slower and on a fast machine. One more clue to the puzzle; I happened to stop the squid service from the services page to see if squid was slowing things down and it made all websites start pointing to the pfsense login again. Very strange. I turned the service back on and everything was back to normal.

                  Also, the lightsquid config page says "shedule" in a few places. How do we get that fixed?

                  • dvserg

                    @EricTyrrell:

                    Also, the lightsquid config page says "shedule" in a few places. How do we get that fixed?

                    What does this mean? Can you show a screenshot?
                    But please create a new topic. Lightsquid is a different package, and I can find a new topic more quickly.
                    ---
                    Must be 2 shedule items
                    Refresh sheduler
                    Squid rotate log sheduler

                    SquidGuardDoc EN  RU Tutorial
                    Localization ru_PFSense

                    • jahonix

                      Hi dvserg, glad you're on this thread!

                      @dvserg:

                      Also, the lightsquid config page says "shedule" in a few places. How do we get that fixed?

                      What this mean?

                      I think Eric complains about spelling. It should be: schedule

                      • dvserg

                        @jahonix:

                        Hi dvserg, glad you're on this thread!
                        ..
                        I think Eric complains about spelling. It should be: schedule

                        Ohh.. This is a grammatical error. :( I learned English poorly in school. :_(
                        If you can, please check the Lightsquid interface for grammar and write to me; I will fix this.
                        PS
                        Sorry, all.

                        SquidGuardDoc EN  RU Tutorial
                        Localization ru_PFSense

                        • jahonix

                          Dvserg, do you have an idea why Eric's traffic is redirected to the pfSense webGUI when disabling the transparent proxy?

                          • EricTyrrell

                            It actually happens when I turn transparent proxy on. It also happened when I shut down the squid service though. Doesn't make sense to me.

                            • dvserg

                              @jahonix:

                              Dvserg, do you have an idea why Eric's traffic is redirected to the pfSense webGUI when disabling the transparent proxy?

                              In transparent mode Squid makes its own redirect rules.
                              Maybe there is incorrect switching from transparent to non-transparent mode.
                              Try switching to transparent and then to non-transparent once more.
                              If the problem still exists, paste your /tmp/rules.debug in the topic or in a PM.
                              ---
                              Also, what installed packages do you have?

                              SquidGuardDoc EN  RU Tutorial
                              Localization ru_PFSense

                              • mhab12

                                @EricTyrrell:

                                So far so good except the internet definitely seems slower and on a fast machine. One more clue to the puzzle; I happened to stop the squid service from the services page to see if squid was slowing things down and it made all websites start pointing to the pfsense login again. Very strange. I turned the service back on and everything was back to normal.

                                I am seeing the same issues where the internet is far slower when the proxy is enabled.  Please see my post here…
                                http://forum.pfsense.org/index.php/topic,7186.0.html

                                Also, as suggested above, I have included my rules.debug, though I am not having issues with traffic being redirected to the GUI.

                                # System Aliases 
                                loopback = "{ lo0 }"
                                lan = "{ rl0  }"
                                wan = "{ xl0  }"
                                enc0 = "{ enc0 }"
                                # User Aliases 
                                
                                set loginterface xl0
                                set loginterface rl0
                                set optimization normal
                                
                                scrub all random-id  fragment reassemble
                                
                                nat-anchor "pftpx/*"
                                nat-anchor "natearly/*"
                                nat-anchor "natrules/*"
                                # FTP proxy
                                rdr-anchor "pftpx/*"
                                
                                # Outbound NAT rules
                                nat on $wan from 10.21.1.0/24 port 500 to any port 500 -> (xl0) port 500
                                nat on $wan from 10.21.1.0/24 port 5060 to any port 5060 -> (xl0) port 5060
                                nat on $wan from 10.21.1.0/24 to any -> (xl0)
                                
                                #SSH Lockout Table
                                table <sshlockout> persist
                                
                                # Load balancing anchor - slbd updates
                                rdr-anchor "slb"
                                
                                # FTP Proxy/helper
                                table <vpns> {   }
                                no rdr on rl0 proto tcp from any to <vpns> port 21
                                rdr on rl0 proto tcp from any to any port 21 -> 127.0.0.1 port 8021
                                
                                # Setup Squid proxy redirect
                                rdr on rl0 proto tcp from any to !(rl0) port 80 -> 127.0.0.1 port 80
                                
                                # IMSpector rdr anchor
                                rdr-anchor "imspector"
                                # UPnPd rdr anchor
                                rdr-anchor "miniupnpd"
                                
                                # Setup squid pass rules for proxy
                                pass in quick on rl0 proto tcp from any to !(rl0) port 80 flags S/SA keep state
                                pass in quick on rl0 proto tcp from any to !(rl0) port 3128 flags S/SA keep state
                                
                                anchor "ftpsesame/*" 
                                anchor "firewallrules"
                                
                                # We use the mighty pf, we cannot be fooled.
                                block quick proto { tcp, udp } from any port = 0 to any
                                block quick proto { tcp, udp } from any to any port = 0
                                
                                # snort2c
                                table <snort2c> persist
                                block quick from <snort2c> to any label "Block snort2c hosts"
                                block quick from any to <snort2c> label "Block snort2c hosts"
                                
                                # loopback
                                anchor "loopback"
                                pass in quick on $loopback all label "pass loopback"
                                pass out quick on $loopback all label "pass loopback"
                                
                                # package manager early specific hook
                                anchor "packageearly"
                                
                                # carp
                                anchor "carp"
                                
                                # permit wan interface to ping out (ping_hosts.sh)
                                pass quick proto icmp from 205.158.217.134 to any keep state
                                
                                # NAT Reflection rules
                                
                                # allow access to DHCP server on LAN
                                anchor "dhcpserverlan"
                                pass in quick on $lan proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server on LAN"
                                pass in quick on $lan proto udp from any port = 68 to 10.21.1.1 port = 67 label "allow access to DHCP server on LAN"
                                pass out quick on $lan proto udp from 10.21.1.1 port = 67 to any port = 68 label "allow access to DHCP server on LAN"
                                block in log quick on $wan proto udp from any port = 67 to 10.21.1.0/24 port = 68 label "block dhcp client out wan"
                                
                                pass in quick on $wan proto udp from any port = 67 to any port = 68 label "allow dhcp client out wan"
                                
                                # LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
                                antispoof for rl0
                                
                                anchor "spoofing"
                                # Support for allow limiting of TCP connections by establishment rate
                                anchor "limitingesr"
                                table <virusprot>
                                block in quick from <virusprot> to any label "virusprot overload table"
                                # pass traffic from firewall -> out
                                anchor "firewallout"
                                pass out quick on xl0 all keep state label "let out anything from firewall host itself"
                                pass out quick on rl0 all keep state label "let out anything from firewall host itself"
                                pass out quick on $enc0 keep state label "IPSEC internal host to host"
                                # make sure the user cannot lock himself out of the webGUI or SSH
                                anchor "anti-lockout"
                                pass in quick on rl0 from any to 10.21.1.1 keep state label "anti-lockout web rule"
                                
                                # SSH lockout
                                block in log proto tcp from <sshlockout> to any port 22 label "sshlockout"
                                
                                anchor "ftpproxy"
                                anchor "pftpx/*"
                                
                                # User-defined aliases follow
                                
                                # User-defined rules follow
                                block in quick on $lan proto tcp from any to any port = 80  label "USER_RULE"
                                pass in quick on $lan from 10.21.1.0/24 to any keep state  label "USER_RULE: Default LAN -> any"
                                
                                # VPN Rules
                                
                                pass in quick on rl0 inet proto tcp from any to $loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost"
                                pass in quick on rl0 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
                                pass in quick on xl0 inet proto tcp from port 20 to (xl0) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: PASV mode data connection"
                                # enable ftp-proxy
                                
                                # IMSpector
                                anchor "imspector"
                                
                                # uPnPd
                                anchor "miniupnpd"
                                
                                #---------------------------------------------------------------------------
                                # default rules (just to be sure)
                                #---------------------------------------------------------------------------
                                block in log quick all label "Default block all just to be sure."
                                block out log quick all label "Default block all just to be sure."
                                
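To see how the symptoms in this thread line up with the Squid rdr line in the rules.debug above (login page when the webGUI is on http/80 and Squid is stopped, "websites go nowhere" once the webGUI moved to 443), here is an added diagnostic that is not from the thread or the pfSense package: it parses the single-port rdr rules and reports which local service would answer redirected port-80 traffic. The webGUI port, the Squid listening port and whether Squid is running are assumed inputs, and the sample rules are constructed from the posted rules.debug.

```python
import re

# Constructed sample modelled on the rdr lines in the rules.debug posted in this thread.
SAMPLE_RULES = """\
# Setup Squid proxy redirect
rdr on rl0 proto tcp from any to !(rl0) port 80 -> 127.0.0.1 port 80
# FTP Proxy/helper
rdr on rl0 proto tcp from any to any port 21 -> 127.0.0.1 port 8021
"""

# Single-port rdr form as written by pfSense 1.2. Simplification: real rules.debug
# files also contain rdr-anchor, "no rdr" and port-range forms, which are skipped here.
RDR_RE = re.compile(
    r"^rdr on (?P<iface>\S+) proto (?P<proto>\S+) from (?P<src>\S+) "
    r"to (?P<dst>\S+) port (?P<dport>\d+) -> (?P<target>\S+) port (?P<tport>\d+)$"
)


def parse_rdr_rules(text):
    """Return the matching rdr rules as dicts; comments and other lines are ignored."""
    rules = []
    for line in text.splitlines():
        m = RDR_RE.match(line.strip())
        if m:
            r = m.groupdict()
            r["dport"], r["tport"] = int(r["dport"]), int(r["tport"])
            rules.append(r)
    return rules


def diagnose_http_redirect(rules, webgui_port, squid_port, squid_running):
    """Work out which local service answers LAN port-80 traffic after the rdr.

    webgui_port and squid_port are assumed inputs (the ports the webGUI and Squid
    bind on 127.0.0.1); nothing is read from a live system.
    """
    findings = []
    for r in rules:
        if r["dport"] != 80 or r["target"] != "127.0.0.1":
            continue
        if squid_running and r["tport"] == squid_port:
            findings.append("ok: port 80 from %s is proxied by Squid on 127.0.0.1:%d"
                            % (r["iface"], r["tport"]))
        elif r["tport"] == webgui_port:
            findings.append("webgui: port 80 from %s lands on the webGUI on 127.0.0.1:%d "
                            "(the login-page symptom)" % (r["iface"], r["tport"]))
        else:
            findings.append("dead: nothing listens on 127.0.0.1:%d, browsing goes nowhere"
                            % r["tport"])
    return findings


if __name__ == "__main__":
    rules = parse_rdr_rules(SAMPLE_RULES)
    for f in diagnose_http_redirect(rules, webgui_port=80, squid_port=80, squid_running=False):
        print(f)
```

Running it against a real /tmp/rules.debug only needs the file contents passed to parse_rdr_rules; the "webgui" and "dead" cases are the two failure modes reported in this thread.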
                                • heiko

                                  Please see also this ticket http://cvstrac.pfsense.com/tktview?tn=1557; I can duplicate this behaviour.

                                  • mhab12

                                    Eric & Heiko:

                                    What type of hardware are you using when you can see the decrease in speed?

                                    • heiko

                                      this one…

                                      http://www.ipc2u.de/catalog/M/MB/33531.html

                                      with 1 GB RAM and 40 GB HDD
