Squid and Dansguardian not working



  • Hello,
    I'm setting up a new pfSense and I'm really stuck with the Squid3 and Dansguardian setup.

    First I have installed Dansguardian, after that I have installed Squid 3, turned transparent on, restarted the machine.

    Added the following rule:

    LAN TCP LAN net * * 80 (HTTP) 192.168.0.1 8080

    But everything without luck. Sometimes Dansguardian seems to block every single webpage, sometimes the browsing didn't work at all.

    So what's the problem here?

    When I'm enabling DG again and activate the rule it breaks down again. So Squid alone does work.

    Thanks!



  • Can you post logs of what is happening and be more clear about the steps you have taken? There are also a few threads in this forum that are about squid/dansguardian.



  • Agree… you are going to have to be more explicit. Also, I'd suggest testing things in steps so that you know what is actually broken (i.e. don't just start off with a redirect rule).

    1.) test that squid is working correctly by doing an explicit proxy config in your browser (to the squid port).
    2.) setup dans and change your browser to point to the dans port. Once that is working correctly...
    3.) block direct access to squid (either with a firewall rule or the squid configuration) and test that the explicit proxy config pointing at dans still works.
    4.) create a redirect rule and remove the proxy config from the browser.
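
The staged test from the post above, written as a script to run from a LAN client (an added example, not part of the original thread). It assumes curl is installed, the LAN address 192.168.0.1 and DansGuardian port 8080 from the first post, and Squid on port 3128; the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: probe each proxy hop separately before adding a redirect rule.
# Assumed values: 192.168.0.1 (pfSense LAN IP), 3128 (Squid), 8080 (DansGuardian).

# Turn a curl exit code plus HTTP status into a diagnosis.
diagnose() {   # $1 = curl exit code, $2 = HTTP status (000 if none)
    case "$1" in
        0)  echo "answered with HTTP $2" ;;
        7)  echo "refused or unreachable: nothing is listening on that address and port" ;;
        28) echo "timeout: packets are dropped or the service is hung" ;;
        52|56) echo "connected, but the proxy closed without a usable reply" ;;
        *)  echo "curl failed with exit code $1" ;;
    esac
}

# Fetch a URL through one explicit proxy and report what happened.
# Any HTTP answer (even a block page) proves the hop is reachable.
probe() {      # $1 = label, $2 = proxy host:port, $3 = test URL
    status=$(curl -s -o /dev/null -m 10 -x "http://$2" -w '%{http_code}' "$3")
    rc=$?
    printf '%-14s %-20s %s\n' "$1" "$2" "$(diagnose "$rc" "${status:-000}")"
    return "$rc"
}

# Run the stages in order and stop at the first broken hop.
run_stages() { # $1 = firewall LAN IP, $2 = test URL
    probe "squid" "$1:3128" "$2" ||
        { echo "fix Squid before touching DansGuardian"; return 1; }
    probe "dansguardian" "$1:8080" "$2" ||
        { echo "DG hop is broken; a redirect rule will not fix it"; return 1; }
    echo "both hops answer; now block direct access to Squid, then add the redirect"
}

# Only touch the network when called with arguments,
# e.g.: sh proxy_stages.sh 192.168.0.1 http://example.com/
if [ "$#" -ge 1 ]; then
    run_stages "$1" "${2:-http://example.com/}"
fi
```

A refused connection on 8080 while 3128 answers points at the address DansGuardian is bound to; a timeout points at a firewall rule dropping the traffic or a hung daemon.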



  • So where do I have to be more specific?

    Installing pfSense, installing DG (everything on default and activated), installing Squid3 (also tried squid3-dev), turning on transparent mode (at this point browsing works fine, but no filtering at all), selecting LAN or Loopback, adding filtering rule as described above. No browsing anymore no matter what port I'm giving him.

    1.) test that squid is working correctly by doing an explicit proxy config in your browser (to the squid port).
    - Check works
    2.) setup dans and change your browser to point to the dans port. Once that is working correctly…
    - Does not work
    3.) block direct access to squid (either with a firewall rule or the squid configuration) and test that the explicit proxy config pointing at dans still works.
    - Don't know how to do that
    4.) create a redirect rule and remove the proxy config from the browser.
    - After activating the redirect rule it does not work at all...

    Conclusion:
    It seems that the Dansguardian is not accepting any connections on port 8080. As soon as I activate the forwarding rule everything breaks up.



  • Can you post a screenshot of the page and the rule?

    What does the browser do exactly when you say browsing doesn't work? Error? Timeout? Loads forever?



  • Sure, I will make some screenshots later. I'm currently at home, but maybe I'm back there later.

    Firefox runs into a timeout.



  • Set DG's interface to loopback. Set up your NAT rule to redirect to 127.0.0.1 instead of 192.168.0.1. I literally just set up this same scenario, and it works great. You'd also want to, if only using the loopback interface, set up NAT rules to redirect to 127.0.0.1 when the destination is 192.168.0.1 (or whatever your interface IP is), port 8080 (or whatever your DG port is). From the sound of it, you only have DG enabled on the loopback port (or not enabled at all).



  • @Alternativende:

    1.) test that squid is working correctly by doing an explicit proxy config in your browser (to the squid port).
      - Check works
    2.) setup dans and change your browser to point to the dans port. Once that is working correctly…
    -  Does not work

    OK… that's my point. Do this in a logical order and test that each piece works. If you can't get it working with the browser pointing directly at dans, then there is no sense in proceeding - the redirect rule isn't magically going to make it work.

    If you point the browser directly at the dans port (via the proxy config).

    • Have you verified that dans is actually running?

    • What happens? Does it just hang?

    • Do you see anything in the squid logs? In the dansguardian logs?

    As far as additional info that would be helpful… screenshots of the config (IPs and ports for both squid and dans) + any info from the logs.



    • Have you verified that dans is actually running?

    • What happens? Does it just hang?

    • Do you see anything in the squid logs? In the dansguardian logs?

    As far as additional info that would be helpful… screenshots of the config (IPs and ports for both squid and dans) + any info from the logs.

    Hope this helps.

    Edit:
    I can bypass Dansguardian when I'm setting the browser to use 192.168.0.1:3128 as proxy. Everything runs just fine then. Setting him to 8080 nothing works (timeout). Leaving him alone DG blocks everything.












  • 1. What's your access.log from Dansguardian saying?

    2. Do you have blanket ban turned on?

    
    #/etc/dansguardian/bannedsitelist
    #Blanket Block.  To block all sites except those in the
    #exceptionsitelist file remove the # from the next line to leave
    #only a '**':
    **
    
    


  • Hi,
    I finally found out the problem, at least kind of. It seems that the default group was set to "Banned", which of course banned everything.
    Setting it to filtered leads to a constant timeout, but not every time. After some restarts of pfSense it seems to work… sometimes. But sometimes he claims that normal webpages are blocked because he isn't able to scan them. Besides this he always pops up messages from clamav, which I did not activate.

    After some reboots the WAN interface didn't get an IP... don't ask me why, but after several minutes and endless reboots and rechecks it worked again.

    Putting the group to unfiltered seems to be the best way to get a stable connection through the internet, but for this I don't need DG  :D.
    Another problem is that the lists I tell him to filter didn't get uncommented in the configs at ALL! So I had to uncomment everything by myself.

    I'm sorry but this whole thing does not seem to work for a productive environment at the moment.

    I have wasted a lot of time the last days to get this to work, but strange behaviors and bugs make it impossible for me to not be totally frustrated about pfSense at all.

    Sorry but this is crap... :-\
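
A quick way to see what a DansGuardian list file really enforces, covering both the blanket `**` question and the complaint about category lists staying commented out (an added example, not part of the original thread). The `.Include<...>` paths in the sample are constructed and the function names are made up for illustration; pass the real bannedsitelist path as the first argument.

```shell
#!/bin/sh
# Added example: summarise what a DansGuardian list file actually enforces.
# Usage: sh dg_list_check.sh /path/to/bannedsitelist

# Print active lines: trimmed, not blank, not starting with '#'.
active_lines() {
    tr -d '\r' < "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -v -e '^#' -e '^$'
}

# Exit 0 when an uncommented '**' line turns the blanket block on.
blanket_block_on() {
    active_lines "$1" | grep -qx -F '**'
}

# Count .Include<...> lines; $2 is "active" or "commented".
count_includes() {
    case "$2" in
        active)    active_lines "$1" | grep -c '^\.Include<' || true ;;
        commented) tr -d '\r' < "$1" |
                       grep -c '^[[:space:]]*#[[:space:]]*\.Include<' || true ;;
    esac
}

report() {
    if blanket_block_on "$1"; then
        echo "BLANKET BLOCK ON: every site not in exceptionsitelist is denied"
    else
        echo "blanket block off"
    fi
    echo "category lists active:    $(count_includes "$1" active)"
    echo "category lists commented: $(count_includes "$1" commented)"
}

# Constructed sample (not taken from the poster's system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
#Blanket Block.  To block all sites except those in the
#exceptionsitelist file remove the # from the next line to leave
#only a '**':
**
#.Include</etc/dansguardian/lists/blacklists/ads/domains>
.Include</etc/dansguardian/lists/blacklists/phishing/domains>
EOF
report "${1:-$sample}"
```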



  • OK… If I'm understanding correctly what you have setup...

    You cannot hit DG directly from the browser (as I had originally suggested) because DG is listening on the loopback interface. If you are getting the DG accessdenied page when the redirect rule is in place, then DG is actually functioning fine. As you've pointed out, the "blocking" is a DG configuration issue.

    I'm uncertain of the issue you are describing with the lists... I've never had any issue with simply selecting the lists I wanted to use in DG and then doing a save.

    It also sounds like you have clam anti-virus turned on? I'd shut it off until you are happy with the overall DG configuration. To be quite honest, the clam anti-virus scanning (whether using DG or HAVP to implement it) is a little frustrating because it introduces a lag - particularly on large file downloads. Also, just so you know I'm fairly certain that the enable/disable of clam requires a hard restart of DG - which does not work correctly from the UI. Bottom line is that if you enable/disable clam you will either have to manually stop/start DG (at the command line) or just reboot the box. This is the only thing you've described so far that I believe is actually a "bug" in the DG pfSense code.

    As far as the WAN interface not getting an IP... never experienced that issue (it has nothing to do with DG), but it seems to me that there were some threads on the forum where others had that problem. You could probably find it with a search.



  • Just wanted to add… and I'm not trying to be defensive (I had nothing to do with the original implementation of DG on pfSense)...

    I've used several open source firewall implementations over the years. Before using pfSense, I used IPCop for several years but I've also played with almost every distro that looked like it might meet my criteria. My main criteria for selecting a distribution have been the following...

    1.) had to be free and open source.
    2.) had to have squid and Dansguardian packages available
    3.) had to have some kind of rules interface for time restrictions, etc.
    4.) had to be easy to modify if I wanted to customize something
    5.) had to be *NIX based (Linux or some other UNIX flavour)

    My experience has been that pfSense is by far the most complete, most stable, easiest to modify open source firewall distro that I've run across. It offers a great blend between enterprise class firewall features and a simple, easily modified UI that is appropriate for home use (where I use it). It also has the most complete set of addon packages and an active, helpful support community.

    However - it is still open source and it is still community supported... There will be things that don't work or don't give you the results you expect. If you want to get the best out of it then it's not for the faint of heart. In my opinion, you should not be afraid to navigate a command line or unwilling to overcome the learning curve.

    Bottom line - I enjoy it and think it's worth the investment... I like the fact that I can fix things myself and then contribute back to the project. However, it's not for everyone - some would prefer (and may be better off) buying a product and paying for support.



  • You need to tell us:

    Is it a fresh 2.1 install or an upgrade?
    Have you had either squid or dansguardian installed before?
    What version of the packages do you have installed?
    What is your pkg_info result?
    What guide are you using to setup squid3+dansguardian?

    Also:

    Not getting a WAN IP could be the device that is handing out the IP and not the WAN interface in pfSense.
    Resetting the device in front of pfSense or checking out syslogs would be the way to solve that, not just endlessly rebooting pfSense.
    Lots of people use Squid+Dansguardian.
    You haven't really given us that much information to work with in solving the problem.



  • Ok sure, I will do the best I can.

    @bryan.paradis:

    Is it a fresh 2.1 install or an upgrade?
    Have you had either squid or dansguardian installed before?
    What version of the packages do you have installed?
    What is your pkg_info result?
    What guide are you using to setup squid3+dansguardian?

    It's a fresh install.
    Dansguardian first, then Squid3, also tried Squid3-devel.
    I have installed them with the package service, so I guess it's the recent version of DG.
    pkg_info result???
    I couldn't find any guide on this.

    Not getting a WAN IP could be the device that is handing out the IP and not the WAN interface in pfSense.
    Resetting the device in front of pfSense or checking out syslogs would be the way to solve that, not just endlessly rebooting pfSense.

    The device itself is definitely working with other firewalls. I have had a look into the syslog, but can't remember what it was saying, sorry. It was something like LC down/LC UP trying to reconnect and so on.

    I can do a fresh install again, but I have really no idea where I should have made a big mistake here..



  • @Alternativende:

    Dansguardian first, then Squid3, also tried Squid3-devel.

    If you don't need something specifically in squid3 can you try the squid package instead?

    pkg_info result???

    Do a pkg_info and then a pbi_info in an ssh terminal. It will output a list of all packages installed.

    I couldn't find any guide on this.

    https://www.google.ca/search?num=50&safe=off&espv=210&es_sm=93&q=squid+%2B+dansguardian+pfsense&oq=squid+%2B+dansguardian+pfsense&gs_l=serp.3..0j0i22i30l6.3149.3961.0.4087.8.8.0.0.0.0.109.667.6j1.7.0….0...1c.1.32.serp..1.7.666.VoxiQW2jGxQ

    The device itself is definitely working with other firewalls. I have had a look into the syslog, but can't remember what it was saying, sorry. It was something like LC down/LC UP trying to reconnect and so on.

    What device is it plugged into? If you post about the problem you should include logs as well.

    Also you should read this thread as well and other threads in this forum that have to do with dansguardian + squid

    https://forum.pfsense.org/index.php/topic,69980.0.html



  • Sorry for warming this up again, but I'm sitting on this again now and I would love to get this to work  :D.

    : pbi_info
    dansguardian-2.12.0.3-i386
    squid-2.7.9_3-i386

    So I have tried it now with every version of Squid which is available, but none of them seems to work with Dansguardian.

    Squid alone works every time. As soon as I try to communicate with DG itself nothing happens. The logfile itself is also clean.

    I have attached a picture of my only NAT rule at the moment, and I have also tried to activate and deactivate this rule.

    Everything without success so far.

    Please tell me what I'm doing wrong here.

    Edit:
    It's a fresh install inside a larger network so far. The WAN interface gets an IP from another machine.










  • Anyone who can help out here?

    I really need this for an elementary school.



  • OK… I guess I'd need to know more specifically how you have this setup... You should not need any NAT rules in order to get Dans working with Squid. You setup the squid proxy in the DG configuration. Then test manually connecting the browser to DG. If you want to make it "transparent", then add a redirect rule later...

    I've never had any problem with this working - with any version of Squid.

    @Alternativende:

    Anyone who can help out here?

    I really need this for an elementary school.



  • Hi,
    so I do install Squid, install DG, but if I then try to point to DG with a browser nothing happens. He just won't open ANY site. There is no log entry at all.



  • Could you please upload some pictures of your settings and could you give a little description what you have installed in which order?

    It would be very very helpful.



  • I install DG then Squid3. See attached pictures.

    ![Screenshot from 2014-03-14 18:44:22.png](/public/imported_attachments/1/Screenshot from 2014-03-14 18:44:22.png)
    ![Screenshot from 2014-03-14 18:44:30.png](/public/imported_attachments/1/Screenshot from 2014-03-14 18:44:30.png)
    ![Screenshot from 2014-03-14 18:44:40.png](/public/imported_attachments/1/Screenshot from 2014-03-14 18:44:40.png)



  • I've managed to work through this thread, with input and learnings from a few others, and finally have a working squid / dansguardian setup.
    I've found a strange issue in that everything works great for the first ten minutes or so, then web surfing becomes slower before eventually stopping. If I shortcut the localhost chain (NAT 80 -> DG 8080 -> Squid 3128 -> Web) by setting my proxy direct to Squid's 3128 port everything resumes as normal.
    If I restart Dansguardian things return to normal as well, so it appears to be some kind of memory leak / cache / buffers filling up type issue.
    Any ideas? I've killed Squid's caching along the route of debugging this matter and that didn't help.