    Transparent Proxy issue?

      zaf last edited by

      Hi All,

      Please can someone tell me why I get access denied when I switch on transparent proxy? See attached.

        KOM last edited by

        Because you have SquidGuard set to block all?  No other idea with just the information you have provided.

          zaf last edited by

          Thanks for the reply, so where is this option so I can check?

            KOM last edited by

            Services - Proxy filter?

              zaf last edited by

              Squid is disabled? See attached.


                KOM last edited by

                SquidGuard (which is different from Squid) is most certainly enabled if you're getting Access Denied errors like that.  When you play with SquidGuard options, you must click Save and then Apply before your changes take effect.

                  zaf last edited by

                  That's what I've done, save and apply!

                    KOM last edited by

                    It's still running if it's giving you the default SquidGuard block page.  What are you actually trying to do, get SquidGuard running?  Get it removed?

                      zaf last edited by

                      I just need to filter Internet traffic and check which sites are being accessed. Strange thing is, when I enable transparent proxy it works for about a minute and then it's hit and miss! Removing SquidGuard makes no difference!

                      By the way, the firewall is also configured as captive portal. I have disabled that as well, still same results?

                      Thanks

                        KOM last edited by

                        I'm pretty familiar with Squid and SquidGuard but not Captive Portal.  First off, what versions of Squid and SquidGuard are you using?  Can I see your Common ACL, Groups ACL and Target Categories screens?  Is there anything in your System log?

                          zaf last edited by

                          Apologies for the late response, I was unwell. Please see attached. I will get you system logs should you need them?

                          Thanks

                          ![comman acl.PNG](/public/imported_attachments/1/comman acl.PNG)
                          ![group acl.PNG](/public/imported_attachments/1/group acl.PNG)
                          ![target cat.PNG](/public/imported_attachments/1/target cat.PNG)
                          ![squid ver.PNG](/public/imported_attachments/1/squid ver.PNG)

                            KOM last edited by

                            On the Common ACL page, click the tiny green Play button to expand your list.  Is there anything there?

                              zaf last edited by

                              See attached, but my SquidGuard is disabled, so why would this be the issue for transparent proxy?

                              Thanks

                              ![comman acl.PNG](/public/imported_attachments/1/comman acl.PNG)

                                zaf last edited by

                                I've just turned transparent proxy on. I can access Google, and when I searched for BBC News it brings the results, but when I click on the BBC News link it says page cannot be displayed? It's the same for any other links as well?

                                Thanks

                                  KOM last edited by

                                  Squid by itself does not do any filtering, just caching.  I suspect that you have a corrupted SquidGuard install and it's still running.  Shell into your pfSense box and run:

                                  ps -ax | grep squid

                                  What does it output?

                                    zaf last edited by

                                    It's not letting me type | ?

                                      zaf last edited by

                                      Sorry, found it. It was the # key that had that. See attached output.


                                        KOM last edited by

                                        Hmm, SquidGuard is not running.  Are you running another content filter, like DansGuardian?  This is certainly a strange one.

                                          zaf last edited by

                                          No, I am not. I've been pulling my hair for weeks but can't seem to find a solution.

                                          If it makes it easier for you, I don't mind giving you remote access over TeamViewer 9?

                                          Let me know.

                                          Thanks

                                            KOM last edited by

                                            I'm just some random Internet guy, so giving me access to your box probably isn't good for security.

                                            I would make a backup of your configuration and then do a reinstall.  That shouldn't take very long and it may get you past a glitch.

                                            I still can't get past how SquidGuard is not running, but you get access denied errors that look exactly like SquidGuard's default error msg page.

                                            Have you tried with a different browser or client computer to rule out any weird caching issues?

                                            What happens if you completely uninstall SquidGuard?

                                              zaf last edited by

                                              If I uninstall it I still get the same result, so I really don't think it's SquidGuard. I believe it's an issue with transparent proxy!

                                              Thanks

                                                KOM last edited by

                                                But like I said, Squid by itself doesn't do any filtering.  None at all.  It's a caching proxy and that's all.

                                                  zaf last edited by

                                                  OK, let's take SquidGuard out of the equation.

                                                  So what I want is transparent proxy with Lightsquid, and I still get the same result?

                                                  Thanks

                                                    Tikimotel last edited by

                                                    You had set up non-transparent mode first, right?
                                                    Perhaps the switching to transparent mode did not complete the firewall rule changes to accommodate the squid proxy rules to redirect to the proxy-port.

                                                    Does /tmp/rules.debug contain something like this?

                                                    
                                                    # Setup Squid proxy redirect
                                                    no rdr on em1 proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80
                                                    rdr on em1 proto tcp from any to !(em1) port 80 -> 127.0.0.1 port 3128
                                                    
                                                    
                                                      zaf last edited by

                                                      Correct, I had not set transparent first, but it was installed as the first package out of three I have installed.

                                                      Sorry, I'm not familiar with commands and I'm new to pfSense. How do I check the /tmp/rules.debug?

                                                      Please can you explain in steps.

                                                      Thanks for all your help so far!

                                                        zaf last edited by

                                                        Tikimotel, can you please respond?

                                                        Thanks

                                                          Tikimotel last edited by

                                                          Sorry for the late response.

                                                          The /tmp/rules.debug can be viewed via WinSCP or using the command "cat /tmp/rules.debug" in the pfSense GUI: diagnostics->command.

                                                          I've checked the "squid.inc" file in the package, and that will normally create the appropriate rules on pressing "save".
                                                          I'm not sure on how to fix that manually if it turns out to be wrong.

                                                            zaf last edited by

                                                            Hi Tikimotel,

                                                            Here is the output of the command. What does this mean?

                                                            Setup Squid proxy redirect

                                                            rdr on de1 proto tcp from any to !(de1) port 80 -> 127.0.0.1 port 3128

                                                            Thanks

                                                              KOM last edited by

                                                              Redirect on interface de1, protocol TCP, from Source "Any" to Destination "NOT LAN Address", and send it to localhost on port 3128.  Basically it means that anyone on your LAN sending anything to port 80 (HTTP) but not directed to your pfSense box will be redirected to your pfSense box port 3128.

                                                              It's the redirect rule that turns Transparent mode on or off.

                                                                Tikimotel last edited by

                                                                rdr on de1 proto tcp from any to !(de1) port 80 -> 127.0.0.1 port 3128
                                                                

                                                                Redirect all traffic using the TCP protocol on port 80, from any source other than de1, and redirect that to localhost using the proxy port.

                                                                So it's only half of what is needed.
                                                                You'll need both lines from my example for transparent mode to work, both are set by the squid GUI.

                                                                Do you have "Allow users on interface" enabled?

                                                                1 Reply Last reply Reply Quote 0
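
The check discussed in the posts above, as an added example that is not part of the original thread: a small shell script that reads a pf ruleset dump such as /tmp/rules.debug and reports, per interface, whether the Squid `rdr` redirect and the `no rdr` exemption line from Tikimotel's example are present. The function names and sample file names are hypothetical; the sample rules are the ones quoted in the thread plus one constructed `pass` line.

```shell
#!/bin/sh
# Added example (not from the thread): summarise Squid transparent-proxy
# redirect rules in a pf ruleset dump such as /tmp/rules.debug.

# squid_rdr_report FILE
# Prints one line per interface: "<if> redirect=<host:port|none> exempt=<yes|no>"
squid_rdr_report() {
    awk '
        # "no rdr on IF ... port 80": destinations exempted from redirection
        $1 == "no" && $2 == "rdr" && $3 == "on" && / port 80[ \t]*$/ {
            seen[$4] = 1; exempt[$4] = 1; next
        }
        # "rdr on IF ... port 80 -> HOST port N": the redirect to the proxy
        $1 == "rdr" && $2 == "on" && / port 80 -> / {
            seen[$3] = 1
            target[$3] = $(NF-2) ":" $NF
        }
        END {
            for (i in seen)
                printf "%s redirect=%s exempt=%s\n", i,
                    ((i in target) ? target[i] : "none"),
                    ((i in exempt) ? "yes" : "no")
        }
    ' "$1" | sort
}

# squid_rdr_check FILE IF
# Exit 0: redirect and exemption both present for IF
# Exit 1: redirect present, no exemption line
# Exit 2: no redirect for IF (nothing is being sent to the proxy port)
squid_rdr_check() {
    line=$(squid_rdr_report "$1" | awk -v i="$2" '$1 == i')
    case "$line" in
        *redirect=none*|"") return 2 ;;
        *exempt=yes*)       return 0 ;;
        *)                  return 1 ;;
    esac
}

# Sample input: the two rule sets quoted in the thread, and one constructed
# ruleset with no redirect at all.
sample_dir=$(mktemp -d)
cat > "$sample_dir/both.rules" <<'EOF'
# Setup Squid proxy redirect
no rdr on em1 proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80
rdr on em1 proto tcp from any to !(em1) port 80 -> 127.0.0.1 port 3128
EOF
cat > "$sample_dir/redirect_only.rules" <<'EOF'
# Setup Squid proxy redirect
rdr on de1 proto tcp from any to !(de1) port 80 -> 127.0.0.1 port 3128
EOF
cat > "$sample_dir/none.rules" <<'EOF'
pass in quick on de1 proto tcp from any to any port 80
EOF

squid_rdr_report "$sample_dir/both.rules"
squid_rdr_report "$sample_dir/redirect_only.rules"
squid_rdr_check "$sample_dir/redirect_only.rules" de1
echo "redirect_only.rules de1 status: $?"
```

On the pfSense box itself, call `squid_rdr_report /tmp/rules.debug` after pressing Save in the Squid GUI to see what was actually written.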
                                                                  Tikimotel last edited by

                                                                  I've unchecked this "Allow users on interface" and saved.
                                                                  Now I get a denied message, too.

                                                                  Please check "Allow users on interface", or add the allowed subnets manually in the tab "ACLs"

                                                                  Have you added anything to the "Authentication" tab?
                                                                  Can you try and set "Authentication method" to "none", or add the subnets to "Subnets that don't need authentication" field below that.

                                                                    zaf last edited by

                                                                    So it's only half of what is needed.
                                                                    You'll need both lines from my example for transparent mode to work, both are set by the squid GUI.

                                                                    Do you have "Allow users on interface" enabled?

                                                                    See attached. So how do I add the other line?

                                                                    Thanks


                                                                      zaf last edited by

                                                                      Authentication tab is set to none?


                                                                        zaf last edited by

                                                                        The strange thing is, when I turn transparent proxy on, the Google page works (hit and miss), but if I try another site, say bbc.co.uk, it says page cannot be displayed?

                                                                        :-\

                                                                        Really confusing the hell out of me!

                                                                          Tikimotel last edited by

                                                                          The second depends on your connection type; PPPoE, for instance, has a different rule than an Ethernet connection.

                                                                          Have you tried to remove the pkg config, uninstall the package and then fully re-install the package?

                                                                          Log in to the terminal/SSH or locally on the box.
                                                                          Use option 12 (developer shell).
                                                                          And issue the "playback" command to remove the pkg config.
                                                                          (playback removepkgconfig squid/squid3/squid3-dev)
                                                                          Then log out of the terminal shell.
                                                                          The package config is then removed from config.xml, so re-installing the squid package from the GUI will be like the very first install; no old settings are restored.

                                                                          I'm currently running "squid3-dev" on pfSense v2.1.4 (64-bit). From what I can tell from your images, you are running a previous squid package version?
                                                                          I don't know if the missing libs are fixed yet in the "squid3-dev" installer, but you can look up these libs in the forum topic there.
                                                                          https://forum.pfsense.org/index.php?topic=62256.165

                                                                          Marcello has done a lot of work in the squid3-dev package, and for my use case it works great. (it works for me ©)
                                                                          https://forum.pfsense.org/index.php?topic=48347.0

                                                                          My 2 cents to get SquidGuard to cooperate with squid3-dev:
                                                                          https://forum.pfsense.org/index.php?topic=73640.0

                                                                            zaf last edited by

                                                                            Here is the screen print of packages installed. Do you want me to uninstall this and install the one highlighted in yellow on the second screen print?

                                                                            Thanks




                                                                              Tikimotel last edited by

                                                                              Your current squid is version 2 based (a.k.a. old).
                                                                              I don't know if there is any development on that package…

                                                                              When re-installing your version of squid, just make sure the old squid pkg settings are gone, because now you have weird issues.

                                                                              I suggest you use "Squid3-dev" in combination with "Squidguard-squid3", because there is more development on that being done.

                                                                                KOM last edited by

                                                                                Squid3-dev in pfSense 2.1.x is fragile and I would not recommend using it unless you have both time on your hands and a masochistic streak.  Perhaps look at it in pfSense 2.2-ALPHA.

                                                                                  zaf last edited by

                                                                                  More confusion!!  :-\

                                                                                  I'm thinking of giving up on this, unless someone gives me an assured, tested solution please?

                                                                                  Thanks

                                                                                    Liath.WW last edited by

                                                                                    Zaf, by chance do you have multiple WAN interfaces?  Squid (and even pfSense itself) tend to be super-flaky with multi-WAN since I upgraded to 2.1.4, and I think it has to do with apinger failing and dropping connections that are perfectly valid, while also continuously saying that the gateway that is down is actually up.

                                                                                    I'd initially thought that squid was at fault, but I completely removed squid and still had the issue, so I shut down the failover interface and suddenly everything works again.  Moved the two connections to an old router and it seems to be working fine now, though it's much slower than having the connections directly connected to the pfSense box.
