Transparent Proxy issue?



  • Hi All,

    Please can someone tell me why I get access denied when I switch on transparent proxy? see attached



  • Because you have SquidGuard set to block all?  No other idea with just the information you have provided.



  • Thanks for the reply, so where is this option so I can check?



  • Services - Proxy filter?



  • squid is disabled? see attached




  • SquidGuard (which is different from Squid) is most certainly enabled if you're getting Access Denied errors like that.  When you play with SquidGuard options, you must click Save and then Apply before your changes take effect.



  • That's what I've done save and apply!



  • It's still running if it's giving you the default SquidGuard block page.  What are you actually trying to do, get SquidGuard running?  Get it removed?



  • I just need to filter Internet traffic and check which sites are being accessed. Strange thing is when i enable transparent proxy it works for about a minute and then its hit and miss! Removing squid guard makes no difference!

    By the way the firewall is also configured as captive portal, I have disabled that as well still same results?

    Thanks



  • I'm pretty familiar with Squid and SquidGuard but not Captive Portal.  First off, what versions of Squid and SquidGuard are you using?  Can I see your Common ACL, Groups ACL and Target Categories screens?  Is there anything in your System log?



  • apology for the late response, I was unwell, please see attached, I will get you system logs should you need it?

    Thanks

    ![comman acl.PNG](/public/imported_attachments/1/comman acl.PNG)
    ![comman acl.PNG_thumb](/public/imported_attachments/1/comman acl.PNG_thumb)
    ![group acl.PNG](/public/imported_attachments/1/group acl.PNG)
    ![group acl.PNG_thumb](/public/imported_attachments/1/group acl.PNG_thumb)
    ![target cat.PNG](/public/imported_attachments/1/target cat.PNG)
    ![target cat.PNG_thumb](/public/imported_attachments/1/target cat.PNG_thumb)
    ![squid ver.PNG](/public/imported_attachments/1/squid ver.PNG)
    ![squid ver.PNG_thumb](/public/imported_attachments/1/squid ver.PNG_thumb)



  • On the Common ACL page, click the tiny green Play button to expand your list.  Is there anything there?



  • see attached, but my Squidguard is disabled so why would this be the issue for transparent proxy?

    Thanks

    ![comman acl.PNG](/public/imported_attachments/1/comman acl.PNG)
    ![comman acl.PNG_thumb](/public/imported_attachments/1/comman acl.PNG_thumb)



  • I've just turned transparent proxy on, I can access google and I searched bbc news it brings the results but when I click on the bbc news link it say page cannot be displayed? its same for any other links as well?

    Thanks



  • Squid by itself does not do any filtering, just caching.  I suspect that you have a corrupted SquidGuard install and it's still running.  Shell into your pfSense box and run:

    ps -ax | grep squid

    What does it output?



  • its not letting me type |  ?



  • sorry found it, it was the # key that had that, see attached output.




  • Hmm, SquidGuard is not running.  Are you running another content filter, like DansGuardian?  This is certainly a strange one.



  • no I am not, ive been pulling my hair for weeks but cant seem to find a solution.

    If it makes it easier for you, I don't mind giving you remote access over team viewer 9 ?

    let me know.

    Thanks



  • I'm just some random Internet guy, so giving me access to your box probably isn't good for security.

    I would make a backup of your configuration and then do a reinstall.  That shouldn't take very long and it may get you past a glitch.

    I still cant' get past how SquidGuard is not running, but you get access denied errors that look exactly like SquidGuard's default error msg page.

    You have tried with different browser or client computer to rule out an weird caching issues?

    What happens if you completely uninstall SquidGuard?



  • If I uninstall it I get still the same result, so I really don't think its squid guard, I believe its an issue with transparent proxy!

    Thanks



  • But like I said, Squid by itself doesn't do any filtering.  None at all.  It's a caching proxy and that's all.



  • ok lets take the squid guard out of equation.

    so what I want is transparent proxy with lightsquid and I still get the same result?

    Thanks



  • You had setup not-transparent mode first right?
    Perhaps the switching to transparent mode did not complete the firewall rule changes to accommodate the squid proxy rules to redirect to the proxy-port.

    Does /tmp/rules.debug contain something like this?

    
    # Setup Squid proxy redirect
    no rdr on em1 proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80
    rdr on em1 proto tcp from any to !(em1) port 80 -> 127.0.0.1 port 3128
    
    


  • correct I had not set transparent first, but it was installed as the first package out of three I have installed.

    sorry im not familiar with command and im new to pfsense, how do I check the /tmp/rules.debug?

    please can you explain in steps..

    Thanks for all your help so far!



  • Tikimotel can you please respond?

    Thanks



  • Sorry, for the late response..

    The tmp/rules.debug can be viewed via WinSCP or using the command "cat /tmp/rules.debug" in pfsense GUI: diagnostics->command.

    I've checked the "squid.inc" file in the package, and that will normally create the appropriate rules on pressing "save".
    I'm not sure on how to fix that manually if it turns out to be wrong.



  • Hi Tikimotel,

    here is the out put of the command, what does this mean?

    Setup Squid proxy redirect

    rdr on de1 proto tcp from any to !(de1) port 80 -> 127.0.0.1 port 3128

    Thanks



  • Redirect on interface de1, protocol TCP, from Source "Any" to Destination "NOT LAN Address", and send it to localhost on port 3128.  Basically it means that anyone on your LAN sending anything to port 80 (HTTP) but not directed to your pfSense box will be redirected to your pfSense box port 3128.

    It's the redirect rule that turns Transparent mode on or off.



  • rdr on de1 proto tcp from any to !(de1) port 80 -> 127.0.0.1 port 3128
    

    redirect all traffic using tcp protocol on port 80, from any source other than the de1 and redirect that to the localhost using the proxy port.

    So it only half of what is needed.
    You'll need both lines from my example for transparent mode to work, both are set by the squid GUI.

    Do you have "Allow users on interface" enabled?



  • I've unchecked this "Allow users on interface" and saved.
    Now I get a denied message, too.

    Please check "Allow users on interface", or add the allowed subnets manually in the tab "ACLs"

    Have you added anything to the "Authentication" tab?
    Can you try and set "Authentication method" to "none", or add the subnets to "Subnets that don't need authentication" field below that.



  • So it only half of what is needed.
    You'll need both lines from my example for transparent mode to work, both are set by the squid GUI.

    Do you have "Allow users on interface" enabled?

    see attached, so how I do I add the other line?7

    Thanks




  • authentication tab is set to none?




  • the strange thing is when I turn transparent proxy on, google page works (hit and miss), but if I try another site say bbc.co.uk it say page cannot be displayed?

    :-\

    really confusing the hell out of me!



  • The second is depending on your connection type, PPPoE for instance has a different rule than Ethernet connected.

    Have you tried to remove the pkg config, uninstall the package and then fully re-install the package?

    Login the terminal/ssh or local on the box.
    Use the option 12 (developer shell)
    And issue the "playback" command to remove pkg config.
    (playback removepkgconfig squid/squid3/squid3-dev)
    The logout of the terminal shell.
    The package config is the removed from the config.XML, so re-installing squid package from the GUI will be like the very first install, no old settings are restored.

    I'm currently running "squid3-dev" on pfSense v2.1.4 (64-bit) from what I can tell from your images you are running a previous squid package version?
    I don't know if the missing libs is fixed yet in the "squid3-dev" installer, but you can look up these libs in the forum topic there.
    https://forum.pfsense.org/index.php?topic=62256.165

    Marcello has done a lot of work in the squid3-dev package, and for my use case it works great. (it works for me ©)
    https://forum.pfsense.org/index.php?topic=48347.0

    My 2cents to get SquidGuard to cooperate with squid3-dev
    https://forum.pfsense.org/index.php?topic=73640.0



  • here is the screen print of packages installed, do you want me to uninstall this and install the highlighted in yellow on the second screen print?

    Thanks






  • Your current squid is version 2 based. (a.k.a old)
    I don't know if there is any development on that package…

    When re-installing you version of squid, just make sure the old squid pkg settings are gone, because now you have weird issues.

    I suggest you use "Squid3-dev" in combination with "Squidguard-squid3", because there is more development on that being done.



  • Squid3-dev in pfSense 2.1.x is fragile and I would not recommend using it unless you have both time on your hands and a masochistic streak.  Perhaps look at it in pfSense 2.2-ALPHA.



  • more confusion!!  :-\

    im thinking of giving up on this, unless someone gives me assured tested solution please?

    Thanks



  • Zaf, by chance do you have multiple WAN interfaces?  Squid (and even pfsense itself) tend to by super-flakey with multi-wan since I upgraded to 2.1.4 and I think it has to do with apinger failing and dropping connections that are perfectly valid, while also continuously saying that the gateway that is down is actually up.

    I'd initially thought that squid was at fault, but I completely removed squid and still had the issue, so I shut down the failover interface and suddenly everything works again.  Moved the two connections to an old router and it seems to be working fine now, though its much slower than having the connections directly connected to the pfsense box.


Log in to reply