Netgate Discussion Forum
    [SOLVED] Squid blocking all sites except Google and a few others

    7 Posts 3 Posters 7.7k Views
    alltime

      Hi,

      I have the strangest thing going on here. For some reason, Squid is blocking every website except for Google when transparent mode is set. There is no real specification showing that this should occur.

      • My network is on the same subnet as pfSense, which is 192.168.1.0/24, so there shouldn't be any blocking whatsoever (ACLs).

      • We are using Google DNS in addition to our own.

      • There are no specified firewall rules that should block users.

      • Below is the Squid configuration from the pfSense XML. Please let me know if this is not what is needed.

      What gives?

      <squid>
        <config>
          <active_interface>opt2</active_interface>
          <proxy_port>3128</proxy_port>
          <icp_port></icp_port>
          <allow_interface>on</allow_interface>
          <patch_cp></patch_cp>
          <dns_v4_first>on</dns_v4_first>
          <disable_pinger></disable_pinger>
          <dns_nameservers></dns_nameservers>
          <transparent_proxy></transparent_proxy>
          <transparent_active_interface>opt2</transparent_active_interface>
          <private_subnet_proxy_off></private_subnet_proxy_off>
          <defined_ip_proxy_off></defined_ip_proxy_off>
          <defined_ip_proxy_off_dest></defined_ip_proxy_off_dest>
          <ssl_proxy>on</ssl_proxy>
          <ssl_active_interface>opt2</ssl_active_interface>
          <ssl_proxy_port></ssl_proxy_port>
          <dca>53dac4f051ce5</dca>
          <sslcrtd_children></sslcrtd_children>
          <interception_checks></interception_checks>
          <interception_adapt></interception_adapt>
          <log_enabled></log_enabled>
          <log_dir>/var/squid/logs</log_dir>
          <log_rotate></log_rotate>
          <visible_hostname>localhost</visible_hostname>
          <admin_email>admin@localhost</admin_email>
          <error_language>en</error_language>
          <disable_xforward></disable_xforward>
          <disable_via></disable_via>
          <log_sqd></log_sqd>
          <uri_whitespace>strip</uri_whitespace>
          <disable_squidversion></disable_squidversion>
        </config>
      </squid>

      tanniit

        Disable Squid and give it a try. Usually, by default, Squid will not block any website.
        Posting some pfSense config screenshots and logs from the firewall and Squid would be helpful.

        alltime

          Without Squid, pfSense works flawlessly and has been for several years. Now I'm seeing that forum.pfsense.org also works, and a few other SSL-enabled sites. Not all.

          WAN Firewall Rules

          Wireless (LAN) Firewall Rules

          Squid Configuration

          Squid Log:

          All that I see within /var/squid/logs is cache.log:

          
          2014/08/22 17:58:30 kid1| Starting Squid Cache version 3.3.10 for i386-portbld-freebsd8.3...
          2014/08/22 17:58:30 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/en/error-details.txt
          2014/08/22 17:58:30 kid1| Unable to load default error language files. Reset to backups.
          2014/08/22 17:58:30 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/templates/error-details.txt
          2014/08/22 17:58:30 kid1| WARNING: failed to find or read error text file error-details.txt
          2014/08/22 17:58:30 kid1| sendto FD 22: (1) Operation not permitted
          2014/08/22 17:58:30 kid1| ipcCreate: CHILD: hello write test failed
          2014/08/23 16:08:47 kid1| Starting Squid Cache version 3.3.10 for i386-portbld-freebsd8.3...
          2014/08/23 16:08:47 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/en/error-details.txt
          2014/08/23 16:08:47 kid1| Unable to load default error language files. Reset to backups.
          2014/08/23 16:08:47 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/templates/error-details.txt
          2014/08/23 16:08:47 kid1| WARNING: failed to find or read error text file error-details.txt
          2014/08/23 16:08:47 kid1| sendto FD 33: (1) Operation not permitted
          2014/08/23 16:08:47 kid1| ipcCreate: CHILD: hello write test failed
          2014/08/23 18:09:20 kid1| Starting Squid Cache version 3.3.10 for i386-portbld-freebsd8.3...
          2014/08/23 18:09:20 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/en/error-details.txt
          2014/08/23 18:09:20 kid1| Unable to load default error language files. Reset to backups.
          2014/08/23 18:09:20 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/templates/error-details.txt
          2014/08/23 18:09:20 kid1| WARNING: failed to find or read error text file error-details.txt
          2014/08/23 18:09:20 kid1| sendto FD 33: (1) Operation not permitted
          2014/08/23 18:09:20 kid1| ipcCreate: CHILD: hello write test failed

          Firewall log:

          tanniit

            Try:
            1. Check the "transparent http proxy".
            2. In your firewall log, click the "x" to see which firewall rule is blocking your traffic.

            alltime

              The issue mentioned in the first post only occurs when "transparent http proxy" is checked. My apologies for not being clear.

              Within our firewall log, the only real errors that I see are below after clicking each X. However, according to https://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F this seems to be normal.

              @5 block drop in log inet all label "Default deny rule IPv4"

              AIMS-Informatique

                Don't know why, but to get the transparent proxy to work, we had to add these lines in the "Custom Option field":

                redirect_program /usr/pbi/squidguard-amd64/bin/squidGuard -c /usr/pbi/squidguard-amd64/etc/squidGuard/squidGuard.conf;redirector_bypass off;url_rewrite_children 5
                

                I don't have a clue what it does exactly, but it did work…

                alltime

                  Figured it out! So apparently, within the Squid allowed ports, despite the Squid configuration page stating:

                  This is a space-separated list of "safe ports" in addition to the already defined list: 21 70 80 210 280 443 488 563 591 631 777 901 1025-65535

                  I had to make the following modifications:

                  
                  acl safeports: 21-65535
                  acl sslports: 443 563 995

                  All good  :o
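The fix above works by changing which destination ports Squid treats as "safe" and which it allows CONNECT (HTTPS tunnelling) to. The following is an added example, not code from the thread or from the pfSense or Squid projects: it models the two port checks that a stock squid.conf applies before any site-level rule (`http_access deny !Safe_ports` and `http_access deny CONNECT !SSL_ports`), parses port lists in the same "21 70 80 1025-65535" syntax the pfSense page quotes, and compares the default list against the widened one from this post. The sample requests are constructed. Two things it makes visible: a CONNECT to 563 or 995 is refused under the defaults even though the page lists 563 as safe, because stock Squid only allows CONNECT to SSL_ports (443); and `21-65535` also admits ports such as 25 that the default list deliberately leaves out, so the widened policy is more permissive than the symptom required.

```python
"""Squid port-ACL evaluator (added example; not from the thread or from Squid/pfSense).

Models the two port checks stock squid.conf applies before site-level rules:

    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports

Port specs use the "21 70 80 1025-65535" syntax shown on the pfSense Squid page.
"""

from dataclasses import dataclass


def parse_port_spec(spec: str) -> list[tuple[int, int]]:
    """Turn '21 70 80 1025-65535' into a list of inclusive (low, high) ranges."""
    ranges = []
    for token in spec.replace(",", " ").split():
        low, _, high = token.partition("-")
        lo = int(low)
        hi = int(high) if high else lo
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"bad port range: {token!r}")
        ranges.append((lo, hi))
    return ranges


def port_matches(port: int, ranges: list[tuple[int, int]]) -> bool:
    """True if the port falls inside any (low, high) range."""
    return any(lo <= port <= hi for lo, hi in ranges)


@dataclass(frozen=True)
class PortPolicy:
    safe_ports: list
    ssl_ports: list

    @classmethod
    def from_specs(cls, safe: str, ssl: str) -> "PortPolicy":
        return cls(parse_port_spec(safe), parse_port_spec(ssl))

    def decide(self, method: str, port: int) -> str:
        """Apply the two stock port rules in squid.conf order."""
        if not port_matches(port, self.safe_ports):
            return "deny (!Safe_ports)"
        if method.upper() == "CONNECT" and not port_matches(port, self.ssl_ports):
            return "deny (CONNECT !SSL_ports)"
        return "pass to later http_access rules"


# Default Safe_ports list quoted on the pfSense Squid page in this thread,
# with Squid's stock SSL_ports value (443 only).
DEFAULT = PortPolicy.from_specs(
    "21 70 80 210 280 443 488 563 591 631 777 901 1025-65535", "443")

# The thread's final fix: every port from 21 upward is "safe", and CONNECT
# is additionally allowed to 563 and 995.
WIDENED = PortPolicy.from_specs("21-65535", "443 563 995")


def compare(requests: list[tuple[str, int]]) -> dict:
    """Map each (method, port) to (default_decision, widened_decision)."""
    return {(m, p): (DEFAULT.decide(m, p), WIDENED.decide(m, p)) for m, p in requests}


if __name__ == "__main__":
    # Constructed sample requests: plain HTTP, HTTPS, NNTPS/POP3S tunnels,
    # SMTP (excluded by the default list), and a high HTTPS port.
    sample = [("GET", 80), ("CONNECT", 443), ("CONNECT", 563),
              ("CONNECT", 995), ("GET", 25), ("CONNECT", 8443)]
    for (m, p), (d, w) in compare(sample).items():
        print(f"{m:8}{p:6}  default: {d:28} widened: {w}")
```

The decisions are only the port stage; a request that "passes" here still has to satisfy the later `http_access` rules (the localnet ACL and the final deny). The comparison is useful when deciding how much of the `21-65535` change to keep: adding `563 995` to SSL_ports alone would have let the CONNECT cases through without also making SMTP and every other low port a "safe" proxy destination.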

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.