[SOLVED] Squid blocking all sites except Google and a few others



  • Hi,

    I have the strangest thing going on here. For some reason, SQUID is blocking every website except for Google when transparent mode is set. There is no real specification showing that this should occur.

    • My network is on the same subnet as pfsense which is 192.168.1.0/24 so there shouldn't be any blocking whatsoever (ACLs).

    • We are using Google DNS in addition to our own.

    • There are no specified firewall rules that should block users.

    • Below is the Squid configuration from the pfSense XML. Please let me know if this is not what is needed.

    What gives?

    <squid>
      <config>
        <active_interface>opt2</active_interface>
        <proxy_port>3128</proxy_port>
        <icp_port></icp_port>
        <allow_interface>on</allow_interface>
        <patch_cp></patch_cp>
        <dns_v4_first>on</dns_v4_first>
        <disable_pinger></disable_pinger>
        <dns_nameservers></dns_nameservers>
        <transparent_proxy></transparent_proxy>
        <transparent_active_interface>opt2</transparent_active_interface>
        <private_subnet_proxy_off></private_subnet_proxy_off>
        <defined_ip_proxy_off></defined_ip_proxy_off>
        <defined_ip_proxy_off_dest></defined_ip_proxy_off_dest>
        <ssl_proxy>on</ssl_proxy>
        <ssl_active_interface>opt2</ssl_active_interface>
        <ssl_proxy_port></ssl_proxy_port>
        <dca>53dac4f051ce5</dca>
        <sslcrtd_children></sslcrtd_children>
        <interception_checks></interception_checks>
        <interception_adapt></interception_adapt>
        <log_enabled></log_enabled>
        <log_dir>/var/squid/logs</log_dir>
        <log_rotate></log_rotate>
        <visible_hostname>localhost</visible_hostname>
        <admin_email>admin@localhost</admin_email>
        <error_language>en</error_language>
        <disable_xforward></disable_xforward>
        <disable_via></disable_via>
        <log_sqd></log_sqd>
        <uri_whitespace>strip</uri_whitespace>
        <disable_squidversion></disable_squidversion>
      </config>
    </squid>



  • Disable Squid and give it a try. Usually, by default, Squid will not block any website.
    Posting some pfSense config screenshots and logs from the firewall and Squid would be helpful.



  • Without Squid, pfSense works flawlessly and has been for several years. Now I'm seeing that forum.pfsense.org also works, along with a few other SSL-enabled sites. Not all.

    WAN Firewall Rules

    Wireless (LAN) Firewall Rules

    Squid Configuration

    Squid Log:

    All that I see within /var/squid/logs is cache.log:

    
    2014/08/22 17:58:30 kid1| Starting Squid Cache version 3.3.10 for i386-portbld-freebsd8.3...
    2014/08/22 17:58:30 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/en/error-details.txt
    2014/08/22 17:58:30 kid1| Unable to load default error language files. Reset to backups.
    2014/08/22 17:58:30 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/templates/error-details.txt
    2014/08/22 17:58:30 kid1| WARNING: failed to find or read error text file error-details.txt
    2014/08/22 17:58:30 kid1| sendto FD 22: (1) Operation not permitted
    2014/08/22 17:58:30 kid1| ipcCreate: CHILD: hello write test failed
    2014/08/23 16:08:47 kid1| Starting Squid Cache version 3.3.10 for i386-portbld-freebsd8.3...
    2014/08/23 16:08:47 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/en/error-details.txt
    2014/08/23 16:08:47 kid1| Unable to load default error language files. Reset to backups.
    2014/08/23 16:08:47 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/templates/error-details.txt
    2014/08/23 16:08:47 kid1| WARNING: failed to find or read error text file error-details.txt
    2014/08/23 16:08:47 kid1| sendto FD 33: (1) Operation not permitted
    2014/08/23 16:08:47 kid1| ipcCreate: CHILD: hello write test failed
    2014/08/23 18:09:20 kid1| Starting Squid Cache version 3.3.10 for i386-portbld-freebsd8.3...
    2014/08/23 18:09:20 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/en/error-details.txt
    2014/08/23 18:09:20 kid1| Unable to load default error language files. Reset to backups.
    2014/08/23 18:09:20 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/templates/error-details.txt
    2014/08/23 18:09:20 kid1| WARNING: failed to find or read error text file error-details.txt
    2014/08/23 18:09:20 kid1| sendto FD 33: (1) Operation not permitted
    2014/08/23 18:09:20 kid1| ipcCreate: CHILD: hello write test failed

    Firewall log:



  • Try:
    1.  Check "transparent http proxy".
    2.  In your firewall log, click the "x" to see which firewall rule is blocking your traffic.



  • The issue mentioned in the first post only occurs when "transparent http proxy" is checked. My apologies for not being clear.

    Within our firewall log, the only real errors that I see are below after clicking each X. However, according to https://doc.pfsense.org/index.php/Logs_show_"blocked"_for_traffic_from_a_legitimate_connection,_why%3F this seems to be normal.

    @5 block drop in log inet all label "Default deny rule IPv4"



  • Don't know why, but to get the transparent proxy to work, we had to add these lines in the "Custom Option" field:

    redirect_program /usr/pbi/squidguard-amd64/bin/squidGuard -c /usr/pbi/squidguard-amd64/etc/squidGuard/squidGuard.conf;redirector_bypass off;url_rewrite_children 5

    I don't have a clue what it does exactly, but it did work…



  • Figured it out! So apparently within the Squid Allowed ports, despite the Squid configuration page stating:

    This is a space-separated list of "safe ports" in addition to the already defined list: 21 70 80 210 280 443 488 563 591 631 777 901 1025-65535

    I had to make the following modifications:

    acl safeports: 21-65535
    acl sslports: 443 563 995

    All good  :o
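The port-ACL behaviour behind that fix, as an added example (not code from this thread or from pfSense): a small Python model of Squid's stock Safe_ports / SSL_ports rules, evaluated against the default list quoted in the post and against the widened lists. The default SSL port list of 443 and 563 is an assumption; stock squid.conf ships only 443.

```python
"""Model Squid's default port ACLs to see which destination ports get refused.

Added example, not from the forum thread or pfSense. It models the standard
squid.conf rules:

    acl SSL_ports  port 443 563            # assumed; stock squid.conf has 443
    acl Safe_ports port 21 70 80 210 280 443 488 563 591 631 777 901 1025-65535
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports

Rule order matters: a CONNECT to port 995 fails Safe_ports first, which is
why both lists had to change in the thread, not just the SSL list.
"""
from __future__ import annotations

# Default list as quoted on the pfSense Squid configuration page.
DEFAULT_SAFE_PORTS = "21 70 80 210 280 443 488 563 591 631 777 901 1025-65535"
# Assumed default; stock squid.conf lists only 443.
DEFAULT_SSL_PORTS = "443 563"


def parse_ports(spec: str) -> list[tuple[int, int]]:
    """Parse a space-separated 'acl ... port' value into (low, high) ranges."""
    ranges = []
    for tok in spec.split():
        lo, _, hi = tok.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not (1 <= lo_i <= hi_i <= 65535):
            raise ValueError(f"bad port spec: {tok}")
        ranges.append((lo_i, hi_i))
    return ranges


def port_matches(port: int, ranges: list[tuple[int, int]]) -> bool:
    return any(lo <= port <= hi for lo, hi in ranges)


def decide(method: str, port: int,
           safe_spec: str = DEFAULT_SAFE_PORTS,
           ssl_spec: str = DEFAULT_SSL_PORTS) -> str:
    """Return 'allow' or the http_access rule that denies the request."""
    if not port_matches(port, parse_ports(safe_spec)):
        return "deny !Safe_ports"
    if method.upper() == "CONNECT" and not port_matches(port, parse_ports(ssl_spec)):
        return "deny CONNECT !SSL_ports"
    return "allow"
```

Widening Safe_ports to 21-65535 also admits ports such as 25 that the stock list deliberately leaves out, so adding only the specific ports a site actually needs keeps the proxy closer to its default posture.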