Dansguardian with transparent pfSense

  • I've scoured the forums looking for an answer to my problem, but everything I've found has said my setup should work.

    I have pfSense set up and working in transparent mode (WAN, LAN, and BRIDGE). I have squid and dansguardian installed.

    I've tried every combination of listening interfaces I can think of for squid and dansguardian, but I can't get it to work transparently. Currently, I have this:

    dansguardian -> WAN (, proxy (explicitly filled in)

    squid -> loopback

    When I configure the client to proxy to I do get filtering via dansguardian. When I try to create a NAT port forward to do this transparently I can't get any HTTP traffic to pass. Here's my current NAT port forward rule:

    If         - LAN
    Proto      - TCP
    Src. addr  - *
    Src. ports - *
    Dest. addr - *
    Dest. ports - 80
    NAT IP     -
    NAT Ports  - 8080

    So, I want to forward all traffic from the LAN destined for port 80 to (the WAN IP, where dansguardian is currently listening).

    I've read in several places that in order to get this to work I should have Dansguardian listening on the LAN, and have squid on the loopback. When you're using the Bridge the LAN doesn't have an IP address, so I can't create a port forwarding rule that points to the LAN.

    Maybe it's not possible with a transparent (bridged) setup, but it seems like other folks have gotten it to work. I have to think I'm missing a step somewhere. Any ideas?



  • Dans should be on the LAN interface… not the WAN.

    What do you mean that the bridge doesn't have an IP? What address is the pfSense Web GUI on?

  • Sorry, should have had more detail in the first post. Here's the setup:

    WAN - DHCP (just for testing)
    LAN - IPv4 and IPv6 types set to none (That's as per the Transparent Firewall/Filtering Bridge document)
    Bridge - Contains WAN and LAN interfaces. IPv4 and IPv6 types set to none (as above)

    So, the webgui is on the WAN ip of

    With the LAN not having an IP in this scenario, maybe it's not possible to set up dansguardian the way I want?

  • remove the bridge..

    WAN should be connected to your ISP.

    Set an IP address for the LAN… set up the NAT rule for the LAN interface

    dans upstream to proxy via loopback is fine, this is what I do today

    I can take a look at how to set up your bridge. I assume you have two NICs bridged that should be on the same subnet and serving up DHCP, etc. for the LAN? Someone else may be able to chime in and tell you off the top of their head…

    Regardless... as Cino pointed out... your current config is wrong. The WAN should connect to the ISP (most likely getting its IP via DHCP from your ISP). The webgui should run on the LAN and Dans should listen on the LAN.

  • Cino,

    I want to apply this filtering to only a segment of my network. I also don't want to make any configuration changes to the affected clients. DHCP, etc. will be served by other devices on the WAN side of pfSense. Those requirements seem to necessitate using pfSense in a transparent setup.

    If I understand correctly (which I clearly may not), and I remove the bridge I will no longer be using pfSense transparently. That would mean I'd need to make changes to the clients to use the pfSense box as their gateway.

    So, can I use dansguardian with pfsense and still keep pfsense transparent? If not, that's fine, I'll just have to go back to the drawing board and figure something else out.


  • rjcrowder,

    Yeah, I want this to sit on one segment of the network and not need any client changes to work. Both the WAN and LAN sides will be on a 10.1.1.x network. On a lark, I did try giving the LAN a 10.1.1.x address and tried setting up the NAT port forwarding to point there, but still no luck. Nothing gets served back to the client machine.


  • On most tests I did, bridge is not the best setup for packages. If you use it only as a firewall, try to create a forward rule to send http traffic to a third gateway/machine with dansguardian and squid.

    clients ---> pfsense bridge ---> lan --->
                                               |---> second pfsense as a server with dansguardian and nat rule to transparent proxy.

    Remember that a lot of sites today use https, so this setup will not work for them.

