Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    PfSense 2.2: Squid 3.4.10_2 pkg 0.2.6 redirection not working in transparent mode

    Cache/Proxy
    9
    49
    11043
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      Steve Evans last edited by

      This is a follow-on from THIS thread. I've overcome the hurdles highlighted there with respect to the /tmp/rules.test.packages syntax error, so I thought I'd best start a more focussed thread.

      If I enable tranparency mode on my LAN (on interface msk2) the only difference I see in the output of

      pfctl -s rules -s nat
      

      is the addition of

      rdr on msk2 inet proto tcp from any to ! (msk2) port = http -> 127.0.0.1 port 3128
      

      which appears correct.

      I have a firewall rule setup to allow outbound traffic from my LAN on port 3128 on which I've enabled logging for the moment.

      If I manually enable the proxy on my laptop (MacBook Pro if that's of relevance) and access a webpage I see the following in my firewall log and the accesses are recorded in /var/log/squid/access.log.

      If I turn on the transparent proxy and attempt to access the same webpage, the redirected access is logged as shown, but nothing appears in the squid access log, and the browser hangs.

      Why might this be?

      Thanks,

      Steve




      1 Reply Last reply Reply Quote 0
      • S
        Steve Evans last edited by

        The notable thing about the screenshots above is that in transparent mode the request is forwarded to the loopback interface. Squid is not listening on that interface when not in transparent mode.

        : netstat -an | grep LISTEN | grep 3128
        tcp4       0      0 10.5.1.1.3128          *.*                    LISTEN
        

        However in transparent mode it starts listening on loopback.

        : netstat -an | grep LISTEN | grep 3128
        tcp4       0      0 127.0.0.1.3128         *.*                    LISTEN
        tcp4       0      0 10.5.1.1.3128          *.*                    LISTEN
        

        Why then is nothing being logged?

        Steve

        1 Reply Last reply Reply Quote 0
        • marcelloc
          marcelloc last edited by

          Logged on  squid or system logs?

          If you have enabled logs,  the default dir is /var/squid/logs  instead of  /var/log/squid.

          1 Reply Last reply Reply Quote 0
          • S
            Steve Evans last edited by

            Squid logs. I changed the default logging directory some time ago (under 2.1) as all the other pfSense logs are under /var/logs. I'll switch it back in case that makes a difference.

            When accessing the proxy direct I see the expected per access entries in access.log.

            Steve

            1 Reply Last reply Reply Quote 0
            • S
              Steve Evans last edited by

              Regardless of logging path, using squid direct I see logging, such as

              : tail /var/squid/logs/access.log
              1422370314.239     61 10.5.1.144 TCP_MISS/200 681 GET http://stat.flashtalking.com/reportV3/ft.stat? - HIER_DIRECT/172.224.35.210 text/plain
              1422370314.284     16 10.5.1.144 TCP_MISS/304 360 GET http://cdn.flashtalking.com/38651/O2UKL0861C_JanSale_samsung_300x250.swf - HIER_DIRECT/172.224.35.210 application/x-shockwave-flash
              1422370314.293     16 10.5.1.144 TCP_MISS/304 360 GET http://cdn.flashtalking.com/38651/O2UKL0861C_JanSale_samsung_728x90.swf - HIER_DIRECT/172.224.35.210 application/x-shockwave-flash
              1422370314.296    223 10.5.1.144 TCP_MISS/200 1056 GET http://a.dpmsrv.com/dpmpxl/index.php? - HIER_DIRECT/107.23.105.222 text/javascript
              1422370314.696     24 10.5.1.144 TCP_MISS/200 631 GET http://pagead2.googlesyndication.com/activeview? - HIER_DIRECT/64.233.167.154 image/gif
              1422370315.170     49 10.5.1.144 TCP_MISS/302 939 GET http://ib.adnxs.com/seg? - HIER_DIRECT/37.252.163.24 text/html
              1422370315.215     94 10.5.1.144 TCP_MISS/200 971 GET http://a.dpmsrv.com/dpmpxl/index.php? - HIER_DIRECT/107.23.105.222 text/javascript
              1422370315.239     64 10.5.1.144 TCP_MISS/302 965 GET http://ib.adnxs.com/bounce? - HIER_DIRECT/37.252.163.24 text/html
              1422370315.370    243 10.5.1.144 TCP_MISS/200 674 GET http://rtd.tubemogul.com/upi/? - HIER_DIRECT/107.21.248.242 image/png
              1422370316.718     48 10.5.1.144 TCP_MISS/200 358 GET http://dt.adsafeprotected.com/dt? - HIER_DIRECT/69.172.216.111 image/gif
              

              But with transparent mode, nothing.

              Thanks,

              Steve

              1 Reply Last reply Reply Quote 0
              • S
                Steve Evans last edited by

                Not sure if it's relevant, but I'd noted the following in cache.log.

                2015/01/27 15:17:02 kid1| Starting Squid Cache version 3.4.10 for i386-portbld-freebsd10.1...
                2015/01/27 15:17:02| pinger: Initialising ICMP pinger ...
                2015/01/27 15:17:02|  icmp_sock: (1) Operation not permitted
                2015/01/27 15:17:02| pinger: Unable to start ICMP pinger.
                2015/01/27 15:17:02|  icmp_sock: (1) Operation not permitted
                2015/01/27 15:17:02| pinger: Unable to start ICMPv6 pinger.
                2015/01/27 15:17:02| FATAL: pinger: Unable to open any ICMP sockets.
                2015/01/27 15:17:04 kid1| Starting Squid Cache version 3.4.10 for i386-portbld-freebsd10.1...
                2015/01/27 15:17:05| pinger: Initialising ICMP pinger ...
                2015/01/27 15:17:05|  icmp_sock: (1) Operation not permitted
                2015/01/27 15:17:05| pinger: Unable to start ICMP pinger.
                2015/01/27 15:17:05|  icmp_sock: (1) Operation not permitted
                2015/01/27 15:17:05| pinger: Unable to start ICMPv6 pinger.
                2015/01/27 15:17:05| FATAL: pinger: Unable to open any ICMP sockets.
                

                Not sure why this should be so I'd enabled the Disable ICMP option on the General settings tab which then gives a clean start thus.

                2015/01/27 15:21:09 kid1| Starting Squid Cache version 3.4.10 for i386-portbld-freebsd10.1...
                2015/01/27 15:21:11 kid1| Starting Squid Cache version 3.4.10 for i386-portbld-freebsd10.1...
                

                Steve

                1 Reply Last reply Reply Quote 0
                • S
                  Steve Evans last edited by

                  It's not too clear what happening from a browser perspective, but using telnet may be a little more informative.

                  From my laptop

                  $ telnet news.bbc.co.uk 80
                  Trying 212.58.244.56...
                  
                  

                  and then nothing.

                  Whereas

                  $ telnet pfsense 3128
                  Trying 10.5.1.1...
                  Connected to pfsense.
                  Escape character is '^]'.
                  

                  clearly connects.

                  Trying the connection locally from the pfSense console

                  : telnet 127.0.0.1 3128
                  Trying 127.0.0.1...
                  Connected to localhost.
                  Escape character is '^]'.
                  

                  works.

                  This suggests that the redirection is not working, or at least squid is not accepting redirected connections.

                  This is making me think that the redirected request may not even be reaching squid. I've tried adding a pass all rule to the firewall, but this had no effect. As mentioned before I see the firewall logging TCP packets being passed on port 3128 so I'm somewhat confused.

                  Steve

                  1 Reply Last reply Reply Quote 0
                  • S
                    Steve Evans last edited by

                    I note the following applicable rule even if I disable my explicit rule such that I see the firewall log blocking access to 127.0.0.1:3128.

                    : pfctl -s rules | grep 3128
                    pass in quick on msk2 proto tcp from any to ! (msk2) port = 3128 flags S/SA keep state
                    
                    

                    I this state I see, from my laptop, immediate refused connections thus.

                    $ telnet news.bbc.co.uk 80
                    Trying 212.58.244.56...
                    telnet: connect to address 212.58.244.56: Connection refused
                    Trying 212.58.244.57...
                    telnet: connect to address 212.58.244.57: Connection refused
                    telnet: Unable to connect to remote host
                    

                    If I re-enable my explicit rule such that the firewall logs the packet being passed, I see the following rules.

                    : pfctl -s rules | grep 3128
                    pass in log quick on msk2 inet proto tcp from any to any port = 3128 flags S/SA keep state label "USER_RULE: Squid Proxy"
                    pass in log quick on msk2 inet6 proto tcp from any to any port = 3128 flags S/SA keep state label "USER_RULE: Squid Proxy"
                    pass in quick on msk2 proto tcp from any to ! (msk2) port = 3128 flags S/SA keep state
                    
                    

                    Then the firewall logs a packet passed, but telnet hangs as per my previous post.

                    If I disable transparency mode I see that the extra rule is no longer there.

                    : pfctl -s rules | grep 3128
                    pass in log quick on msk2 inet proto tcp from any to any port = 3128 flags S/SA keep state label "USER_RULE: Squid Proxy"
                    pass in log quick on msk2 inet6 proto tcp from any to any port = 3128 flags S/SA keep state label "USER_RULE: Squid Proxy"
                    
                    

                    Is this extra rule somehow broken?

                    Steve

                    1 Reply Last reply Reply Quote 0
                    • marcelloc
                      marcelloc last edited by

                      Did you selected lan on transparent interface?

                      if you execute grep 3128 /tmp/rules.debug you should see two rules, one for redirect and other to allow traffic.

                      rdr on em1 proto tcp from any to !(em1) port 80 -> 127.0.0.1 port 3128
                      pass in quick on em1 proto tcp from any to !(em1) port {80,3128} flags S/SA keep state
                      
                      1 Reply Last reply Reply Quote 0
                      • S
                        Steve Evans last edited by

                        Hi Marcelloc,

                        Your assistance with this is much appreciated.

                        Yes, LAN is selected as shown below. Note that SkyPlus is an alias for my Sky+ box which historically has refused to work with VOD services if proxied. It's presence in the config makes no difference.

                        I see the following

                        : grep 3128 /tmp/rules.debug
                        SquidProxy = "{   3128 }"
                        rdr on msk2 proto tcp from any to !(msk2) port 80 -> 127.0.0.1 port 3128
                        pass in quick on msk2 proto tcp from any to !(msk2) port {80,3128} flags S/SA keep state
                        
                        

                        Should I need to define a rule to allow LAN access to port 3128? It looks like the above should cover it, but this alone results in blocked packets.

                        Thanks,

                        Steve


                        1 Reply Last reply Reply Quote 0
                        • S
                          Steve Evans last edited by

                          OK, so I just found the following in /tmp/rules.debug, between my rule for port 3128 and the one added by squid.

                          block return  in log  quick  on $LAN inet from any to any tracker 1422139962  label "USER_RULE: IPv4 block"
                          

                          As I block all traffic by default and only allow out what's explicitly permitted, and the squid rule is simply being appended to the ruleset, this makes sense now.

                          I'll try amending my rule to be an exact match and report back.

                          Steve

                          1 Reply Last reply Reply Quote 0
                          • S
                            Steve Evans last edited by

                            So, due to my use of aliases my rule did show up with your grep.

                            : grep SquidProxy /tmp/rules.debug
                            SquidProxy = "{   3128 }"
                            pass  in log  quick  on $LAN inet proto tcp  from any to any port $SquidProxy tracker 1422139913 flags S/SA keep state  label "USER_RULE: Squid Proxy"
                            

                            I realise my rules for proxy access were too weak as they would have allowed somebody on my network to use alternate proxy, so I've modified my rules thus, but this hasn't fixed transparency mode.  :(

                            pass  in log  quick  on $LAN inet proto tcp  from any to $pfSense port $SquidProxy tracker 1422139913 flags S/SA keep state  label "USER_RULE: Squid Proxy"
                            pass  in log  quick  on $LAN inet proto tcp  from any to (self) port $SquidProxy tracker 1422382055 flags S/SA keep state  label "USER_RULE: Squid Proxy loopback"
                            

                            Thanks,

                            Steve

                            1 Reply Last reply Reply Quote 0
                            • marcelloc
                              marcelloc last edited by

                              Include 127.0.0.1 on your 3128 rule too.

                              1 Reply Last reply Reply Quote 0
                              • S
                                Steve Evans last edited by

                                Is that not the same as self?

                                Steve

                                1 Reply Last reply Reply Quote 0
                                • marcelloc
                                  marcelloc last edited by

                                  @Steve:

                                  Is that not the same as self?

                                  I don't know if is lan ip or any local ip (including lo0)

                                  1 Reply Last reply Reply Quote 0
                                  • S
                                    Steve Evans last edited by

                                    Changed rules to

                                    : grep SquidProxy /tmp/rules.debug
                                    SquidProxy = "{   3128 }"
                                    pass  in log  quick  on $LAN inet proto tcp  from any to $pfSense port $SquidProxy tracker 1422139913 flags S/SA keep state  label "USER_RULE: Squid Proxy"
                                    pass  in log  quick  on $LAN inet proto tcp  from any to 127.0.0.1 port $SquidProxy tracker 1422382055 flags S/SA keep state  label "USER_RULE: Squid Proxy loopback"
                                    
                                    

                                    No improvement.

                                    Steve

                                    1 Reply Last reply Reply Quote 0
                                    • S
                                      Steve Evans last edited by

                                      To prove the point that the redirected transparent connection is not getting through to squid, I stopped the squid process and then ran the following on the pfSense console.

                                      : nc -l 3128
                                      

                                      I then telnetted to pfsense from my laptop and a connection was established and characters passed.

                                      $ telnet 10.5.1.1 3128
                                      Trying 10.5.1.1...
                                      Connected to pfsense.scevans.com.
                                      Escape character is '^]'.
                                      hello
                                      
                                      : nc -Dl 3128
                                      hello
                                      

                                      I repeated trying to telnet to port 80 on news.bbc.co.uk which should have been directed by the redirect, and no connection was made.

                                      Steve

                                      1 Reply Last reply Reply Quote 0
                                      • S
                                        Steve Evans last edited by

                                        I've now turn off transparent mode and then added a NAT rule.

                                        This appears in /tmp/rules.debug thus.

                                        rdr on msk2 proto tcp from any to !10.5.1.0/24 port 80 -> 10.5.1.1 port 3128
                                        

                                        I see the resulting packet to port 3128 being passed by the firewall in the logs on an attempt to access an external host on port 80 from LAN.

                                        With squid stopped and running

                                        nc -vl 3128
                                        

                                        instead on the pfSense console this connection attempt is not seen.

                                        Contacting pfSense directly from the LAN on port 3128 does get through.

                                        Clearly the HTTP request gets redirected to port 3128, makes it through the firewall, but then gets lost.

                                        I'm stumped.

                                        Steve


                                        1 Reply Last reply Reply Quote 0
                                        • marcelloc
                                          marcelloc last edited by

                                          May be not related to the issue but do you have pfsense gui redirect enabled under system -> advanced?

                                          All my testes were on pfsense 2.2 amd64, no cf or nanobsd.

                                          What 2.2 version are you using?

                                          1 Reply Last reply Reply Quote 0
                                          • S
                                            Steve Evans last edited by

                                            I have the Disable webConfigurator redirect rule checkbox ticked as I have WPAD running on port 80 using the vHosts web server. Unfortunately iPhones etc don't use WPAD so I need transparency mode, but I've left it turned on for now.

                                            I'm using the recent full 2.2 release.

                                            I've just tried putting a pass all rule at the start of my LAN rules to see if that would fix any firewall issue, but it did no good.

                                            Steve

                                            1 Reply Last reply Reply Quote 0
                                            • marcelloc
                                              marcelloc last edited by

                                              2.2 amd64?

                                              1 Reply Last reply Reply Quote 0
                                              • S
                                                Steve Evans last edited by

                                                : uname -a
                                                FreeBSD pfsense.scevans.com 10.1-RELEASE-p4 FreeBSD 10.1-RELEASE-p4 #0 36d7dec(releng/10.1)-dirty: Thu Jan 22 15:19:32 CST 2015     root@pfsense-22-i386-builder:/usr/obj.i386/usr/pfSensesrc/src/sys/pfSense_wrap.10.i386  i386
                                                : cat /etc/version
                                                2.2-RELEASE
                                                
                                                

                                                I've just rebooted the firewall with all pf rules reverted to those in /conf.default/config.xml. This should eliminate any firewall rule peculiarities. I'll let you know how that works once it's up.

                                                Thanks,

                                                Steve

                                                1 Reply Last reply Reply Quote 0
                                                • marcelloc
                                                  marcelloc last edited by

                                                  I have two users on portuguese forum with same version 2.2-RELEASE-i386 and same issue.

                                                  Maybe it's related to squid pbi package compilation under i386 system.

                                                  1 Reply Last reply Reply Quote 0
                                                  • S
                                                    Steve Evans last edited by

                                                    Interesting.

                                                    Given that I see the lack of redirection with nc as well as squid I'm inclined to think this may not be an issue with squid at all, but rather with pf. That'd be quite a fundamental problem for pfSense!

                                                    I made THIS post in the Firewalling forum to see if that provides any insight. For now I'm going to see if a minimal pf configuration helps.

                                                    Thanks,

                                                    Steve

                                                    1 Reply Last reply Reply Quote 0
                                                    • S
                                                      Steve Evans last edited by

                                                      With the default firewall rules, squid is still not working in transparent mode.

                                                      As you're seeing multiple reports of this, could you please raise a bug report that captures the collective experience.

                                                      Thanks,

                                                      Steve

                                                      1 Reply Last reply Reply Quote 0
                                                      • marcelloc
                                                        marcelloc last edited by

                                                        @Steve:

                                                        With the default firewall rules, squid is still not working in transparent mode.

                                                        As you're seeing multiple reports of this, could you please raise a bug report that captures the collective experience.

                                                        Thanks,

                                                        Steve

                                                        I'll need to create an i386 virtual machine to get same problem. On all my labs, transparent proxy is working fine.

                                                        1 Reply Last reply Reply Quote 0
                                                        • S
                                                          Steve Evans last edited by

                                                          OK, thanks.

                                                          I thought the following might be of use to confirm the squid configuration I have installed.

                                                          : squid -v
                                                          Squid Cache: Version 3.4.10
                                                          configure options:  '--with-default-user=squid' '--bindir=/usr/local/sbin' '--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid' '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid/squid.pid' '--with-swapdir=/var/squid/cache' '--enable-auth' '--enable-build-info' '--enable-loadable-modules' '--enable-removal-policies=lru heap' '--disable-epoll' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-translation' '--disable-arch-native' '--enable-eui' '--enable-cache-digests' '--enable-delay-pools' '--enable-ecap' '--disable-esi' '--enable-follow-x-forwarded-for' '--enable-htcp' '--enable-icap-client' '--enable-icmp' '--enable-ident-lookups' '--enable-ipv6' '--enable-kqueue' '--with-large-files' '--enable-http-violations' '--without-nettle' '--enable-snmp' '--enable-ssl' '--enable-ssl-crtd' '--disable-stacktraces' '--disable-ipf-transparent' '--disable-ipfw-transparent' '--enable-pf-transparent' '--with-nat-devpf' '--disable-forw-via-db' '--enable-wccp' '--enable-wccpv2' '--enable-auth-basic=DB MSNT MSNT-multi-domain NCSA PAM POP3 RADIUS fake getpwnam LDAP NIS' '--enable-auth-digest=file' '--enable-external-acl-helpers=file_userip time_quota unix_group LDAP_group' '--enable-auth-negotiate=kerberos wrapper' '--enable-auth-ntlm=fake smb_lm' '--enable-storeio=ufs aufs diskd' '--enable-disk-io=AIO Blocking IpcIo Mmapped DiskThreads DiskDaemon' '--enable-log-daemon-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-storeid-rewrite-helpers=file' '--with-openssl=/usr' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=i386-portbld-freebsd10.1' 'build_alias=i386-portbld-freebsd10.1' 'CC=cc' 'CFLAGS=-O2 -pipe  -I/usr/local/include -I/usr/local/include -I/usr/include -fstack-protector -DLDAP_DEPRECATED -fno-strict-aliasing' 'LDFLAGS= -L/usr/local/lib -L/usr/local/lib -pthread -Wl,-rpath,/usr/lib:/usr/local/lib -L/usr/lib -fstack-protector' 'LIBS=' 'CPPFLAGS=' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -I/usr/local/include -I/usr/local/include -I/usr/include -fstack-protector -DLDAP_DEPRECATED -fno-strict-aliasing  -Wno-unused-private-field' 'CPP=cpp' 'PKG_CONFIG=pkgconf' --enable-ltdl-convenience
                                                          

                                                          Steve

                                                          1 Reply Last reply Reply Quote 0
                                                          • S
                                                            Steve Evans last edited by

                                                            Now here's an oddity. There are two squid binaries installed. Potential for inconsistencies here…

                                                            : which squid
                                                            /usr/local/sbin/squid
                                                            : /usr/local/sbin/squid -v 
                                                            Squid Cache: Version 3.4.10
                                                            configure options:  '--with-default-user=squid' '--bindir=/usr/local/sbin' '--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid' '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid/squid.pid' '--with-swapdir=/var/squid/cache' '--enable-auth' '--enable-build-info' '--enable-loadable-modules' '--enable-removal-policies=lru heap' '--disable-epoll' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-translation' '--disable-arch-native' '--enable-eui' '--enable-cache-digests' '--enable-delay-pools' '--enable-ecap' '--disable-esi' '--enable-follow-x-forwarded-for' '--enable-htcp' '--enable-icap-client' '--enable-icmp' '--enable-ident-lookups' '--enable-ipv6' '--enable-kqueue' '--with-large-files' '--enable-http-violations' '--without-nettle' '--enable-snmp' '--enable-ssl' '--enable-ssl-crtd' '--disable-stacktraces' '--disable-ipf-transparent' '--disable-ipfw-transparent' '--enable-pf-transparent' '--with-nat-devpf' '--disable-forw-via-db' '--enable-wccp' '--enable-wccpv2' '--enable-auth-basic=DB MSNT MSNT-multi-domain NCSA PAM POP3 RADIUS fake getpwnam LDAP NIS' '--enable-auth-digest=file' '--enable-external-acl-helpers=file_userip time_quota unix_group LDAP_group' '--enable-auth-negotiate=kerberos wrapper' '--enable-auth-ntlm=fake smb_lm' '--enable-storeio=ufs aufs diskd' '--enable-disk-io=AIO Blocking IpcIo Mmapped DiskThreads DiskDaemon' '--enable-log-daemon-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-storeid-rewrite-helpers=file' '--with-openssl=/usr' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=i386-portbld-freebsd10.1' 'build_alias=i386-portbld-freebsd10.1' 'CC=cc' 'CFLAGS=-O2 -pipe  -I/usr/local/include -I/usr/local/include -I/usr/include -fstack-protector -DLDAP_DEPRECATED -fno-strict-aliasing' 'LDFLAGS= -L/usr/local/lib -L/usr/local/lib -pthread -Wl,-rpath,/usr/lib:/usr/local/lib -L/usr/lib -fstack-protector' 'LIBS=' 'CPPFLAGS=' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -I/usr/local/include -I/usr/local/include -I/usr/include -fstack-protector -DLDAP_DEPRECATED -fno-strict-aliasing  -Wno-unused-private-field' 'CPP=cpp' 'PKG_CONFIG=pkgconf' --enable-ltdl-convenience
                                                            : /usr/pbi/squid-i386/local/sbin/squid -v
                                                            Shared object "libmd5.so.0" not found, required by "squid"
                                                            

                                                            Steve

                                                            1 Reply Last reply Reply Quote 0
                                                            • marcelloc
                                                              marcelloc last edited by

                                                              @Steve:

                                                              Now here's an oddity.

                                                              This is one of pbi behaviors. same binary, different folder, different results. (Imagine get all it working together :))

                                                              And here is the confirmation that pbi build on i386 is outdated

                                                              '--disable-ipf-transparent' '--disable-ipfw-transparent'
                                                              

                                                              Go to amd64 and it will work  :)

                                                              Thanks for your feedback

                                                              1 Reply Last reply Reply Quote 0
                                                              • S
                                                                Steve Evans last edited by

                                                                Hi Marcelloc,

                                                                As I'm running on a Pentium-M on a Watchguard Firebox x750e I'm afraid that I'm constrained somewhat to only running 32 bit. That said, one of the great things about pfSense is it's a great application to run on older hardware, so thanks for keeping the i386 version alive!

                                                                How soon might a package update for i386 be forthcoming would you guess?

                                                                Thanks again,

                                                                Steve

                                                                1 Reply Last reply Reply Quote 0
                                                                • marcelloc
                                                                  marcelloc last edited by

                                                                  Just wait core team to compile it again. The compile args were fixed few weeks ago but only amd64 was rebuild.

                                                                  1 Reply Last reply Reply Quote 0
                                                                  • G
                                                                    georgio777 last edited by

                                                                    @marcelloc:

                                                                    Just wait core team to compile it again. The compile args were fixed few weeks ago but only amd64 was rebuild.

                                                                    I am running 2.2-RELEASE (amd64) and transparent mode isn't working either.

                                                                    1 Reply Last reply Reply Quote 0
                                                                    • marcelloc
                                                                      marcelloc last edited by

                                                                      @georgio777:

                                                                      I am running 2.2-RELEASE (amd64) and transparent mode isn't working either.

                                                                      Check package config again, it's working on my setup and on my labs.

                                                                      1 Reply Last reply Reply Quote 0
                                                                      • G
                                                                        georgio777 last edited by

                                                                        @marcelloc:

                                                                        @georgio777:

                                                                        I am running 2.2-RELEASE (amd64) and transparent mode isn't working either.

                                                                        Check package config again, it's working on my setup and on my labs.

                                                                        Not sure what's wrong, I am getting the following errors on the system/squid logs.

                                                                        Squid log:

                                                                        2015/01/27 13:35:16 kid1| Starting Squid Cache version 3.4.10 for amd64-portbld-freebsd10.1...
                                                                        2015/01/27 13:35:17 kid1| sendto FD 24: (1) Operation not permitted
                                                                        2015/01/27 13:35:17 kid1| ipcCreate: CHILD: hello write test failed
                                                                        2015/01/27 13:44:36 kid1| Starting Squid Cache version 3.4.10 for amd64-portbld-freebsd10.1...
                                                                        2015/01/27 13:44:36 kid1| sendto FD 24: (1) Operation not permitted
                                                                        2015/01/27 13:44:36 kid1| ipcCreate: CHILD: hello write test failed
                                                                        2015/01/27 13:54:48 kid1| Starting Squid Cache version 3.4.10 for amd64-portbld-freebsd10.1...
                                                                        2015/01/27 13:54:48 kid1| sendto FD 24: (1) Operation not permitted
                                                                        2015/01/27 13:54:48 kid1| ipcCreate: CHILD: hello write test failed
                                                                        2015/01/27 13:56:10 kid1| Starting Squid Cache version 3.4.10 for amd64-portbld-freebsd10.1...
                                                                        2015/01/27 13:56:10 kid1| sendto FD 24: (1) Operation not permitted
                                                                        2015/01/27 13:56:10 kid1| ipcCreate: CHILD: hello write test failed
                                                                        2015/01/29 13:57:45 kid1| Starting Squid Cache version 3.4.10 for amd64-portbld-freebsd10.1...
                                                                        2015/01/29 13:57:45 kid1| sendto FD 24: (1) Operation not permitted
                                                                        2015/01/29 13:57:45 kid1| ipcCreate: CHILD: hello write test failed
                                                                        2015/01/29 14:08:07 kid1| Starting Squid Cache version 3.4.10 for amd64-portbld-freebsd10.1...
                                                                        2015/01/29 14:08:08 kid1| sendto FD 24: (1) Operation not permitted
                                                                        2015/01/29 14:08:08 kid1| ipcCreate: CHILD: hello write test failed
                                                                        2015/01/29 14:17:08 kid1| Starting Squid Cache version 3.4.10 for amd64-portbld-freebsd10.1...
                                                                        2015/01/29 14:17:08 kid1| sendto FD 24: (1) Operation not permitted
                                                                        2015/01/29 14:17:08 kid1| ipcCreate: CHILD: hello write test failed
                                                                        

                                                                        System log:

                                                                        Jan 29 12:32:00 pfsense php-fpm[86134]: /rc.filter_configure_sync: The command '/sbin/pfctl -nf /tmp/rules.test.packages' returned exit code '1', the output was '/tmp/rules.test.packages:37: syntax error /tmp/rules.test.packages:38: syntax error /tmp/rules.test.packages:39: syntax error /tmp/rules.test.packages:40: syntax error' 
                                                                        Jan 29 12:32:00 pfsense php-fpm[86134]: /rc.filter_configure_sync: There was an error while parsing the package filter rules for /usr/local/pkg/squid.inc.
                                                                        Jan 29 12:32:03 pfsense php-fpm[86134]: /rc.filter_configure_sync: The command '/sbin/pfctl -nf /tmp/rules.test.packages' returned exit code '1', the output was '/tmp/rules.test.packages:36: syntax error' 
                                                                        Jan 29 12:32:03 pfsense php-fpm[86134]: /rc.filter_configure_sync: There was an error while parsing the package filter rules for /usr/local/pkg/squid.inc.
                                                                        

                                                                        Hope you can help.

                                                                        Thanks.

                                                                        1 Reply Last reply Reply Quote 0
                                                                        • marcelloc
                                                                          marcelloc last edited by

                                                                          Problably you've enabled transparent mode but did not selected any interface for interception.

                                                                          1 Reply Last reply Reply Quote 0
                                                                          • S
                                                                            Steve Evans last edited by

                                                                            @marcelloc:

                                                                            @georgio777:

                                                                            I am running 2.2-RELEASE (amd64) and transparent mode isn't working either.

                                                                            Check package config again, it's working on my setup and on my labs.

                                                                            Could you please confirm that my experiment using nc works in your setup. This will help determine if the issue is with squid or the firewall.

                                                                            Thanks,

                                                                            Steve

                                                                            1 Reply Last reply Reply Quote 0
                                                                            • S
                                                                              Steve Evans last edited by

                                                                              @georgio777:

                                                                              @marcelloc:

                                                                              Just wait core team to compile it again. The compile args were fixed few weeks ago but only amd64 was rebuild.

                                                                              I am running 2.2-RELEASE (amd64) and transparent mode isn't working either.

                                                                              Hi Marcelloc,

                                                                              Any idea when the new package might be available?

                                                                              Thanks,

                                                                              Steve

                                                                              1 Reply Last reply Reply Quote 0
                                                                              • marcelloc
                                                                                marcelloc last edited by

                                                                                No. I'll ping Renato again and ask for a update to 3.4.11

                                                                                1 Reply Last reply Reply Quote 0
                                                                                • S
                                                                                  Steve Evans last edited by

                                                                                  Thank you.

                                                                                  Steve

                                                                                  1 Reply Last reply Reply Quote 0
                                                                                  • E
                                                                                    eqx last edited by

                                                                                    @Steve:

                                                                                    Thank you.
                                                                                    Steve

                                                                                    Bump for i386 build:)

                                                                                    I'm also on a i386 box and i wonder if i should go with squid or squid3 ? i've had squid running under other circumstances, but not with pfSense on i386. Im already running pfBlockerNG with several alias lists, and i'd want squid/squid3 to not work for sites that are blocked there, obviously. Does squid3 transparent proxies 'bypass' the pfBlockerNG rules, or are the rules applied before the traffic even reaches it?

                                                                                    I think SquidGuard rule administering are a lot harder than in pfBlocker so i'd prefer to keep all the rules management there and have squid3 only do transparent proxying for the sites that pass the firewall.

                                                                                    1 Reply Last reply Reply Quote 0
                                                                                    • First post
                                                                                      Last post

                                                                                    Products

                                                                                    • Platform Overview
                                                                                    • TNSR
                                                                                    • pfSense Plus
                                                                                    • Appliances

                                                                                    Services

                                                                                    • Training
                                                                                    • Professional Services

                                                                                    Support

                                                                                    • Subscription Plans
                                                                                    • Contact Support
                                                                                    • Product Lifecycle
                                                                                    • Documentation

                                                                                    News

                                                                                    • Media Coverage
                                                                                    • Press
                                                                                    • Events

                                                                                    Resources

                                                                                    • Blog
                                                                                    • FAQ
                                                                                    • Find a Partner
                                                                                    • Resource Library
                                                                                    • Security Information

                                                                                    Company

                                                                                    • About Us
                                                                                    • Careers
                                                                                    • Partners
                                                                                    • Contact Us
                                                                                    • Legal
                                                                                    Our Mission

                                                                                    We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

                                                                                    Subscribe to our Newsletter

                                                                                    Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

                                                                                    © 2021 Rubicon Communications, LLC | Privacy Policy