Pfsense Squid wpad https mitm



  • Hi all, I am trying to set up Squid as an HTTPS MITM. I followed these instructions: http://irj972.co.uk/articles/pfSense-WPAD-PAC-configuration. When I point the browser at the proxy manually I am asked for the certificate confirmation; on auto-discovery, nothing. Also, nslookup wpad.pfsense.test gives the IP, but "server can't find wpad.pfsense.test: NXDOMAIN", and I am stuck. Any help will be highly appreciated.



  • Hi,

    Even I'm stuck at a similar issue… If I give the WPAD URL manually in a browser and disable the rule that blocks port 80, it works fine.
    If I enable the rule and set the browser to auto-discovery, it doesn't work............. Can someone help?

    Attached is the LAN rule that blocks port 80 connections.

    Regards,






  • Hi all, I am trying to set up Squid as an HTTPS MITM. I followed these instructions: http://irj972.co.uk/articles/pfSense-WPAD-PAC-configuration

    Typically, MITM happens when you use a transparent proxy. If you're using WPAD then it's explicit. You need to choose one or the other: transparent, or explicit with WPAD.

    Also, nslookup wpad.pfsense.test gives the IP, but "server can't find wpad.pfsense.test: NXDOMAIN"

    Do you have an HTTP server at wpad.pfsense.test?  Does it have the wpad.dat file accessible via http://wpad.pfsense.test/wpad.dat?



  • Thanks for the reply… I am able to download the wpad.dat and proxy.pac files, and everything (nslookup) works. But when I set the browser to auto-discovery and add the firewall LAN rule to block 80 and 443, it never works.

    I followed the same guide too --> http://irj972.co.uk/articles/pfSense-WPAD-PAC-configuration



  • What browser are you using? If you are using Firefox you may need to use "automatic proxy configuration URL" and enter the WPAD address there.



  • Exactly, it works if I put in the URL with the firewall LAN rules disabled (but it's painful to do this manually for all the 150 systems in my network, right?). Once I enable the firewall rules that block 80 and 443, it doesn't work.

    The same thing happens with IE as well. Automatic doesn't work for me. FYI, I use pfSense 2.2.2, squid3 v0.2.8, squidGuard v1.9.14 and multi-WAN.

    Are there any other configurations that need to be done apart from these? Or am I doing anything wrong?



  • What I ended up doing is, in Internet Options (if using Windows) - Connections - LAN settings, use the automatic proxy configuration, and then for all other programs (i.e. Firefox) set the connection settings to use the system proxy settings.

    I am finding that some programs cannot find the WPAD (not just Firefox), and this option fixes a lot of issues.
    As for the 150 systems, update your install image so the WPAD is set in the Internet Options and do an image update.



  • Thanks… nice idea, will try that and update the thread later.

    No, an image update won't work if the machines are already being used. :)



  • 150 machines ?

    For IE: Use a Windows Active Directory GPO.
    For Firefox check this: http://stackoverflow.com/questions/843340/firefox-proxy-settings-via-command-line
    For Chrome: I'm not sure, but I think it uses the same as stated for IE.



  • I have seen this here as well.  A mix of Windows boxes from Server 2003 up to Windows 8.1.  Even with all set to Automatically detect proxy, some of my clients still need to be hard-coded.  I have no idea why.  You would think that it's all or nothing.



  • @srk3461:

    I am able to download the wpad.dat and proxy.pac files, and everything (nslookup) works. But when I set the browser to auto-discovery and add the firewall LAN rule to block 80 and 443, it never works.

    Could you please explain what this does?
    Where do you add such setting and why?

    I suspect you set it at FW level in order to prevent access to the internet without using the proxy. Am I correct?
    If yes, could you please explain this rule and provide more detail?



  • @Chris.

    Sorry for putting it so plainly… What I meant was I'm able to download the WPAD files through the browser.

    I followed these instructions http://irj972.co.uk/articles/pfSense-WPAD-PAC-configuration, and I run light http to serve the WPAD files on port 80, and run the pfSense webGUI on port 83.

    To stop users browsing through the normal 80 or 443 ports, it's mentioned at the end of that link to add a rule at the top of the firewall rules to do that.

    Yes, you're right... Attached is a screenshot of the rules that I tried.

    Thanks.




  • If you:
    1 - serve proxy.pac from pfSense
    2 - prevent users accessing the pfSense web server that is exposing proxy.pac

    then I don't see how this could work.

    The rule preventing users from accessing the internet without using the proxy should be set so that:

    • either you prevent access to "non-LAN" networks on ports 80 & 443,
    • or you authorize access to pfSense (LAN side) from LAN, then deny all access on ports 80 & 443.

    Whatever way you achieve it, access to pfSense is mandatory in order to be able to download proxy.pac, and what you show prevents it  8)  (as far as I understand)



  • The firewall rules look good to me (this is how I have it), though make it IPv4+6 instead of just IPv4.



  • @aGeekHere:

    The firewall rules look good to me (this is how I have it), though make it IPv4+6 instead of just IPv4.

    Sure, it works if the WPAD settings do not point to pfSense itself as the web server storing and exposing the proxy.pac file. Otherwise, unless there is another rule before it allowing access to pfSense on port 80 from LAN, I don't see and don't understand how this could work.
    But there is perhaps something I miss or don't understand  ;)



  • Just to add one more thing to my advice: in Internet Options - Connections - LAN settings, have "automatically detect settings" on as well as "use automatic configuration script".

    So if the automatic detect settings do not work, then the automatic configuration script will be a backup option.

    To chris4916:
    I would add a bypass-proxy rule for the external web server to pfSense if that is where the WPAD is coming from.



  • @Chris.

    If you:
    1 - serve proxy.pac from pfSense
    2 - prevent users accessing pfSense web server that is exposing proxy.pac

    then I don't see how this could work.

    You read my mind; this is exactly why I hijacked this thread from @alxbob, because everybody (most of them) on this forum seems to have got it working in a similar way. @aGeekHere even has made a step-by-step guide which mentions the same thing.

    But it looks like I'm doing something wrong here. However, I don't have any rules on top of that except the anti-lockout rule. Please find the attached screenshot.

    As I mentioned, it's difficult to do it manually for so many, and I don't have an option of pushing it out dynamically to all of them. This (WPAD) seemed to be a better option in my environment.




  • @aGeekHere:

    to chris4916
    I would add a bypass proxy rule for the external webserver to pfsense if that is where the wpad is coming from.

    I'm not sure you get my point (or I don't get your  :D)

    When deploying proxy, there is an obvious point that is to prevent users accessing directly internet without using this proxy. This is usually done adding FW rule that is preventing direct internet access from LAN to internet, at least on port 80 & 443.
    So far so good  8)

    When deploying WPAD, browser will have to download proxy.pac file in order to launch proxy setting configuration.

    If the server that is exposing this file is the pfSense web server, and if you don't set a specific FW rule authorizing access to at least pfSense on its internal interface on port 80, there is no way the proxy.pac file can ever be downloaded.

    Adding rule to bypass proxy doesn't apply here  ;)

    Am I correct?
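Since the discussion above turns on what the browser actually fetches, here is a minimal wpad.dat / proxy.pac as an added example; it is not from the original posts or from the linked guide. It assumes pfSense at 192.168.1.1 with Squid on 3128, a 192.168.1.0/24 LAN and the pfsense.test domain, all constructed for illustration. Unqualified names, the local domain and the LAN (which covers the WPAD host and the pfSense GUI) go DIRECT; everything else goes to the proxy. The caveat chris4916 raises still applies: the PAC only takes effect after the browser has already downloaded it, so a DIRECT entry for the WPAD host does nothing for that first fetch, which is why the LAN -> pfSense:80 allow rule has to sit above the block rule. The shims at the top exist only so the file can be run and checked with Node; a browser's PAC engine supplies these functions itself and the `var` redeclarations leave its versions in place.

```javascript
// Added example wpad.dat / proxy.pac (not from the thread or the linked guide).
// Constructed assumptions: pfSense LAN address 192.168.1.1, Squid on 3128,
// LAN 192.168.1.0/24, local DNS domain pfsense.test.
var PROXY = "PROXY 192.168.1.1:3128";

// The PAC engine in a browser provides these helpers. The shims below are only
// picked up when running outside a browser (e.g. Node) so the PAC can be tested.
var isPlainHostName = typeof isPlainHostName === "function" ? isPlainHostName :
  function (host) { return host.indexOf(".") === -1; };

var dnsDomainIs = typeof dnsDomainIs === "function" ? dnsDomainIs :
  function (host, domain) {
    return host.length >= domain.length && host.slice(-domain.length) === domain;
  };

var shExpMatch = typeof shExpMatch === "function" ? shExpMatch :
  function (str, pattern) {
    // Shell-style glob: escape regex metacharacters, then map * and ? .
    var re = new RegExp("^" + pattern
      .replace(/[.+^${}()|[\]\\]/g, "\\$&")
      .replace(/\*/g, ".*")
      .replace(/\?/g, ".") + "$");
    return re.test(str);
  };

var isInNet = typeof isInNet === "function" ? isInNet :
  function (host, pattern, mask) {
    // A real PAC engine resolves hostnames here; the shim accepts dotted IPv4 only.
    var h = host.split(".").map(Number);
    var p = pattern.split(".").map(Number);
    var m = mask.split(".").map(Number);
    if (h.length !== 4 || h.some(isNaN)) return false;
    for (var i = 0; i < 4; i++) {
      if ((h[i] & m[i]) !== (p[i] & m[i])) return false;
    }
    return true;
  };

function FindProxyForURL(url, host) {
  // Unqualified names and anything in the local domain (wpad.pfsense.test,
  // the pfSense GUI, internal servers) never need the proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, ".pfsense.test")) {
    return "DIRECT";
  }
  // Loopback and the LAN subnet are reachable without the proxy too.
  if (shExpMatch(host, "127.*") || isInNet(host, "192.168.1.0", "255.255.255.0")) {
    return "DIRECT";
  }
  // Everything else must go through Squid. Deliberately no "; DIRECT" fallback:
  // with 80/443 blocked at the firewall it would only produce confusing timeouts,
  // and on an unfiltered path it would let clients bypass the proxy silently.
  return PROXY;
}
```

The file must be served with the MIME type application/x-ns-proxy-autoconfig and be reachable as http://wpad.pfsense.test/wpad.dat for DNS-based discovery; the same content can be served as proxy.pac for clients that are given the URL explicitly.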



  • I'm not sure you get my point (or I don't get your  :D)

    We will get there :)

    When deploying proxy, there is an obvious point that is to prevent users accessing directly internet without using this proxy. This is usually done adding FW rule that is preventing direct internet access from LAN to internet, at least on port 80 & 443.
    So far so good  8)

    That is correct: ports 80 and 443 need to be blocked, or else users can bypass the proxy.

    When deploying WPAD, browser will have to download proxy.pac file in order to launch proxy setting configuration.

    That is correct; it can also get that information from the system settings.

    If server that is exposing this file is pfSense web server and if you don't set specific FW rule that is authorizing to access at least pfSense on its internal interface on port 80, there is no way proxy.pac file can ever be downloaded.

    This would be downloaded locally and would not be going through the firewall (correct me if I am wrong); that's why it does not get blocked by the rule.

    So try the system setting way and see how you go.



  • @aGeekHere:

    This would be downloaded locally and would not be going through the firewall (correct me if I am wrong); that's why it does not get blocked by the rule.

    That's exactly where I'm not in line, at least with your statement.
    The point is that we have, with this screen copy, only a partial view of the FW rules.

    However, the problem is not whether it goes through or not.

    With FW rules, you define source, destination and port. It doesn't matter if you go through. If the destination is "*****", then it also covers the pfSense LAN interface.
    What can be done, if not already applied, is to ensure that the "Anti-Lockout Rule" (on the LAN interface) already contains port 80  ;)

    So try the system setting way and see how you go.

    I'm not using pfSense either as HTTP proxy or as WPAD web server  ;) furthermore my anti-lockout rule already includes ports 80 and 22  ;D
    On top of that, if it doesn't work like what I describe, then I will have to spend a lot of time reading documentation to better understand how iptables and netfilter work  8)



  • @chris4916:

    @aGeekHere:

    This would be downloaded locally and would not be going through the firewall (correct me if I am wrong); that's why it does not get blocked by the rule.

    That's exactly where I'm not in line, at least with your statement.
    The point is that we have, with this screen copy, only a partial view of the FW rules.

    However, the problem is not whether it goes through or not.

    With FW rules, you define source, destination and port. It doesn't matter if you go through. If the destination is "*****", then it also covers the pfSense LAN interface.
    What can be done, if not already applied, is to ensure that the "Anti-Lockout Rule" (on the LAN interface) already contains port 80  ;)

    So try the system setting way and see how you go.

    I'm not using pfSense either as HTTP proxy or as WPAD web server  ;) furthermore my anti-lockout rule already includes ports 80 and 22  ;D
    On top of that, if it doesn't work like what I describe, then I will have to spend a lot of time reading documentation to better understand how iptables and netfilter work  8)

    I think… this is how the firewall rules are supposed to look based on the explanation by chris4916! :) (If I'm reading it properly!!! :P), which makes sense.

    I'm yet to try it out and I don't know whether this will work or not... will update later.




  • Better but not yet perfect  ;D
    I would suggest that source is set to "this LAN" instead of "*" so that you only authorize access to pfSense on port 80 from YOUR LAN.

    What do you think?



  • @chris4916:

    Better but not yet perfect  ;D
    I would suggest that source is set to "this LAN" instead of "*" so that you only authorize access to pfSense on port 80 from YOUR LAN.

    What do you think?

    I already made that change, Chris… 8) 8) 8). Will let you guys know how this works out.
    Thanks for your help guys!



  • Guys, I got WPAD working… but can anyone help me with this?

    If I set an IP on a machine manually, the WPAD doesn't seem to work. It works only through DHCP!!!

    And can anyone give me info about the NAT rule that needs to be configured?

    Thanks!



  • If I set an IP on a machine manually, the WPAD doesn't seem to work. It works only through DHCP!!!

    If you set the IP address manually, you will either have to manually set the proxy too, or at least ensure Automatically detect proxy is set in your client browser.



  • @srk3461:

    If I set an IP on a machine manually, the WPAD doesn't seem to work. It works only through DHCP!!!

    This is most likely because you are discovering the proxy using the "well-known alias", which will (DNS) search for "wpad.your_domain".
    "your_domain" is pushed by your DHCP configuration, while I suspect you do not set it up, or set it with different settings, when configuring your client manually. This could also be due to the use of a different (or no) DNS server when done manually.

    WPAD can rely on different mechanisms.
    The "well-known alias" is the one mainly used, but you could also use the DHCP option or DNS service definition.
    Notice that nothing prevents you from using all of them ;-) because, depending on clients, some will work better (or not  :-[)

    I wrote something in a previous life that may help you make the right decision in terms of design: https://wiki.zentyal.org/wiki/Select_Right_HTTP_Proxy_Design
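To make the "well-known alias" mechanism concrete, here is an added example (not from the thread) of how a client derives its candidate WPAD URLs from a DHCP option 252 value and from its DNS suffix, in the order the WPAD draft specifies: DHCP first, then the DNS alias walk. The domain names and URLs are constructed. It shows why a statically addressed machine with no DNS suffix has nothing to try: there is no lease carrying option 252 and no domain to prefix with "wpad.". The alias walk stops before the bare TLD, so a host in lan.pfsense.test tries wpad.lan.pfsense.test and wpad.pfsense.test but never wpad.test; a client that went one step further would take its proxy settings from whoever controls that public name.

```javascript
// Added example (not from the thread): WPAD discovery candidates for one client.
// Inputs are constructed; nothing here touches the network.

// DNS "well-known alias" candidates: prefix "wpad." to the client's DNS suffix
// and keep dropping the leftmost label, but stop before a bare TLD.
function wpadDnsCandidates(dnsSuffix) {
  var labels = (dnsSuffix || "")
    .toLowerCase()
    .replace(/^\.+|\.+$/g, "")   // tolerate "lan.pfsense.test." style suffixes
    .split(".")
    .filter(Boolean);
  var urls = [];
  while (labels.length >= 2) {  // at least two labels left: never "wpad.test"
    urls.push("http://wpad." + labels.join(".") + "/wpad.dat");
    labels.shift();
  }
  return urls;
}

// Full discovery order for a client: a DHCP option 252 URL (only present when
// the address came from DHCP) first, then the DNS alias candidates. A host with
// a static IP and no configured DNS suffix gets an empty list, which is the
// "works only through DHCP" symptom described above.
function wpadCandidates(client) {
  var urls = [];
  if (client.dhcpOption252) {
    urls.push(client.dhcpOption252);
  }
  return urls.concat(wpadDnsCandidates(client.dnsSuffix));
}

// Constructed clients for illustration.
var dhcpClient = { dhcpOption252: "http://192.168.1.1/wpad.dat", dnsSuffix: "lan.pfsense.test" };
var staticClientNoDomain = { dhcpOption252: null, dnsSuffix: "" };
var staticClientWithDomain = { dhcpOption252: null, dnsSuffix: "pfsense.test" };
```

For the static host the fix follows directly: either configure the DNS suffix (so the wpad.pfsense.test candidate exists and the alias resolves against the internal DNS), or hand the client the PAC URL explicitly, which is what the earlier posts about Internet Options and GPO amount to.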



  • Guys…. Thank you all for your help... I got it running perfectly.

    One small issue: has anyone come across this? When using Citrix Receiver to connect to RDP I get the following error, only through the proxy: "There is no Citrix SSL Server configured on the specified address". I tried the usual troubleshooting like using "proxy server options" and "bypass proxy for local addresses" in IE, and using newer clients and all.

    Thank you for your time.

