Limiter blocks internet access (Squid transparent proxy)


  • I don't think there is anything I/you/we can do about the compatibility issue. I can get the limiter to work by simply changing the squid binding to the loopback, without disabling it. This tells me there is some sort of binding issue with how squid works now and the limiter feature of pfSense. Something is getting goofed in the stack.

    For now, I'll likely use the captive portal to perform some bandwidth limiting. If I had a spare machine, I would set up a second instance of pfSense - one as a UTM and the other as the limiter.

    All I can think of doing is putting in a report with the Squid devs to see if they are aware of the issue. Seems this issue is specific to Squid3, also. I don't recall having it with the prior version of Squid.

    Maybe if I get some time I'll work on testing the older version of Squid/squidguard and the limiter. I'll let you know the results.


  • Good News! I've got it working!
    Bad News? I had to roll-back to pfSense 2.5.1. On this version, I'm able to use squid + traffic shaping to limit bandwidth.


  • @Shuon:

    Good News! I've got it working!
    Bad News? I had to roll-back to pfSense 2.5.1. On this version, I'm able to use squid + traffic shaping to limit bandwidth.

    Sounds promising. I don't think it's a problem for me to use an old version since I'm not using pfSense for a lot of things, only the traffic shaper and squid. I'm curious though, are you using squid in transparent mode? Also, I only tried with squid3; I will try with the squid stable version and report results.

    update:
    I've tried the squid stable version but it's still not working for me; I still can't use squid with the Limiter. I disabled squid transparent mode and I could access the internet without proxy settings in the browser, but squid wasn't caching anything. I really would like this to work for me, even with an older version of pfSense, which is why I would like to know if in your case squid is in transparent mode, or what you are using squid for.


  • Yup, squid is in transparent mode. I'm using a fresh/clean install of 2.5.1. It could also be an issue with your configuration. If you were in there messing with some of the settings, that could also be messing with ya right now.

    Here is the general setup/what I have running right now. Very basic, since it is a clean install, but it works. I might try to do a clean/fresh install to 2.2.1 (rather than the upgrade) and see if that makes any difference. I'd rather be running the latest/greatest of pfSense rather than an older version, simply due to bug / security fixes.

    https://www.walj.us/rand/pfs/pfsense-squid-limiter.cfm


  • Thanks Shuon, this is very helpful. I'm suspecting I have something wrong with the firewall rule, I have a very simple limiter and squid setup, will do everything afresh and see.

    Update:
    I can confirm that squid + limiter works on 2.5.1. I couldn't get it working on 2.2 & 2.2.1… guess I'm going to stick with 2.5.1 for a while, at least until someone confirms this setup works with any newer version of pf.

    Thanks a lot Shuon


  • I'm having the same issue here.

    On 2.2.1 I can't limit with squid.

    An old 2.1.5 runs perfectly.

    Has anyone else had this issue?

  • Known issue, nothing new here.


  • @doktornotor:

    Known issue, nothing new here.

    Hello is there any temp work around? I really need this.
    Thanks

  • No.


  • doktornotor, please share the reason why it is working on 2.1 and not in 2.2. I'm using squid 2.7.9 with pfSense 2.2.1 and facing the same issue.

  • Because it's broken. SIGDUH! If the devs knew what's broken where, they'd fix it.


  • Thank You doktornotor,

    I want to restrict bandwidth and at the same time do URL filtering for LAN users.

  • Well then stick with 2.1.5 until fixed.

  • Just a thought… in 2.2.x they introduced Unbound as the default resolver.

    Could it be related to that?

    If you change the DNS forwarder back to the former one, also available in the GUI, will it work?

  • Hmmm? Not really sure how this is related to unbound, or even any resolver at all? When I put limiters on a NAT firewall rule, the traffic stops flowing. As simple as that.


  • I have the same problem.
    Firstly, I am sorry for my English.
    I installed squid in transparent mode. The filter is active and everything works well.
    When I activate the limiter, I can't access the internet.

    In the proxy server, if I disable transparent mode, then I can access the internet and the limiter works fine. But the filter doesn't work.
    What is the problem and what can I do?
    Help please. Regards.

  • @gringo13:

    What is the problem

    It is broken! Did you read the thread?

    @gringo13:

    and what can I do?

    Ditch the proxy, or wait, or get debugging and coding.


  • @doktornotor:

    @gringo13:

    What is the problem

    It is broken! Did you read the thread?

    @gringo13:

    and what can I do?

    Ditch the proxy, or wait, or get debugging and coding.

    The problem is that transparent mode and the traffic shaper don't work at the same time.
    If I disable the limiter, the internet isn't blocked. But if I enable the limiter, it blocks the internet.
    Or if I disable transparent mode and enable the limiter, then it works fine but the filter doesn't work.

    What do I need to make both work at the same time?

  • @gringo13:

    What do I need to make both work at the same time?

    Go re-read the previous reply a couple of times.


  • This issue persists on 2.2.2? Oh Crap :(


  • I also noticed this yesterday. After limiters are added to a pass-all rule and logging is enabled, the rule blocks all traffic for that interface and fills up the system logs.

  • Your "fills up the System logs" non-issue has nothing to do with the topic here. When you log ALL passed traffic, then yeah, your logs are going to fill up, limiters or not.


  • @doktornotor:

    Hmmm? Not really sure how's this related to unbound, or even any resolver at all? When I put limiters on a NAT firewall rule, the traffic stop flowing. As simple as that.

    This should be fixed in 2.2.3 snapshots.

  • Thanks, will test as soon as nanobsd becomes usable again… :D


  • @ermal:

    @doktornotor:

    Hmmm? Not really sure how's this related to unbound, or even any resolver at all? When I put limiters on a NAT firewall rule, the traffic stop flowing. As simple as that.

    This should be fixed in 2.2.3 snapshots.

    I am seeing this problem on 2.2.3-DEVELOPMENT (amd64) built on Fri Jun 19 14:25:29 CDT 2015 FreeBSD 10.1-RELEASE-p13.  No traffic with limiter and transparent proxy.

  • Yeah this is still broken. Don't use limiters on NAT.

    https://redmine.pfsense.org/issues/4596
    https://redmine.pfsense.org/issues/4590


  • Still not working on pfSense 2.2.3 final release. I need both the limiter and the transparent squid proxy to work together for my scenario.

    Regards,

    Nabeel


  • I have been having this problem also. It's a BIG problem actually for me. Does anyone know if it's been fixed yet, and if not if it's been brought to the developers attention ?

  • Apparently the changes to fix this are significant so they have pushed it to 2.3. I see they're planning a 2.2.5 first so you're looking at months (at least) before limiters are usable again. Use 2.1.5 and hope no significant vulnerabilities appear since they have stated they will not be patched. Or evaluate other options, as I am.

    2.2 is, for the most part, useless if you rely on dummynet limiters.


  • @doktornotor:

    Well then stick with 2.1.5 until fixed.

    Can anyone share a pfSense 2.1.5 USB image?

  • That's a pretty good question.

    I just clicked around and couldn't find a 2.1.5 download.

    You might want to start thinking about other products/distros if you can't wait months for the functionality you need.

    I <3 pfSense but this limiter shit is getting old.

  • @Derelict:

    That's a pretty good question.

    I just clicked around and couldn't find a 2.1.5 download.

    Your clicking skills suck. ;D :P

    Just click on the "Just show me the mirrors" on the download page. Select one, and go to the "old" dir.

  • Didn't see the old dir. Knew it was there somewhere. Thanks.


  • SOLVED*

    I managed to find a simple fix. All I needed to do was create a pass all firewall rule on the (LAN) interface for port 3128 (my proxy port).

    Proto: IPv4 TCP | Source: * | Port: * | Destination: * | Port: 3128 | Gateway: * | Queue: none | Description: Rule to allow transparent proxy to work

    It worked and the speed limiter still works also.


  • @Alfanetindo:

    SOLVED*

    I managed to find a simple fix. All I needed to do was create a pass all firewall rule on the (LAN) interface for port 3128 (my proxy port).

    Proto: IPv4 TCP | Source: * | Port: * | Destination: * | Port: 3128 | Gateway: * | Queue: none | Description: Rule to allow transparent proxy to work

    It worked and the speed limiter still works also.

    anyone else tested this ?


  • @Abhishek:

    @Alfanetindo:

    SOLVED*

    I managed to find a simple fix. All I needed to do was create a pass all firewall rule on the (LAN) interface for port 3128 (my proxy port).

    Proto: IPv4 TCP | Source: * | Port: * | Destination: * | Port: 3128 | Gateway: * | Queue: none | Description: Rule to allow transparent proxy to work

    It worked and the speed limiter still works also.

    anyone else tested this ?

    Limiter still not working!


  • I can confirm that the issue is solved 100%.

    My configuration:

    1.  pfSense version: 2.2.4-RELEASE (amd64)
    built on Sat Jul 25 19:57:37 CDT 2015

    2.  Packages installed: a. Squid: 2.7.9 pkg v.4.3.6 (do not install squid3 – it's very buggy)
    b. Squidguard: 1.9.14 -- squid configured as a transparent proxy on the LAN interface - rest are default settings.

    3.  Memory: 1 GB

    4.  Bandwidth available: 4 MB

    5.  Limiter applied for testing: only to 1 IP (256 kb download and 1 mb upload)

    6.  Result tested with speed.net (worked exactly as expected)

    7.  All tests carried out when no one else was using the internet (doubly confirmed)

    Please mark that this issue is fully resolved.

    Kudos and special thanks to Alfanetindo for a simple but great solution.

    Steps that need to be taken:

    1.  The following rule must be the first rule:

    Proto: IPv4 TCP | Source: * | Port: * | Destination: * | Port: 3128 | Gateway: * | Queue: none | Description: Rule to allow transparent proxy to work

    2.  Then you can apply the limiter rule.


  • The order of the actual pf rules must be the issue then. Perhaps someone can post the pf rules of a working 2.1.5 and a not-working 2.2.x.


  • Not "solved", and the rule change does not "solve" it. Looks like it just bypasses the limiter.

    Tried on 2.2.4 with squid 3 (what was installed; it has not been transparent since I decided that limiter fairness beat the heck out of squid caching if I had to pick only one of those): traffic limited at 10 and running at 10.6 shot above 12, and quality shot from 40 to 1500 ms.

    Uninstalled squid 3, installed 2.7.9.

    Traffic again shot above 12, quality went to 400, then 1200 ms.

    Turned off transparent mode and disabled the firewall rule. Traffic remained high and quality low, so I reset states as well to flush it out.

    Back to 10.4 and 27 ms.

    Guess I'll have to find a second box to run an independent squid instance between pfSense and the rest of the LAN, since this is not remotely working (on older versions I could have both work, but only when cache hits were shaped, which was NOT the point, and the workarounds some claimed to work for that always left me with a locked-up system and no network access).

    I have been running the limiter (and basically no squid, or only non-transparent squid, which is functionally like no squid) since last spring with excellent results on getting fairness while allowing most of the BW to be used (one user gets it all (minus limiter overhead to make the limiter work at all), two users share evenly, 80 users share evenly) and holding quality to a reasonable level.

    "Quality to a reasonable level" is basically tuning the main limiters' in/out values that are then divided among users.

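The post above argues that the "first rule for port 3128" workaround does not fix the limiter but routes proxied traffic around it. The following model, added here as an illustration and not taken from the thread or from pfSense's own code, shows why that follows from first-match rule evaluation: pfSense emits LAN filter rules as pf "quick" rules, and the transparent-proxy redirect rewrites the destination to 127.0.0.1:3128 before the filter rules are evaluated, so a pass rule for destination port 3128 placed first catches every redirected web flow with no limiter attached, while non-proxied traffic still reaches the limited rule. The addresses, the rule descriptions and the pipe name "LanDown" are constructed for the example.

```python
"""Constructed model of pfSense LAN rule evaluation with a transparent
Squid redirect, to show which flows a "port 3128 first" rule leaves
unshaped. Not pfSense code; the packets and names are made up."""
from dataclasses import dataclass
from typing import Dict, List, Optional

PROXY_PORT = 3128  # Squid port used in the thread


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """One pass rule. None means 'any'. dnpipe is the limiter name attached
    to the rule (pfSense's dummynet pipe); None means no limiter."""
    description: str
    proto: Optional[str] = None
    dport: Optional[int] = None
    dnpipe: Optional[str] = None


def transparent_redirect(pkt: Packet) -> Packet:
    """Model of the Squid transparent rdr: LAN TCP traffic to port 80 is
    rewritten to the local proxy before the filter rules run (pf applies
    rdr translation ahead of filtering, so rules see the new destination)."""
    if pkt.proto == "tcp" and pkt.dport == 80:
        return Packet(pkt.src, "127.0.0.1", PROXY_PORT, pkt.proto)
    return pkt


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """First-match ('quick') semantics: the first rule whose proto and
    destination port match wins; later rules are never consulted."""
    for rule in rules:
        if rule.proto is not None and rule.proto != pkt.proto:
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        return rule
    return None


def limiter_for(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """Return the limiter the flow ends up in, or None if it is unshaped."""
    matched = first_match(rules, transparent_redirect(pkt))
    return None if matched is None else matched.dnpipe


# Ruleset as described in the "SOLVED" post: the 3128 pass rule first,
# then the normal pass-all LAN rule carrying the limiter.
WORKAROUND_RULES = [
    Rule("Rule to allow transparent proxy to work", proto="tcp", dport=PROXY_PORT),
    Rule("Default allow LAN to any (limited)", dnpipe="LanDown"),
]


def classify(rules: List[Rule], pkts: List[Packet]) -> Dict[str, Optional[str]]:
    """Map each original flow (before redirect) to the limiter it lands in."""
    return {f"{p.dst}:{p.dport}": limiter_for(rules, p) for p in pkts}


if __name__ == "__main__":
    web = Packet("192.168.1.10", "93.184.216.34", 80)   # constructed client -> web
    ssh = Packet("192.168.1.10", "203.0.113.5", 22)     # constructed client -> ssh
    for flow, pipe in classify(WORKAROUND_RULES, [web, ssh]).items():
        print(f"{flow:>22}  ->  {'UNSHAPED' if pipe is None else pipe}")
```

Running the model shows the web flow, which is exactly the traffic Squid intercepts, matching the unshaped 3128 rule, while the SSH flow still lands in "LanDown". That is consistent with the measurement in the post above (throughput exceeding the limit once the 3128 rule is added) and is the check to make before declaring the workaround a fix: put the limiter on the rule that actually matches the redirected traffic, or confirm with a throughput test that the proxied flows are still being shaped.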

  • Finally, the only way to fix this was installing the old version of pfSense, 2.1.5. I tested with squid in transparent mode, dansguardian and Limiters, and everything works fine. I was reading the pfSense Digest and there are many security issues and bugs fixed between the old version 2.1.5 and the latest version 2.2.4, like multiple Cross-Site Scripting (XSS) vulnerabilities found in the pfSense WebGUI, and the OpenSSL "FREAK" vulnerability (if packages include a web server or similar component, such as a proxy, an improper user configuration may be affected. Consult the package documentation or forum for details.)

    My question: is there any secure way to keep this old version for remote access?

    Regards!