Netgate Discussion Forum
    Limiter blocks internet access (Squid transparent proxy)

Abhishek

      @doktornotor:

      Well then stick with 2.1.5 until fixed.

Can anyone share a 2.1.5 pfSense USB image?

      2.3-RC (amd64)
      built on Mon Apr 04 17:09:32 CDT 2016
      FreeBSD 10.3-RELEASE
      Intel(R) Core(TM)2 Duo CPU E4500 @ 2.20GHz

      darkstat 3.1.2_1
      Lightsquid 3.0.3_1
      mailreport 3.0_1
      pfBlockerNG 2.0.9_1  
      RRD_Summary 1.3.1_2
      snort 3.2.9.1_9  
      squid 0.4.16_1  
      squidGuard 1.14_1
      syslog-ng 1.1.2_2

Derelict

        That's a pretty good question.

        I just clicked around and couldn't find a 2.1.5 download.

        You might want to start thinking about other products/distros if you can't wait months for the functionality you need.

        I <3 pfSense but this limiter shit is getting old.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

doktornotor

          @Derelict:

          That's a pretty good question.

          I just clicked around and couldn't find a 2.1.5 download.

Your clicking skills suck.  ;D :P

          Just click on the "Just show me the mirrors" on the download page. Select one, and go to "old" dir.

Derelict

            Didn't see the old dir.  Knew it was there somewhere.  Thanks.


Alfanetindo

              SOLVED*

              I managed to find a simple fix. All I needed to do was create a pass all firewall rule on the (LAN) interface for port 3128 (my proxy port).

              IPv4 TCP * * * 3128 * none   Rule to allow transparent proxy to work

              It worked and the speed limiter still works also.

Abhishek

                @Alfanetindo:

                SOLVED*

                I managed to find a simple fix. All I needed to do was create a pass all firewall rule on the (LAN) interface for port 3128 (my proxy port).

                IPv4 TCP * * * 3128 * none   Rule to allow transparent proxy to work

                It worked and the speed limiter still works also.

Anyone else tested this?


gringo13

                  @Abhishek:

                  @Alfanetindo:

                  SOLVED*

                  I managed to find a simple fix. All I needed to do was create a pass all firewall rule on the (LAN) interface for port 3128 (my proxy port).

                  IPv4 TCP * * * 3128 * none   Rule to allow transparent proxy to work

                  It worked and the speed limiter still works also.

Anyone else tested this?

                  Limiter still not working!

techgs

I can confirm that the issue is solved 100%.

My configuration:

1. pfSense version: 2.2.4-RELEASE (amd64), built on Sat Jul 25 19:57:37 CDT 2015

2. Packages installed:
   a. Squid: 2.7.9 pkg v.4.3.6 (do not install squid3; it's very buggy)
   b. SquidGuard: 1.9.14. Squid is configured as a transparent proxy on the LAN interface; the rest are default settings.

3. Memory: 1 GB

4. Bandwidth available: 4 MB

5. Limiter applied for testing: only to 1 IP (256 kb download and 1 mb upload)

6. Result tested with speed.net (worked exactly as expected)

7. All tests carried out when no one else was using the internet (doubly confirmed)

                    Please mark that this issue is fully resolved.

                    Kudos and special thanks to  Alfanetindo  for a simple but a great solution.

Steps that need to be taken...

1. The following rule must be the first rule:

IPv4 TCP    *    *    *    3128    *    none        Rule to allow transparent proxy to work

                    2.  Then you can apply the limiter rule.


djzort

The order of the actual pf rules must be the issue then; perhaps someone can post the pf rules of a working 2.1.5 and a non-working 2.2.x.

Ecnerwal

                        Not "solved" and the rule change does not "solve" it. Looks like it just bypasses the limiter.

Tried on 2.2.4 with squid 3 (what was installed; it has not been transparent since I decided that limiter fairness beat the heck out of squid caching if I had to pick only one of those). Traffic limited at 10 and running at 10.6 shot above 12; quality shot from 40 to 1500 ms.

                        Uninstalled squid 3, installed 2.7.9.

                        Traffic again shot above 12, quality went to 400, then 1200 ms.

                        Turned off transparent and disabled firewall rule. Traffic remained high, quality low, so I reset states as well to flush it out.

                        Back to 10.4 and 27 ms.

Guess I'll have to find a second box to run an independent squid instance between pfSense and the rest of the LAN, since this is not remotely working (on older versions I could have both work, but only when cache hits were shaped, which was NOT the point, and the workarounds some claimed to work for that always left me with a locked-up system and no network access).

I have been running the limiter (and basically no squid, or only non-transparent squid, which is functionally like no squid) since last spring with excellent results on getting fairness while allowing most of the BW to be used (one user gets it all (minus limiter overhead to make the limiter work at all), two users share evenly, 80 users share evenly) and holding quality to a reasonable level.

                        "Quality to a reasonable level" is basically tuning the main limiters' in/out values that are then divided among users.

                        pfSense on i5 3470/DQ77MK/16GB/500GB

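As an added illustration (my own code, not from anyone in this thread), here is a small Python model of pf's evaluation order: rdr translation happens before filtering, and pfSense user rules are "quick" (first match wins), so a pass rule for port 3128 placed ahead of the limiter rule is the rule the redirected proxy traffic hits, and it carries no dnpipe. The rule strings, interface em1, LAN subnet, client address and pipe numbers are constructed assumptions; the model covers only rule ordering and does not reproduce the blocking bug itself.

```python
import ipaddress
import re

# Constructed rdr rule in the style the Squid package uses for a transparent
# proxy on pfSense (interface name em1 is an assumption).
RDR_RULES = [
    "rdr on em1 proto tcp from any to !(em1) port 80 -> 127.0.0.1 port 3128",
]

# Constructed filter rules in GUI order; pfSense user rules are all "quick",
# so the first match wins. Pipe numbers and the LAN subnet are assumptions.
FILTER_FIX_FIRST = [
    'pass in quick on em1 proto tcp from any to any port 3128 label "proxy"',
    'pass in quick on em1 proto tcp from 192.168.1.0/24 to any '
    'dnpipe (1, 2) label "limiter"',
]
FILTER_LIMITER_FIRST = list(reversed(FILTER_FIX_FIRST))


def apply_rdr(pkt, rdr_rules):
    """pf translates (rdr) before filtering, so the filter sees 127.0.0.1:3128."""
    for rule in rdr_rules:
        m = re.search(r"port (\d+) -> (\S+) port (\d+)", rule)
        if m and pkt["dport"] == int(m.group(1)):
            return dict(pkt, dst=m.group(2), dport=int(m.group(3)))
    return pkt


def first_match(pkt, filter_rules):
    """Return (label, dnpipe) of the first quick rule that matches pkt."""
    for rule in filter_rules:
        src = re.search(r"from (\S+)", rule).group(1)
        if src != "any" and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(src):
            continue
        port = re.search(r"to \S+ port (\d+)", rule)
        if port and pkt["dport"] != int(port.group(1)):
            continue
        pipe = re.search(r"dnpipe \((\d+), (\d+)\)", rule)
        label = re.search(r'label "([^"]+)"', rule).group(1)
        return label, (int(pipe.group(1)), int(pipe.group(2))) if pipe else None
    return None, None


def limiter_applies(filter_rules, pkt=None):
    """Trace one LAN client's HTTP request through rdr and then the filter."""
    pkt = pkt or {"src": "192.168.1.10", "dst": "203.0.113.5", "dport": 80}
    label, pipe = first_match(apply_rdr(pkt, RDR_RULES), filter_rules)
    return label, pipe is not None  # ('proxy', False) or ('limiter', True)
```

With the proxy rule first, the request matches it and is never piped; with the limiter rule first, the same request is piped before it reaches the proxy rule.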
debianxp

Finally, the only way to fix this was installing the old version of pfSense, 2.1.5. I tested with squid in transparent mode, dansguardian and Limiters, and everything works fine. I was reading the pfSense digest and there are many security issues and bugs fixed between the old version 2.1.5 and the latest version 2.2.4, like multiple Cross-Site Scripting (XSS) vulnerabilities that were found in the pfSense WebGUI, and the OpenSSL "FREAK" vulnerability (if packages include a web server or similar component, such as a proxy, an improper user configuration may be affected; consult the package documentation or forum for details).

                          My question, is there any secure way to keep this old version for remote access?

                          Regards!

chris4916

That's a pretty strange technical debate here about a rule handling access to port 3128, while the idea of a transparent proxy is, by design, that the proxy port is unknown on the browser side and accessed only internally.

                            Not reading even further, when I saw such proposal in term of FW rule associated with transparent proxy, I was…  :o ???....  ::)

If the issue is with the transparent proxy only, why don't you move to an explicit proxy, which is definitely far better in any case?

Jah Olela Wembo: Words turn into wounds when they upset, assault or hurt.

Ecnerwal

                              Explicit proxy is fine for my fixed machines that won't be on another network; and it's set up on them, in fact.

Setting up an explicit proxy on mobile machines tends to break them when they go elsewhere. The user base not being all that savvy, the various possible schemes of network settings to implement an explicit proxy here, which they would change away from when elsewhere, might work for 2% of them. And it would be a pain even for that 2%: oh, I switched networks, now I need to switch network settings. Oh, joy.

Auto proxy discovery is a delightfully kludgy old process (Netscape; that brings back memories) and is not turned on by default for most systems.

                              So, for effective proxy that actually works for the majority of a mobile user-base, transparent is useful (when it works.)

                              Your environment may differ.


killmasta93

Also, I just want to point out that the limiter also breaks NAT Reflection mode for port forwards  :-[

                                Tutorials:

                                https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

JDvD

                                  Has it been solved for the new version 2.2.4?

                                  USER ERROR: Replace user and press any key to continue …

killmasta93

Nah, not sure; maybe for 2.2.5 :)

I would love to have the limiter work with NAT reflection.


Derelict

                                      As far as I know this problem is punted to 2.3, unfortunately.


killmasta93

So on 2.2.2 the Limiter does not have any issue with NAT reflection? On 2.2.4 there are still issues.


Derelict

                                          I think it's 2.2.X.


Ecnerwal

                                            @JDvD:

                                            Has it been solved for the new version 2.2.4?

                                            I'm having the problem on 2.2.4, so, no.


                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.