Limiter blocks internet access (Squid transparent proxy)
-
Finally, the only way to fix this was installing the old version of pfSense 2.1.5. I tested with squid transparent mode, dansguardian and Limiters and everything works fine. I was reading the pfSense Digest and there are many security issues and bugs from the old version 2.1.5 to the last version 2.2.4, like multiple Cross-Site Scripting (XSS) vulnerabilities that were found in the pfSense WebGUI, and the OpenSSL "FREAK" vulnerability (If packages include a web server or similar component, such as a proxy, an improper user configuration may be affected. Consult the package documentation or forum for details.)
My question, is there any secure way to keep this old version for remote access?
Regards!
-
That's a pretty strange technical debate here about a rule handling access to port 3128, while the idea is to use a transparent proxy which is, by design, implemented in such a way that the proxy port is unknown on the browser side and accessed only internally.
Not reading even further, when I saw such a proposal in terms of a FW rule associated with a transparent proxy, I was… :o ???.... ::)
If the issue is with the transparent proxy only, why don't you move to an explicit proxy, which is definitely far better, in any case?
-
Explicit proxy is fine for my fixed machines that won't be on another network; and it's set up on them, in fact.
Setting up an explicit proxy on mobile machines tends to break them when they go elsewhere. The user base not being all that savvy, the various possible schemes of network settings to implement an explicit proxy here that they would change away from when elsewhere might work for 2% of them. And it would be a pain even for that 2% - Oh, I switched networks. Now I need to switch network settings. Oh, joy.
Auto Proxy discovery is a delightfully kludgy old process (netscape - that brings back memories) and not turned on by default for most systems.
So, for effective proxy that actually works for the majority of a mobile user-base, transparent is useful (when it works.)
Your environment may differ.
-
Also just want to point out that limiters also break NAT Reflection mode for port forwards :-[
-
Has it been solved for the new version 2.2.4?
-
nah not sure maybe for 2.2.5 :)
I would love to have the limiter work with NAT reflection
-
As far as I know this problem is punted to 2.3, unfortunately.
-
So on 2.2.2 the Limiter does not have any issue with NAT reflection? On 2.2.4 there are still issues.
-
I think it's 2.2.X.
-
Hi there,
I have got the same problem. Version 2.2.4 (64-bit) does not work with the transparent proxy anymore. In version 2.1.5 it worked fine. In that version (2.1.5) it was also possible to change the port of squid to a port beneath 100. This is not working in 2.2.4 as well.
I guess this must be a bug. ??? :-\
-
7 months later and this issue has not been addressed yet? … not complaining tho', SmallWall has kept me happy so far.
I hope this issue will be addressed tho', would like to use pf.
-
Hello,
after updating to 2.2.5 the bug is still there. Traffic shaping does not work with the proxy in transparent mode.
:-[
-
Ok, I have not tried it with the new version (2.2.5).
I also see in several posts that there is a confusion, let's clarify this: Limiter + Transparent Proxy does not work, but Limiter + Non-Transparent Proxy works? I think it's the same problem for all Traffic Shapers.
-
This entire topic has nothing to do with proxy. Limiters are (still) broken when applied to any NAT firewall rules; this is nothing specific to transparent Squid. On 2.2.x, and I cannot see any difference on 2.3 either. Broken as in dropping traffic -> unusable.
https://redmine.pfsense.org/issues/4326
-
I meant the subject of the title (Limiter + Proxy), but you have made it clear that it is a generalized problem with the NAT firewall rules. Thank you doktornotor
-
HAHAHA NO SOLUTION … back to 2.0.3 and fix it
-
finally SOLUTION here
https://forum.pfsense.org/index.php?topic=106640.0
-
SOLVED*
I managed to find a simple fix. All I needed to do was create a pass all firewall rule on the (LAN) interface for port 3128 (my proxy port).
IPv4 TCP * * * 3128 * none Rule to allow transparent proxy to work
It worked and the speed limiter still works also.
Hello!
I made some adjustments to this rule, and it worked! thx!
Just point the rule to 127.0.0.1, and it will work!
Don't forget, the rule must be at the top, and the rule with the limiter must be below.
Some screenshots below to help.
I hope this can help someone. Sorry for my bad English.
:)
[EDIT]
Hello Again!
I tested this workaround for a few days and some apps like download managers can bypass limiters. :(
Looking for another temp solution.
Cya!
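The workaround described in the two posts above, written out as the equivalent pf rules rather than GUI screenshots (this is an added illustration, not the posters' own configuration; the interface name, LAN subnet and pipe numbers are assumed). Rule order matters because pf stops at the first matching `quick` rule, which is why the pass rule for the proxy port has to sit above the rule carrying the limiter:

```pf
# Assumed names (constructed for this example): $lan = "em1", $lan_net = "192.168.1.0/24".
# Dummynet pipes 1 (download) and 2 (upload) are assumed to be configured
# separately, as pfSense does for "Limiters"; only their numbers are referenced here.

# Transparent proxy: outbound HTTP from the LAN is redirected to Squid on localhost:3128,
# so the filter rules below see 127.0.0.1:3128 as the destination, not the web server.
rdr on $lan proto tcp from $lan_net to any port 80 -> 127.0.0.1 port 3128

# 1) The thread's workaround: pass the redirected traffic to the proxy port
#    WITHOUT a limiter. It is listed first so it matches before the limiter rule.
pass in quick on $lan proto tcp from $lan_net to 127.0.0.1 port 3128

# 2) Everything else entering from the LAN goes through the limiter pipes
#    (first pipe = traffic entering the interface, i.e. upload; second = download).
pass in quick on $lan from $lan_net to any dnpipe (2, 1)
```

Because rule 1 exempts every proxied connection from the limiter, anything that reaches the internet through Squid is unshaped, which is the bypass reported in the EDIT above; that traffic can only be throttled inside Squid itself, as the following post suggests.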
-
I suggest, as a workaround, that you limit the client bandwidth through the squid "Traffic Mgmt" tab, "Per-host throttling" option, on "Proxy server: General settings". For me, it is running ok. Sorry for my bad English too :-)