    Limiter blocks internet access (Squid transparent proxy)

    Traffic Shaping
    • A
      Abhishek last edited by

      @doktornotor:

      Well then stick with 2.1.5 until fixed.

      Can anyone share a 2.1.5 pfSense USB image?

      • Derelict
        Derelict LAYER 8 Netgate last edited by

        That's a pretty good question.

        I just clicked around and couldn't find a 2.1.5 download.

        You might want to start thinking about other products/distros if you can't wait months for the functionality you need.

        I <3 pfSense but this limiter shit is getting old.

        • D
          doktornotor Banned last edited by

          @Derelict:

          That's a pretty good question.

          I just clicked around and couldn't find a 2.1.5 download.

          Your clicking skills suck.  ;D :P

          Just click on the "Just show me the mirrors" on the download page. Select one, and go to "old" dir.

          • Derelict
            Derelict LAYER 8 Netgate last edited by

            Didn't see the old dir.  Knew it was there somewhere.  Thanks.

            • A
              Alfanetindo last edited by

              SOLVED*

              I managed to find a simple fix. All I needed to do was create a pass all firewall rule on the (LAN) interface for port 3128 (my proxy port).

              IPv4 TCP * * * 3128 * none   Rule to allow transparent proxy to work

              It worked and the speed limiter still works also.

              • A
                Abhishek last edited by

                @Alfanetindo:

                SOLVED*

                I managed to find a simple fix. All I needed to do was create a pass all firewall rule on the (LAN) interface for port 3128 (my proxy port).

                IPv4 TCP * * * 3128 * none   Rule to allow transparent proxy to work

                It worked and the speed limiter still works also.

                anyone else tested this ?

                • G
                  gringo13 last edited by

                  @Abhishek:

                  @Alfanetindo:

                  SOLVED*

                  I managed to find a simple fix. All I needed to do was create a pass all firewall rule on the (LAN) interface for port 3128 (my proxy port).

                  IPv4 TCP * * * 3128 * none   Rule to allow transparent proxy to work

                  It worked and the speed limiter still works also.

                  anyone else tested this ?

                  Limiter still not working!

                  • T
                    techgs last edited by

                    I can confirm that the issue is solved 100%.

                    My configuration :

                    1.  pfSense Version :  2.2.4-RELEASE (amd64)
                    built on Sat Jul 25 19:57:37 CDT 2015

                    2.  Packages Installed :  A.  Squid :  2.7.9 pkg v.4.3.6  ( Do not install squid3 – it's very buggy )
                    B.  Squidguard : 1.9.14  -- squid configured as a transparent proxy on the LAN interface  - the rest are default settings.

                    3.  Memory : 1 GB

                    4.  Bandwidth Available :  4 MB

                    5.  Limiter applies for testing :  only to 1 ip  ( 256 kb download and 1 mb upload )

                    6.  Result  tested with speed.net  (  Worked exactly as expected )

                    7.  All tests carried out when no one else was using the internet ( doubly confirmed )

                    Please mark that this issue is fully resolved.

                    Kudos and special thanks to  Alfanetindo  for a simple but a great solution.

                    Steps that need to be taken...

                    1.  The following rule must be the first rule

                    IPv4 TCP    *    *    *    3128    *    none        Rule to allow transparent proxy to work

                    2.  Then you can apply the limiter rule.

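The rule order in the steps above only matters because pf evaluates user rules first-match. The toy model below is an added example (not pfSense code or anything the posters wrote): it assumes, as the thread describes, that Squid's transparent mode installs a redirect that rewrites LAN TCP/80 to 127.0.0.1:3128 before the filter rules run, and then shows which rule a proxied and a non-proxied flow land on in each order. The addresses, rule names and the "LAN-limiter" pipe name are constructed.

```python
"""Toy model of pf first-match filtering on the LAN interface with a
transparent-proxy rdr in front of it. Constructed example, not pfSense code."""
from dataclasses import dataclass
from typing import Optional

PROXY_PORT = 3128


@dataclass
class Rule:
    descr: str
    dst_port: Optional[int] = None   # None matches any destination port
    dst_host: Optional[str] = None   # None matches any destination host
    limiter: Optional[str] = None    # in/out pipe name; None means unshaped

    def matches(self, pkt):
        return ((self.dst_port is None or pkt["dst_port"] == self.dst_port) and
                (self.dst_host is None or pkt["dst_host"] == self.dst_host))


def apply_rdr(pkt):
    """Model the transparent-proxy rdr (assumed LAN TCP/80 -> 127.0.0.1:3128):
    pf rewrites the destination before the filter rules run, so the rules
    see the proxy port, not the remote web server."""
    if pkt["dst_port"] == 80:
        return {**pkt, "dst_host": "127.0.0.1", "dst_port": PROXY_PORT, "rdr": True}
    return {**pkt, "rdr": False}


def evaluate(rules, pkt):
    """Return (rule description, limiter name, was_redirected) for one packet.
    pfSense user rules are 'quick', so the first matching rule wins."""
    pkt = apply_rdr(pkt)
    for rule in rules:
        if rule.matches(pkt):
            return rule.descr, rule.limiter, pkt["rdr"]
    return "default deny", None, pkt["rdr"]


# Rulesets as the thread describes them (constructed): the pass rule for the
# proxy port with no limiter, and the catch-all LAN rule carrying the pipes.
# Narrowing the pass rule to dst_host="127.0.0.1" gives the same outcome here.
PROXY_RULE = Rule("Rule to allow transparent proxy to work", dst_port=PROXY_PORT)
LIMITED_RULE = Rule("Default allow LAN to any", limiter="LAN-limiter")
WORKAROUND_ORDER = [PROXY_RULE, LIMITED_RULE]   # pass rule on top, as the post says
BROKEN_ORDER = [LIMITED_RULE, PROXY_RULE]       # limiter rule on top


def classify(rules):
    """Run one proxied (port 80) and one non-proxied (port 443) flow from a
    constructed LAN host to a TEST-NET address through the given rule order."""
    http = {"src": "192.168.1.10", "dst_host": "203.0.113.10", "dst_port": 80}
    https = {"src": "192.168.1.10", "dst_host": "203.0.113.10", "dst_port": 443}
    return {"http": evaluate(rules, http), "https": evaluate(rules, https)}


if __name__ == "__main__":
    for label, order in (("workaround", WORKAROUND_ORDER), ("broken", BROKEN_ORDER)):
        for flow, (descr, limiter, rdr) in classify(order).items():
            print(f"{label:10} {flow:5} rdr={rdr!s:5} -> {descr!r}, limiter={limiter}")
```

With the pass rule on top, the redirected HTTP flow is matched by the unshaped rule and only the non-proxied flow reaches the limiter rule, which is the behaviour later posts describe as the limiter being bypassed for proxied traffic; with the limiter rule on top, the redirected flow gets both NAT and a limiter, the combination the thread reports as broken.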
                    • D
                      djzort last edited by

                      The order of the actual pf rules must be the issue then; perhaps someone can post the pf rules of working 2.1.5 and not working 2.2.x.

                      • E
                        Ecnerwal last edited by

                        Not "solved" and the rule change does not "solve" it. Looks like it just bypasses the limiter.

                        Tried on 2.2.4, squid 3 (what was installed, has not been transparent since I decided that limiter fairness beat the heck out of squid caching if I had to pick only one of those) - traffic limited at 10 and running 10.6 shot above 12, quality shot from 40 to 1500 ms.

                        Uninstalled squid 3, installed 2.7.9.

                        Traffic again shot above 12, quality went to 400, then 1200 ms.

                        Turned off transparent and disabled firewall rule. Traffic remained high, quality low, so I reset states as well to flush it out.

                        Back to 10.4 and 27 ms.

                        Guess I'll have to find a second box to run an independent squid instance between pfSense and the rest of the LAN, since this is not remotely working (on older versions I could have both work, but only when cache hits were shaped, which was NOT the point, and the workarounds some claimed to work for that always left me with a locked up system and no network access).

                        I have been running the limiter (and basically no squid, or only non-transparent squid which is functionally like no squid) since last spring with excellent results on getting fairness while allowing most of the BW to be used (one user gets it all (minus limiter overhead to make the limiter work at all), two users share evenly, 80 users share evenly) and holding quality to a reasonable level.

                        "Quality to a reasonable level" is basically tuning the main limiters' in/out values that are then divided among users.

                        • D
                          debianxp last edited by

                          Finally the only way to fix this was installing the old version of pfSense 2.1.5. I tested with squid transparent mode, dansguardian and Limiters and everything works fine. I was reading the pfSense Digest and there are many security issues and bugs from the old version 2.1.5 to the last version 2.2.4, like multiple Cross-Site Scripting (XSS) vulnerabilities that were found in the pfSense WebGUI, and the OpenSSL "FREAK" vulnerability (If packages include a web server or similar component, such as a proxy, an improper user configuration may be affected. Consult the package documentation or forum for details.)

                          My question, is there any secure way to keep this old version for remote access?

                          Regards!

                          • C
                            chris4916 last edited by

                            That's a pretty strange technical debate here about a rule handling access to port 3128, while the idea is to use a transparent proxy, which is, by design, implemented in such a way that the proxy port is unknown on the browser side and accessed only internally.

                            Not reading even further, when I saw such proposal in term of FW rule associated with transparent proxy, I was…  :o ???....  ::)

                            If the issue is with transparent proxy only, why don't you move to explicit proxy, which is definitely far better, in any case?

                            • E
                              Ecnerwal last edited by

                              Explicit proxy is fine for my fixed machines that won't be on another network; and it's set up on them, in fact.

                              Setting up explicit proxy on mobile machines tends to break them when they go elsewhere. The user base not being all that savvy, various possible schemes of network settings to implement explicit proxy here that they would change away from when elsewhere might work for 2% of them. And it would be a pain for that 2%, even - Oh, I switched networks. Now I need to switch network settings. Oh, Joy.

                              Auto Proxy discovery is a delightfully kludgy old process (netscape - that brings back memories) and not turned on by default for most systems.

                              So, for effective proxy that actually works for the majority of a mobile user-base, transparent is useful (when it works.)

                              Your environment may differ.

                              • K
                                killmasta93 last edited by

                                Also just want to point out that limiter also break NAT Reflection mode for port forwards  :-[

                                • J
                                  JDvD last edited by

                                  Has it been solved for the new version 2.2.4?

                                  • K
                                    killmasta93 last edited by

                                    Nah, not sure, maybe for 2.2.5 :)

                                    I would love to have limiter to work with NAT reflection

                                    • Derelict
                                      Derelict LAYER 8 Netgate last edited by

                                      As far as I know this problem is punted to 2.3, unfortunately.

                                      • K
                                        killmasta93 last edited by

                                        So on 2.2.2 the Limiter does not have any issue with NAT reflection? On 2.2.4 there are still issues.

                                        • Derelict
                                          Derelict LAYER 8 Netgate last edited by

                                          I think it's 2.2.X.

                                          • E
                                            Ecnerwal last edited by

                                            @JDvD:

                                            Has it been solved for the new version 2.2.4?

                                            I'm having the problem on 2.2.4, so, no.

                                            • F
                                              foresthus last edited by

                                              Hi there,

                                              I have got the same problem. Version 2.2.4 (64Bit) does not work with transparent proxy anymore. In version 2.1.5 it worked fine. In that version (2.1.5) it was also possible to change the port of squid to a port beneath 100. This is not working in 2.2.4 as well.

                                              I guess this must be a bug.  ??? :-\

                                              • C
                                                cmutwiwa last edited by

                                                7 months later and this issue has not been addressed yet?…not complaining tho', SmallWall has kept me happy so far.
                                                I hope this issue will be addressed tho' would like to use pf.

                                                • F
                                                  foresthus last edited by

                                                  Hello,

                                                  after updating to 2.2.5 the bug is still there. Traffic shaping does not work with the proxy in transparent mode.

                                                  :-[

                                                  • J
                                                    JDvD last edited by

                                                    Ok, I have not tried it with the new version (2.2.5).
                                                    I also see in several posts that there is confusion; let's clarify this: Limiter + Transparent Proxy does not work, but Limiter + Non-Transparent Proxy works?

                                                    I think it's the same problem for all Traffic Shaper.

                                                    • D
                                                      doktornotor Banned last edited by

                                                      This entire topic has nothing to do with proxy. Limiters are (still) broken when applied to any NAT firewall rules; this is nothing specific to transparent Squid. On 2.2.x, and I cannot see any difference on 2.3 either. Broken as in dropping traffic -> unusable.

                                                      https://redmine.pfsense.org/issues/4326

                                                      • J
                                                        JDvD last edited by

                                                        I meant the subject of the title (Limiter + Proxy), but you have made it clear that it is a generalized problem with the NAT firewall rules. Thank you doktornotor

                                                        • H
                                                          herymulyo last edited by

                                                          JAJAJA NO SOLUTION … back to 2.0.3 and fix it

                                                          • G
                                                            gmar15 last edited by

                                                            Finally a SOLUTION here

                                                            https://forum.pfsense.org/index.php?topic=106640.0

                                                            • R
                                                              Riroxi last edited by

                                                              @Alfanetindo:

                                                              SOLVED*

                                                              I managed to find a simple fix. All I needed to do was create a pass all firewall rule on the (LAN) interface for port 3128 (my proxy port).

                                                              IPv4 TCP * * * 3128 * none   Rule to allow transparent proxy to work

                                                              It worked and the speed limiter still works also.

                                                              Hello!

                                                              I made some adjustments to this rule, and it worked! Thx!

                                                              Just point the rule to 127.0.0.1, and it will work!

                                                              Don't forget, the rule must be at the top, and the rule with the limiter must be below.

                                                              Some screenshots below to help.

                                                              I hope this can help someone. Sorry for my bad English.

                                                              :)

                                                              [EDIT]

                                                              Hello Again!

                                                              I tested this workaround for a few days and some apps like download managers can bypass limiters. :(

                                                              Looking for another temp solution.

                                                              Cya!

                                                              • G
                                                                geovaneg last edited by

                                                                 I suggest, as a workaround, that you limit the client bandwidth through the squid "Traffic Mgmt" tab, "Per-host throttling" option, on "Proxy server: General settings". For me, it is running ok. Sorry for my bad English too :-)

                                                                • O
                                                                  ohbobva last edited by

                                                                  For years, I've limited Squid (transparent) bandwidth using Squid "delay pools" in "Custom Options" on the "General" tab of Squid's settings.  I researched and set this up years ago, and don't remember the details, so you'll need to check Squid's documentation for info on the various options.  Here is what I've been using in the "Custom Options" box…

                                                                  positive_dns_ttl 90 seconds
                                                                  delay_class 1 3
                                                                  delay_parameters 1 1572864/1966080 1572864/1966080 524288/655360
                                                                  quick_abort_min 1024 KB
                                                                  quick_abort_max 2048 KB
                                                                  quick_abort_pct 90

                                                                  If I remember correctly, among other things, this limits the download speed of the browser, but allows some amount of bursting.

                                                                  More info at http://wiki.squid-cache.org/Features/DelayPools

                                                                  It looks like this when added to the "Custom Options" box on the "General" tab of Squid's settings in PFSense's GUI...

                                                                  positive_dns_ttl 90 seconds;delay_class 1 3;delay_parameters 1 1572864/1966080 1572864/1966080 524288/655360;quick_abort_min 1024 KB;quick_abort_max 2048 KB;quick_abort_pct 90
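To make the delay-pool settings above reviewable, here is an added example (not the poster's code and not part of Squid or the pfSense package) that splits the semicolon-joined "Custom Options" string back into directives, decodes the delay pool and expresses each bucket as a rate and a burst. It assumes Squid's documented semantics: each `delay_parameters` entry is restore_bytes_per_second/max_bucket_bytes, `-1/-1` means unlimited, and a class 3 pool lists aggregate, per-network and per-host buckets in that order.

```python
"""Decode a pfSense Squid "Custom Options" string into rate/burst figures.
Added example with constructed input; not code from the post or from Squid."""

# Constructed input: the one-line form the post shows for the pfSense box.
CUSTOM_OPTIONS = (
    "positive_dns_ttl 90 seconds;delay_class 1 3;"
    "delay_parameters 1 1572864/1966080 1572864/1966080 524288/655360;"
    "quick_abort_min 1024 KB;quick_abort_max 2048 KB;quick_abort_pct 90"
)

# Bucket names per delay_class, in the order delay_parameters lists them.
CLASS_BUCKETS = {
    1: ("aggregate",),
    2: ("aggregate", "individual"),
    3: ("aggregate", "network", "individual"),
}


def split_custom_options(text):
    """pfSense stores Custom Options joined by ';' and writes them to squid.conf
    one per line; reproduce that split so each directive can be parsed."""
    return [part.strip() for part in text.split(";") if part.strip()]


def parse_delay_pools(directives):
    """Collect delay_class / delay_parameters into {pool_id: {...}}.
    Unrelated directives (positive_dns_ttl, quick_abort_*) are ignored."""
    pools = {}
    for line in directives:
        tok = line.split()
        if tok[0] == "delay_class":
            pool = pools.setdefault(int(tok[1]), {})
            pool["class"] = int(tok[2])
        elif tok[0] == "delay_parameters":
            pool = pools.setdefault(int(tok[1]), {})
            buckets = []
            for pair in tok[2:]:
                restore, cap = pair.split("/")
                buckets.append((int(restore), int(cap)))
            pool["buckets"] = buckets
    return pools


def describe_pool(pool):
    """Turn each (restore, max) pair into Mbit/s and seconds of burst.
    Raises if the bucket count does not match the class, the usual
    copy/paste mistake that makes Squid reject the configuration."""
    names = CLASS_BUCKETS[pool["class"]]
    buckets = pool["buckets"]
    if len(buckets) != len(names):
        raise ValueError(f"class {pool['class']} needs {len(names)} buckets, got {len(buckets)}")
    result = {}
    for name, (restore, cap) in zip(names, buckets):
        if restore == -1 and cap == -1:
            result[name] = None          # unlimited bucket
            continue
        if restore <= 0 or cap <= 0:
            raise ValueError(f"{name}: restore/max must be positive or -1/-1")
        result[name] = {
            "rate_mbit_s": restore * 8 / 1_000_000,  # bytes/s -> decimal Mbit/s
            "burst_bytes": cap,                      # bucket size: bytes allowed at full speed
            "burst_seconds": cap / restore,          # how long a full bucket lasts
        }
    return result


def summarise(text):
    """Full pipeline: Custom Options string -> {pool_id: described buckets}."""
    pools = parse_delay_pools(split_custom_options(text))
    return {pid: describe_pool(pool) for pid, pool in pools.items()}


if __name__ == "__main__":
    for pid, buckets in summarise(CUSTOM_OPTIONS).items():
        print(f"delay pool {pid}:")
        for name, info in buckets.items():
            if info is None:
                print(f"  {name}: unlimited")
            else:
                print(f"  {name}: {info['rate_mbit_s']:.2f} Mbit/s, "
                      f"burst {info['burst_bytes']} bytes ({info['burst_seconds']:.2f} s)")
```

For the quoted settings this reports roughly 12.58 Mbit/s for the aggregate and network buckets and 4.19 Mbit/s per host, each with a 1.25-second bucket, which is the "limits the browser but allows some bursting" behaviour the post describes.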
                                                                  • G
                                                                    GraKa last edited by

                                                                    Hello,

                                                                    is the problem that the Limiters are not working with the transparent proxy solved in pfSense 2.3?
                                                                    And I mean without any workarounds.

                                                                    Thanks!

                                                                    • J
                                                                      JDvD last edited by

                                                                      @GraKa:

                                                                      Hello,

                                                                      is the problem that the Limiters are not working with the transparent proxy solved in pfSense 2.3?
                                                                      And I mean without any workarounds.

                                                                      Thanks!

                                                                      Not yet. Unfortunately…

                                                                      @gmar15:

                                                                      Finally a SOLUTION here

                                                                      And the gmar15 solution does not work for each IP, it only makes a single pipe…

                                                                      • A
                                                                        alfredopea last edited by

                                                                        Check this issue:

                                                                        https://redmine.pfsense.org/issues/4325

                                                                        Just change the transfer rate from megabits to kilobits in your limiters (download/upload) and everything will work fine again.

                                                                        The problem is with squid 2.7.9+ and ipfw limiters.

                                                                        Example 1.5 Mbps (1536 Kbps) Download and 1 Mbps (1024 Kbps) limiters:

                                                                        Hope this helps, and sorry about my English.

                                                                        • F
                                                                          felipemb last edited by

                                                                          Hi Alfredo,

                                                                          This solution did not work on 2.3.1  :(

                                                                          In this video: https://www.youtube.com/watch?v=wcSyGDXkJ9A

                                                                          How do I create a queue on the LAN interface in 2.3.1?

                                                                          Thanks for the help!!

                                                                          • E
                                                                            elic last edited by

                                                                            Any solution?

                                                                            • C
                                                                              Cergoo last edited by

                                                                              2.3.2-RELEASE  Limiter+Squid still not working

                                                                              • J
                                                                                jbx907 last edited by

                                                                                Hi guys, someone showed me this link and I also have problems. It is mostly with slow site links: Facebook and YouTube open, but slow sites do not open. I'm using 2.3.2 latest but still no luck; I have to just give up squid since the limiter already saves the bandwidth.

                                                                                • S
                                                                                  shapoval last edited by

                                                                                  Working (for me on 2.3.2) by simply adding a LAN rule at the top, Destination, Any, From (other) 3128 to (other) 3128 Custom.

                                                                                  Credit to: Adrea Guglielmini http://guglio.xyz/pfsense-2-3-limiters-and-squid-bugfix/

                                                                                  • C
                                                                                    Cergoo last edited by

                                                                                    @shapoval:

                                                                                    Working (for me on 2.3.2) by simply adding a LAN rule at the top, Destination, Any, From (other) 3128 to (other) 3128 Custom.

                                                                                    Credit to: Adrea Guglielmini http://guglio.xyz/pfsense-2-3-limiters-and-squid-bugfix/

                                                                                    It really works. Thank you for your message.
