    Limiter blocks internet access (Squid transparent proxy)

      cmutwiwa last edited by

      Hi,
      I'm trying to configure the limiter as demonstrated by "foxale08" here: https://forum.pfsense.org/index.php?topic=63531.0
      However, I can't access any web page with the limiters enabled, they seem to block all traffic but I can ping hosts.
      I'm using squid in transparent mode.
      How can I make the limiter work? I did some research on the forum and found other cases of limiter not working with transparent proxy but can't find a solution.
      Kindly guide me on how to make both work, I wouldn't like to drop one.

      Regards

      Cosmas.

        cmutwiwa last edited by

        Hi guys,
        So, Limiter + Transparent Squid… is it really workable? Or do they just not mix...
        I'm trying to share bandwidth evenly on LAN as demonstrated by "foxale08" in the post I've linked above and at the same time use squid for caching purposes given my very limited bandwidth.

        Kindly advise...

          Shuon last edited by

          I can fully confirm the same issue. Once the squid process is stopped, the limiter works again.

          Will be testing with DansGuardian later today to see if I have the same issue. If not, looks like I might need to switch my content filtering utility.

          ~Shu

          Edit: Blah - Dunno why I mentioned DG. That's a filter - the issue is with the proxy service itself….

            cmutwiwa last edited by

            At least now I'm not the only one experiencing this. Shuon, kindly let me know of any developments.

              Shuon last edited by

              I don't think there is anything I/you/we can do about the compatibility issue. I can get the limiter to work by simply changing the squid binding to the loopback, without disabling it. This tells me there is some sort of binding issue with how squid works now and the limiter feature of pfSense. Something is getting goofed in the stack.

              For now, I'll likely use the captive portal to perform some bandwidth limiting. If I had a spare machine, I would set up a second instance of pfSense - one as a UTM and the other as the limiter.

              All I can think of doing is putting in a report with the Squid devs to see if they are aware of the issue. Seems this issue is specific to Squid3, also. I don't recall having it with the prior version of Squid.

              Maybe if I get some time I'll work on testing the older version of Squid/squidguard and the limiter. I'll let you know the results.

                Shuon last edited by

                Good News! I've got it working!
                Bad News? I had to roll-back to pfSense 2.5.1. On this version, I'm able to use squid + traffic shaping to limit bandwidth.

                  cmutwiwa last edited by

                  @Shuon:

                  Good News! I've got it working!
                  Bad News? I had to roll-back to pfSense 2.5.1. On this version, I'm able to use squid + traffic shaping to limit bandwidth.

                  Sounds promising. I don't think it's a problem for me to use an old version since I'm not using pfSense for a lot of things, only the traffic shaper and squid. I'm curious though, are you using squid in transparent mode? Also, I only tried with squid3; I will try with the squid stable version and report results.

                  Update:
                  I've tried the squid stable version but it's still not working for me. I still can't use squid with the Limiter. I disabled squid transparent mode and I could access the internet without proxy settings on the browser, but squid wasn't caching anything. I really would like this to work for me even if with an older version of pfSense; that's why I would like to know if in your case squid is in transparent mode or what you are using squid for.

                    Shuon last edited by

                    Yup, squid is in transparent mode. I'm using a fresh/clean install of 2.5.1. It could also be an issue with your configuration. If you were in messing with some of the settings, that could also be messing with ya right now.

                    Here is the general setup/what I have running right now. Very basic, since it is a clean install, but it works. I might try to do a clean/fresh install to 2.2.1 (rather than the upgrade) and see if that makes any difference. I'd rather be running the latest/greatest of pfSense rather than an older version, simply due to bug / security fixes.

                    https://www.walj.us/rand/pfs/pfsense-squid-limiter.cfm

                      cmutwiwa last edited by

                      Thanks Shuon, this is very helpful. I'm suspecting I have something wrong with the firewall rule, I have a very simple limiter and squid setup, will do everything afresh and see.

                      Update:
                      I can confirm that squid + limiter works on 2.5.1. I couldn't get it working on 2.2 & 2.2.1… guess I'm going to stick with 2.5.1 for a while, at least until someone confirms this setup works with any newer version of pf.

                      Thanks a lot, Shuon

                        Riroxi last edited by

                        I'm having the same issue here.

                        On 2.2.1 I can't limit with squid.

                        An old 2.1.5 runs perfectly.

                        Has anyone else had this issue?

                          doktornotor Banned last edited by

                          Known issue, nothing new here.

                            Gig11gs last edited by

                            @doktornotor:

                            Known issue, nothing new here.

                            Hello, is there any temp workaround? I really need this.
                            Thanks

                              doktornotor Banned last edited by

                              No.

                                vallum last edited by

                                doktornotor, please share the reason why it is working on 2.1 and not in 2.2. I'm using squid 2.7.9 with pfSense 2.2.1 and facing the same issue.

                                  doktornotor Banned last edited by

                                  Because it's broken. SIGDUH! If the devs knew what's broken where, they'd fix it.

                                    vallum last edited by

                                    Thank You doktornotor,

                                    I want to restrict bandwidth and at the same time do URL filtering for LAN users.

                                      doktornotor Banned last edited by

                                      Well then stick with 2.1.5 until fixed.

                                        Supermule Banned last edited by

                                        Just a thought…. in 2.2.x they introduced Unbound as the default resolver.

                                        Could it be related to that?

                                        If changing DNS forwarder to the former one also available in the GUI, will it work??

                                          doktornotor Banned last edited by

                                          Hmmm? Not really sure how this is related to unbound, or even any resolver at all? When I put limiters on a NAT firewall rule, the traffic stops flowing. As simple as that.

                                            gringo13 last edited by

                                            I have the same problem.
                                            First, I am sorry for my English.
                                            I installed squid in transparent mode. The filter is active and everything works well.
                                            When I activate the limiter, I can't access the internet.

                                            If I disable transparent mode in the proxy server, the internet is accessible and the limiter works fine. But the filter doesn't work.
                                            What is the problem and what can I do?
                                            Help please. Regards.

                                              doktornotor Banned last edited by

                                              @gringo13:

                                              What is the problem

                                              It is broken! Did you read the thread?

                                              @gringo13:

                                              and what can I do?

                                              Ditch the proxy, or wait, or get debugging and coding.

                                                gringo13 last edited by

                                                @doktornotor:

                                                @gringo13:

                                                What is the problem

                                                It is broken! Did you read the thread?

                                                @gringo13:

                                                and what can I do?

                                                Ditch the proxy, or wait, or get debugging and coding.

                                                The problem is that transparent mode and the traffic shaper don't work at the same time.
                                                If I disable the limiter, the internet is not blocked. But if I enable the limiter, the internet is blocked.
                                                Or if I disable transparent mode and enable the limiter, then it works fine but the filter doesn't work.

                                                What do I need to make both work at the same time?

                                                  doktornotor Banned last edited by

                                                  @gringo13:

                                                  What do I need to make both work at the same time?

                                                  Go re-read the previous reply a couple of times.

                                                    Riroxi last edited by

                                                    This issue persists on 2.2.2? Oh Crap :(

                                                      Skegton last edited by

                                                      I also noticed this yesterday. After limiters were added to the pass-all rule and logging was enabled, the rule blocks all traffic for that interface and fills up the System logs.

                                                        doktornotor Banned last edited by

                                                        Your "fills up the System logs" non-issue has nothing to do with the topic here. When you log ALL passed traffic, then yeah, your logs are going to fill up, limiters or not.

                                                          eri-- last edited by

                                                          @doktornotor:

                                                          Hmmm? Not really sure how this is related to unbound, or even any resolver at all? When I put limiters on a NAT firewall rule, the traffic stops flowing. As simple as that.

                                                          This should be fixed in 2.2.3 snapshots.

                                                            doktornotor Banned last edited by

                                                            Thanks, will test as soon as nanobsd becomes usable again…  :D

                                                              cwagz last edited by

                                                              @ermal:

                                                              @doktornotor:

                                                              Hmmm? Not really sure how this is related to unbound, or even any resolver at all? When I put limiters on a NAT firewall rule, the traffic stops flowing. As simple as that.

                                                              This should be fixed in 2.2.3 snapshots.

                                                              I am seeing this problem on 2.2.3-DEVELOPMENT (amd64) built on Fri Jun 19 14:25:29 CDT 2015 FreeBSD 10.1-RELEASE-p13.  No traffic with limiter and transparent proxy.

                                                                doktornotor Banned last edited by

                                                                Yeah this is still broken. Don't use limiters on NAT.

                                                                https://redmine.pfsense.org/issues/4596
                                                                https://redmine.pfsense.org/issues/4590

                                                                  NABAMB last edited by

                                                                  Still not working on pfSense 2.2.3 final release. I need both the limiter and the transparent squid proxy to work together for my scenario.

                                                                  Regards,

                                                                  Nabeel

                                                                    Alfanetindo last edited by

                                                                    I have been having this problem also. It's a BIG problem actually for me. Does anyone know if it's been fixed yet, and if not, if it's been brought to the developers' attention?

                                                                      Derelict LAYER 8 Netgate last edited by

                                                                      Apparently the changes to fix this are significant so they have pushed it to 2.3.  I see they're planning a 2.2.5 first so you're looking at months (at least) before limiters are usable again. Use 2.1.5 and hope no significant vulnerabilities appear since they have stated they will not be patched.  Or evaluate other options, as I am.

                                                                      2.2 is, for the most part, useless if you rely on dummynet limiters.

                                                                        Abhishek last edited by

                                                                        @doktornotor:

                                                                        Well then stick with 2.1.5 until fixed.

                                                                        Can anyone share the pfSense 2.1.5 USB image?

                                                                          Derelict LAYER 8 Netgate last edited by

                                                                          That's a pretty good question.

                                                                          I just clicked around and couldn't find a 2.1.5 download.

                                                                          You might want to start thinking about other products/distros if you can't wait months for the functionality you need.

                                                                          I <3 pfSense but this limiter shit is getting old.

                                                                            doktornotor Banned last edited by

                                                                            @Derelict:

                                                                            That's a pretty good question.

                                                                            I just clicked around and couldn't find a 2.1.5 download.

                                                                            Your clicking skills suck.  ;D :P

                                                                            Just click on the "Just show me the mirrors" on the download page. Select one, and go to "old" dir.

                                                                              Derelict LAYER 8 Netgate last edited by

                                                                              Didn't see the old dir.  Knew it was there somewhere.  Thanks.

                                                                                Alfanetindo last edited by

                                                                                SOLVED*

                                                                                I managed to find a simple fix. All I needed to do was create a pass all firewall rule on the (LAN) interface for port 3128 (my proxy port).

                                                                                IPv4 TCP * * * 3128 * none   Rule to allow transparent proxy to work

                                                                                It worked and the speed limiter still works also.

                                                                                  Abhishek last edited by

                                                                                  @Alfanetindo:

                                                                                  SOLVED*

                                                                                  I managed to find a simple fix. All I needed to do was create a pass all firewall rule on the (LAN) interface for port 3128 (my proxy port).

                                                                                  IPv4 TCP * * * 3128 * none   Rule to allow transparent proxy to work

                                                                                  It worked and the speed limiter still works also.

                                                                                  Has anyone else tested this?

                                                                                    gringo13 last edited by

                                                                                    @Abhishek:

                                                                                    @Alfanetindo:

                                                                                    SOLVED*

                                                                                    I managed to find a simple fix. All I needed to do was create a pass all firewall rule on the (LAN) interface for port 3128 (my proxy port).

                                                                                    IPv4 TCP * * * 3128 * none   Rule to allow transparent proxy to work

                                                                                    It worked and the speed limiter still works also.

                                                                                    Has anyone else tested this?

                                                                                    Limiter still not working!
