Nightmares from Squid3 & squidGuard-devel !



  • Hi guys,

    I'm quite new to pfSense. Trying to configure Squid3 & squidGuard-devel for about three days, I'm having nightmares! That's why I have a simple question.

    But first I want to explain my problem to you.

    My first impressions of pfSense were "WOW!" So simple to use and so many possibilities. I want it! That's why I installed my pfSense box to secure my small home network, following this guide (the only difference is that my management access is on the LAN interface):

    http://people.pharmacy.purdue.edu/~tarrh/Transparent%20Firewall-Filtering%20Bridge%20-%20pfSense%202.0.2%20By%20William%20Tarrh.pdf

    My network looks like this:

    ISP --- Router (192.168.1.1/24) --- pfSense (transparent - LAN Mgmt 192.168.1.2/24) --- Switch --- LAN (192.168.1.0/24 clients: smartphones, tablets, etc.)

    Having a teenager at home (as maybe some of you), I wanted to set up a simple content filter. After some research, I decided to install Squid3 & squidGuard-devel. I installed the packages and configured them with blacklist, common ACL, etc.

    Setting the proxy on my notebook (192.168.1.2:3128), the filter is just amazing. Everything is filtered as it should be. No porn, no violence, no drugs, just the perfect world! In the next step, I only wanted to switch it into transparent mode (web filter for smartphones, tablets; I don't want to configure all devices manually). Ticking the option in Squid proxy filter brought the big disappointment: "Page can't be displayed".

    Like an NSA employee, I grabbed all the information concerning that issue (there is a lot!) that I could find on the internet. I read hundreds of posts and threads, stalked Google with my search queries and couldn't find any solution to my problem. Nearly giving up, I had the idea to manually set a NAT rule which redirects all traffic to Squid (port 3128). Still nothing. In the firewall logs, I see that the request passes to the mentioned port, but nothing happens.

    Returning to my first question: is there a compatibility problem with Squid3 and pfSense 2.2.1-RELEASE (amd64) (FreeBSD 10.1-RELEASE-p6), or am I simply an idiot for not figuring out how to configure it? Is somebody out there who is running that kind of configuration where it works? If not, is there a new version of Squid coming? Should I simply wait for the new version? It's so frustrating. I really dreamed last night about it - I should maybe stop trying to find a solution  ;D

    Many thanks for your experiences or help, if you have any idea where the problem could be.

    Inverse26



  • I use this combo:
    2.2.1-RELEASE (amd64)

    squid3        Network               3.4.10_2  pkg 0.2.6
    squidGuard    Network Management    1.4_7     pkg v.1.9.10

    in transparent mode. Works flawlessly apart from the fact that every time you reboot pfSense you need to download and install the blacklist again.



  • Hi Mir,

    Thanks for your suggestions. I will give it a try this evening, hoping that it will resolve my problem. Just got home from work - first I have to enjoy my beer  ;)

    Greetz



  • Me again,

    it didn't work with your suggestions. Still the same problem, even after reloading the blacklist, restarting pfSense, saving every tab one by one and reinstalling squid/squidGuard. The only error message I can find (system log) is:

    php: squidGuard_blacklist_update.sh: The command '/usr/pbi/squid-amd64/local/sbin/squid -k reconfigure' returned exit code '1', the output was 'Shared object "libmd5.so.0" not found, required by "squid"'

    I already searched a bit in here. It seems to be a well-known problem which isn't fixed yet (or I simply didn't find the thread with a solution).

    Any other suggestions? Many thanks in advance.

    Inverse26



  • I have mine working to proxy HTTP and HTTPS in transparent mode:
    https://forum.pfsense.org/index.php?topic=90361.msg502364#msg502364
    Can I ask why you have the router at 192.168.1.1 and essentially another router at 192.168.1.2, or does your pfSense only have one NIC? The reason I ask is that if all your devices get 192.168.1.1 as their gateway, then none of your traffic is going through your pfSense box.
    Also, I hate to burst your bubble, but try searching for porn at images.google.com. Pretty easy unless your filter forces safe search. I am using Diladele Web Safety http://www.quintolabs.com/ which is a content filter, not a URL blocker. It is paid for, but it will update the blacklist at least weekly. They don't have a pfSense version for FreeBSD 10 yet, though, as I am trying to force a FreeBSD 9 port into submission currently. I have pfSense 2.1.5 and Web Safety version 3.5 working at two locations at my kids' school and it works great, sometimes too good. My point is, if you are not looking at the content then you are only as good as the URL. You can get an eyeful if you search for something like MILF on images.google.com, as it is HTTPS and google.com is an accepted OK site in the URL blocking.
    Anyway, I would set up pfSense to be your only router or put it on a different subnet so that you force all traffic through it. You can get a dual NIC port card at Amazon for $38.

    Jim



  • From a command line:
    cd /usr/local/lib
    ln -s /usr/pbi/squid-amd64/local/lib/libecap.so.2 libecap.so.2
    ln -s /usr/pbi/squid-amd64/local/lib/libmd5.so.0 libmd5.so.0
    /usr/pbi/squid-amd64/local/sbin/squid -k reconfigure



  • Hi there,

    @Jambro:

    I only have one router (192.168.1.1). The second one is my pfSense box in transparent mode. They are connected directly to each other (the traffic can only pass through the pfSense box; management can be accessed via 192.168.1.2). I couldn't set my router to bridged mode and use the pfSense box as router, because the phone wouldn't work any more.

    My pfSense box has two NICs. As mentioned, when setting my proxy manually, internet content is restricted/filtered. The problem only occurs when changing to transparent mode. I know that I can't filter Google searches, but it would have been better than nothing (you can't protect your children from everything).

    @Mir:

    Entering the last command, I'm getting the following error message, but thanks for your help:

    php: squidGuard_blacklist_update.sh: The command '/usr/pbi/squid-amd64/local/sbin/squid -k reconfigure' returned exit code '1', the output was 'FATAL: Unable to open configuration file: /usr/local/etc/squid/squid.conf: (2) No such file or directory Squid Cache (Version 3.4.10): Terminated abnormally. CPU Usage: 0.016 seconds = 0.008 user + 0.008 sys Maximum Resident Size: 45648 KB Page faults with physical i/o: 0

    Conclusion:

    I will stop trying to find a solution. I know that this package is based on volunteers, but I would suggest adding a remark in the package info that there can be problems with a fresh install (or simply removing it from there). I'm really frustrated: searching, installing, uninstalling, typing commands into my SSH shell, hoping that it will finally work with some luck. We need a stable version!

    Anyway, I wish you all a nice evening/morning/afternoon (depending on your time zone).

    Greetz

    Inverse26



    Maybe you simply need to save the squid config from the GUI. Because your squid did not work prior to creating the links to the missing libraries, it simply never created the config file.



    Reading this and assuming I understand everything, there is some misunderstanding.

    HTTP proxy usage

    1 - HTTP proxy in explicit or transparent mode are two very different beasts. One can't switch from one to the other so easily, at least because if the proxy is not deployed at your default gateway address (or if you don't deploy some nasty redirect at network level) it will just not work.

    2 - If you go for a transparent proxy, either you have to block HTTPS at FW level or be sure that your teenager will quickly bypass your proxy, because a transparent proxy does NOT handle HTTPS. No content filtering, obviously, but also no URL filtering. HTTPS flows go directly to the internet.

    3 - If you don't want to manually set up the proxy on each device but still want to control HTTPS, the right technical approach is WPAD  ;)

    Network design

    1 - As highlighted in another post, your network design is somewhat strange. Your pfSense box with one single interface is either meaningless or overkill. Meaningless because it doesn't act as a firewall/packet filter, or overkill if you use pfSense as a proxy server only. Furthermore, a proxy server in transparent mode with one single network interface is somewhat challenging from a network standpoint, because packets that come back from the web server could reach the browser without returning through the HTTP proxy if both proxy and clients are on the same network.

    2 - Why not follow this setup:

    internet <- (your public IP) ->  your router (192.168.1.1)  <- pfSense external interface (192.168.1.2) <- pfSense server -> pfSense internal interface (192.168.2.1) <- switch -> clients on 192.168.2.0/24 network

    Then you can run the proxy on pfSense in either explicit or transparent mode.

    Notice that a proxy on pfSense is also not the best idea in an ideal world, with some potential side effects, although it could be acceptable for your purpose.



  • Hi Chris,

    I think there is a misunderstanding. My pfSense box has TWO network interfaces: an external one, which is directly connected to my router, and an internal one, which is connected to my internal LAN switch. All traffic is going through it.

    My router has a public address and an internal address (192.168.1.1). My pfSense box is configured to work as a transparent firewall (the external interface doesn't have an IP address; external & internal interface are bridged -> see the link to the HowTo in my first post). Only my internal interface has one, so that I can access my pfSense and manage it over the web GUI.

    Do my router and internal LAN have to be in different subnets? Actually everything is in the same subnet. I heard about WPAD. I will have a closer look at it; maybe that would be an option. Can I configure WPAD on my pfSense?

    Have to go back to work now. Hope to hear from you.

    Greetz
    Inverse26



    OK, got it now. I missed this URL in your first message  :-[
    I just wonder why you decided to go for such a strange design that is adding some extra complexity, but… why not.

    For sure it makes things less straightforward, especially when it comes to implementing a transparent proxy that will intercept requests on port 80 and forward them to squidGuard, while HTTPS requests will be redirected directly to the default gateway.



    I decided to go with such a strange design because I read in a thread/post that if I don't set my router to bridged mode (which I actually can't - the phone wouldn't work any more), the only possibility to use pfSense was to use it as a transparent firewall (the other solution would be to set my router to bridged mode and use my pfSense box as router). Am I wrong with my assumption? What would be your advice? How would you set it up?

    If you have any improvements, I would really appreciate your advice.

    Many thanks in advance.

    Greetz
    Inverse26



    I can't help on the "bridge mode + transparent proxy" aspects  :-\ but at least your comment clarifies your landscape.
    When you write phone, do you mean VoIP? Are you using SIP?
    If yes, I assume you already read this.



  • Hi Chris,

    sorry for my late response. I was quite busy the last few days.

    I could now resolve my issue by going a totally different way. I uninstalled squidGuard and installed DansGuardian instead (maybe you have heard about it). I even managed to filter the Google web/image searches by adding this line under Services:Dansguardian:ACLs:URL Lists:Modify - it enforces Google safe search.

    "(^http://..google../.?.)"->"\1&safe=active&"

    I blocked all HTTP and HTTPS traffic (firewall rule) on the LAN side and added an entry in my DHCP settings pointing to the wpad.dat file which I created. If the browser is now configured to automatically detect the connection settings, all traffic is going through my proxy and is filtered.

    Everything works fine except that Android devices don't support automatic proxy detection (wpad.dat) :-\ I'm still looking for a solution. I will post my results.

    Inverse26
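The WPAD approach recommended by Chris above (point 3 of the "HTTP proxy usage" list) and implemented by Inverse26 in the post just above works by serving a PAC file called wpad.dat that every auto-configuring browser fetches at startup. The example below is an added illustration, not Inverse26's actual wpad.dat and not part of the pfSense or DansGuardian packages. It assumes the filtering proxy listens at 192.168.1.2:3128 and that the LAN is 192.168.1.0/24, matching the addresses given in the thread. Browsers provide the PAC helper functions (isPlainHostName, shExpMatch, isInNet) themselves; they are re-implemented here in simplified form (no DNS lookups) so the decision logic can be tested outside a browser.

```javascript
// wpad.dat: proxy auto-configuration for a home content filter.
// Added example; assumed addresses: proxy 192.168.1.2:3128, LAN 192.168.1.0/24.
// Written in old-style JS (var, function declarations) because PAC interpreters
// are conservative about language features.

// --- Simplified PAC helpers (browsers ship their own; these are assumptions) ---

// True for hosts without a dot, e.g. "pfsense" or "printer".
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Shell-style glob match: "*" matches anything, "?" a single character.
function shExpMatch(str, pattern) {
  var escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")  // escape regex metacharacters
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$").test(str);
}

// Dotted-quad IPv4 string -> integer, or null if it is not a literal address.
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

// True if host (given as a literal IPv4 address) lies inside net/mask.
// The real browser helper resolves names via DNS; this version deliberately
// treats non-literal hosts as "not in net" so it stays deterministic offline.
function isInNet(host, net, mask) {
  var h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  return (h & m) === (n & m);
}

// --- The actual PAC entry point the browser calls for every request ---

var FILTER_PROXY = "PROXY 192.168.1.2:3128";   // assumed filtering proxy
var LAN_NET = "192.168.1.0";
var LAN_MASK = "255.255.255.0";

function FindProxyForURL(url, host) {
  // Local names and the LAN itself (including the pfSense GUI) go direct,
  // otherwise the proxy would sit in the path of its own management traffic.
  if (isPlainHostName(host) || host === "localhost" || shExpMatch(host, "*.local")) {
    return "DIRECT";
  }
  if (isInNet(host, LAN_NET, LAN_MASK)) {
    return "DIRECT";
  }
  // Everything HTTP or HTTPS bound for the internet goes through the filter.
  // No "; DIRECT" fallback: if the proxy is down the client fails closed rather
  // than silently bypassing the filter, which is what the LAN firewall rule
  // blocking direct 80/443 would do anyway.
  if (url.indexOf("http:") === 0 || url.indexOf("https:") === 0) {
    return FILTER_PROXY;
  }
  // Other schemes (ftp etc.) are not handled by the HTTP proxy.
  return "DIRECT";
}
```

Serve the file from a web server reachable on the LAN as `http://192.168.1.2/wpad.dat` (the address is an assumption; any host will do) and hand that URL to clients with DHCP option 252, which is what the "entry in my DHCP settings" in the post above does. Two caveats that follow from the thread: the PAC file is a convenience, not an enforcement point, since any device can ignore it (Android's lack of WPAD support is exactly that case), so the firewall rule blocking direct 80/443 from the LAN, while still permitting the proxy host itself to reach the internet, is what actually makes the filter mandatory; and because the browser now talks to the proxy explicitly, HTTPS requests arrive as CONNECT requests carrying the hostname, which is why URL filtering works for HTTPS here even though it did not in transparent mode.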



    Why don't you use a double firewall then? Leave the phone plugged into the first router (192.168.1.1); the pfSense box on the WAN interface can either be the IP you said or get a DHCP lease from the first router.
    Then on the LAN side make it a 10.x.x.x IP scheme so that none of the LAN side will even see the same subnet as the first router. Then put all your computers behind the second router (pfSense).
    I have that working here at home now. I think DansGuardian would be a better choice as it is a content filter, not just a DNS URL blocker.
    You will still need to have the SSL man-in-the-middle working or Google won't get filtered.

    Jim
