Netgate Discussion Forum

WPAD Setup help [Solved]

Cache/Proxy
78 Posts 14 Posters 30.2k Views
    aGeekhere
    last edited by Jul 21, 2015, 12:59 AM

    It is the DNS forwarder that needs the Host Override configuration.

    Never Fear, A Geek is Here!

      irajames
      last edited by Aug 29, 2015, 8:27 AM

      @User43617:

      @aGeekHere:

      2. Disable DNS Resolver Updated needs to be on

      3.Configure DNS Service
      add new Host Overrides

      
      Host: wpad
      Domain: mylocaldomain.local
      IP Address: 192.168.1.1
      Description: WPAD Autoconfigure Host
      
      

      save
      Updated change Listen Port to 3128
      Enable DNS forwarder
      save

      Quick question, for clarification on the above quote, please:
      I currently have DNS Resolver off and DNS forwarder on with the above Host Override configured on the DNS Forwarder.

      Which one did you apply the Host Override configuration to?

      Which one did you change to listen on port 3128 (same as Squid3, unless you changed that; I don't think you did, based on your proxy.pac code)?

      I added the Firewall rules for blocking HTTP and HTTPS and I can't load internet pages.  I can still get to local servers.  Nothing's being filtered by Squidguard.  Or, at least, it's not showing up in the logs.  Wondering if that's my problem now.

      I'm also wondering do I put listen to 3128 in DNS Forwarder or in DNS Resolver?

        aGeekhere
        last edited by Aug 29, 2015, 9:28 AM Aug 29, 2015, 9:24 AM

        I'm also wondering do I put listen to 3128 in DNS Forwarder or in DNS Resolver?

        see above post :)

        And while I am here, one issue that remains with this setup is that programs that have no proxy settings and want to connect directly will get blocked by the port 80 rule.

        If someone has any advice on how to solve this I'll update the first post.

        Never Fear, A Geek is Here!

          KOM
          last edited by Aug 30, 2015, 1:55 AM

          If someone has any advice on how to solve this i'll update the first post.

          Add a firewall rule(s) to allow specified LAN IPs to connect to specified destination IPs via 80.  Put it above the HTTP/S block.  Use an alias to hold the LAN IPs of your clients that have apps that don't support proxy, and an alias to hold all the IPs of the servers they need to talk to.  That's it.

            aGeekhere
            last edited by Aug 30, 2015, 2:55 AM

            and an alias to hold all the IPs of the servers they need to talk to

            The problem is first finding the server that they need to talk to, then updating that rule when they change it. If the destination server is dynamic then you will never know the destination server.

            But I guess that is all we can do.

            Never Fear, A Geek is Here!

              KOM
              last edited by Aug 31, 2015, 1:55 PM

              But I guess that is all we can do.

              Them's the breaks.

                enrique.perezrul
                last edited by Sep 17, 2015, 2:15 AM

                @aGeekHere:

                2. Disable DNS Resolver Updated needs to be on

                3.Configure DNS Service
                add new Host Overrides

                
                Host: wpad
                Domain: mylocaldomain.local
                IP Address: 192.168.1.1
                Description: WPAD Autoconfigure Host
                
                

                save
                Updated change Listen Port to 3128
                Enable DNS forwarder
                save

                This is working on my machine, but I would like to know if you can help me understand why you need to enable DNS forwarder and set the listening port to 3128. I have pfSense 2.2.4; DNS Resolver is enabled by default and DNS forwarder is disabled. I have created the host override on DNS Resolver for it to work and enabled the DNS Forwarder service on port 3128.

                Also, why do you need the host override if DHCP is configured with the IP address and not a domain name? I would appreciate it if you help me understand this.

                  aGeekhere
                  last edited by Sep 17, 2015, 3:20 AM

                  Hi enrique.perezrul

                  Hmm, some hard questions there, will do my best. Let's start with reading from the wiki:

                  https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

                  WPAD will take the domain name given to the machine, likely assigned by DHCP, and prepend wpad.. If the domain is example.com, it will look for wpad.example.com. This task may be accomplished with the DNS Forwarder/DNS Resolver in pfSense or with another internal DNS server used by client PCs.

                  why do you need to enable DNS forwarder

                  Because you need to create a Host Override for the wpad.

                  …set listening port to 3128

                  Because I wanted to use port 53 for the DNS Resolver (Will need to look more into why I used port 3128)

                  Also why do you need the host override if dhcp is configured with the ip address and not a domain name

                  Some web browsers use DNS to configure them, others use DHCP, so both are needed.

                  Never Fear, A Geek is Here!

                    maverik1
                    last edited by Sep 17, 2015, 7:32 PM

                    Looking for a well documented guide or video to help configure wpad. Do any exist?

                      chavarriaa
                      last edited by Sep 17, 2015, 7:43 PM

                      @maverik1:

                      Looking for a well documented guide or video to help configure wpad. Do any exist?

                      With this post I configured WPAD, but if you have problems, create your own post. Problems are never the same.

                        KOM
                        last edited by Sep 17, 2015, 7:45 PM

                        Looking for a well documented guide or video to help configure wpad. Do any exist?

                        Look at the post above yours, specifically the link to WPAD Autoconfigure for Squid.

                          maverik1
                          last edited by Sep 18, 2015, 12:00 AM

                          I've checked that out but it's quite vague. For example, I run vlans on pfsense. My guest network is 10.0.0.0/24 and my home lan is 192.168.2.0/24.

                          In the wpad file what do I need to specify as the proxy address?  I have configured pfsense such that guest vlan cannot access home vlan and vice versa. As I do not have a separate box I will have to host the wpad on the pfsense box.

                          function FindProxyForURL(url, host)
                          {
                              return "PROXY 192.168.2.1:3128";
                          }

                          What does this need to be to support both vlans?

                            aGeekhere
                            last edited by Sep 18, 2015, 1:06 AM

                            try this

                            function FindProxyForURL(url, host) 
                            { 
                                if (isPlainHostName(host) ||
                                    shExpMatch(host, "*.local") ||
                                    isInNet(dnsResolve(host), "192.168.1.0",  "255.255.255.0"))
                                    return "DIRECT";
                            
                                return "PROXY 192.168.1.1:3128";
                            }
                            

                            Never Fear, A Geek is Here!

                              KOM
                              last edited by Sep 18, 2015, 1:44 PM Sep 18, 2015, 1:38 PM

                              In the wpad file what do I need to specify as the proxy address?

                              Whatever the IP address is of the interface that Squid is listening on.  Usually your LAN NIC.

                              I have configured pfsense such that guest vlan cannot access home vlan and vice versa.

                              Add a firewall rule above your vlan blocks that allows the guest vlan to talk to squid.

                              As I do not have a separate box I will have to host the wpad on the pfsense box.

                              So do that then.  I host wpad.dat and proxy.pac on my pfSense box.  Note that it won't work if you have WebGUI running in HTTPS mode.

                                maverik1
                                last edited by Sep 18, 2015, 4:24 PM

                                Is there a command or configuration page to see what interface squid is listening on? As mentioned previously I have vlans running. The default LAN is disabled.

                                Vlan10 is admin
                                Vlan20 is guest
                                Vlan30 is home

                                I configured squid to bind to vlan20 and vlan30.

                                You mention that if WebGUI is running over https I cannot host the proxy.pac. Can this be overcome by changing the port from 443 to 444?

                                  KOM
                                  last edited by Sep 18, 2015, 4:38 PM

                                  Is there a command or configuration page to see what interface squid is listening on?

                                  Services - Proxy server - General.  What's the very first thing you see, starting at the top?

                                  Can this be overcome by changing the port from 443 to 444?

                                  I don't think so.  It's not the port that's the problem, it's the protocol.

                                    chavarriaa
                                    last edited by Sep 18, 2015, 4:48 PM Sep 18, 2015, 4:42 PM

                                    @maverik1:

                                    Is there a command or configuration page to see what interface squid is listening on? As mentioned previously I have vlans running. The default LAN is disabled.
                                    …

                                    http://findproxyforurl.com/pac-functions/ <- shows some functions for that.

                                    Try this, where 192.168.0.0 is the network that you want to have direct access.

                                    function FindProxyForURL(url, host) {
                                        // Clients on the direct-access network bypass the proxy
                                        if (isInNet(myIpAddress(), "192.168.0.0", "255.255.255.0"))
                                            return "DIRECT";

                                        // Everyone else goes through Squid
                                        return "PROXY 192.168.10.10:3128";
                                    }


                                    Or Services >> Proxy Server >> General >> Proxy interface(s) and choose your Networks

                                      maverik1
                                      last edited by Sep 18, 2015, 10:56 PM

                                      @KOM:

                                      Is there a command or configuration page to see what interface squid is listening on?

                                      Services - Proxy server - General.  What's the very first thing you see, starting at the top?

                                      Proxy interfaces shows:
                                      Home    -> "for reference only" (192.168.2.0/24)
                                      Guest    -> "for reference only"  (10.0.0.0/24)

                                      So back to my original question regarding the wpad file. Does the "return PROXY" statement need to point to the Home, Guest or both interfaces? I want both subnets going through the proxy.

                                        maverik1
                                        last edited by Sep 20, 2015, 12:00 AM

                                        I am trying to configure wpad and am testing it out but haven't got it working.

                                        I have configured the following discovery file:

                                        [2.2.4-RELEASE][root@pfSense.localdomain]/root: cat /usr/local/www/wpad/proxy.pac
                                        function FindProxyForURL(url, host)
                                        {
                                          // Hosts named without a domain are reached directly
                                          if (isPlainHostName(host))
                                          {
                                            return "DIRECT";
                                          }

                                          // Loopback range is reached directly
                                          if (isInNet(host, "127.0.0.1", "255.255.255.0"))
                                          {
                                            return "DIRECT";
                                          }

                                          // Everything else goes through Squid on the guest interface
                                          return "PROXY 10.0.3.1:3128";
                                        }


                                        ls -la
                                        -rw-r--r--  1 root  wheel  200 Sep 19 17:01 proxy.pac
                                        lrwxr-xr-x  1 root  wheel    9 Sep 19 15:06 wpad.da -> proxy.pac
                                        lrwxr-xr-x  1 root  wheel    9 Sep 19 15:05 wpad.dat -> proxy.pac

                                        I copied and made some changes to the lighttpd configuration file and put it in /usr/local/www/wpad. The changes I made were:

                                        server.document-root = "/usr/local/www/wpad/"
                                        server.errorlog = "/var/log/lighty-proxy-wpad.log"

                                        Added file types:
                                        ".dat"          =>      "application/x-ns-proxy-autoconfig",
                                        ".da"          =>      "application/x-ns-proxy-autoconfig",
                                        ".pac"          =>      "application/x-ns-proxy-autoconfig",

                                        server.bind = "10.0.3.1"
                                        server.port = 80

                                        Verified it worked by starting second lighttpd instance:
                                        [2.2.4-RELEASE][root@pfSense.localdomain]/usr/local/www/wpad: ps aux | grep -i "lighttpd"
                                        root  26067  0.0  0.2 13152  6012  -  S    4:08PM  0:00.86 /usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf
                                        root  45296  0.0  0.2 13152  4968  -  S    5:32PM  0:00.02 /usr/local/sbin/lighttpd -f /usr/local/www/wpad/lighty-proxy-wpad.conf

                                        I created a hosts override option in DNS Forwarder and configured the necessary settings in the DHCP "bootp/dhcp" section.

                                        I am able to browse in Firefox to 10.0.3.1/wpad and wpad.localdomain/wpad.dat. However, nslookup on wpad.localdomain doesn't work. Not sure if it needs to. I can ping it though.

                                        I have squid3 installed. It's bound to the Guest interface (10.0.3.0/24) on port 3128. Allow users on this interface is enabled. Transparent HTTP Proxy is disabled and so is SSL MiTM. In the ACLs tab I entered: 10.0.3.0/24

                                        For testing purposes, I have created a FW rule that allows anything from this network to pass so I can get internet. When I put in the proxy auto configure URL in Firefox the internet no longer works.

                                        Any suggestions? This process is very frustrating

                                          chris4916
                                          last edited by Sep 20, 2015, 4:18 AM

                                          @maverik1:

                                          I am able to browse in firefox to 10.0.3.1/wpad and wpad.localdomain/wpad.dat. However, nslookup on wpad.localdomain doesnt work. Not sure if it needs to. I can ping it though.

                                          I'm not sure your browser will try to load any wpad.* file but rather proxy.* file

                                          The WPAD acronym covers the auto discovery stuff, while proxy.pac (or .dat) describes browser behaviour: what is accessed directly (i.e. local files) vs. what must be accessed through the proxy.

                                          If you can resolve this name, I wonder how you can browse it???

                                          In order not to face all potential problems together, I would suggest, once your proxy.pac file is ready, to test it by manually configuring your browser to load this page. This bypasses the discovery step and ensures, if it works ;), that proxy.pac behaves as expected.

                                          Jah Olela Wembo: Words turn into wounds when they upset, assault or hurt.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.