WPAD Setup help [Solved]
-
I am able to browse in firefox to 10.0.3.1/wpad and wpad.localdomain/wpad.dat. However, nslookup on wpad.localdomain doesn't work. Not sure if it needs to. I can ping it though.
I'm not sure your browser will try to load any wpad.* file but rather proxy.* file
WPAD acronym covers the auto discovery stuff while proxy.pac (or .dat) describes browser behaviour: what is accessed directly (i.e. local files) vs. what must be accessed through proxy.
If you can resolve this name, I wonder how you can browse it ???
In order not to face all potential problems together, I would suggest, once your proxy.pac file is ready, to test it by manually configuring your browser to load this page. This bypasses the discovery step and ensures, if it works ;), that proxy.pac behaves as expected.
-
I understand how wpad works. I was making sure I had access to it. In FF I have specified http://wpad.syndicate.com/wpad.dat in the Automatic Proxy Configuration URL. It's not working as I am not getting any once doing so. I look at the squid logs and do not see anything from that network. So apparently it's not going through. I don't know where to start troubleshooting from.
I've simplified the proxy.pac to:
// PAC entry point: every request goes to the proxy on the guest VLAN interface.
function FindProxyForURL(url, host) { return "PROXY 10.0.3.1:3128"; }
Don't believe it should be this complicated
-
I look at the squid logs and do not see anything from that network.
Before looking at Squid log, you should start with web server side.
If you don't see any access to this web server (for this page), no surprise if it doesn't work.
Of course, this means that, from your browser, you can resolve this URL ;)
-
try
http://pfsense.syndicate.com/wpad.dat
Go through post 1 again, let me know how it went.
-
try
http://pfsense.syndicate.com/wpad.dat
Go through post 1 again, let me know how it went.
I've gone through this several times. My setup is a bit different. I have implemented vlans and there is not one main LAN that all the traffic is passing through. The following are my networks which must be passed through proxy.
10.0.0.0/24 Administrative VLAN
10.0.2.0/24 Local User VLAN
10.0.3.0/24 Guest VLAN
Because I basically have three separate LANs, I am not sure what the proxy address needs to be. Do I need three? Do I also need three DNS Host Overrides?
http://pfsense.syndicate.com/wpad.dat
This doesn't resolve anything in browser; however, the following three are resolved and I am prompted to download the file.
http://wpad.syndicate.com/wpad.dat
http://wpad.syndicate.com/wpad.da
http://wpad.syndicate.com/proxy.pac
-
Because I basically have three separate LANs, I am not sure what the proxy address needs to be. Do I need three? Do I also need three DNS Host Overrides?
You need one you can resolve and reach ;)
If your VLAN are isolated, then you need 3 accesses 8)
-
If your VLAN are isolated, then you need 3 accesses 8)
The problem is I don't know if it's possible to have three separate proxy.pac files. I'm hosting this file on the same server as pfsense with lighttpd.
-
try something like this
function FindProxyForURL(url, host) {
  // Plain hostnames, *.local names and anything resolving inside 10/8 go direct
  // (with a 255.0.0.0 mask the three isInNet checks all cover the same /8).
  if (isPlainHostName(host) ||
      shExpMatch(host, "*.local") ||
      isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
      isInNet(dnsResolve(host), "10.0.2.0", "255.0.0.0") ||
      isInNet(dnsResolve(host), "10.0.3.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Everything else goes through the proxy.
  return "PROXY 10.0.0.0:3128";
}
Not sure with vlans.
-
Hello all, I have a problem in regard to the host overrides in DNS forwarder. Here's a little bg info.
I'm running pfsense 2.1.5, squid3 3.1.20 pkg 2.1.2.
hostname: pfsense
domain: tik.local
What happens is: when I set the Listen port to 3128 in DNS forwarder, I don't have internet access. But when I set the Listen port to blank, it works again. I can even download the wpad.dat via http://wpad.tik.local/wpad.dat
Does anyone know why and how to solve it? Thx.
-
try something like this
function FindProxyForURL(url, host) {
  // Plain hostnames, *.local names and anything resolving inside 10/8 go direct
  // (with a 255.0.0.0 mask the three isInNet checks all cover the same /8).
  if (isPlainHostName(host) ||
      shExpMatch(host, "*.local") ||
      isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
      isInNet(dnsResolve(host), "10.0.2.0", "255.0.0.0") ||
      isInNet(dnsResolve(host), "10.0.3.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Everything else goes through the proxy.
  return "PROXY 10.0.0.0:3128";
}
Not sure with vlans.
Yeah, it's a bit different. This unfortunately will not work. The 10.0.2.0 and 10.0.3.0 network do not have access to the 10.0.0.0 network. At the moment I am only focusing on getting this to work with one network and then move from there. This really seems to be an issue with the silly proxy. As stated before, my proxy.pac/wpad.dat/wpad.da is as follows:
// PAC entry point: every request goes to the proxy on the guest VLAN interface.
function FindProxyForURL(url, host) { return "PROXY 10.0.3.1:3128"; }
I am connected to the 10.0.3.0 network and in squid have enabled that interface. Transparent proxy is disabled. Port is 3128. Host override has been configured for wpad on syndicate.com on IP of 10.0.3.1. DNS Forwarder is enabled and on default port (53). DNS Resolver is disabled.
I can ping wpad.syndicate.com, I can ping 10.0.3.1, I can hit http://wpad.syndicate.com/wpad.dat in browser and am prompted for download. When I configure browser to specifically use that URL I am unable to get to Internet. It's as if traffic isn't being forwarded to the proxy. But I don't understand what it could be.
-
The problem is I don't know if it's possible to have three separate proxy.pac files. I'm hosting this file on the same server as pfsense with lighttpd.
You should not, IMHO, try to solve such problem as a whole, from scratch because there are too many things you don't know at this stage.
Do it in a different way: build your solution for one single VLAN. Once it works, you can focus on extension to the two other VLANs, either by replication or duplication, depending on your infrastructure.
The potential issue here is not with WPAD but most likely with DNS and web server.
If your web server is not reachable, on one specific address by the 3 VLANs, then it means that you will have 3 different IPs for this server, then you need DNS to send back the right answer.
Or… your VLANs are not isolated and you can reach some IPs from one VLAN to another.
But this really depends on YOUR infra and isn't related to WPAD, as far as I understand 8)
-
Hello all, I have a problem in regard to the host overrides in DNS forwarder. Here's a little bg info.
I'm running pfsense 2.1.5, squid3 3.1.20 pkg 2.1.2.
hostname: pfsense
domain: tik.local
What happens is: when I set the Listen port to 3128 in DNS forwarder, I don't have internet access. But when I set the Listen port to blank, it works again. I can even download the wpad.dat via http://wpad.tik.local/wpad.dat
Does anyone know why and how to solve it? Thx.
try enabling the DNS Resolver
-
If your firewall rules don't allow those other subnets to talk to your Squid IP address then they'll all fail. You could try adding a rule on each of your vlans that allows them to talk specifically to your squid IP address & port.
-
@KOM:
If your firewall rules don't allow those other subnets to talk to your Squid IP address then they'll all fail. You could try adding a rule on each of your vlans that allows them to talk specifically to your squid IP address & port.
That would be a good idea. The problem is that squid is bound to more than one network interface. I've got it working for the most part.
I've done the following:
1. create folder /usr/local/www/wpad
2. create a proxy.pac file. Created symbolic links wpad.dat and wpad.da
3. copy /var/etc/lighty-webConfigurator.conf into the /wpad folder from above. I then modified the conf file specific to each interface, so that the "bind to port (default: 80)" section reads:
server.bind = "192.168.2.1"   <- one of my subnet's IPs
server.port = 80
I then changed the name of the conf file so I know which subnet it is for. I have a total of three. Then I started it with the following command.
/usr/local/sbin/lighttpd -f /usr/local/www/wpad/lighty-proxy-wpad_name_of_subnet.conf
4. I created a script under /root that will start them all upon boot
5. I had to create a wpad host override that points to the three interface IPs. I don't know if this is a good/bad thing. Anyway it is working.
-
Hello all, I have a problem in regard to the host overrides in DNS forwarder. Here's a little bg info.
I'm running pfsense 2.1.5, squid3 3.1.20 pkg 2.1.2.
hostname: pfsense
domain: tik.local
What happens is: when I set the Listen port to 3128 in DNS forwarder, I don't have internet access. But when I set the Listen port to blank, it works again. I can even download the wpad.dat via http://wpad.tik.local/wpad.dat
Does anyone know why and how to solve it? Thx.
try enabling the DNS Resolver
Thx for the reply. Now I tried to setup wpad on pfsense 2.2.4 instead. I configured the DNS resolver instead of DNS forwarder. It gave me the same result when I set the port to 3128 on DNS resolver… :-\
-
What happens is: when I set the Listen port to 3128 in DNS forwarder, I don't have internet access. But when I set the Listen port to blank, it works again. I can even download the wpad.dat via http://wpad.tik.local/wpad.dat
Does anyone know why and how to solve it? Thx.
What are you trying to solve? Why would you need to change the port used by either DNS forwarder or Resolver?
???
Furthermore, I don't understand what links this aspect (DNS configuration) to WPAD. I'm not saying there is no relationship but ??? saying that I don't understand the problem you face.
-
5. I had to create a wpad host override that points to the three interface IPs. I don't know if this is a good/bad thing. Anyway it is working.
some thoughts…
I'm not very comfortable with such approach, frankly speaking, because I don't feel pfSense has been designed for such purpose.
i.e., at least if using DNS Resolver or Forwarder which provide very basic DNS features, achieving this is somewhat painful in your design, IMHO.
You try to maintain 3 isolated networks sharing, in parallel, same infrastructure.
This works only for services designed to maintain a specific configuration per listening interface. For the remaining part, you need to invent workarounds.
An alternative approach could be to set up a DMZ, or at least a dedicated network available to the 3 internal LANs, from where shared services will run. This will make your life much easier as you will maintain only one web server, one proxy.pac.
The only tricky part with this proposed approach is for services running on each network. DNS Resolver and Forwarder can't handle it. You will need either Bind, which provides "views" allowing to customize the answer depending on client IP, or to deploy one local DNS on each network segment to handle "local" requests.
Of course, what I suggest as potential solution breaks the concept of a central pfSense machine that will provide all services for all subnets. But again, I don't feel pfSense is suitable for such design.
-
try it this way (proxy.pac)
function FindProxyForURL(url, host) {
  // If the IP address of the local machine is within a defined
  // subnet, send to a specific proxy.
  if (isInNet(myIpAddress(), "10.0.0.0", "255.255.255.224"))
    // this is your gateway address/interface address for the subnet
    return "PROXY 10.0.0.1:3128";
  if (isInNet(myIpAddress(), "10.0.3.0", "255.255.255.224"))
    // this is your gateway address/interface address for the subnet
    return "PROXY 10.0.3.1:3128";
  // Note: as posted, this third check repeats the 10.0.3.0 one above.
  if (isInNet(myIpAddress(), "10.0.3.0", "255.255.255.224"))
    // this is your gateway address/interface address for the subnet
    return "PROXY 10.0.3.1:3128";
  // DEFAULT RULE: All other traffic, use below proxies, in fail-over order.
  return "PROXY 10.0.0.1:3128";
}
-
The only tricky part with this proposed approach is for services running on each network. DNS Resolver and Forward can't handle it. You will need either Bind which provides "views" allowing to customize the answer depending on client IP or to deploy one local DNS on each network segment to handle "local" requests.
You might want to see the localise-queries option for DNS forwarder.
-
Just wanted to add if anyone else had this issue?
with only WPAD
using OpenVPN having the option ticked
Allocate only one IP per client (topology subnet), rather than an isolated subnet per client (topology net30).
then it will try to get WPAD; even if I disable squid3 it won't work unless I untick in Chrome the option to automatically get proxy settings.
Also tried it with L2TP and PPTP(for testing purposes)