Netgate Discussion Forum

    WPAD Setup help [Solved]

      gbreadman

      Thanks for answering… but.. First of all, I'm a n00bie hahaha.
      Now, if it didn't seem familiar to you, my post was "quoted" from that of OP's instructions, changing parts to match MY setup,
      like changing 'mylocaldomain.local' to 'localdomain' w/c is my domain. (is this correct?)

      And about the other configs, I was just imitating OP's setup, like changing DNS FORWARDER port to 3128, and setting pfSense to use HTTP...
      They say (even in pfsense docs) that u gotta use HTTP for pfSense to make it work (and docs also warned us about the security)

      So to wrap it up: I'm just a n00bie (student) TRYING to follow instructions (to get our project working haha)

      If we could properly configure this, that'd be great. THANKS. :)

      EDIT: And yes, I turned transparent proxy mode off.

        chris4916

        @gbreadman:

        Now, if it didn't seem familiar to you, my post was "quoted" from that of OP's instructions, changing parts to match MY setup,
        like changing 'mylocaldomain.local' to 'localdomain' w/c is my domain. (is this correct?)

        humm… is it correct to have a local domain named "localdomain"... ?  I would not say yes  but this is most likely not the issue  ;)
        And no I didn't realise that I already replied to similar port at the very beginning of this thread  ;D :-[

        And about the other configs, I was just imitating OP's setup, like changing DNS FORWARDER port to 3128, and setting pfSense to use HTTP…
        They say (even in pfsense docs) that u gotta use HTTP for pfSense to make it work (and docs also warned us about the security)

        I still don't understand the purpose of the "DNS port forwarder to 3128": do you have any pointer or link to any documentation or post?

        Even if "pfSense"  (who?) states that in order to have wpad working you need to enable HTTP, I'm 100% convinced this is a rather poor idea, mainly because there is only one single web listener that will handle both wpad and access to pfSense admin. I'm not comfortable with the idea to have clear text password on my LAN when accessing pfSense.

        You can configure another web listener  ;)
        I did it a few months ago for a guy who was obliged to host WPAD on pfSense  8)
        vhost package is another good idea but not after 2.2.6  :-X

        In order not to waste too much time, focus first on nslookup so that you understand why wpad.localdomain can't be resolved (because this is what is preventing wpad to actually work for you).

        Jah Olela Wembo: Words turn into ills when they upset, attack or hurt.

          gbreadman

          @aGeekHere:

          The code for the 3 files are

          
          function FindProxyForURL(url, host) 
          { 
              if (isPlainHostName(host) ||
                  shExpMatch(host, "*.local") ||
                  isInNet(dnsResolve(host), "192.168.1.0",  "255.255.255.0"))
                  return "DIRECT";
           
              return "PROXY 192.168.1.1:3128";
          }
          
          

          3.Configure DNS Service
          add new Host Overrides

          
          Host: wpad
          Domain: mylocaldomain.local
          IP Address: 192.168.1.1
          Description: WPAD Autoconfigure Host
          
          

          save
          Updated change Listen Port to 3128
          Enable DNS forwarder
          save

          port set to 3128..

          The GUI must also be run in HTTP mode, which is less secure. If the GUI is set to use HTTP, never open up access to the GUI over the WAN.

          • https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

          Any suggestions for this?
          Which "another" web listener? ;)

          C:\windows\system32>nslookup wpad.localdomain
          Server:  pfSense.localdomain
          Address:  192.168.1.1
          
          DNS request timed out.
              timeout was 2 seconds.
          *** pfSense.localdomain can't find wpad.localdomain: Non-existent domain
          

          Clues?

          PS. Is proxy filtering advisable coz it seems to slow surfing speeds pretty bad

            chris4916

            @gbreadman:

            Updated change Listen Port to 3128
            Enable DNS forwarder
            save

            port set to 3128..

            Sorry, I'm still lost with this. Reading again the link you provided, I can't find anything stating that you should change DNS listening port (which is what you did BTW if I understand well  :o)
            What would be the purpose?

            The GUI must also be run in HTTP mode, which is less secure. If the GUI is set to use HTTP, never open up access to the GUI over the WAN.

            • https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

            Indeed!  8)

            But what they don't tell you is that risk to have someone sniffing your password while accessing pfSense GUI is much higher from the LAN than from internet  :P

            Any suggestions for this?
            Which "another" web listener? ;)

            you can (but not using GUI) launch another.
            Here is an example of howto. (look at second web server section)
            This approach is much better than allowing clear HTTP, although I didn't check the very detail of this link.
            You may find some other here and there.

            C:\windows\system32>nslookup wpad.localdomain
            Server:  pfSense.localdomain
            Address:  192.168.1.1
            
            DNS request timed out.
                timeout was 2 seconds.
            *** pfSense.localdomain can't find wpad.localdomain: Non-existent domain
            

            Clues?

            hum… is your DNS client configured to request DNS on port 3128  :P
            This doesn't make sense but as your DNS resolver is configured this way, it should at least be aligned isn't it?

            Joke aside, revert back to standard DNS configuration and give a try  8)

            PS. Is proxy filtering advisable coz it seems to slow surfing speeds pretty bad

            HTTP proxy is faster only and only if:

            • proxy caches pages (meaning not HTTPS)
            • one accesses pages (or part of pages) that are already in cache

            In another way, primary purpose of HTTP proxy is not to speed-up internet browsing (this was true in the past however) but to bring filtering and access control capabilities.
            BTW, at the end, if you don't benefit from infinite bandwidth, filtering and access control will bring back performance…. but not if you are the only one testing of course  ;D ;D ;D  this is true only in real life.

              aGeekhere

              I have added how to bypass the wpad for a VPN thanks to killmasta93

              If you connect to a VPN you need to bypass the wpad for that network, Remember you need to add the correct network class either A, B or C

              
              function FindProxyForURL(url, host)
              {
                  if (isPlainHostName(host) ||
                      shExpMatch(host, "*.local") ||
                      isInNet(dnsResolve(host), "192.168.1.0", "255.255.255.0"))
                      return "DIRECT";

                  if (isInNet(dnsResolve(host), "1.0.0.0", "255.0.0.0"))
                      return "DIRECT";

                  return "PROXY 192.168.1.1:3128";
              }
              
              

              Never Fear, A Geek is Here!
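
The routing decisions made by the PAC file in the post above can be checked offline before it is served as wpad.dat. The following Node.js harness is an added example, not code from the thread: the helper functions are minimal stand-ins for the standard PAC built-ins, and the DNS table and example.* host names are constructed test data. It shows which hosts skip the filtering proxy, including every host that resolves inside the extra 1.0.0.0/255.0.0.0 range.

```javascript
// Added example: offline harness for the PAC logic posted in this thread.
// The helpers are minimal stand-ins for the standard PAC built-ins; the DNS
// table and the example.* host names are constructed test data.
const DNS = {
  "intranet.example.com": "192.168.1.20",
  "vpn-host.example.net": "1.2.3.4",
  "www.example.org": "93.184.216.34",
};

const ipToInt = (ip) =>
  ip.split(".").reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);

function dnsResolve(host) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return host; // IPv4 literal
  return DNS[host] || null;                               // null = no record
}
function isPlainHostName(host) { return !host.includes("."); }
function shExpMatch(str, glob) {
  const re = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                 .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}
function isInNet(host, net, mask) {
  const ip = host && dnsResolve(host);
  if (!ip) return false; // unresolved names never match a network
  const m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

// PAC logic as posted above (LAN range, extra /8 range, proxy address).
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) ||
      shExpMatch(host, "*.local") ||
      isInNet(dnsResolve(host), "192.168.1.0", "255.255.255.0"))
    return "DIRECT";
  if (isInNet(dnsResolve(host), "1.0.0.0", "255.0.0.0"))
    return "DIRECT";
  return "PROXY 192.168.1.1:3128";
}

// Map each host to the route a browser would take for it.
function routeTable(hosts) {
  return Object.fromEntries(
    hosts.map((h) => [h, FindProxyForURL("http://" + h + "/", h)]));
}

console.log(routeTable(["pfsense", "nas.local", "intranet.example.com",
  "vpn-host.example.net", "www.example.org", "unknown.example.org"]));
```

Hosts that do not resolve fall through to the proxy, so a DNS failure never turns into an unfiltered direct connection with this rule set.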

                chris4916

                @aGeekHere:

                I have added how to bypass the wpad for a VPN thanks to killmasta93

                Not nitpicking but you, technically, don't bypass WPAD.
                WPAD is used to tell HTTP clients where to find proxy.pac.
                You have to ensure that all clients know this.

                Then proxy.pac contains directives to tell these HTTP clients when to use or not to use HTTP proxy.
                What you may want to achieve is to go direct so that you don't use proxy for some destinations.

                If you connect to a VPN you need to bypass the wpad for that network, Remember you need to add the correct network class either A, B or C

                This really depends on how your VPN is configured.
                Do not make it as a rule  ;)

                  aGeekhere

                  Ok, by bypass I mean go Direct instead of using the local proxy for VPNs

                    AR15USR

                    @aGeekHere:

                    Hi all updated my install process~~, still not working, any ideas?~~

                    WPAD is now working!…

                    aGeekHere,

                    Couple quick questions if you don't mind:

                    • Do you have Squid set up as Transparent?

                    • Do you inspect https?

                    • Do you run the AntiVirus?


                    2.6.0-RELEASE

                      aGeekhere

                      Do you have Squid set up as Transparent?

                      No, WPAD does not use Transparent see https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

                      Do you inspect https

                      By inspect do you mean does it filter content from https sites then the answer is YES.

                      Do you run the AntiVirus?

                      I have not tried AntiVirus yet because I did not want the extra overhead

                      Hope this helps

                        aGeekhere

                        cleaned up OP

                        • Using the DNS resolver (not forwarder)

                        please now refer to https://forum.pfsense.org/index.php?topic=112335.0

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.