WPAD Setup help [Solved]
-
5. I had to create a wpad host override that points to the three interface IPs. I don't know if this is a good or bad thing. Anyway, it is working.
some thoughts…
I'm not very comfortable with such an approach, frankly speaking, because I don't feel pfSense has been designed for such a purpose.
i.e., at least if using the DNS Resolver or Forwarder, which provide very basic DNS features, achieving this is somewhat painful in your design, IMHO.
You are trying to maintain 3 isolated networks sharing, in parallel, the same infrastructure.
This works only for services designed to maintain a specific configuration per listening interface. For the remaining part, you need to invent workarounds.
An alternative approach could be to set up a DMZ, or at least a dedicated network reachable from the 3 internal LANs, from where shared services will run. This will make your life much easier as you will maintain only one web server, one proxy.pac.
The only tricky part with this proposed approach is for services running on each network. The DNS Resolver and Forwarder can't handle it. You will need either BIND, which provides "views" allowing you to customize the answer depending on the client IP, or to deploy one local DNS on each network segment to handle "local" requests.
Of course, what I suggest as a potential solution breaks the concept of a central pfSense machine that provides all services for all subnets. But again, I don't feel pfSense is suitable for such a design.
-
try it this way (proxy.pac)
function FindProxyForURL(url, host) {
    // If the IP address of the local machine is within a defined
    // subnet, send to a specific proxy. myIpAddress() returns a single
    // address even on a multi-homed host (e.g. a laptop with a VPN up).
    if (isInNet(myIpAddress(), "10.0.0.0", "255.255.255.224"))
        // this is your gateway address/interface address for the subnet
        return "PROXY 10.0.0.1:3128";
    if (isInNet(myIpAddress(), "10.0.3.0", "255.255.255.224"))
        // this is your gateway address/interface address for the subnet
        return "PROXY 10.0.3.1:3128";
    // Third interface: the post repeats the 10.0.3.0 rule here; replace the
    // network and proxy address with those of your third subnet.
    if (isInNet(myIpAddress(), "10.0.3.0", "255.255.255.224"))
        return "PROXY 10.0.3.1:3128";
    // DEFAULT RULE: All other traffic, use below proxies, in fail-over order.
    return "PROXY 10.0.0.1:3128";
}
-
The only tricky part with this proposed approach is for services running on each network. The DNS Resolver and Forwarder can't handle it. You will need either BIND, which provides "views" allowing you to customize the answer depending on the client IP, or to deploy one local DNS on each network segment to handle "local" requests.
You might want to look at the localise-queries option for the DNS forwarder.
-
Just wanted to add, in case anyone else had this issue:
with only WPAD,
using OpenVPN with the option ticked
"Allocate only one IP per client (topology subnet), rather than an isolated subnet per client (topology net30)",
then it will try to get WPAD; even if I disable squid3 it won't work unless I untick in Chrome the option to automatically get proxy settings.
Also tried it with L2TP and PPTP (for testing purposes).
-
then it will try to get WPAD; even if I disable squid3 it won't work unless I untick in Chrome the option to automatically get proxy settings.
What do you mean by "it won't work"?
Browser locked and unable to browse?
BTW, even if I try to explain here and there that WPAD is the nice way to solve proxy management, because transparent proxy should not be the preferred option, it has some potential drawbacks.
One is that it can be used to "attack" some locations: if you are able to introduce a DHCP server pushing "your" WPAD, then you will be able to intercept HTTP flows and introduce a MITM :-(
This also means that for network segments not able to benefit from your proxy, you should not push any WPAD-related information, neither at DHCP nor at DNS level.
For DHCP, this should be quite simple: just don't configure option 252 for this subnet.
For DNS, looking at the pfSense implementation, this can be trickier, as it requires not exposing some records if the request comes from a specific subnet. As far as I understand ;)
-
Sorry for the late reply. So what I mean by "it won't work" is more that it won't let me browse. I commented to aGeekHere to see if he had this issue.
I do have WPAD working, but with the issue with OpenVPN; see picture for example. aGeekHere did say there is a workaround, but let's say it's a laptop: the user moves to a different location and it won't let him browse unless he uses Firefox, so it becomes a hassle.
If I uncheck "auto detect proxy settings" in Internet Explorer the issue is solved, but I guess the issue is that WPAD forces the VPN users.
-
I need help with my configuration because it isn't working. What might be the problem? Thanks:
1. Create wpad files, either use Diagnostics: Edit file or use ssh to add the files. DONE
vi /usr/local/www/wpad.dat
vi /usr/local/www/wpad.da
vi /usr/local/www/proxy.pac
The code for the 3 files is
function FindProxyForURL(url, host) {
    return "PROXY 192.168.1.1:3128";
}
3. Configure DNS Service
Add new Host Override:
Host: wpad
Domain: localdomain
IP Address: 192.168.1.1
Description: WPAD Autoconfigure Host
save
Updated: change Listen Port to 3128
Enable DNS forwarder
save DONE
4. Configure DHCP server
Services: DHCP server
Additional BOOTP/DHCP Options: DONE
number: 252 type: string value: "http://192.168.1.1/wpad.dat"
number: 252 type: string value: "http://192.168.1.1/wpad.da"
number: 252 type: string value: "http://192.168.1.1/proxy.pac"
5. Run some tests
a. Can the file be downloaded at the following links? NO
http://wpad.localdomain/wpad.dat
http://wpad.localdomain/wpad.da
http://wpad.localdomain/proxy.pac
http://pfsense.localdomain/wpad.dat
http://pfsense.localdomain/wpad.da
http://pfsense.localdomain/proxy.pac
b. Run an nslookup in cmd (Windows)
nslookup wpad.localdomain
or try
nslookup pfsense.localdomain
6. Set pfSense Protocol to http (This is a MUST, it will not work if you do not do this): System: Advanced: Admin Access, Protocol: http. DONE
7. Block LAN destination ports 80 and 443 (http, https): Firewall: Rules, LAN
IPv4 TCP * * * 80 - 443 * none
or add two rules. DONE
EDIT: I tried manually configuring the browser to use the proxy and it works, but not automatically. Side problem: Groups ACL isn't working but Common ACL is. LOL
-
The way you try to handle it is perhaps not the best one.
1 - First you should explain, from the introduction, that you intend to expose the proxy.pac file from the pfSense web server.
I'm not sure this is the best idea, but if you still want to do this, keep in mind that the vhost package is not supported with pfSense 2.3.
Then, I didn't check, but you should ensure that the pfSense web server is configured to handle *.localdomain… if you do want to achieve this the way you currently do it (which I believe is not a good idea).
2 - I also don't like the idea of allowing HTTP on pfSense (which will, BTW, allow access to the admin GUI using HTTP) only because you want to serve proxy.pac from pfSense. If you need to do this, you should configure another instance of httpd (can't be done using the GUI, however; vhost deals with this up to 2.2.6).
3 - The way you configure wpad.localdomain is wrong, IMHO
- you already have, if I understand well, pfSense listening on 192.168.1.1
- wpad.localdomain should rather be an alias than a host (I don't think, however, that this generates the issue you currently face)
4 - what is the purpose of this:
@gbreadman: Updated: change Listen Port to 3128
Enable DNS forwarder
save DONE
I'm confused :-[ listen port for which service? DNS???
5 - BTW, do you confirm your proxy (that is also running on pfSense) is not running in transparent mode?
6 - you don't need to maintain 3 different "proxy.pac" files: one is enough; then configure logical links, this will keep the contents aligned ;)
7 - if you can't resolve wpad.localdomain, then there is no chance you could access http://wpad.localdomain
8 - perhaps it would be a good idea to introduce some exceptions in your proxy.pac file so that you don't go through the proxy when you want to access internal web servers… including pfSense :)
-
Thanks for answering… but.. First of all, I'm a n00bie hahaha.
Now, if it didn't seem familiar to you, my post was "quoted" from the OP's instructions, changing parts to match MY setup,
like changing 'mylocaldomain.local' to 'localdomain', which is my domain. (Is this correct?)
And about the other configs, I was just imitating the OP's setup, like changing the DNS FORWARDER port to 3128 and setting pfSense to use HTTP...
They say (even in the pfSense docs) that you gotta use HTTP for pfSense to make it work (and the docs also warned us about the security).
So to wrap it up: I'm just a n00bie (student) TRYING to follow instructions (to get our project working haha)
If we could properly configure this, that'd be great. THANKS. :)
EDIT: And yes, I turned transparent proxy mode off.
-
Now, if it didn't seem familiar to you, my post was "quoted" from the OP's instructions, changing parts to match MY setup,
like changing 'mylocaldomain.local' to 'localdomain', which is my domain. (Is this correct?)
humm… is it correct to have a local domain named "localdomain"? I would not say yes, but this is most likely not the issue ;)
And no, I didn't realise that I already replied to a similar post at the very beginning of this thread ;D :-[
And about the other configs, I was just imitating the OP's setup, like changing the DNS FORWARDER port to 3128 and setting pfSense to use HTTP…
They say (even in the pfSense docs) that you gotta use HTTP for pfSense to make it work (and the docs also warned us about the security).
I still don't understand the purpose of the "DNS forwarder port to 3128": do you have any pointer or link to any documentation or post?
Even if "pfSense" (who?) states that in order to have WPAD working you need to enable HTTP, I'm 100% convinced this is a rather poor idea, mainly because there is only one single web listener that will handle both WPAD and access to the pfSense admin GUI. I'm not comfortable with the idea of having clear-text passwords on my LAN when accessing pfSense.
You can configure another web listener ;)
I did it a few months ago for a guy who was obliged to host WPAD on pfSense 8)
The vhost package is another good idea, but not after 2.2.6 :-X
In order not to waste too much time, focus first on nslookup so that you understand why wpad.localdomain can't be resolved (because this is what is preventing WPAD from actually working for you).
-
The code for the 3 files is
function FindProxyForURL(url, host) {
    if (isPlainHostName(host) ||
        shExpMatch(host, "*.local") ||
        isInNet(dnsResolve(host), "192.168.1.0", "255.255.255.0"))
        return "DIRECT";
    return "PROXY 192.168.1.1:3128";
}
3. Configure DNS Service
Add new Host Override:
Host: wpad
Domain: mylocaldomain.local
IP Address: 192.168.1.1
Description: WPAD Autoconfigure Host
save
Updated: change Listen Port to 3128
Enable DNS forwarder
save, port set to 3128..
The GUI must also be run in HTTP mode, which is less secure. If the GUI is set to use HTTP, never open up access to the GUI over the WAN.
- https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid
Any suggestions for this?
Which "another" web listener? ;)
C:\windows\system32>nslookup wpad.localdomain
Server: pfSense.localdomain
Address: 192.168.1.1
DNS request timed out.
    timeout was 2 seconds.
*** pfSense.localdomain can't find wpad.localdomain: Non-existent domain
Clues?
PS. Is proxy filtering advisable, because it seems to slow surfing speeds pretty badly?
-
Updated: change Listen Port to 3128
Enable DNS forwarder
save, port set to 3128..
Sorry, I'm still lost with this. Reading again the link you provided, I can't find anything stating that you should change the DNS listening port (which is what you did, BTW, if I understand well :o)
What would be the purpose ???
The GUI must also be run in HTTP mode, which is less secure. If the GUI is set to use HTTP, never open up access to the GUI over the WAN.
- https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid
Indeed! 8)
But what they don't tell you is that the risk of having someone sniffing your password while accessing the pfSense GUI is much higher from the LAN than from the internet :P
Any suggestions for this?
Which "another" web listener? ;)
You can (but not using the GUI) launch another.
Here is an example howto (look at the second web server section).
This approach is much better than allowing clear HTTP, although I didn't check the very details of this link.
You may find some others here and there.
C:\windows\system32>nslookup wpad.localdomain
Server: pfSense.localdomain
Address: 192.168.1.1
DNS request timed out.
    timeout was 2 seconds.
*** pfSense.localdomain can't find wpad.localdomain: Non-existent domain
Clues?
hum… is your DNS client configured to request DNS on port 3128 :P
This doesn't make sense, but as your DNS resolver is configured this way, it should at least be aligned, isn't it?
Joke aside, revert back to the standard DNS configuration and give it a try 8)
PS. Is proxy filtering advisable, because it seems to slow surfing speeds pretty badly?
An HTTP proxy is faster only if:
- the proxy caches pages (meaning not HTTPS)
- one accesses pages (or parts of pages) that are already in the cache
Put another way, the primary purpose of an HTTP proxy is not to speed up internet browsing (this was true in the past, however) but to bring filtering and access control capabilities.
BTW, in the end, if you don't benefit from infinite bandwidth, filtering and access control will bring back performance…. but not if you are the only one testing, of course ;D ;D ;D this is true only in real life.
-
I have added how to bypass the WPAD for a VPN, thanks to killmasta93.
If you connect to a VPN you need to bypass the WPAD for that network. Remember you need to add the correct network class, either A, B or C.
function FindProxyForURL(url, host) {
    // Plain names, *.local names and the LAN behind pfSense go direct
    if (isPlainHostName(host) ||
        shExpMatch(host, "*.local") ||
        isInNet(dnsResolve(host), "192.168.1.0", "255.255.255.0"))
        return "DIRECT";
    // Hosts on the VPN network go direct too (class A example: 1.0.0.0/8)
    if (isInNet(dnsResolve(host), "1.0.0.0", "255.0.0.0"))
        return "DIRECT";
    return "PROXY 192.168.1.1:3128";
}
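The proxy.pac logic in this thread can be checked offline before it is published over WPAD. The harness below is an added example written for this page, not code from the thread or from pfSense: it re-implements the PAC helper functions a browser normally supplies (isPlainHostName, shExpMatch, isInNet, dnsResolve), answers DNS from a constructed lookup table, and runs both the final proxy.pac above and the per-subnet variant posted earlier in the thread (with the client address passed in explicitly in place of myIpAddress()). The host names and addresses in the DNS table are assumptions made up for the test.

```javascript
// Added example: offline harness for the proxy.pac files posted in this
// thread. Node.js stands in for the browser, so the PAC helper functions the
// browser normally provides are re-implemented here (assumption: they match
// browser semantics for the cases tested), and DNS answers come from a
// constructed table instead of the network.

// --- PAC helper functions (re-implemented for testing) ---------------------
function ipToInt(ip) {
  if (typeof ip !== "string") return null;
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) return null;
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// Browsers return false when the first argument is null (a failed dnsResolve)
// or is not a dotted quad, so the PAC falls through to its later rules.
function isInNet(ip, pattern, mask) {
  const a = ipToInt(ip);
  const p = ipToInt(pattern);
  const m = ipToInt(mask);
  if (a === null || p === null || m === null) return false;
  return ((a & m) >>> 0) === ((p & m) >>> 0);
}

function isPlainHostName(host) {
  return !host.includes(".");
}

// Shell-style glob: '*' matches any run of characters, '?' a single one.
function shExpMatch(str, pattern) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const re = "^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// Constructed DNS table (assumed names/addresses); a real dnsResolve returns
// null when the lookup fails.
const FAKE_DNS = {
  "intranet.corp": "192.168.1.50",          // on the LAN behind pfSense
  "pfsense.mylocaldomain.local": "192.168.1.1",
  "vpn-fileserver.corp": "1.2.3.4",         // reached over the VPN in the posted setup
  "www.example.com": "93.184.216.34",       // ordinary internet host
};
function dnsResolve(host) {
  return Object.prototype.hasOwnProperty.call(FAKE_DNS, host) ? FAKE_DNS[host] : null;
}

// --- proxy.pac as posted (final version, with the VPN "go DIRECT" rule) ----
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) ||
      shExpMatch(host, "*.local") ||
      isInNet(dnsResolve(host), "192.168.1.0", "255.255.255.0")) {
    return "DIRECT";
  }
  if (isInNet(dnsResolve(host), "1.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  return "PROXY 192.168.1.1:3128";
}

// --- the per-subnet variant posted earlier in the thread -------------------
// The client's own address is passed in so it can be tested; in a real PAC it
// comes from myIpAddress(), which returns a single address even on a
// multi-homed host (for example a laptop with a VPN up).
function FindProxyForURLBySubnet(url, host, clientIp) {
  if (isInNet(clientIp, "10.0.0.0", "255.255.255.224")) return "PROXY 10.0.0.1:3128";
  if (isInNet(clientIp, "10.0.3.0", "255.255.255.224")) return "PROXY 10.0.3.1:3128";
  return "PROXY 10.0.0.1:3128"; // default rule
}

// --- checks to run before publishing the file via WPAD ---------------------
function runChecks() {
  const cases = [
    ["http://intranet/", "intranet", "DIRECT"],                                       // plain hostname
    ["http://pfsense.mylocaldomain.local/", "pfsense.mylocaldomain.local", "DIRECT"], // *.local
    ["http://intranet.corp/", "intranet.corp", "DIRECT"],                             // resolves into 192.168.1.0/24
    ["http://vpn-fileserver.corp/", "vpn-fileserver.corp", "DIRECT"],                 // VPN rule, 1.0.0.0/8
    ["http://www.example.com/", "www.example.com", "PROXY 192.168.1.1:3128"],         // internet host
    ["http://nosuch.example/", "nosuch.example", "PROXY 192.168.1.1:3128"],           // unresolvable -> proxy
  ];
  return cases.map(([url, host, want]) => {
    const got = FindProxyForURL(url, host);
    return { host, got, want, ok: got === want };
  });
}

function allChecksPass() {
  return runChecks().every((r) => r.ok);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of runChecks()) console.log(`${r.ok ? "ok  " : "FAIL"} ${r.host} -> ${r.got}`);
}
```

Run it with node; each line shows whether a host went DIRECT or to the proxy. Two things the checks make visible: a host that does not resolve falls through to the proxy because isInNet(null, ...) is false, and dnsResolve() is called for every request that is not a plain or *.local name, so a PAC written this way costs one DNS lookup per URL. Note also that 1.0.0.0/8 is ordinary routable address space, so the posted "class A" rule sends every host resolving there direct, not only VPN hosts; narrowing the mask to the VPN's actual subnet keeps the bypass to the intended destinations.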
-
I have added how to bypass the WPAD for a VPN, thanks to killmasta93.
Not nitpicking, but you, technically, don't bypass WPAD.
WPAD is used to tell HTTP clients where to find proxy.pac.
You have to ensure that all clients know this.
Then proxy.pac contains directives to tell these HTTP clients when to use or not to use the HTTP proxy.
What you may want to achieve is to go direct so that you don't use the proxy for some destinations.
If you connect to a VPN you need to bypass the WPAD for that network. Remember you need to add the correct network class, either A, B or C.
This really depends on how your VPN is configured.
Do not make it a rule ;)
-
Ok, by bypass I mean go DIRECT instead of using the local proxy for VPNs.
-
Hi all, updated my install process~~, still not working, any ideas?~~
WPAD is now working!…
aGeekHere,
Couple quick questions if you don't mind:
- Do you have Squid set up as Transparent?
- Do you inspect https?
- Do you run the AntiVirus?
-
Do you have Squid set up as Transparent?
No, WPAD does not use Transparent; see https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid
Do you inspect https?
By inspect, do you mean does it filter content from https sites? Then the answer is YES.
Do you run the AntiVirus?
I have not tried AntiVirus yet because I did not want the extra overhead.
Hope this helps
-
cleaned up OP
- Using the DNS resolver (not forwarder)
please now refer to https://forum.pfsense.org/index.php?topic=112335.0