NEED HELP – Squid with Squid Guard

  • Good morning ladies and germs, I have a solid need for some assistance, please read the entire post. Here in my home, I have been running pfsense on a home built router with snort on a 100mbit connection and everything has been running fine, but considering I have two kids who are home schooled, I had been looking at some additional features for this router. So, last night I chatted with a pfsense support rep and he recommended squid and squid guard and sent me some links for setup: and I reviewed these and followed them to the letter while using the MESD black list.

    Since setting this up and rebooting the router several times, I have noticed a few issues that I hope you guys can help with. First, on my smart TV, I have Netflix and it can log in but not stream a movie. Second issue, my PS4 cannot connect to PSN. The last issue I have noticed is that even though it is not black listed, I get a certificate error page when I try to go to it, and when I click to continue to the site, it is blocked by the proxy.

    The above issues may prompt some folks to ask me why I am running these devices on the same connection as my PC, and the answer is simple: I live in base housing, I run pfsense for home use, and the base housing office doesn't allow the use of cabling outside of what is already installed in the walls. With this in mind, I have to connect everything to the internet using home plug adapters, and because of the limited setups available using the adapters, I have to have everything running off the LAN port of my router.

    Anyhow, how do I resolve these issues, and even though I am running squid as transparent, do I need to enter a proxy address on my TV and PS4? If so, what is the proxy address and port, given that I followed the instructions above?

  • Running squid in transparent mode is not recommended.  First off, are you running squid2 or squid3?  Squid3 is preferred.  Next, you will want to run in explicit mode or you will have endless headaches with certificates and browser warnings on your clients.  Use WPAD to enable auto-detection of the proxy.  Get squid3 working first and then add squidGuard.

  • Thank you for the reply. I am using squid 3. How do I enable explicit mode and WPAD as I don't see an option for this? Will I have to put a proxy address in my browsers?

  • Explicit mode is the opposite of transparent mode.  Uncheck the Transparent HTTP proxy and HTTPS/SSL interception checkbox and that's it.  You can read up on WPAD at the link I helpfully embedded in my reply.

  • I apologize for not getting back to you very quickly. I read through the steps you posted for enabling WPAD but it goes over my head, and pfsense is my first and only experience with BSD. So, what I would like to do is start over, so I deleted squid and squid guard and restored to a previous backup to remove any residual software. Now that that is done, I will be reinstalling just squid this evening. When I do, aside from the steps in the guide links I added in my original post, what would you recommend I do? Secondly, I have enabled the DHCP service on my software, but when I set my computers to use DHCP instead of a static address, the computer shows no internet connection. That leads me to believe that some other issue may be going on or my overall setup is incorrect. Big picture, I am also using snort on this setup, which seems to be working as advertised, but is it possible that some other conflict exists as a result?

  • Reading these various posts, I suspect you're facing multiple (and different) issues and suggest you try to fix it one by one.

    • the very first aspect is to ensure that the infrastructure, without HTTP proxy, works as expected. Even without proxy and WPAD, DHCP does help a lot, as well as internal DNS. You should first focus on this set-up, ensuring that pfSense (if your choice is to rely on it in order to provide DHCP and DNS service) is correctly configured.
    • once this works (which is pretty straightforward), you can set up the HTTP proxy. As already explained, do not enable transparent proxy  ;)  You can test it using your preferred browser with the proxy explicitly defined. This will help you to test filtering and access control features at proxy level.
    • once done, you can work on WPAD (which has nothing to do with pfSense itself, although the pfSense web server can handle it).
    • the next step could be to fine-tune the proxy.pac content (aligned with FW settings), in order, for instance, to allow proxy bypass for devices that may not support a proxy. This is done using the "DIRECT" directive in proxy.pac in addition to a specific FW rule allowing this flow, assuming that even while using DHCP, you configured a reserved IP address for the related MAC address.

    I hope this helps  8)

  • can I use explicit without WPAD? I mean, can I simply just input the proxy information into my browsers vs creating an auto-config file, which I have never done before… ever? I have been doing lots of reading, and simply searching WPAD in google seems to return a few hacking related links. Not something I am interested in at all. I really do appreciate your assistance, but working within my know-how is what I am limited to. After doing a little tinkering, I turned off transparent proxy and rebooted my pfsense box, and I am still able to access the web even without inputting proxy info into my browser's connection settings. That's obviously not right.

  • can I use explicit without WPAD?

    Yes you can, but it makes it much more inconvenient for administering since you have to manually twiddle every client that comes along.  If you have a small, static set of users the manual config may be more suitable for you.

    simply searching WPAD in google seems to return a few hacking related links

    Would you prefer pfSense docs about WPAD?  WPAD Autoconfigure for Squid

    It's really not that hard.  A DNS entry, a wpad.dat text file and a DHCP entry are all you need.

    I am still able to access the web even without inputting proxy info into my browsers connection setting

    Running a proxy doesn't magically stop Internet access on ports 80 & 443.  You need to add a block rule on LAN for that.  Create an Alias called WebPorts and stuff it with 80,443.  Then add a LAN rule that blocks all LAN clients from WebPorts.

    I have read that WPAD can easily be exploited if the .dat file becomes exposed.

    You have read some alarmist nonsense, I suspect.  WPAD is the global default web proxy autoconfig scheme.  The wpad.dat file lives on a web server on your LAN and uses private IP space.  How is it supposed to be exploited??  If external attackers have cracked your web server that wpad.dat lives on, you have much bigger problems to worry about.  The wpad.dat file only lists the available proxies and the conditions under which they should be used.
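    As an added example (not code from this thread or from pfSense), here is a minimal proxy.pac / wpad.dat of the kind described above: plain hostnames, the internal domain and the LAN subnet go DIRECT, a constructed list of domains bypasses the proxy (to be paired with the matching FW rule), and everything else goes through Squid. The proxy address 192.168.1.1:3128, the LAN 192.168.1.0/24 and the domain "home.lan" are assumptions; the small helpers reimplement the PAC built-ins used here so the file also runs under Node for testing.

```javascript
// Added example (not from this thread): a proxy.pac / wpad.dat for an explicit Squid proxy.
// Assumptions: Squid listens on 192.168.1.1:3128, the LAN is 192.168.1.0/24 and the
// internal DNS domain is "home.lan". Browsers provide PAC built-ins (isInNet, dnsDomainIs
// ...); the helpers below reimplement the few needed so the file also runs under Node.

var SQUID = "PROXY 192.168.1.1:3128";      // explicit proxy (no transparent/SSL interception)
var LAN_NET = "192.168.1.0", LAN_MASK = "255.255.255.0";
var LOCAL_DOMAIN = ".home.lan";
// Constructed list of destination domains that must bypass the proxy
// (each needs a matching firewall rule on LAN, otherwise the block rule stops them).
var BYPASS_DOMAINS = [".example-stream.test"];

// True for a literal dotted IPv4 address; used so no DNS lookup happens inside the PAC.
function isDottedIp(host) { return /^\d{1,3}(\.\d{1,3}){3}$/.test(host); }

// Dotted IPv4 -> number (bitwise ops below coerce both sides to int32 consistently).
function ipToInt(ip) {
  return ip.split(".").reduce(function (acc, octet) { return acc * 256 + Number(octet); }, 0);
}

// Equivalent of isInNet() for literal addresses only.
function inNet(ip, net, mask) {
  return (ipToInt(ip) & ipToInt(mask)) === (ipToInt(net) & ipToInt(mask));
}

// Equivalent of dnsDomainIs(): host ends with the given domain suffix (case-insensitive).
function endsWithDomain(host, suffix) {
  host = host.toLowerCase();
  return host.length > suffix.length && host.slice(-suffix.length) === suffix;
}

// Entry point called by the browser's PAC engine for every request.
function FindProxyForURL(url, host) {
  // Plain names (no dot) and the internal domain never need the proxy.
  if (host.indexOf(".") === -1 || endsWithDomain(host, LOCAL_DOMAIN)) return "DIRECT";
  // Literal LAN addresses stay local.
  if (isDottedIp(host) && inNet(host, LAN_NET, LAN_MASK)) return "DIRECT";
  // Destinations that break behind the proxy.
  for (var i = 0; i < BYPASS_DOMAINS.length; i++) {
    if (endsWithDomain(host, BYPASS_DOMAINS[i])) return "DIRECT";
  }
  // Everything else is forced through Squid; no "; DIRECT" fallback, so the LAN block
  // rule on ports 80/443 makes the proxy mandatory rather than silently bypassed.
  return SQUID;
}
```

    Serve the file as wpad.dat (Content-Type application/x-ns-proxy-autoconfig) from the host the WPAD DNS and DHCP entries point at; the PAC engine only ever sees the return string, so the file reveals nothing beyond the proxy address and the bypass conditions.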

  • @jbhowlesr
    There are also two books out:
    pfsense the definitive guide
    Squid Proxy Server 3.1: Beginner's Guide

    It may help you get into these things faster.
