Squid not listening on interface with IPv6.

correajl · Feb 17, 2016, 3:32 PM

Hi! I'm using pfSense 2.2.6-RELEASE with squid3 package 0.4.7 (3.4 Branch). I've a LAN interface with static IPv4 and IPv6. IPv4 address has the 3128 port listening normally, as says netstat, but IPv6 one does not have this port. I can see other services like 80, 443 and 22 listening on IPv6 address. The network connectivity is ok. I can traverse my firewall, to do pings etc. The proxy is working fine with IPv4. My interfaces are all configured with IPv4 and IPv6.

Is there some trick to enable Squid Proxy to listen on IPv6 addresses? On package configuration interface I can see the option:

Allow Users on Interface: If checked, the users connected to the interface(s) selected in the 'Proxy interface(s)' field will be allowed to use the proxy. There will be no need to add the interface's subnet to the list of allowed subnets.

This works for IPv4 but I'm not getting the same function with IPv6.

In /usr/pbi/squid-amd64/local/etc/squid/squid.conf I didn't found any IPv6 reference. It appears that the pfSense scripts read the IPv4 interfaces address and build this file just considering the IPv4 information.

Thanks!
:)

correajl · Feb 18, 2016, 1:32 PM

I found some pieces of code. Here they are.

In /etc/inc/interfaces.inc we have:

function get_interface_ip($interface = "wan") {

and

function get_interface_ipv6($interface = "wan", $flush = false) {

These are functions to get IPv4 and IPv6 from interfaces.

In /usr/local/pkg/squid.inc we have:

/* Get interface IP and netmask for Squid interfaces */
function squid_get_real_interface_address($iface) {
        if (!function_exists("get_interface_ip")) {
                require_once("interfaces.inc");
        }

        return array(get_interface_ip($iface), gen_subnet_mask(get_interface_subnet($iface)));
}

The function squid_get_real_interface_address calls "get_interface_ip". But this function returns an array of IPv4 addresses. I think here it's necessary to check for IPv6 existence. Some code that uses

And here we have the code that builds squid.conf. It should consider the IPv6 information.

        // check all proxy interfaces selected
        foreach ($proxy_ifaces as $iface) {
                $iface_ip = squid_get_real_interface_address($iface);
                if ($iface_ip[0]) {
                        // do not add loopback twice when transparent proxy is enabled
                        if ($iface_ip[0] == "127.0.0.1" && $settings['transparent_proxy'] == "on") {
                                continue;
                        } else {
                                $real_ifaces[] = $iface_ip;
                                if (in_array($iface, $ssl_ifaces)) {
                                        $conf .= "http_port {$iface_ip[0]}:{$port} {$ssl_interception}\n";
                                } else {
                                        $conf .= "http_port {$iface_ip[0]}:{$port}\n";
                                }
                        }
                }
        }

I'm going to find how to report this to Squid Package manteiners. If someone know how to do that quickly, this post brings the information.

lexxai · Apr 29, 2016, 10:26 PM

need just add to squid.conf manually

http_port 3128
```  for listening at all interfaces  ipv4 and ipv6
or```
http_port [ipv6]:3128
```or listening additional on ipv6 interface
and restart service by```
service squid.sh restart

But after tune setting of Squid via pfSence GUI this settings overwritten to only ipv4.
For prevent it add http_port to area for custom options of setting Squid pfSence GUI.
After it in squid.conf http_port option added was after ```

Package Integration


Tested at pfSence 2.3.