Squid3 in transparent mode not working



  • Hi all,
    I have some problems with squid in transparent mode. I installed the squid3 package on my pfsense 2.2.6 machine and configured squid as described in many howtos. Squid itself runs well, but when I enable transparent mode no https connection is available (browser time out). When I configure the proxy config (proxy IP and port) on the client, it works well. I read in some forum that I should reinstall pfsense. So I took a second piece of hardware and installed pfsense completely fresh. Everything works fine. When I install squid3 and enable transparent mode, LAN clients cannot access any http webpages. When I disable transparent mode, everything works fine. When I configure LAN client browsers to use the proxy manually, squid works well. But I do not want to configure all browsers, because I prefer transparent mode! When transparent mode is enabled, no new entries are written to squid's log files (access and cache log). Furthermore, I checked the pfctl rules for a redirect rule to 127.0.0.1:3128, and there is one. So my question is: what seems to be wrong with the default configuration for squid in transparent mode, or did I do something wrong?
    Thanks for all feedback.



  • Hello, I don't know if it's the same case as yours, but in my case I only allow my LAN to connect to some ports outside. I had to allow port 3128 too, and then the transparent proxy started working again.

    PS: Sorry for my English, it's not my primary language.



  • So instead of configuring each client (or better yet, let WPAD configure it for them), you would rather have to install a pfSense SSL certificate in each client so you don't get Man in the Middle browser warnings for every HTTPS connection?  Honestly, transparent mode is the devil.  Go explicit mode with WPAD and you should only have to worry about manually configuring Android phones to use the proxy.  Everything else is automatic.

    https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid



  • @bruxo:

    I would suggest that you first set up a firewall rule and allow "any to any" with logging enabled.

    When using squid in TRANSPARENT mode, you need to allow your LAN clients to connect to 3128 and to 3129.
    And you have to enable "SSL Filtering" in the chapter "SSL Man In the Middle Filtering". Further make sure you have selected the correct interfaces for "transparent proxy interface" and "SSL intercept interface".



  • Don't mean to hijack, but this is still related to the squid issue …
    There is still an issue when squid is used together with captive portal.
    pfSense latest, squid + captive portal, simple/default transparent squid:
    no internet on http connections,
    it works on https connections.
    Is it an issue?

    Thanks.



  • Go explicit mode with WPAD and you should only have to worry about manually configuring Android phones to use the proxy

    Also keep in mind that Android (without rooting) will only use the proxy for web browsing, not apps, and would need a port 80 and 443 pass rule.