Netgate Discussion Forum
    Squid3 in transparent mode not working

      bruxo

      Hi all,
      I have some problems with squid in transparent mode. I installed the squid3 package on my pfsense 2.2.6 machine and configured squid as described in many howtos. Squid itself runs well, but when I enable transparent mode no https connection is available (browser times out). When I configure the proxy settings (proxy IP and port) on the client, it works well. I read in some forum that I should reinstall pfsense. So I took a second piece of hardware and installed pfsense completely fresh. Everything works fine. When I install squid3 and enable transparent mode, LAN clients cannot access any http webpages. When I disable transparent mode, everything works fine. When I configure LAN client browsers to use the proxy manually, squid works well. But I do not want to configure all browsers, coz I prefer transparent mode! When transparent mode is enabled, no new entries are written to squid's access and cache log files. Furthermore, I checked the pfctl rules for a redirect rule to 127.0.0.1:3128, and there is one. So my question is: what seems to be wrong with the default configuration for squid in transparent mode, or did I do something wrong?
      Thanks for all feedback

        mehov

        Hello, I don't know if it is the same case as yours, but in my case I only allow my LAN to connect to some ports outside. I had to allow port 3128 too, and then the transparent proxy started working again.

        PS: Sorry for my English, it's not my primary language.

          KOM

          So instead of configuring each client (or better yet, let WPAD configure it for them), you would rather have to install a pfSense SSL certificate in each client so you don't get Man in the Middle browser warnings for every HTTPS connection?  Honestly, transparent mode is the devil.  Go explicit mode with WPAD and you should only have to worry about manually configuring Android phones to use the proxy.  Everything else is automatic.

          https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

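The explicit-mode setup recommended above depends on a proxy auto-config (PAC) file that WPAD hands to clients. The following is an added example, not part of the thread or the pfSense documentation: the LAN address 192.168.1.1 is an assumption, and 3128 is the Squid port mentioned in this thread.

```javascript
// wpad.dat / proxy.pac sketch (added example, not from the thread).
// PROXY_ADDR is an assumed LAN address for the pfSense box running Squid.
var PROXY_ADDR = "192.168.1.1";            // assumption: replace with your LAN IP
var PROXY = "PROXY " + PROXY_ADDR + ":3128";

// True for IPv4 literals in loopback, link-local, or RFC 1918 ranges.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168) ||
         (a === 169 && b === 254);
}

// Entry point every PAC-aware client calls for each request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label names such as "printer" or "localhost" stay on the LAN.
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return "DIRECT";
  // LAN and loopback addresses (including the firewall itself) go direct.
  if (isPrivateIPv4(host)) return "DIRECT";
  // Everything else goes through Squid. No "; DIRECT" fallback is listed, so
  // a client does not silently bypass the proxy when Squid is unreachable.
  return PROXY;
}
```

Because the client sends HTTPS through the proxy as a CONNECT request, this mode does not require installing a pfSense certificate on each client.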
            Nachtfalke

            @bruxo:

            I would suggest that you first setup a firewall rule and allow "any to any" with logging enabled.

            When using squid in TRANSPARENT mode, you need to allow your LAN clients to connect to 3128 and to 3129.
            And you have to enable "SSL Filtering" in the chapter "SSL Man In the Middle Filtering". Further, make sure you have selected the correct interfaces for "transparent proxy interface" and "SSL intercept interface".

              serangku

              I don't mean to hijack, but this is still related to the squid issue …
              It's still an issue when squid is used with captive portal in use:
              pfsense latest, squid + captive portal, simple/default transparent squid
              no internet on http connections
              it works on https connections
              Is it an issue?

              thanks.

                aGeekhere

                Go explicit mode with WPAD and you should only have to worry about manually configuring Android phones to use the proxy

                Also keep in mind that Android (without rooting) will only use the proxy for web browsing, not apps, and would need a port 80 and 443 pass rule.

                Never Fear, A Geek is Here!

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.