Squid non-functional in transparent mode in 2.3 and 2.3.1



  • In fresh new installation:

    Squid non-functional in transparent mode in 2.3 and 2.3.1

    I did this solution: https://redmine.pfsense.org/issues/5869

    chgrp squid /dev/pf

    but it is not solved.



  • Is this an upgrade? If so there was also a directory that needs to be purged. Look in the 2.3 development archives. There is a whole thread on squid.


  • Rebel Alliance

    for me in 8 "upgrades" (save config, install 2.3, enable trim, restore config) squid worked.

    /usr/local/etc/squid/squid.conf shows "cache_effective_group proxy"

    and

    crw-rw----  1 root  proxy  0x5f Apr 25 07:04 /dev/pf

    what's the behavior exactly? squid via proxy setting in your browser works and transparent mode "times out"?



  • I'm having the same problem here.

    When I enable transparent mode, it doesn't get the checkbox enabled.

    I just discovered another problem: I can't delete or create any NAT rule.
    It is also not possible to create or remove firewall rules.
    ------
    Update:

    I use the User Manager option via LDAP (Active Directory), as initial settings were made with the admin user, there was no problem.

    I did a test using the Admin user (default) and the transparent proxy settings work and other functions that I couldn't do.



  • This is not an upgrade or update, it is just a new installation of pfSense 2.3; I also checked with 2.3.1 development.

    Note: while installing the squid pkg, I see this message (I put only part of the whole message):

    | ===> Creating users and/or groups.
    Creating group 'squid' with gid '100'.
    Creating user 'squid' with uid '100'.
    install: not found
    pkg: PRE-INSTALL script failed
    [12/15] Extracting squid-3.5.16: …....... done
    [13/15] Installing squidclamav-6.13…
    |

    I ran this command: # chgrp squid /dev/pf
    it was like this: crw-rw----  1 root  proxy  /dev/pf

    but after rebooting pfSense, it was back to: root proxy /dev/pf



  • Whether I enable or disable the transparent option, squid via the proxy setting in my browser works.

    With the transparent option enabled and no proxy setting in my browser, it is not working.



  • While installing the squid pkg, I see this message:

    Creating group 'squid' with gid '100'.
    Creating user 'squid' with uid '100'.

    but in squid.conf file:
    cache_effective_user squid
    cache_effective_group proxy

    The user and group aren't the same!
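
Added example, not part of any post in the thread: the two values compared in the posts above (`cache_effective_group` in squid.conf and the group shown on `/dev/pf`) checked in one place, since squid in transparent mode has to open `/dev/pf` under its effective group to look up the original destination of redirected connections. The function names are hypothetical; the default paths are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (constructed): does squid's effective group have rw on the pf device?
# Default paths are the ones quoted in the thread; function names are hypothetical.

# Print the argument of a squid.conf directive; if repeated, the last occurrence is used.
conf_value() {  # $1 = directive name, $2 = squid.conf path
    awk -v d="$1" '$1 == d { v = $2 } END { if (v != "") print v }' "$2"
}

# Print "<mode> <group>" for a path. ls -ld is used because stat(1) flags
# differ between FreeBSD and GNU userlands.
mode_and_group() {
    ls -ld "$1" | awk '{ print $1, $4 }'
}

# Exit status: 0 = group matches and has rw, 1 = mismatch or no rw, 2 = cannot check.
check_pf_access() {  # $1 = squid.conf path, $2 = device path
    conf=${1:-/usr/local/etc/squid/squid.conf}
    dev=${2:-/dev/pf}
    if [ ! -r "$conf" ] || [ ! -e "$dev" ]; then
        echo "cannot check: $conf or $dev is missing" >&2
        return 2
    fi
    want=$(conf_value cache_effective_group "$conf")
    if [ -z "$want" ]; then
        echo "cannot check: cache_effective_group is not set in $conf" >&2
        return 2
    fi
    set -- $(mode_and_group "$dev")
    mode=$1
    have=$2
    if [ "$want" != "$have" ]; then
        echo "MISMATCH: squid runs with group '$want', $dev belongs to '$have'"
        return 1
    fi
    case $mode in
        ????rw*) echo "OK: group '$have' has rw on $dev ($mode)"; return 0 ;;
        *)       echo "NO ACCESS: group '$have' lacks rw on $dev ($mode)"; return 1 ;;
    esac
}
```

On the firewall, call `check_pf_access` with no arguments, and again after a reboot, since one poster reports the group on `/dev/pf` reverting after rebooting.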





  • note:
    I create two rules in floating for bandwidth limiter

    I used two vlan: vlan5 vlan180

    em0 for LAN and em1 for WAN

    I assigned one PC for client site: 10.10.190.40

    I attached my pfsense config file

    please look at it and let me know my mistake

    config-firewall2.amin.com-20160428155840.txt



  • note:

    I configured NAT manual just for this subnet : 172.30.0.0/24
    but I don't use this, just for configuration

    I used this subnet 10.10.190.32/27
    wan IP address is 10.10.184.28/27



  • Note:
    The problem is configuring a limiter with transparent proxy.

    I found this solution, but I didn't check it yet:
    https://forum.pfsense.org/index.php?topic=106640.0



  • I found this problem: limiter with transparent proxy isn't working.
    I think this belongs to the IPFW pipe and IPFW fwd commands in FreeBSD.

    So I made two servers: one is the transparent proxy and the other is just the limiter.
    Both of them are working nicely.

    If anybody wants to build a setup like my solution, I will help them.



  • I also encountered transparent proxy mode not working when I upgraded to pfSense 2.3. So I installed a fresh copy and discovered that it's the same issue: transparent proxy doesn't work. But configuring the browser to use the proxy on 192.168.1.1:3128 was working.

    After digging a bit and trying some crazy and mostly useless settings, I discovered that the "Bypass Proxy for These Destination IPs" within the "General" tab of the proxy server settings seems to be the cause, because previously I had put some hostnames (domains, to be exact: steampowered.com, etc.) that I wanted to pass directly through the proxy. By removing the line, transparent proxy is now working like a charm.

    Hope this can help anyone.



  • Does it mean that by removing Visible Hostname, it is working?!!!



  • I haven't tried using an "Alias" yet. But previously I put a domain name in the line and it kind of feels like a universal "*" which accepts everything as bypass from the transparent proxy.

    Temporarily I removed the entire line.




  • Bypass proxy means don't use the proxy,
    but we want to use the proxy with transparent mode.



  • I first thought it was my own problem - the transparent proxy function suddenly failed after the 2.3 upgrade.

    The solution mentioned here did not help with the problem, but it's still good to find this thread.

    Though the problem remains, I can save some time by not digging further into my settings…



  • I can only get the transparent proxy to work on the interface designated as lan.

    It will not work on opt designated interfaces.  The result is pages not loading.



  • Soooooooo. I am guessing this glitch never was resolved. Is anyone from pfsense working on this? Wish I never updated, transparent proxy was the whole reason I use a firewall.



  • @xpdos:

    Soooooooo. I am guessing this glitch never was resolved. Is anyone from pfsense working on this?

    No, because it works fine.

    Post specifics of your config, what your firewall states look like when transparent proxy is enabled (filter on 127.0.0.1 under Diag>States), and squid logs.



  • Have the same problem here: when transparent proxy is enabled, it seems no redirect/forward is created.



  • I'm also running into a problem with the transparent proxy.  As far as I can tell, it only happens when I have the limiters enabled- disabling the limiters fixes the problem.  Are those two features inherently incompatible?

    I saw the thread aminli pointed to that has a youtube video, but I have no idea what is going on in that video so I'm reluctant to try it.



  • @reggie14:

    I'm also running into a problem with the transparent proxy.  As far as I can tell, it only happens when I have the limiters enabled- disabling the limiters fixes the problem.  Are those two features inherently incompatible?

    Yes, as NAT and limiters are incompatible, and transparent proxy is NAT on LAN. https://redmine.pfsense.org/issues/4326



  • @cmb:

    @reggie14:

    I'm also running into a problem with the transparent proxy.  As far as I can tell, it only happens when I have the limiters enabled- disabling the limiters fixes the problem.  Are those two features inherently incompatible?

    Yes, as NAT and limiters are incompatible, and transparent proxy is NAT on LAN. https://redmine.pfsense.org/issues/4326

    Thanks.  I'm a bit confused, though- is this a bug in pfsense/FreeBSD that has a chance of being fixed, or is this an architectural limitation because they both use NAT?  Do you see any major problems with gmar15's workaround?

    As a side note, I noticed that recently-viewed websites still work after enabling both limiters and squid's transparent proxy.  Any idea why those still work?  Existing connections that bypass the proxy?



  • @cmb:

    @xpdos:

    Soooooooo. I am guessing this glitch never was resolved. Is anyone from pfsense working on this?

    No, because it works fine.

    Post specifics of your config, what your firewall states look like when transparent proxy is enabled (filter on 127.0.0.1 under Diag>States), and squid logs.

    Hi CMB,

    Could you please take a look at https://forum.pfsense.org/index.php?topic=87577.0 as your knowledge of how to make the transparent proxy work may help solve this long standing issue that appears to affect only i386 users.

    Thanks,

    Steve



  • Squid makes an infinite loop. I fixed this by adding this to iptable.
    no rdr on em1 inet proto tcp from 127.0.0.0/8 to any port = 3128



  • If any record exists for "Bypass Proxy for These Source IPs", transparent proxy does not work for me.
    If "Bypass Proxy for These Source IPs" is empty, transparent proxy works just fine.



  • I too am getting web pages that do not load with the Transparent Proxy box checked. If this is not a bug, is there a detailed guide on how to set up the pfSense proxy server?

    The instructions presented here do not appear to be valid for getting a functional proxy server up and running:
    https://doc.pfsense.org/index.php/Setup_Squid_as_a_Transparent_Proxy



  • Use captive portal for the limiter; that solves it. Or transfer to the floating.



  • I too have upgraded to pfSense 2.3 and the transparent proxy does not work. The Diagnostics > States page shows a lot of CLOSED:SYN_SENT states with packets and bytes only sent, zero received, during webpage load attempts.

    Related log entries (the "Real Time" tab) show nothing.

    pfSense 2.3.2_1, Squid 0.4.23_1



  • @Deepcuts:

    If any record exists for "Bypass Proxy for These Source IPs", transparent proxy does not work for me.
    If "Bypass Proxy for These Source IPs" is empty, transparent proxy works just fine.

    How can I add this to pfSense iptable?



  • I'm having the same problem, not sure whether I should better start a new thread.

    My Squid should be set to logging all connections as a transparent proxy. I do not want to decrypt SSL, but I do want the hostname to show up in the logs. This works perfectly fine, until I try to add a domain/IP in "Bypass Proxy for These Destination IPs". As mentioned before, setting an IP and a domain (see screenshot) seems to function like a wildcard, and no traffic is logged anymore.

    Full settings page: see attachment. The only difference between a working Squid and a non-working Squid is the "Bypass Proxy for These Destination IPs" setting. If I clear that field, hit save, then Squid starts functioning immediately.

    I am running 0.4.37.




  • Seems that when a FQDN is added which does not resolve, squid treats it as a '*'.

