[pfSense] Installed but no internet

[Lilrich]

Version i would need to check as i went to

General -> Packages and installed from there.

I was under the impression that Squid was up and running....

Rich

[+BudMan MVC]

You would of had to have started it - just installing the package does not start it, and there are 2 versions of it - atleast on the 2.0 branch there is a

squid 2.7.9_4

squid3 3.1.9

I can fire up a 1.2.3 branch virtual to take a look what might be going on..

[Lilrich]

You would of had to have started it - just installing the package does not start it, and there are 2 versions of it - atleast on the 2.0 branch there is a

squid 2.7.9_4

squid3 3.1.9

I can fire up a 1.2.3 branch virtual to take a look what might be going on..

There was only one branch on mine, i am sure it was squid 2.7.9_4 but i would need to 10000% check.

I reckon i might need to start it up... :blush:

Also Neowin Search is not working for me today, keep getting DB errors, you don't know where that BBC.co.uk article is do you?

[+BudMan MVC]

Here is the thread about blocking bbc.co.uk he was trying to do it with host files and dns, etc. Which you just can not do for what he wanted which was blocking /news not the entire domain

https://www.neowin.net/forum/topic/975926-cannot-banblock-bbc-news-site/

Its a bit long - but I followed up with how to do it with squid and squidguard and showed it blocking the /news -- read through it, we got on a side track of using a firefox addon to block specific urls, he was just looking to block himself from accessing sites ;) (no willpower)

The thread got on a few different tangents on what can and can not be blocked with dns, in the end what he wanted was specific URL blocking - which you need a proxy, etc.

Here is link to last post where I show it blocking exactly what he wanted and what I installed on pfsense and the rule I created to block /news and how you could still access main site but not /news

https://www.neowin.net/forum/topic/975926-cannot-banblock-bbc-news-site/page__view__findpost__p__593706004

Here is another thread where I show output of the lightsquid reporting showing traffic from my wifes machine, etc. When I had it running from the above thread - but have removed it since, when you update pfsense before the RC1 it was reinstalling all the packages took quite a bit of time to have the machine back up and working, etc. So I removed all the packages I really didn't need

https://www.neowin.net/forum/topic/978142-website-tracking/

[Lilrich]

Thanks - will take a look at theses later.

I take it i could apply a block rule to a static ipadress (childs laptop)

Rich

[+BudMan MVC]

You can block a specific IP from accessing any specific IP or protocols all together just in the firewall, ie you could say IP 192.168.1.120 can not go outbound on port 80, 443 (http, https) for example in the normal firewall.

You would use squidgard if you want to block on categories or specific urls, but if just want to block all access, or limit access to specific IPs on specific ports this can be done in the normal firewall, you don't need a proxy to do that sort of filtering.

Squid also provides for authing to allow access if you want - and can be setup in a transparent proxy mode where all traffic will flow through it, or have to point the machine to the proxy port on the pfsense box, etc.

What exactly do you want to block or allow? And we can work out the best/easiest way to do that. Be it with normal firewall rules or with proxy.

[Lilrich]

I seeeee.

I want to block access to facebook, youtube and other such rubbish that kids should not be using on 192.168.33.100

Maybe a category would be best and i could add remove sites as and when required?

Rich

[+BudMan MVC]

yeah if your looking to just block based upon domain name, which could be a whole netblock for those types of domains it best to use a url based filter via a proxy vs a firewall rule which would be based upon ip, iprange, protocol, ports, etc.

If you didn't want say 192.168.33.100 to have ANY internet access, then that would be simple firewall rule - deny source 192.168.33.100 dest ANY port http, https

edit: now you could create a alias for the url that should work

So if only a few domains you could get by with this I would think.

[Lilrich]

Fantastic thanks mate :D

I have now checked Squid and it is running before i enable SquidGuard and i still get the error.

[+BudMan MVC]

quick read of the error shows something about blacklist file not being there, did you tell it to use a blacklist without downloading them first?

Let me look at the error again.

When exactly do you get that error, check that enabled, then click apply, then click save.

[Lilrich]

When i first installed it it said there was no blacklist file available but after reading the wiki today it does say i should of downloaded one from the GUI.

I am downloading one now and will try again in a second to see if that has resolved the error.

:whistle:

EDIT: Error has gone however when i turn on SquidGuard EVERYTHING gets blocked.

[+BudMan MVC]

post up your settings from the squidguard page and the squid page, when you add squidguard it ads a filter to the squid page.

[Lilrich]

Had to turn squidguard off to post this

[+BudMan MVC]

Ok -- let me reinstall this, cus nothing jumping out at me.

[Lilrich]

Ok -- thankyou :D

[+BudMan MVC]

Ok I bet I know what you didn't do ;)

You need to click into cache and click SAVE, and then access control and click SAVE!

Then if need be try restarting the proxy.

[Lilrich]

Okay tried that -- didn't work :(

Tried restarting the proxy but it wouldnt come back up, disabled the proxy then started the service which worked and repeated the steps you gave me.

Still neowin.net is blocked along with everything else :(

[+BudMan MVC]

I had the same issue with everything being blocked, just with squid installed - went into disk cache and saved, then access control then saved - and working.

before I did that everywhere just sent me to the pfsense page. Uninstall the squidguard until you have squid working.

Like I said im on 2.0 code, I can fire up a 1.2.3 box in virtual later tonight.

Other thing I noticed is Im pointing to my pfsense box as dns. In that alternate dns near the bottom of the page, I point to my pfsense IP for dns 192.168.1.253 in my case.

[Lilrich]

Squidguard has now been removed i have entered my pfsense ip into that alternate DNS box at the bottom of the page like you said, gone to cache mgmt and SAVED gone to access control and clicked SAVE and now i am here typing this so that appears to be working.

Is there a specific way i can check if Squid is working on it's own before i put squidguard back on?

Rich

[Lilrich]

Found the problem, when i turn squidguard on it puts this in the custom options on the squid page

If i remove this it works, but my question is what does it do?

redirect_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf;redirector_bypass on;redirect_children 3

Edit: If you remove this from the custom options SquidGuard changes to STOPPED.

[+BudMan MVC]

you need those for quidguard to work.. But sure you can block something just in squid to verify its working.

Ok now that you have squid up and running and internet access is working, let me install the squidgard and see whats up with it.

http://doc.pfsense.org/index.php/SquidGuard_package

edit: ok installed the package, went through the instructions for squidguard, not even using blacklists

Then

created custom list,

And put in facebook.com and looks what you get

[Lilrich]

I have just tried it in Squid itself and it blocks successfully.

Squidguard it the problem

[+BudMan MVC]

to get blacklist to work, once you have downloaded and picked what categories.. make sure on the bottom of general proxy filter page you put in the location LOCAL

note: bottom of page says

Enter FTP, HTTP or LOCAL (pfSense) URL blacklist archive, or leave blank.

Once you have a black listed loaded under targets you should see all the categories and you can set to block, allow, etc

also make sure once you make any changes to anything on the proxy filter to hit the apply button in the general proxy filter page and then save. Working smooth as silk here!

And then sure on the bottom of the proxy server page you should see the custom stuff

redirect_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf;redirector_bypass on;redirect_children 3

[Lilrich]

you need those for quidguard to work.. But sure you can block something just in squid to verify its working.

Ok now that you have squid up and running and internet access is working, let me install the squidgard and see whats up with it.

http://doc.pfsense.org/index.php/SquidGuard_package

edit: ok installed the package, went through the instructions for squidguard, not even using blacklists

Then

created custom list,

And put in facebook.com and looks what you get

It just isn't working, i disabled the blocklist tried a custom filter everything is blocked.

What is in your custom options?

[+BudMan MVC]

you have to set default to ALLOW if using squidguard.

I posted options off squid page in the post above on an edit.

If you want open up pfsense gui to remote access and PM the details ip and username and pass and will take a look.