Thanks for the video, this is a great how-to on configuring cache settings. I have a lot going on with my network, including webservers under lagg and LACP; so far, after following your setup in this video, I don't see any conflicting issues with my current webservers and them running their own personal SSL certificates.
Thanks for sharing this video. I'm using this to save bandwidth and it works for HTTP; however, I want to cache SSL/HTTPS (Facebook and YouTube videos etc.). Is there any possible way not to install the certificate on every device? Thanks.
I must say that your method is by far the best and simplest one to filter even SSL traffic... brilliant! I have a request for you, please: can you make a video on how to configure Squid on multiple interfaces with DHCP enabled on optional interfaces, meaning excluding the LAN?
You may want to consider using NAT to force all your traffic through the proxy. I am planning on releasing another video in the coming days that will perform this type of task with DNS.
Hi! Thanks a lot for your video. Maybe I missed something, but how does your client know it has to go through the transparent proxy? In my environment I have to manually configure a proxy in my Chrome browser. Thanks again.
When you select your interface there is an option to enable transparent proxy. That tells pfSense and Squid to intercept the traffic and automatically redirect it to the proxy server. Hope this helps ...
Love the video - thanks. I would like to see your internal IP addresses - are you double NATing or are the gateway and the client on the same LAN segment?
You are right, I should have added the IP addresses so you could see the structure. Yes, the client is on the same LAN segment as the proxy server that is configured for transparent interception. I am double NATing, but not to make the proxy work; it is to create a private network to make the video on.
Not able to block Gmail though... any suggestion?
Google can be tricky as they use lots of DNS entries. You can perform a DNS lookup and block the IP addresses.
Would using a VPN which uses its own CA cause any issues with this setup?
Also, in the initial test the SSL is blocking www.google.com and is filtering much of the www.yahoo.com homepage. I can get to www.msn.com and others.
There was a temporary DNS error. Try refreshing the page.
Error Code: INET_E_RESOURCE_NOT_FOUND
No, your clients will reach your proxy, then your proxy will make the request for the end users. If a user is going through your proxy to get to their VPN location, all traffic will be unreadable by your proxy server and bypassed (assuming the VPN client is configured correctly).
Make sure your clients and your pfSense box can reach DNS servers. This includes the host 127.0.0.1 on the NAT page.
I liked the video, but I'm having some issues.
After configuring the proxy, PlayStation Vue, Netflix and Arlo video cameras stopped working.
So two questions:
1. Is it practical to use the proxy without a FW rule forcing everything on the LAN?
2. How to address problems with PlayStation Vue, Netflix, Arlo video cameras?
Overall, I wonder about usefulness vs. the problems it creates.
In my opinion, if you believe all people should be using the proxy, you should put a deny-all and only allow the ports needed to pass through to the proxy.
Yes, there are ways to make the services above work through your proxy server (e.g. a bypass / whitelist). There should always be consideration for security vs. usability and whether it is worth it to go down these paths. It really depends on what you are trying to protect and how important it is to you.
I can tell you businesses want to protect their intellectual property and equipment and deploy services like proxies to help create visibility that they would not normally have. I do not want to go down a rabbit hole about security, but a proxy server is one of the many strategies used to help fight against malicious activities and can be worth the time and effort to implement. Controlling who has access to what is also another use case for proxies (e.g. blocking access to certain sites), very valuable for some who need this type of security.
I hope this helps with your questions ...
@VMNerd Thanks, and your video is very good!
Thank you for your kind words.
VMNerd, it would be great if you could do a video on how to use Wireshark/tshark, please.
I tried setting up Squid as a transparent proxy in a similar topology, but I got errors when going to certain sites despite not blocking any addresses or setting any ACLs.
I am interested in your configuration; reach out to me on Facebook Messenger .... facebook.com/vmnerd
Can you help me to configure Windows caching?
Do I have to select my country in the CA config, or can I select any, because it's not listed?
You can fill out whatever you want since the CA is yours.
VMNerd, good to know.
Can this configuration co-exist with nginx on port 80?
To answer your question: no, a service cannot share the same port at the same time on the same system unless it was designed to do so. I am not sure what you are asking, so my answer above is based on what I think you are asking.
Would you be up to doing a WPAD setup video? Trying to get one set up for my network and just not having luck. This one helped me configure my machines. Thank you.
Maybe it would require the use of unsupported pfSense packages.
VMNerd, oh ok. Been trying to get it running, but having issues. And you make great videos.
Sorry, I have not set anything up, but there is an open-source repository for installing 3rd-party packages that support creating and deploying WPAD from pfSense.
VMNerd, oh interesting. Thank you.
Could you tell us, what is the manager LAN IP and what is the gateway?
With transparent proxy, the Squid package will auto-intercept HTTP and HTTPS traffic and run them through the proxy. The management IP is the pfSense LAN interface ... the external IP is the WAN interface. I am assuming I am understanding what you are asking ...
Awesome video!
Thanks for the feedback ...
Are you still taking video ideas? I'm trying to figure out this issue with multiple P2 settings! Would love your input!
P2 settings? Can you provide more information? I am always taking ideas, just have to make time for it!
Basically I have 3 networks (LANs) on my box. Currently I have IPsec set up to gain access to all 3 LAN nets remotely. I want to isolate one LAN network specifically for remote clients to access the lab network. How do I keep my current IPsec setup and add another P2 entry to allow specific clients to the lab network?
What do you mean by multiple P2 settings? I might help if it's clear to me.
How to configure YouTube cache?
Well, I don't want to be a downer, but it's just not working for me. I even went for a factory reset of pfSense and set up just the basics, then followed the video. Every browser, every system on the network complains about an insecure connection.
Had to disable ssh filtering. Setting up a certificate and setting splicing all, setting the CA to the one created... it did not do its magic.
I am interested in your configuration; reach out to me on Facebook Messenger .... facebook.com/vmnerd
Nice video.
You're very welcome, I hope you enjoy my future videos. I have one being released tonight.
Thanks, bro.
Nice.
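Several comments above report the same symptom (errors on certain sites, browsers complaining about an insecure connection, Google blocked while msn.com works) without a way to pin down which destinations are failing. The script below is an added example, written for this thread rather than taken from the video or from any commenter: it parses Squid's native access.log layout, tallies result/status per destination host, and lists the hosts that never received a successful reply. The log lines in `SAMPLE_LOG` are constructed, the path `/var/squid/logs/access.log` in the usage comment is an assumption, and the labels `denied_by_acl`, `no_reply` and `other_error` are my own heuristics, not Squid result codes.

```python
"""Summarise Squid native-format access.log entries per destination host.

Added example (not code from the video or the thread); standard library only.
"""
import sys
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log layout:
# time elapsed client result/status bytes method url user hierarchy/peer type
SAMPLE_LOG = """\
1700000000.101    215 192.168.1.50 TCP_MISS/200 5120 GET https://www.msn.com/ - HIER_DIRECT/203.0.113.10 text/html
1700000000.202     12 192.168.1.50 NONE/000 0 CONNECT www.google.com:443 - HIER_NONE/- -
1700000000.303     10 192.168.1.50 NONE/000 0 CONNECT www.google.com:443 - HIER_NONE/- -
1700000000.404    150 192.168.1.51 TCP_TUNNEL/200 3300 CONNECT video.example.net:443 - HIER_DIRECT/203.0.113.20 -
1700000000.505      3 192.168.1.51 TCP_DENIED/403 3900 GET http://blocked.example/ - HIER_NONE/- text/html
1700000000.606    180 192.168.1.50 TCP_MISS/200 9000 GET https://www.yahoo.com/ - HIER_DIRECT/203.0.113.30 text/html
this line is not a log entry and must be skipped
"""


def host_of(method, url):
    """Destination host: CONNECT carries host:port, other methods a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or url).lower()


def parse_line(line):
    """Return a dict for one native-format entry, or None if the line is malformed."""
    fields = line.split()
    if len(fields) != 10 or "/" not in fields[3]:
        return None
    result, status = fields[3].split("/", 1)
    if not status.isdigit():
        return None
    return {
        "client": fields[2],
        "result": result,          # e.g. TCP_MISS, TCP_DENIED, NONE
        "status": int(status),     # HTTP status; 000 means no reply was sent
        "method": fields[5],
        "host": host_of(fields[5], fields[6]),
    }


def summarize(log_text):
    """Map each destination host to a Counter of 'RESULT/STATUS' strings."""
    per_host = defaultdict(Counter)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            per_host[entry["host"]][f"{entry['result']}/{entry['status']:03d}"] += 1
    return per_host


def classify_host(counts):
    """Heuristic label (my own, not a Squid code) for a host that never got a 2xx."""
    pairs = [(key.split("/")[0], int(key.split("/")[1])) for key in counts]
    if any(200 <= status < 300 for _, status in pairs):
        return None                      # at least one request succeeded
    if any(result == "TCP_DENIED" for result, _ in pairs):
        return "denied_by_acl"           # Squid's own ACLs refused it
    if all(status == 0 for _, status in pairs):
        # Connection closed before any HTTP reply. With transparent SSL bump this is
        # typically the client refusing the proxy-generated certificate (pinning, or
        # the CA not being trusted on that device).
        return "no_reply"
    return "other_error"


def find_broken_hosts(per_host):
    """Hosts that never received a successful reply, each with a heuristic label."""
    broken = {}
    for host, counts in per_host.items():
        label = classify_host(counts)
        if label is not None:
            broken[host] = label
    return broken


if __name__ == "__main__":
    # Usage: python squid_log_check.py /var/squid/logs/access.log   (path assumed)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for host, label in sorted(find_broken_hosts(summarize(text)).items()):
        print(f"{host:30} {label}")
```

Run with no argument it reports on the constructed sample; pointed at a real access.log it gives a per-host shortlist to compare against the device's certificate trust store and the bypass/whitelist discussed earlier in the thread. Hosts labelled `no_reply` are the ones to look at first when every browser reports an insecure connection.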