Can not get non-Transparent web proxy to work

@jon what happens if you disable transparent proxy? Can your client use it successfully in this case?

The transparent proxy has been disabled since I started my experimenting. All of my experiments are on the BLUE network. ( I’ll do GREEN once I figure out what is not working. )

In the non-transparent mode

Depending on which firewall rule I am experimenting with - sometimes things work and sometimes not. I am having trouble figuring out if I am fighting against the Squid Proxy cache or fighting the browser cache or fighting a Firewall rule.

This is my current rule (current experiment!). I think it is similar to your description in Post #7. I wasn’t sure if your Firewall Rule (FR) RED is Standard RED or Firewall RED. So I just picked one.

That’s correct. The group Web_proxy is composed of TCP 80 and 443, right? If yes, your rule is identical to mine.

Yes it is.

Maybe you can figure out if the client is connecting to the proxy by looking at squid/access.log

 tail -f /var/log/squid/access.log

while you connect with the client’s browser to a website

Thanks. That’s been running since the beginning also.

(Browsers are WAY too busy when they should be sitting idle…)

What was done to set up the HTTPS side of the proxy server?

Allowed SSL ports, one per line

443 # https
563 # snews

I have Authentication method set to none, in case this is the problem.


Mine is already set-up that way:

Was anything added to the pac/wpad file? I see this:

function FindProxyForURL(url, host)
{
    // Local, loopback and link-local destinations bypass the proxy.
    if (
         (isPlainHostName(host)) ||
         (isInNet(host, "127.0.0.1", "255.0.0.0")) ||
         (isInNet(host, "192.168.6.0", "255.255.255.0")) ||
         (isInNet(host, "192.168.66.0", "255.255.255.0")) ||
         (isInNet(host, "10.10.10.0", "255.255.255.0")) ||
         (isInNet(host, "169.254.0.0", "255.255.0.0"))
       )
        return "DIRECT";
    // Otherwise choose the proxy address on the client's own subnet.
    else if (
         (isInNet(myIpAddress(), "192.168.6.0", "255.255.255.0"))
       )
        return "PROXY 192.168.6.1:800";
    else if (
         (isInNet(myIpAddress(), "192.168.66.0", "255.255.255.0"))
       )
        return "PROXY 192.168.66.1:800";
    // No final return: a client on any other subnet gets an undefined result.
}

Mine is the same…

This is mine:

function FindProxyForURL(url, host)
{
    // Local, loopback and link-local destinations bypass the proxy.
    if (
         (isPlainHostName(host)) ||
         (isInNet(host, "127.0.0.1", "255.0.0.0")) ||
         (isInNet(host, "10.1.1.0", "255.255.255.0")) ||
         (isInNet(host, "10.1.3.0", "255.255.255.0")) ||
         (isInNet(host, "10.1.2.0", "255.255.255.0")) ||
         (isInNet(host, "169.254.0.0", "255.255.0.0"))
       )
        return "DIRECT";
    // Otherwise choose the proxy address on the client's own subnet.
    else if (
         (isInNet(myIpAddress(), "10.1.1.0", "255.255.255.0")) ||
         (isInNet(myIpAddress(), "10.1.4.0", "255.255.255.0"))
       )
        return "PROXY 10.1.1.1:800";
    else if (
         (isInNet(myIpAddress(), "10.1.3.0", "255.255.255.0"))
       )
        return "PROXY 10.1.3.1:800";
    // No final return: a client on any other subnet gets an undefined result.
}

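As an added illustration (not code from the thread or from IPFire), the harness below evaluates the second PAC posted above offline with stand-in helper functions, so each branch can be checked without loading the file into a browser. The client addresses and hostnames are constructed samples; this isInNet accepts only dotted-quad hosts, and myIpAddress() reports whatever the caller sets.

```javascript
// Added example, not code from the thread: an offline harness for the second PAC
// posted above. The helpers are simplified stand-ins for the browser built-ins:
// this isInNet accepts only dotted-quad hosts (a browser would resolve names via
// DNS first), and myIpAddress() reports whatever the caller sets in clientIp.
let clientIp = "0.0.0.0";
function myIpAddress() { return clientIp; }
function isPlainHostName(host) { return !host.includes("."); }
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}
function isInNet(host, net, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false; // no DNS lookups here
  const m = ipToInt(mask);
  return ((ipToInt(host) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}
// The posted PAC rules (10.1.x.x addresses) with the same decisions, rewritten
// as a plain if-chain.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) ||
      isInNet(host, "127.0.0.1", "255.0.0.0") ||
      isInNet(host, "10.1.1.0", "255.255.255.0") ||
      isInNet(host, "10.1.3.0", "255.255.255.0") ||
      isInNet(host, "10.1.2.0", "255.255.255.0") ||
      isInNet(host, "169.254.0.0", "255.255.0.0"))
    return "DIRECT";
  if (isInNet(myIpAddress(), "10.1.1.0", "255.255.255.0") ||
      isInNet(myIpAddress(), "10.1.4.0", "255.255.255.0"))
    return "PROXY 10.1.1.1:800";
  if (isInNet(myIpAddress(), "10.1.3.0", "255.255.255.0"))
    return "PROXY 10.1.3.1:800";
  // As posted, there is no final return: a client on any other subnet gets
  // undefined, and what the browser does with that is browser-dependent.
}
// Evaluate one constructed (client, destination host) pair.
function decide(client, host) {
  clientIp = client;
  return FindProxyForURL("http://" + host + "/", host);
}
// Constructed sample cases covering each branch of the PAC.
function runSamples() {
  return {
    greenClient: decide("10.1.1.50", "www.example.com"),   // "PROXY 10.1.1.1:800"
    fourthSubnet: decide("10.1.4.9", "www.example.com"),   // "PROXY 10.1.1.1:800"
    blueClient: decide("10.1.3.7", "www.example.com"),     // "PROXY 10.1.3.1:800"
    localDest: decide("10.1.3.7", "10.1.2.5"),             // "DIRECT"
    plainName: decide("10.1.1.50", "printer"),             // "DIRECT"
    unlisted: decide("10.1.5.5", "www.example.com"),       // undefined
  };
}
console.log(runSamples());
```

The last case shows the one gap in the posted rules: a client outside the listed subnets gets no decision at all.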

They look very similar except for the IP addresses. Thanks for posting!

Just wanted to add an update… I was getting frustrated with setting up the proxy so I figured I’d walk away for a few days and do something else.

I have the non-transparent (conventional) proxy running and things still don’t seem to be running correctly. I was hoping updating the CU 171 (test) might change something but still no joy.

I am guessing I have something configured incorrectly but I do not know what.

Right now browsing the Internet is painfully slow. To load a new web page takes about 30 seconds. If I enable transparent mode all of the slowness disappears. I think it is my firewall rule, but only because that is a big unknown for me.

My current firewall rule is in Post 9.

Can someone post a picture/screenshot of their entire Firewall Rule for blocking port 80 & Port 443?

I did the opposite. I only allow a handful of ports that are needed. Why should I keep every window and door open? That’s just a security risk. So my default outgoing firewall setting is set to “blocked”.

I have 4 subnets for each of green and blue.

  1. is for stationary, known and trusted infrastructure network members without internet access
  2. is for stationary, known and trusted end-user network members that must use the non-transparent proxy (otherwise no internet access)
  3. is for mobile and trusted end-user network members (may or may not use the non-transparent proxy; the transparent proxy is working for internet access)
  4. is for any new/unknown network members (no internet access)

“Trusted network members” are defined in the firewall hosts, therefore IP and MAC need to fit.

For a working internet access, it needs only rules for ICMP, NTP, DNS, HTTP and HTTPS (+ in our case ports for Email because of Thunderbird/Outlook):


Hi @jon.

I have it this way:

I have it in non-transparent mode and it works like a shot.

I hope that sooner rather than later, you find a solution. :+1:

Greetings.

@jon there is one thing that I do not understand with your setting. Transparent mode works only for unencrypted traffic. What happens to the https traffic when you enable the transparent proxy: does it still go through the proxy or does it go directly? Because if it is the latter, you not only activate the transparent proxy, but you also disable the firewall rule in post 9. Do I understand your setting correctly?

This is the direction I am slowly heading. But without a basic understanding of the proxy I am very reluctant to do FORWARD Blocked and OUTGOING Blocked.

Currently these are set to FORWARD Allowed and OUTGOING Allowed. And this may be the crux of the issue! With one rule hopefully blocking 80 & 443.

This is more advanced than my network. I just have one subnet for green and a separate subnet for blue. Green is a wired ethernet (no WiFi). Blue is mostly wireless (WiFi).

Thank you for posting!


I’ll double check. I assume you are talking about with the proxy settings enabled for the client. And the Firewall Rule block 80 & 443 enabled.

Most of the time (99.999%) the Transparent mode is disabled. I enable it for a few seconds just to try things as a quick test.

So with the:

  1. transparent proxy enabled
  2. AND proxy settings enabled for the client
  3. AND Firewall Rule block 80 & 443 enabled

things still show up in the Proxy log viewer.

Does this sound right?

Not sure I understand this part…

Yes. To be clear, I was thinking of this normalization of the browsing speed you observe when you activate the transparent proxy. My hypothesis was that the speed of your browsing would go up to a normal value because you would only do the transparent proxy, while the 443 encrypted web surfing would go direct.

If this hypothesis were correct, then the problem would have been restricted to the proxy function dealing with the encrypted communication.

As it is, what you said proved my hypothesis wrong. Then let’s formulate the alternative one.

If all the premises are correct, the logical conclusion is that the slow speed problem is related to the port 80 traffic and not the 443 traffic. If this assumption is correct, then disabling the proxy only on port 80 and allowing the clients to go direct on the unencrypted traffic only (in other words, removing the block on port 80 on your firewall) should get you to the same result you observe with transparent proxy: namely normal speed.

I would test this, because if it is true then you can narrow down the problem considerably.

I hope I managed to convey my thought in a more clear way than last time.

Good luck.
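As an added diagnostic (not from the thread), the script below applies the hypothesis above to Squid's native access.log format: it groups log lines by request method, so plain-HTTP GETs on port 80 and CONNECT tunnels to port 443 can be compared on elapsed time instead of judged by feel. The log lines are constructed samples, and the field layout assumes Squid's default native format.

```javascript
// Added example, not from the thread. Squid's native access.log line layout:
//   timestamp elapsed_ms client status/code bytes method url ident hierarchy type
// Constructed sample lines: slow GETs over port 80, quick CONNECT tunnels to 443.
const SAMPLE_LOG = [
  "1700000000.101  30012 10.1.1.50 TCP_MISS/200 5120 GET http://www.example.com/ - HIER_DIRECT/203.0.113.10 text/html",
  "1700000000.202  29870 10.1.1.50 TCP_MISS/200 812 GET http://www.example.com/style.css - HIER_DIRECT/203.0.113.10 text/css",
  "1700000000.303    140 10.1.1.50 TCP_TUNNEL/200 4096 CONNECT www.example.com:443 - HIER_DIRECT/203.0.113.10 -",
  "1700000000.404    205 10.1.3.7 TCP_TUNNEL/200 9000 CONNECT cdn.example.net:443 - HIER_DIRECT/203.0.113.20 -",
  "1700000000.505  31004 10.1.3.7 TCP_MISS/503 0 GET http://www.example.org/ - HIER_NONE/- -",
];
// Parse one native-format line into the fields we care about; null if malformed.
function parseLine(line) {
  const f = line.trim().split(/\s+/);
  if (f.length < 7 || Number.isNaN(Number(f[1]))) return null;
  return { elapsedMs: Number(f[1]), client: f[2], status: f[3], method: f[5], url: f[6] };
}
function median(nums) {
  const s = [...nums].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}
// Per-method request count and median elapsed time. CONNECT entries are the
// TLS tunnels (port 443); GET/POST entries are plain HTTP proxied on port 80.
function summarize(lines) {
  const byMethod = {};
  for (const line of lines) {
    const e = parseLine(line);
    if (!e) continue;
    (byMethod[e.method] = byMethod[e.method] || []).push(e.elapsedMs);
  }
  const out = {};
  for (const [method, times] of Object.entries(byMethod)) {
    out[method] = { count: times.length, medianMs: median(times) };
  }
  return out;
}
// Requests slower than thresholdMs, with client and URL, for closer inspection.
function slowRequests(lines, thresholdMs) {
  return lines.map(parseLine)
    .filter((e) => e && e.elapsedMs > thresholdMs)
    .map((e) => `${e.client} ${e.method} ${e.url} ${e.elapsedMs}ms ${e.status}`);
}
console.log(summarize(SAMPLE_LOG));
console.log(slowRequests(SAMPLE_LOG, 5000));
```

On a live box the same functions can be fed the output of `tail -n 500 /var/log/squid/access.log`; a median that is high only for GET points at the port 80 path, as the post above suggests testing.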

I think this is what I see. There are only URLs with :443 as the port. There are no URLs with no port at the end (no http://test.com URLs) for port 80.

Anyway, I think I am going to start from scratch. I’ve made too many changes over the past month or so.

Another question - I am wondering if a requirement for non-Transparent (conventional) mode is to do FORWARD Blocked and OUTGOING Blocked?? If so, then this should be big & bold in the Wiki.