Quote from: bpill on November 27, 2025, 08:59:49 AM
Hello there!
I am trying to configure the squid web proxy to achieve the following goals:
- Transparent proxy (gateway on the clients is set to the OPNsense IP)
- Block everything by default (HTTPS/HTTP)
- Allow specific domains only (HTTPS/HTTP)
I managed to configure the system:
- "Enable Transparent HTTP proxy" -> true
- "Enable SSL inspection" -> true
- "Log SNI Information only" -> true
- "CA to use" -> created and imported on the clients
- "SSL no bump sites" currently empty
- NAT rules to the proxy are created
- ACL: "Whitelist" contains only "nuget.org"
- ACL: "Blacklist" contains ".*" to block everything
The problem:
If I open https://nuget.org I get the message:
"The following error was encountered while trying to retrieve the URL: https://172.183.192.203/* Access Denied."
I do not understand why it would ?redirect? to the IP instead of the hostname.
If I remove the ".*" from the blacklist it works.
What am I doing wrong? Is there another, better way?
Thanks!
Benjamin
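The post above combines a one-entry whitelist with a catch-all ".*" blacklist, and the outcome depends on how squid walks its http_access lines. The following is an added example, written for this page and not code from the post or from OPNsense, that models that evaluation: it assumes the two lists are matched as case-insensitive regular expressions against the destination host (squid's dstdom_regex behaviour), tries two hypothetical rule orders because the post does not say which order the generated squid.conf uses, and includes one request for which only the destination IP from the error message is known rather than a host name.

```python
import re
from typing import Dict, List, Tuple

# Constructed ACL lists mirroring the post: one whitelist entry and a
# catch-all blacklist entry. Entries are treated as case-insensitive regular
# expressions searched in the destination host name (dstdom_regex semantics).
# That the OPNsense lists are regex-matched is an assumption of this example.
ACLS: Dict[str, List[str]] = {
    "whitelist": [r"nuget\.org"],
    "blacklist": [r".*"],
}

# One http_access line: ("allow" | "deny", acl name).
Rule = Tuple[str, str]

# Two hypothetical rule orders; the post does not state which one applies,
# so both are evaluated.
DENY_FIRST: List[Rule] = [("deny", "blacklist"), ("allow", "whitelist")]
ALLOW_FIRST: List[Rule] = [("allow", "whitelist"), ("deny", "blacklist")]


def acl_matches(acl: str, host: str) -> bool:
    """True if any pattern of the named ACL matches the destination host."""
    return any(re.search(pattern, host, re.IGNORECASE) for pattern in ACLS[acl])


def http_access(rules: List[Rule], host: str) -> str:
    """Evaluate http_access lines top to bottom: the first line whose ACL
    matches decides the request. If no line matches, squid applies the
    opposite of the last line's action, which is reproduced here."""
    if not rules:
        raise ValueError("at least one http_access line is required")
    for action, acl in rules:
        if acl_matches(acl, host):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


def evaluate_scenarios() -> Dict[str, str]:
    """Run the requests from the post through both rule orders. The last
    case models a request for which only the destination IP (the address
    shown in the error message) is known, as happens when the proxy has to
    decide before it has read a host name from the connection."""
    return {
        "deny-first, nuget.org": http_access(DENY_FIRST, "nuget.org"),
        "allow-first, nuget.org": http_access(ALLOW_FIRST, "nuget.org"),
        "allow-first, example.com": http_access(ALLOW_FIRST, "example.com"),
        "allow-first, 172.183.192.203": http_access(ALLOW_FIRST, "172.183.192.203"),
    }


if __name__ == "__main__":
    for case, verdict in evaluate_scenarios().items():
        print(f"{case:32} -> {verdict}")
```

Two points the model makes visible: a catch-all deny placed before the allow line blocks everything regardless of the whitelist, and a host-name pattern can never match a request that is identified only by its IP address. Note also that an unanchored pattern such as `nuget\.org` is a substring search and matches any longer name containing it; anchor with `$` when an exact domain is intended.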
Quote from: TheSHAD0W on June 17, 2026, 05:16:07 PM
Thing is, as I said, other devices and OSes are able to do a much better job at connecting and keeping the lease up, and there's no reason for opnsense to be more fragile.
interface "re0" {
    # timing values
    # custom options
    request subnet-mask, routers;
    require subnet-mask, routers;
    send dhcp-lease-time 3600;
    # standard settings
    script "/usr/local/opnsense/scripts/interfaces/dhclient-script";
    supersede interface-mtu 0;
}
Quote:
tcpdump: listening on re0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
09:03:41.409243 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:1d:aa:6b:89:ef, length 300, xid 0xa7f96e94, Flags [none]
      Client-Ethernet-Address 00:1d:aa:6b:89:ef
      Vendor-rfc1048 Extensions
        Magic Cookie 0x63825363
        DHCP-Message (53), length 1: Request
        Lease-Time (51), length 4: 3600
        Requested-IP (50), length 4: aaa.bbb.ccc.ddd
        Client-ID (61), length 7: ether 00:1d:aa:6b:89:ef
        Hostname (12), length 6: "vpn-gw"
        Parameter-Request (55), length 2:
          Subnet-Mask (1), Default-Gateway (3)
09:03:41.409292 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:1d:aa:6b:89:ef, length 300, xid 0xa7f96e94, Flags [none]
      Client-Ethernet-Address 00:1d:aa:6b:89:ef
      Vendor-rfc1048 Extensions
        Magic Cookie 0x63825363
        DHCP-Message (53), length 1: Request
        Lease-Time (51), length 4: 3600
        Requested-IP (50), length 4: aaa.bbb.ccc.ddd
        Client-ID (61), length 7: ether 00:1d:aa:6b:89:ef
        Hostname (12), length 6: "vpn-gw"
        Parameter-Request (55), length 2:
          Subnet-Mask (1), Default-Gateway (3)
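The tcpdump output above is a decoded DHCPREQUEST: a BOOTP header followed by the RFC 2132 magic cookie and a sequence of type-length-value options. The following is an added example, not code from the post or from OPNsense, that builds a packet with the same xid, client MAC, hostname, lease time and parameter request list as the capture and then parses the options back, the way a packet decoder has to. The requested address is a constructed TEST-NET value standing in for the anonymised "aaa.bbb.ccc.ddd", and the parser rejects truncated option fields rather than reading past the buffer.

```python
import struct
from typing import Dict, List, Union

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # "Magic Cookie 0x63825363" in the capture
BOOTP_HEADER = "!BBBBIHH4s4s4s4s16s64s128s"   # 236 bytes preceding the options
OPTION_NAMES = {1: "Subnet-Mask", 3: "Default-Gateway", 12: "Hostname",
                50: "Requested-IP", 51: "Lease-Time", 53: "DHCP-Message",
                55: "Parameter-Request", 61: "Client-ID"}
MESSAGE_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 4: "Decline",
                 5: "Ack", 6: "Nak", 7: "Release", 8: "Inform"}


def build_request(xid: int, mac: str, hostname: str, requested_ip: str,
                  lease_time: int, params: List[int]) -> bytes:
    """Construct a DHCPREQUEST payload (constructed sample, op=1 BOOTREQUEST,
    htype=1 Ethernet, hlen=6), padded to the 300-byte BOOTP minimum seen in
    the capture ("length 300")."""
    mac_bytes = bytes.fromhex(mac.replace(":", ""))
    header = struct.pack(BOOTP_HEADER, 1, 1, 6, 0, xid, 0, 0,
                         b"\x00" * 4, b"\x00" * 4, b"\x00" * 4, b"\x00" * 4,
                         mac_bytes.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    ip = bytes(int(octet) for octet in requested_ip.split("."))
    options = (
        bytes([53, 1, 3])                                   # DHCP-Message: Request
        + bytes([51, 4]) + struct.pack("!I", lease_time)    # Lease-Time
        + bytes([50, 4]) + ip                               # Requested-IP
        + bytes([61, 7, 1]) + mac_bytes                     # Client-ID: type 1 (ether) + MAC
        + bytes([12, len(hostname)]) + hostname.encode()    # Hostname
        + bytes([55, len(params)]) + bytes(params)          # Parameter-Request
        + bytes([255])                                      # END
    )
    return (header + MAGIC_COOKIE + options).ljust(300, b"\x00")


def parse_header(payload: bytes) -> Dict[str, Union[int, str]]:
    """Return the fixed-header fields a decoder prints first: op, xid and MAC."""
    fields = struct.unpack(BOOTP_HEADER, payload[:236])
    op, _htype, hlen, _hops, xid = fields[:5]
    chaddr = fields[11]
    return {"op": op, "xid": xid, "mac": ":".join(f"{b:02x}" for b in chaddr[:hlen])}


def parse_options(payload: bytes) -> Dict[int, bytes]:
    """Walk the TLV option area after the magic cookie. PAD (0) has no length
    byte, END (255) terminates; every other option must fit in the buffer."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("no DHCP magic cookie at offset 236")
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(payload):
            raise ValueError(f"truncated option {code}: missing length byte")
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"truncated option {code}: need {length}, have {len(data)}")
        options[code] = data
        i += 2 + length
    return options


def decode_options(raw: Dict[int, bytes]) -> Dict[str, Union[str, int, List[str]]]:
    """Render raw option bytes in the same vocabulary tcpdump uses."""
    decoded: Dict[str, Union[str, int, List[str]]] = {}
    for code, data in raw.items():
        name = OPTION_NAMES.get(code, f"Option-{code}")
        if code == 53:
            decoded[name] = MESSAGE_TYPES.get(data[0], f"type {data[0]}")
        elif code in (1, 3, 50):
            decoded[name] = ".".join(str(b) for b in data)
        elif code == 51:
            decoded[name] = struct.unpack("!I", data)[0]
        elif code == 61 and data and data[0] == 1:
            decoded[name] = "ether " + ":".join(f"{b:02x}" for b in data[1:])
        elif code == 12:
            decoded[name] = data.decode("ascii", errors="replace")
        elif code == 55:
            decoded[name] = [OPTION_NAMES.get(b, f"Option-{b}") for b in data]
        else:
            decoded[name] = data.hex()
    return decoded


if __name__ == "__main__":
    pkt = build_request(0xA7F96E94, "00:1d:aa:6b:89:ef", "vpn-gw", "192.0.2.10", 3600, [1, 3])
    print(parse_header(pkt))
    for name, value in decode_options(parse_options(pkt)).items():
        print(f"  {name}: {value}")
```

Running the block reproduces the option list from the capture (Request, lease time 3600, requested IP, client identifier, hostname, and the parameter request for Subnet-Mask and Default-Gateway). The length check on every option is the part worth keeping when the input comes off the wire instead of from the builder.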
Quote from: xtom42x on June 17, 2026, 03:50:24 PM
The thing is, I imported the firewall settings from an older "sibling" OPNsense where these settings worked (let traffic pass),
so the settings that worked before stopped working silently (it was hell to figure out the reason). I don't think that's how it should be (especially if you use these options for what they are intended to do).