Topic: Cache proxy server, blocks internet browsing when enabled (Read 1873 times)
Hemant_5400z
Newbie
Posts: 4
Karma: 0
Cache proxy server, blocks internet browsing when enabled
« on: May 24, 2022, 12:05:20 pm »
Hi,
I just finished the basic setup using the documentation available.
A simple setup for caching web (not transparent). I did put my network on the allow list. Even put the client in unrestricted session.
I don't need to log in so it is cleared. Started the proxy service on the LAN and checked with telnet on router IP - 3128 is reachable.
However, when I try to browse with Google or Edge, pages are not loaded. (Windows 10)
Checked ping google, which works from the command line.
Did I miss something?
I have a firewall outbound rule for IP4 and 6 -> to WAN Internet *.
Any help appreciated.
Hemant
Hemant_5400z
Newbie
Posts: 4
Karma: 0
Re: Cache proxy server, blocks internet browsing when enabled
« Reply #1 on: May 25, 2022, 05:11:23 pm »
Hi,
I did some additional testing.
I can see the entries in the live view without being blocked.
I can also see the entries in the access log like this:
9530 xxx.xxx.xxx.xxx TCP_TUNNEL/200 39 CONNECT www.google.com:443 - HIER_DIRECT/142.251.36.36 -
But the pages do not load.
The strange thing is that it works when using Transparent proxy, but I want caching only for specific clients.
Hemant
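One way to triage access.log lines like the one quoted in Reply #1, as an added example that is not part of the thread or of OPNsense: it separates ACL denials from CONNECT tunnels that opened but relayed nothing beyond the 39-byte "200 Connection established" reply. Assumptions: Squid's native log layout with an optional timestamp column, and the verdict names, which are made up here; every sample line except the first is constructed.

```python
import re
from collections import Counter

# Assumption: reply Squid writes to the client when a CONNECT tunnel opens (39 bytes).
CONNECT_REPLY_LEN = len(b"HTTP/1.1 200 Connection established\r\n\r\n")

# Assumed layout (Squid native log format; the post omits the timestamp):
# [time] elapsed_ms client result/status bytes method url user hier/peer type
LINE_RE = re.compile(
    r"^(?:(?P<ts>\d+\.\d+)\s+)?(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

def classify(line):
    """Return (verdict, fields) for one access.log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return "unparsed", {}
    f = m.groupdict()
    if f["result"].startswith("TCP_DENIED"):
        return "denied_by_acl", f               # proxy ACL refused the request
    if f["method"] == "CONNECT" and f["result"] == "TCP_TUNNEL":
        if int(f["bytes"]) <= CONNECT_REPLY_LEN:
            return "tunnel_opened_no_data", f   # only the 200 reply was sent
        return "tunnel_ok", f
    if f["hier"] == "HIER_NONE" and f["status"].startswith("5"):
        return "error_no_upstream", f           # nothing upstream was contacted
    return "other", f

def summarize(lines):
    """Count verdicts per client so a failing pattern stands out."""
    counts = Counter()
    for line in lines:
        verdict, f = classify(line)
        counts[(f.get("client", "?"), verdict)] += 1
    return counts

SAMPLE = [
    # First line is from Reply #1; the rest are constructed (documentation ranges).
    "9530 xxx.xxx.xxx.xxx TCP_TUNNEL/200 39 CONNECT www.google.com:443 - HIER_DIRECT/142.251.36.36 -",
    "1653491483.120 812 192.0.2.10 TCP_TUNNEL/200 5120 CONNECT example.org:443 - HIER_DIRECT/198.51.100.7 -",
    "1653491490.001 0 192.0.2.11 TCP_DENIED/403 3950 CONNECT example.net:443 - HIER_NONE/- text/html",
    "1653491495.442 30 192.0.2.10 TCP_MISS/503 4036 GET http://example.com/ - HIER_NONE/- text/html",
]
if __name__ == "__main__":
    for (client, verdict), n in sorted(summarize(SAMPLE).items()):
        print(client, verdict, n)
```

A tunnel_opened_no_data verdict means the proxy accepted the CONNECT and chose an upstream address, so the allow list is not what stopped the page.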
Vilhonator
Full Member
Posts: 245
Karma: 13
Re: Cache proxy server, blocks internet browsing when enabled
« Reply #2 on: June 17, 2022, 12:45:09 pm »
You need to follow the instructions to the letter and change only local IPs if they are different from the instructions.
If you have done so:
1. Go to Windows network settings and set up the proxy there (Google and Edge use Windows proxy settings)
2. Make sure that the culprit isn't DNS. The easiest way to check this is to manually change DNS settings from your OS network settings; if it lets you access the internet, then the proxy isn't working as it should, if it doesn't then your browser is possibly trying to connect to a different DNS or doesn't have the right certificate
3. Check that the proxy uses HTTP AND HTTPS; any site that uses SSL won't work with HTTP proxies, which is why you need to create a certificate for the proxy and add that certificate to the browser's trusted certificates
4. Add networks to the whitelist (the lists which are available only contain networks for YouTube, Netflix and some others, but Steam, Microsoft and such aren't included on those and you need to add their net blocks to the whitelist manually)
A thing to keep in mind: make sure that the proxy doesn't interfere with sites like banks and services which do not support proxies (proxies use methods similar to those man-in-the-middle attacks use); for example, Discord won't work in proxy networks. So you might not be able to use the proxy with Edge or Google unless you can configure proxy settings in both of their settings.
Lastly, if you want the proxy to be used only by certain clients, then the easiest way to do so is to set it on a separate physical or virtual network interface / VLAN, connect a switch to that and connect clients to that switch. It's also a good idea to do this anyway, since if you do something very wrong, you will be locked out from management (including SSH) and the only way you are able to undo it is resetting the firewall back to factory defaults or reverting to a correct backup via console (OPNsense does automatically back up 10 things you change by default)
Been a while since the last time I played around with the proxy on OPNsense, but it is quite simple once you get the hang of it.
« Last Edit: June 17, 2022, 12:48:38 pm by Vilhonator »
Vilhonator
Full Member
Posts: 245
Karma: 13
Re: Cache proxy server, blocks internet browsing when enabled
« Reply #3 on: June 17, 2022, 12:58:26 pm »
And whitelisting is extremely important. If you don't do that and one of the lists you chose doesn't contain Microsoft networks, clients using your proxy won't be able to download Windows updates, use OneDrive, Xbox LIVE, Teams, Microsoft Office's online features, Microsoft Store, MSN mail or even log on to user accounts if they use online accounts instead of local accounts.
In short: EVERYTHING Microsoft related will be blocked, be it people using Google accounts to connect to them or not.
Same goes for each service which isn't whitelisted. So a proxy is good when you need to, for example, block access to Netflix, Steam etc. in school networks, but for home use, it is a way to make things like putting a gun in your mouth and pulling the trigger quite tempting
« Last Edit: June 17, 2022, 01:09:40 pm by Vilhonator »