pfSense 2.3.1 Security : Explicit Squid Proxy, WPAD, SquidGuard, Lightsquid, and Static ARP (Part 1 of 2)


Prerequisite:

You must already have pfSense 2.3.1 (or later) installed to follow this setup.


Installing Squid



Go to System > Package Manager > Available Packages, then click + Install next to Squid. Then click Confirm.





When you see Success at the bottom of the installation log, go to Services > Squid Proxy Server > Local Cache.
Set Hard Disk Cache Size to at most 60% of the storage capacity and
Memory Cache Size to at most 50% of the installed RAM, then click Save.


Now click the General tab of the Proxy Server and tick Enable Squid Proxy. By default Squid listens on port 3128 on the LAN interface.
Scroll down to Logging Settings, tick Enable Access Logging and
set Rotate Logs to 7, then click Save. The access log is written under the Log Store Directory, /var/squid/logs by default, and is the evidence you will want later that traffic really passes through the proxy.


To test the proxy server, you need to point a client at it. In Google Chrome, go to Settings, click Show advanced settings..., scroll down to the Network section and click Change proxy settings...
When the Internet Properties window opens, click LAN settings.
Tick Use a proxy server for your LAN, fill in Address: with the router's LAN address and Port: with the proxy's port, which is 3128 by default.


You can try to browse now and see if your proxy works. A page loading does not by itself prove that the request went through Squid, so restrict the LAN firewall rules so that the proxy is the only way out. This is done by going to
Firewall > Rules > LAN. Click the pencil to edit your Default allow LAN to any rule, set the Destination to LAN address (the pfSense address Squid listens on) instead of any, and change the Description to Default allow LAN to LAN rule to remind you, then click Save. Click Apply Changes. You can also notice here that I removed my IPv6 default rule; without that, a dual-stack client could still reach the Internet directly over IPv6 and bypass the proxy.



Test by browsing again: with the proxy set in the browser, pages should still load, and with the proxy entry removed they should not, because the firewall now only allows LAN hosts to talk to pfSense itself. You have successfully set up your Squid proxy server. Now allow LAN connections to any destination again by reverting your LAN rule to Destination: any. Then reset the proxy settings in Google Chrome by going back to the proxy settings, removing your entries and ticking Automatically detect settings.
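Because you enabled access logging above, there is a better check than watching pages load: a request that really went through Squid appears in /var/squid/logs/access.log (the package's default Log Store Directory) in Squid's native log format. The following is an added example, not code from the original post, that parses a few constructed native-format log lines in Node.js and summarises them per client, so you can see which LAN hosts are using the proxy, how many of their requests Squid denied, and which hosts you expected to see never appeared (a host missing from the log is still going direct). The client addresses, URLs and log lines are made up for the example; 203.0.113.0/24 is a documentation range.

```javascript
// Added example: summarise Squid native-format access.log lines per client.
// Native format: time elapsed client code/status bytes method URL user peerstatus/peerhost type
// Constructed sample lines, not taken from a real installation.
const SAMPLE_LOG = [
  "1464739200.123    345 192.168.1.50 TCP_MISS/200 15432 GET http://www.example.com/ - HIER_DIRECT/203.0.113.5 text/html",
  "1464739201.456     12 192.168.1.50 TCP_HIT/200 2048 GET http://www.example.com/logo.png - HIER_NONE/- image/png",
  "1464739202.789      5 192.168.1.51 TCP_DENIED/403 3745 GET http://blocked.example.net/ - HIER_NONE/- text/html",
  "1464739203.012    890 192.168.1.51 TCP_TUNNEL/200 65000 CONNECT mail.example.org:443 - HIER_DIRECT/203.0.113.10 -",
].join("\n");

// Parse one native-format line into an object; return null for blank or malformed lines.
function parseLine(line) {
  const f = line.trim().split(/\s+/);
  if (f.length < 10) return null;
  const [result, status] = f[3].split("/");
  return {
    time: new Date(parseFloat(f[0]) * 1000),
    elapsedMs: parseInt(f[1], 10),
    client: f[2],
    result,                       // TCP_MISS, TCP_HIT, TCP_DENIED, TCP_TUNNEL, ...
    status: parseInt(status, 10), // HTTP status Squid returned to the client
    bytes: parseInt(f[4], 10),    // bytes sent to the client
    method: f[5],
    url: f[6],
    user: f[7],
    peer: f[8],
    type: f[9],
  };
}

// Aggregate per client IP: request count, bytes, denied requests and cache hits.
function summarise(logText) {
  const perClient = {};
  for (const line of logText.split("\n")) {
    const r = parseLine(line);
    if (!r) continue;
    const c = perClient[r.client] || (perClient[r.client] = { requests: 0, bytes: 0, denied: 0, hits: 0 });
    c.requests += 1;
    c.bytes += r.bytes;
    if (r.result === "TCP_DENIED") c.denied += 1;
    if (/HIT/.test(r.result)) c.hits += 1; // TCP_HIT, TCP_MEM_HIT, TCP_IMS_HIT, ...
  }
  return perClient;
}

// Hosts you browsed from that never appear in the log went around the proxy.
function missingClients(perClient, expectedClients) {
  return expectedClients.filter((ip) => !(ip in perClient));
}

const summary = summarise(SAMPLE_LOG);
for (const [ip, s] of Object.entries(summary)) {
  console.log(`${ip}: ${s.requests} requests, ${s.bytes} bytes, ${s.denied} denied, ${s.hits} cache hits`);
}
console.log("not seen via proxy:", missingClients(summary, ["192.168.1.50", "192.168.1.51", "192.168.1.60"]));
```

Point the script at a copy of the real access.log once you have browsed through the proxy; a client that shows up here with TCP_DENIED entries is hitting an ACL, and one that never shows up at all has a path around Squid that the firewall rules did not close.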



The WPAD Mystery


Now we are going to set up WPAD. This is the tricky part, because proxy auto-discovery is handled differently by different browsers. First, set the pfSense webConfigurator to HTTP so that it can host the WPAD files, since browsers fetch them over plain HTTP: go to System > Advanced and set Protocol to HTTP under webConfigurator. Be aware of what this trades away: your admin login now travels in cleartext on the LAN, so make sure the webConfigurator is reachable only from interfaces you trust.


You need to create a PAC (proxy auto-config) file first. Three copies will be saved under different names to suit different browsers. Go to Diagnostics > Edit File and type this into the edit box:

function FindProxyForURL(url, host) {
  // Unqualified names (intranet, wpad, pfsense) and URLs that use a LAN IP literal stay local.
  // Note that host is taken from the URL as typed, so "192.168.1.*" only matches IP-literal URLs.
  if (isPlainHostName(host) || shExpMatch(host, "192.168.1.*")) return "DIRECT";
  // Everything else goes through Squid on the pfSense LAN address.
  return "PROXY 192.168.1.1:3128";
}

Replace 192.168.1.1 and 192.168.1.* with your own LAN address and subnet. Then type the path and filename /usr/local/www/proxy.pac and click Save.
Change the filename twice more, to wpad.dat and wpad.da, saving each time, so that browsers requesting those names are served too.
The directory /usr/local/www is the document root (the public_html, if you like) of the webConfigurator's web server. We are using that built-in server to serve the WPAD files to the network.

The three WPAD files and their paths:
/usr/local/www/proxy.pac
/usr/local/www/wpad.dat
/usr/local/www/wpad.da
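A browser evaluates FindProxyForURL with helper functions (isPlainHostName, shExpMatch, isInNet, dnsDomainIs) that do not exist outside a browser, which makes a PAC file awkward to test before every client on the LAN starts using it. The following added example, not part of the original post, supplies minimal stand-ins for those helpers so that a somewhat fuller PAC file can be exercised in Node.js. Compared to the file above it also keeps localhost and hosts under the LAN's own domain direct, and it checks for an IP literal before calling isInNet, because in a browser isInNet on a hostname triggers a DNS lookup on every request. The proxy 192.168.1.1:3128, the subnet 192.168.1.0/24 and the domain yourdomain.com are the values used on this page and are assumptions to change for your own network.

```javascript
// Added example: a PAC file plus stand-ins for the browser's PAC helper functions,
// so the routing decisions can be checked in Node.js before copying the file to /usr/local/www.

// ---- Minimal PAC helpers (a browser provides its own; these exist only for offline testing) ----
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}

// Shell-style glob match as PAC defines it: * matches any run, ? matches one character.
function shExpMatch(str, shexp) {
  const re = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

function ipToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Offline isInNet: only IP literals are compared; a real browser would resolve a hostname first.
function isInNet(host, pattern, mask) {
  const h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
  if (h === null || p === null || m === null) return false;
  return ((h & m) >>> 0) === ((p & m) >>> 0);
}

// ---- The PAC file itself: this part is what would be saved as proxy.pac / wpad.dat / wpad.da ----
const PROXY = "PROXY 192.168.1.1:3128";   // Squid on the pfSense LAN address (assumed)
const LAN_NET = "192.168.1.0";             // LAN subnet (assumed)
const LAN_MASK = "255.255.255.0";
const LOCAL_DOMAIN = ".yourdomain.com";    // domain from System > General Setup (assumed)

function FindProxyForURL(url, host) {
  // Loopback and unqualified names (intranet, wpad, pfsense) never leave the LAN.
  if (host === "localhost" || isPlainHostName(host)) return "DIRECT";
  // Hosts inside the LAN's own DNS domain.
  if (dnsDomainIs(host, LOCAL_DOMAIN)) return "DIRECT";
  // IP-literal URLs inside the LAN subnet, e.g. http://192.168.1.1/ for the pfSense GUI.
  // The literal check comes first so that isInNet is never asked to resolve a hostname.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) && isInNet(host, LAN_NET, LAN_MASK)) return "DIRECT";
  // Everything else goes through Squid. Deliberately no "; DIRECT" fallback: with the LAN rules
  // restricted to the proxy it would only hide an outage, and without them it would let every
  // client bypass the proxy, and any filtering on it, the moment Squid is down.
  return PROXY;
}

// Decisions for a list of hosts, as [host, result] pairs; URLs are constructed for the check.
function decisions(hosts) {
  return hosts.map((h) => [h, FindProxyForURL("http://" + h + "/", h)]);
}

for (const [h, d] of decisions(["intranet", "192.168.1.1", "printer.yourdomain.com", "10.0.0.5", "www.example.com"])) {
  console.log(h.padEnd(24), d);
}
```

Only the section from the const lines down belongs in the file you save on pfSense; the helper stand-ins above it exist to run the same logic in Node.js. The missing "; DIRECT" fallback is a deliberate choice, not an oversight: a PAC that silently falls back to a direct connection turns every proxy outage into a policy bypass.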



Next, add the WPAD MIME type so that the web server serves the files with the correct Content-Type. Still at Diagnostics > Edit File, browse to /usr/local/etc/nginx and open the mime.types file. Add the highlighted lines to this file (they associate the dat, pac and da extensions with the PAC MIME type, application/x-ns-proxy-autoconfig), then Save. Reboot pfSense by going to Diagnostics > Reboot to apply the new settings. Keep in mind that a pfSense upgrade can replace this file, so check it again after upgrading.


Now you need to publish the location of the WPAD/PAC files through DNS and DHCP. Go to Services > DNS Resolver, then add a new entry to the Host Overrides list by clicking + Add. Fill in the following and click Save. Use the domain configured under System > General Setup, so that wpad.yourdomain.com matches the search suffix your DHCP clients receive. Answering for wpad from your own resolver also means a rogue machine on the LAN cannot claim the name through broadcast name resolution (LLMNR/NetBIOS) and hand your clients a malicious proxy, which is the classic WPAD attack; Windows only falls back to those protocols when DNS has no answer.

Host : wpad
Domain : yourdomain.com
IP Address : 192.168.1.1 (your router's LAN interface IP address)
Description : WPAD Server (optional)


Go to Services > DHCP Server and click Display Advanced next to Additional BOOTP/DHCP Options. Add three options by clicking + Add, fill them in as below, then click Save. The quotes around the value are required.

Number    Type      Value
252       String    "http://wpad/wpad.dat"
252       String    "http://wpad/wpad.da"
252       String    "http://wpad/proxy.pac"

DHCP option 252 carries a single URL per client. If the DHCP server complains about the duplicate option code, keep only the wpad.dat entry, which is the filename Windows and Chrome request.



WPAD Shooting Trouble


Launch a Command Prompt and run nslookup against the wpad name to test the DNS host override you added. Then confirm the file is really served by browsing to http://wpad/wpad.dat in Chrome: if wpad.dat downloads, the DNS side of the WPAD setup works. Check the response's Content-Type header in the browser's developer tools (Network tab) as well; it should be application/x-ns-proxy-autoconfig, otherwise the mime.types change is not active. The nslookup output should look like this:

C:\>nslookup wpad
Server:  pfsense.yourdomain.com
Address:  192.168.1.1

Name:  wpad.yourdomain.com
Address:  192.168.1.1

C:\>

To see whether Chrome actually picked up the WPAD file, visit chrome://net-internals/#proxy; the Effective proxy settings section should show the WPAD/PAC file URL rather than Direct.


If the effective setting is Direct rather than a WPAD/PAC file, clear the browser cache and reset Internet Properties (Automatically detect settings ticked, no manual proxy). If the browser still ignores the WPAD file, or you are using Safari, you can enter the configuration URL http://wpad/wpad.dat manually in the browser's proxy settings instead. Another issue: hosts that do not get their address from the DHCP server never receive option 252, so they depend on the DNS method alone, which only works if their DNS search suffix is yourdomain.com so that the bare name wpad resolves to wpad.yourdomain.com.


Now we can go to the Filtering part of the setup.



