How to Set Up a Transparent Squid Proxy Server Using pfSense
Proxy servers act as an intermediary for clients on a network requesting resources from another server. The most common type of proxy is a web proxy.
Proxy servers can be very useful for improving the speed of an internet connection by caching, logging internet usage, or filtering the traffic. The proxy server will store local copies of HTML pages, images, and other files in its cache.
Caching proxy servers can greatly improve the internet performance of corporate networks or internet cafe's where many users may be requesting similar pages.
When a client requests a web page the proxy checks to see if has any of the files stored in cache, if it does it serves them to the client without having to download them from the web server.
This reduces latency and saves internet bandwidth. Transparent proxys route the clients traffic through the proxy server automatically, unlike traditional proxys which require configuration changes on the client systems.
If you are unfamiliar with pfSense check out an Introduction to pfSense.
The first thing you'll need to do is install the squid package in pfSense. This can be done from the package manager found under the system menu.
Locate the Squid package and click the + symbol next to it to begin the installation. The installation process normally takes a few minutes to complete.
After the installation is completed you will have a new menu option under 'Services' called 'Proxy Server'. Click on the new menu option to bring of the configuration page.
Here you will need to set the proxy interface which is typically LAN. Next check to box 'Allow users on the interface'. Then check the box 'Enable transparent proxy'. Now scroll down to the bottom and hit save. This will start the squid service using the settings you have defined.
At this point you have a fully functional transparent proxy server running on pfSense. You do not need to make any changes to the computers on your network for them to use the proxy. Any clients requesting web pages on port 80 will be automatically redirected through the proxy. The users on your network won't even know their traffic is going through a proxy!
The traffic management tab has some settings that are useful if you want to place bandwidth usage restrictions on the proxy.
Using these settings you can configure a maximum download or upload size which will restrict transfers over a certain size limit.
You can also set the proxy to throttle binary files, cd images, or any other file type that you specify. Per host throttling sets the maximum amount of bandwidth an individual host can use.
There are various options on the cache tab of the squid configuration page that you can modify to improve performance in your environment. Below are some of the settings I recommend modifying. If the computer running the proxy has a limited amount of disk and ram you should be cautious not to use overly aggressive settings. On the other hand if you have lots of resources to spare you can increase the settings to improve performance.
- Hard disk cache size - This sets the total amount of hard disk space squid will use to cache objects. If you have a large hard drive you can increase this setting to cache more objects. Just remember that objects cached in memory will be retrieved faster than objects on hard disk.
- Memory cache size - If your pfSense system has plenty of ram I recommend increasing the size of the memory cache. Objects that squid can't store in memory end up getting swapped to disk which is much slower than RAM.
- Maximum object size -The default of 4K is pretty small, I recommend increasing this to 50. You could set it larger but most cache hits tend to take place on small files anyway.
- Edit /boot/loader.conf.local - This change needs to be done via SSH. Using a text editor such as vi add kern.ipc.nmbclusters="32768" to the file then save the file and reboot the pfSense router. This increases the total amount of memory used for socket buffers to 32M.
Visit the pfSense documentation site for more Squid performance tuning tweaks.
Manually Clearing The Squid Cache
Squid has it's own system for purging old objects from the cache but occasionally you may want to clear the entire Squid cache.
I recommend logging into pfSense using SSH to run these commands. It is possible to run them using the command prompt function in the diagnostics menu but I don't advise doing so.
First you'll need to stop the proxy service.
squid -k shutdown
The command below will delete all of the files in the cache directory. This command can take a long time to run especially if you have defined a large cache size so be patient.
rm -fr /var/squid/cache/*
Before you restart Squid you should recreate the swap directly structure.
If you receive a message that Squid is already running go ahead and shutdown the service and again and rerun the command. PfSense seems to restart Squid on it's own when it notices it's not running.
Finally you can restart Squid to begin using the proxy again.
To make sure it started you can check the status on the services menu which is found under the status menu of the web interface.
If you are interested in tracking the usage of your proxy you can install an additional package called Lightsquid.
Lightsquid will generate interactive reports that track all of the websites visited by users, as well as a list of top sites.
You can even determine which IP visited a certain site, and what time it was visited.
Lightsquid can be installed through the pfSense package manager the same way you installed squid.
After installation a new menu item will be created under Status called Proxy Report.
On the settings page you can set the report refresh schedule to an interval between 10 minutes and 24 hours. This determines how often Lightsquid generates a new report. You can manually refresh the report using the refresh now button. To view the report click on the Lightsquid Report tab.
Additional pfSense Guides
- How to configure a DNS blacklist using pfSense
If your looking for an easy way to block domains on your network based on many common categories DNS blacklist can do the job easily. DNS blacklist is a package for the popular pfSense platform.
- Dual Wan Router - How to Load Balance Using pfSense
Purchasing a dual wan router can easily set you back several hundred bucks. Besides the high prices many of the models on the market lack many features. So instead of shelling out cash for a router with...
- Setting up a pfSense router
If your looking to replace your home router with something that offers more control, features, and performance pfSense is an excellent choice. pfSense can act as both a router and firewall offering lots of features for free that are often only found
I hope this hub has demonstrated how easy it is to setup a transparent proxy using the power of pfSense. Transparent proxys can add value to small home networks or large corporate networks with hundreds of users.
Feel free to comment if you have any questions and please let me know what else you would like to learn about pfSense.
If you found this hub useful please take a moment to rate it or leave a comment below.
This article is accurate and true to the best of the author’s knowledge. Content is for informational or entertainment purposes only and does not substitute for personal counsel or professional advice in business, financial, legal, or technical matters.
Questions & Answers
We have an ASA firewall on our LAN and we want to use Pfsense and the ASA at the same time, is this possible?
Yes, you can use pfSense in combination with the ASA if you wish. To use pfSense as a transparent proxy you would set the default gateway on your clients to point to the pfSense system. You would then set the gateway of pfSense to point to the ASA.
If you do not want to modify the default gateway of the clients you can modify the client proxy settings to point to pfSense. Again pfSense would need to point to the ASA as its default gateway.