{"id":179,"date":"2018-06-13T17:08:20","date_gmt":"2018-06-13T20:08:20","guid":{"rendered":"http:\/\/xaxowareti.com.br\/?p=179"},"modified":"2018-06-13T17:08:20","modified_gmt":"2018-06-13T20:08:20","slug":"setting-up-wpad-autoconfigure-for-the-squid-package","status":"publish","type":"post","link":"https:\/\/xaxowareti.com.br\/?p=179","title":{"rendered":"Setting up WPAD Autoconfigure for the Squid Package."},"content":{"rendered":"<h1>Setting up WPAD Autoconfigure for the Squid Package<\/h1>\n<p>pfSense can be configured to serve up automatic proxy configuration data to clients to point users to squid running either on pfSense or another local system, assuming their system settings are configured for this behavior. Though the data can be served from the firewall, the task is better suited for another local web server if one is available.<\/p>\n<div class=\"admonition note\">\n<p class=\"first admonition-title\">Note<\/p>\n<p class=\"last\">To use the web server on the firewall to serve this data, the GUI must run in HTTP mode, or the vhosts package may be used to set up an alternate HTTP server on port 80. Neither of these is recommended over running a separate local web server for this task.<\/p>\n<\/div>\n<p>This process is known as WPAD, short for\u00a0<a class=\"reference external\" href=\"http:\/\/en.wikipedia.org\/wiki\/Web_Proxy_Autodiscovery_Protocol\">Web Proxy AutoDiscovery Protocol<\/a>. If a web browser is configured for autodiscovery, it will try a few methods to figure out a proxy\u2019s location.<\/p>\n<p>A WPAD host may be supplied via DHCP numbered option 252 (a string value containing the entire URL to the WPAD file) or via DNS, which is easy to do with the built-in DNS forwarder.<\/p>\n<div id=\"why-would-this-be-done\" class=\"section\">\n<h2>Why would this be done?<\/h2>\n<p>To use squid authentication, squid cannot be used in transparent mode. HTTPS traffic also cannot be filtered using transparent mode.
When squid is run in normal mode, a proxy IP and port must be configured on each client machine, which can be tedious. This can also cause problems on road warrior laptops that come in and out of the network. Rather than resetting their proxy configuration each time they enter and leave, autoconfigure will let them come and go without much trouble.<\/p>\n<p>Most, if not all, modern browsers ship with the autoconfigure setting turned off, so it may still be necessary to push or enter this setting on client PCs. Even so, another advantage of using autoconfigure is that should squid move to another IP address, only one file must be changed to inform the clients of the updated IP address. (This may be easy to pull off in a Windows domain with AD, but not for many others!)<\/p>\n<\/div>\n<div id=\"prerequisites\" class=\"section\">\n<h2>Prerequisites<\/h2>\n<p>This How-To assumes squid is already operating in a non-transparent configuration. For help with that, look elsewhere in this documentation and on the Forums.<\/p>\n<\/div>\n<div id=\"create-wpad-dat\" class=\"section\">\n<h2>Create wpad.dat<\/h2>\n<p>Before starting, a\u00a0<em>wpad.dat<\/em>\u00a0file must be crafted. This is a single file with a JavaScript function which tells the browser how to find a proxy hostname and port. This function can be as simple or as complex as desired; there are many examples on the web.
In this example, all clients will be directed to the squid instance on the firewall.<\/p>\n<p>The contents of the example\u00a0<em>wpad.dat<\/em>\u00a0file are:<\/p>\n<div class=\"highlight-default notranslate\">\n<div class=\"highlight\">\n<pre><span class=\"n\">function<\/span> <span class=\"n\">FindProxyForURL<\/span><span class=\"p\">(<\/span><span class=\"n\">url<\/span><span class=\"p\">,<\/span><span class=\"n\">host<\/span><span class=\"p\">)<\/span>\r\n<span class=\"p\">{<\/span>\r\n<span class=\"k\">return<\/span> <span class=\"s2\">\"PROXY 192.168.1.1:3128\"<\/span><span class=\"p\">;<\/span>\r\n<span class=\"p\">}<\/span>\r\n<\/pre>\n<\/div>\n<\/div>\n<p>The function in that file tells the browser to look for a proxy on\u00a0<em>192.168.1.1<\/em>\u00a0at port\u00a0<em>3128<\/em>.<\/p>\n<p>Now upload that file to pfSense or another locally accessible web server with scp, or create it using the built-in file editor. The file must go in\u00a0<em>\/usr\/local\/www\/<\/em>.<\/p>\n<p>Due to the different ways that various browser versions try to access the file, this same code should exist in at least three different places:<\/p>\n<div class=\"highlight-default notranslate\">\n<div class=\"highlight\">\n<pre><span class=\"o\">\/<\/span><span class=\"n\">usr<\/span><span class=\"o\">\/<\/span><span class=\"n\">local<\/span><span class=\"o\">\/<\/span><span class=\"n\">www<\/span><span class=\"o\">\/<\/span><span class=\"n\">wpad<\/span><span class=\"o\">.<\/span><span class=\"n\">dat<\/span>\r\n<span class=\"o\">\/<\/span><span class=\"n\">usr<\/span><span class=\"o\">\/<\/span><span class=\"n\">local<\/span><span class=\"o\">\/<\/span><span class=\"n\">www<\/span><span class=\"o\">\/<\/span><span class=\"n\">wpad<\/span><span class=\"o\">.<\/span><span class=\"n\">da<\/span>\r\n<span class=\"o\">\/<\/span><span class=\"n\">usr<\/span><span class=\"o\">\/<\/span><span class=\"n\">local<\/span><span class=\"o\">\/<\/span><span class=\"n\">www<\/span><span 
class=\"o\">\/<\/span><span class=\"n\">proxy<\/span><span class=\"o\">.<\/span><span class=\"n\">pac<\/span>\r\n<\/pre>\n<\/div>\n<\/div>\n<p>(More advanced users might do this from the shell and use\u00a0<em>ln<\/em>\u00a0to link the files.)<\/p>\n<p>We recommend pointing\u00a0<em>wpad.<\/em>\u00a0to an internal web server which can answer requests for the\u00a0<em>wpad.dat<\/em>\u00a0and associated files. It can be any web server, but the file typically must be served from both the default\u00a0<em>VirtualHost<\/em>\u00a0and one named\u00a0<em>wpad<\/em>, due to differences in how browsers request the file.<\/p>\n<p>To make this work using pfSense to serve the file, local clients will need to be able to reach the local interface IP address of the pfSense router. They do not need to access the WebGUI with a password; this file will be served without authentication. The GUI must also be run in HTTP mode, which is less secure. If the GUI is set to use HTTP, never open up access to the GUI over the WAN.<\/p>\n<\/div>\n<div id=\"configure-dns\" class=\"section\">\n<h2>Configure DNS<\/h2>\n<p>Now to set up the DNS portion. WPAD will take the domain name given to the machine, likely assigned by DHCP, and prepend\u00a0<em>wpad.<\/em>. If the domain is\u00a0<em>example.com<\/em>, it will look for\u00a0<em>wpad.example.com<\/em>. This task may be accomplished with the DNS Forwarder\/DNS Resolver in pfSense or with another internal DNS server used by client PCs.<\/p>\n<p>A client browser will ultimately try to access\u00a0<em>http:\/\/wpad.example.com\/wpad.dat<\/em>\u00a0&#8211; among others. More details on the hostnames tried by WPAD are available in the\u00a0<a class=\"reference external\" href=\"http:\/\/en.wikipedia.org\/wiki\/Wpad\">WPAD article on Wikipedia<\/a>.<\/p>\n<p>To add the entry using the DNS forwarder on pfSense, navigate to\u00a0<strong>Services &gt; DNS Forwarder<\/strong>.
Click\u00a0<img decoding=\"async\" src=\"https:\/\/www.netgate.com\/docs\/pfsense\/_images\/fa-plus.png\" alt=\"fa-plus\" \/>\u00a0to add a new\u00a0<strong>Host Override<\/strong>.<\/p>\n<p>Enter the following (replace the domain and IP address with their actual values):<\/p>\n<ul class=\"simple\">\n<li><strong>Host<\/strong>:\u00a0<em>wpad<\/em><\/li>\n<li><strong>Domain<\/strong>:\u00a0<em>example.com<\/em><\/li>\n<li><strong>IP Address<\/strong>:\u00a0<em>192.168.1.1<\/em><\/li>\n<li><strong>Description<\/strong>:\u00a0<em>WPAD Autoconfigure Host<\/em><\/li>\n<\/ul>\n<p>Click\u00a0<strong>Save<\/strong>.<\/p>\n<\/div>\n<div id=\"block-port-80-out-from-lan\" class=\"section\">\n<h2>Block Port 80 Out from LAN<\/h2>\n<p>Create a firewall rule at the TOP of the LAN tab (or appropriate interface) that blocks anything from\u00a0<strong>&lt;internal subnet&gt;<\/strong>\u00a0to * on port 80.<\/p>\n<div class=\"admonition note\">\n<p class=\"first admonition-title\">Note<\/p>\n<p class=\"last\">If the firewall is used to serve WPAD and the WebGUI anti-lockout rule has been disabled, web traffic must also be allowed to the pfSense firewall GUI port. If this is not acceptable, point\u00a0<em>wpad.<\/em>\u00a0to another internal web server which can answer requests for the\u00a0<em>wpad.dat<\/em>\u00a0and associated files.<\/p>\n<\/div>\n<\/div>\n<div id=\"test-clients\" class=\"section\">\n<h2>Test Clients<\/h2>\n<p>Fire up a browser on a client behind the pfSense firewall, and see what happens. If squid is configured for authentication, the client will be greeted with a login prompt. Otherwise, check squid\u2019s logs to ensure traffic is going through the proxy. A proxy test site such as\u00a0<a class=\"reference external\" href=\"http:\/\/www.lagado.com\/proxy-test\">http:\/\/www.lagado.com\/proxy-test<\/a>\u00a0can also be useful.<\/p>\n<p>If nothing happened, check the browser settings.
Many modern browsers ship with the autoconfigure settings off.<\/p>\n<div id=\"internet-explorer\" class=\"section\">\n<h3>Internet Explorer<\/h3>\n<ul class=\"simple\">\n<li>Open\u00a0<strong>Internet Options<\/strong><\/li>\n<li>Click the\u00a0<strong>Connections<\/strong>\u00a0tab<\/li>\n<li>Click the\u00a0<strong>LAN Settings<\/strong>\u00a0button<\/li>\n<li>Check\u00a0<strong>Automatically Detect Settings<\/strong><\/li>\n<li>Click\u00a0<strong>OK<\/strong>, and\u00a0<strong>OK<\/strong>\u00a0again.<\/li>\n<\/ul>\n<\/div>\n<div id=\"firefox\" class=\"section\">\n<h3>Firefox<\/h3>\n<ul class=\"simple\">\n<li>Click\u00a0<strong>Tools<\/strong>\u00a0(or the three-bar icon)<\/li>\n<li>Click\u00a0<strong>Options<\/strong><\/li>\n<li>Click\u00a0<strong>Advanced<\/strong><\/li>\n<li>Click the\u00a0<strong>Network<\/strong>\u00a0tab<\/li>\n<li>Click the\u00a0<strong>Settings<\/strong>\u00a0button<\/li>\n<li>Select\u00a0<strong>Auto-detect proxy settings for this network<\/strong><\/li>\n<li>Click\u00a0<strong>OK<\/strong><\/li>\n<\/ul>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Setting up WPAD Autoconfigure for the Squid Package pfSense can be configured to serve up automatic proxy configuration data to clients to point users to squid running either on pfSense or another local system, assuming their system settings are configured for this behavior.
Though the data can be served from the firewall, the task is [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-179","post","type-post","status-publish","format-standard","hentry","category-dicassolucoes"],"_links":{"self":[{"href":"https:\/\/xaxowareti.com.br\/index.php?rest_route=\/wp\/v2\/posts\/179","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/xaxowareti.com.br\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xaxowareti.com.br\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xaxowareti.com.br\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/xaxowareti.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=179"}],"version-history":[{"count":1,"href":"https:\/\/xaxowareti.com.br\/index.php?rest_route=\/wp\/v2\/posts\/179\/revisions"}],"predecessor-version":[{"id":180,"href":"https:\/\/xaxowareti.com.br\/index.php?rest_route=\/wp\/v2\/posts\/179\/revisions\/180"}],"wp:attachment":[{"href":"https:\/\/xaxowareti.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=179"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xaxowareti.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=179"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xaxowareti.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=179"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}