nguvu

pfSense Squid proxy configuration

Published 2 May 2014. Revised 17 January 2016 for typos and formatting.

One of the things that irks me these days is the number of pop-ups and adverts I experience whilst surfing on my iPad. Like most people, my tablet gets a lot of use due to its convenient size and portable nature. My desktop browsers run the popular Adblock plugins, which clean up the surfing experience considerably, but these plugins don’t work with the iPad’s native browser, and moving to a third-party browser that would enable Adblock functionality would lose the bookmark sync and native rendering performance which Apple keeps locked up for its own benefit.

Having recently installed a pfSense router into my home network, I wanted to utilise a plugin called Squid to improve my tablet surfing experience.

There are two benefits to using Squid: caching and filtering. Both contribute to a quicker and more pleasant browsing experience.

To give you a taste of the improvements, this is the before and after on my iPad.

[Image: 140502-ipad-comp]

And this is the before and after on my desktop, with a comparison with Adblock too. You can see the benefit of Adblock is that it rolls DIVs up, making the presentation a bit neater, but the reduction in clutter is still present with Squid alone.

[Image: 140502-pc-comp]

Installation

This setup guide assumes you already have a working pfSense router configured. I’m tunneling all my traffic through Air VPN’s servers these days as it continues to afford security without compromising performance.

Install packages

Install the following packages from System->Packages. Note that the order in which you install them is important, as SquidGuard installs some older files which will be updated when you install squid3-dev.

  1. Install SARG (2.3.6 pkg v0.6.3). (N.B. You could use Lightsquid if you want, but I prefer SARG for easily configuring log rotation and scheduling.)
  2. Install squidGuard-squid3 (1.4.4 pkg v.1.9.5)
  3. Install squid3-dev (3.3.10 pkg 2.2.2)

Configure Squid

Accessed from Services->Proxy Server

General tab

Squid General Settings

Set the options as follows:-

You can, if needed, select additional interfaces by holding down the shift key whilst selecting interfaces. I personally only use Squid on my VPN interface, preferring to keep my LAN connection clear of any filtering or encryption.

Transparent Proxy Settings

SSL man in the middle

Leave the rest of this section as default; we aren’t going to use this feature.

Logging Settings

Select Local Cache tab

Squid Cache General Settings

Squid Hard Disk Cache Settings

Squid Memory Cache Settings

Dynamic and Update Content

I understand there are some bugs in this area so I’ve stayed clear of using it.

Configure SquidGuard

Accessed from Services->Proxy Filter

General Settings

LDAP Options

Logging options

Miscellaneous

Blacklist options

Blacklist tab

Target Categories

I create two lists: one to specifically whitelist some websites, and another to blacklist additional sites which may be specific to my needs and where Shalla’s list may not include a particular location in their default rules.

Click ‘+’ to add a new target category for our whitelist

Click ‘+’ to add a new target category for our blacklist

Common ACL tab

I’ve taken the option to permit all traffic and only block specific areas; you can alternatively block everything by default and specifically allow sites if desired.

Click on target rules List

The target rules box at the top of this page confirms the processing rule; the order is important. Edit the order using the Target Categories rules ‘order’ dropdown to ensure the order is Whitelist, Blacklist, Shalla groups, Default Access.

[Image: 140502-proxy-filter-conf]

Configure Sarg

Accessed from Status->Sarg reports

General

Report Settings

Schedule tab

Click + to create new rule

Click + to create new rule

Click + to create new rule

Verify you see three rules displayed summarising the above entries.

Verifying functionality

Status dashboard

Verify the Proxy server service and Proxy Server filter service have green running icons next to them. If they have red crosses next to them, check the system log for the possible reason why they failed to start.

Go to Services->Proxy Server, Real time tab

A scrolling window will summarise the cache hit status of each access. Look for some TCP_HIT or TCP_MEM_HIT entries to verify caching is working correctly.

Alternatively, open up an SSH session and enter tail -f /var/squid/logs/access.log to observe cache accesses.
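
To put a number on those hits rather than watching them scroll past, the log can be summarised from the same SSH session. This is an added example, not part of the original guide; it assumes Squid's default native access.log format (field 4 is result code/HTTP status, field 5 is bytes) and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: summarise cache hits in a Squid native-format access.log.
# Reads the file given as $1, or stdin when no file is given.

# Constructed sample lines (not real traffic) in Squid's native log format.
sample_log() {
cat <<'EOF'
1399017600.123     45 192.168.1.20 TCP_MISS/200 15000 GET http://example.com/ - HIER_DIRECT/192.0.2.10 text/html
1399017601.456      2 192.168.1.20 TCP_MEM_HIT/200 4000 GET http://example.com/logo.png - HIER_NONE/- image/png
1399017602.789      5 192.168.1.20 TCP_HIT/200 6000 GET http://example.com/site.css - HIER_NONE/- text/css
1399017603.012     60 192.168.1.20 TCP_MISS/200 20000 GET http://example.org/ - HIER_DIRECT/192.0.2.10 text/html
1399017604.345     30 192.168.1.20 TCP_MISS/200 5000 GET http://example.org/a.js - HIER_DIRECT/192.0.2.10 text/javascript
EOF
}

# One-line summary: request hit ratio and byte hit ratio.
squid_cache_summary() {
    awk '
        NF >= 5 {
            split($4, r, "/")      # r[1] = result code, e.g. TCP_MEM_HIT
            total++; bytes += $5
            # TCP_HIT, TCP_MEM_HIT and TCP_IMS_HIT were answered from cache.
            if (r[1] ~ /^TCP_.*HIT/) { hits++; hit_bytes += $5 }
        }
        END {
            if (total == 0) { print "requests=0"; exit }
            printf "requests=%d hits=%d hit_pct=%.1f byte_hit_pct=%.1f\n",
                total, hits, 100 * hits / total,
                (bytes ? 100 * hit_bytes / bytes : 0)
        }
    ' "${1:--}"
}

# Per-result-code counts, most frequent first.
squid_result_codes() {
    awk 'NF >= 5 { split($4, r, "/"); n[r[1]]++ }
         END { for (c in n) printf "%d %s\n", n[c], c }' "${1:--}" | sort -rn
}

# Demo on the constructed sample; on the router, pass the real log instead:
#   squid_cache_summary /var/squid/logs/access.log
sample_log | squid_cache_summary
# → requests=5 hits=2 hit_pct=40.0 byte_hit_pct=20.0
```

The byte hit ratio is usually lower than the request hit ratio because small static objects cache well while large downloads often do not.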

Sarg reports

Go to Status->Sarg Reports, View Report and select the latest report.

You should see an IN-CACHE-OUT column which will summarise the percentage of accesses which are in and out of cache.

I didn’t see huge amounts of positive caching activity immediately but it has slowly improved as my cache has become populated during normal use. I’m currently seeing just under 10% after 24 hours of population.

Remember to disable any Adblock software you may be running if testing on a PC.

Verify functionality is correct by loading a web page which you know displays adverts and verify they are no longer displayed.