Tuesday, March 5, 2013

Pfsense 2.0 with HAVP as transparent proxy does not work

First things first - the pfSense project is AWESOME!!!

VERY BIG THANK YOU to everybody who has been and still is (as well as will be) involved with this project and all the add-on components like HAVP, SNORT, SQUID, PFblocker, and many others.

This post only applies to setting up Pfsense 2.0.2-RELEASE (i386) with havp-0.91_1 HTTP Antivirus Proxy, and may or may not apply to other released versions... No SQUID installed!

After installing the HAVP package you may find that it does not work in Transparent mode unless the SQUID caching proxy is also installed.

The workaround is to add a new firewall NAT rule that forwards all local LAN HTTP requests to the internal HAVP proxy port (the default port is 3125) on the box.

After saving the new port forwarding rule you should see the corresponding (linked) entries under the NAT and Firewall tables.

To test the transparent antivirus proxy configuration, open a web browser and try to download the fake malicious file from the EICAR site... If transparent mode is working correctly you should see a HAVP block page similar to the one below.

If you need to modify the HAVP reporting HTML templates, they are located under:
/usr/local/share/examples/havp/templates/en (your location may vary)
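
The EICAR test described above can also be scripted from a LAN client. The following is an added example, not part of the original post or of the pfSense/HAVP projects; the test-file URL is passed in by the user, and treating an HTML response as the block page is a heuristic assumption.

```python
import sys
import urllib.error
import urllib.request

# Fixed text inside the EICAR test file; its presence means the file arrived intact.
EICAR_MARKER = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"


def classify(url, content_type, body):
    """Judge one download attempt made from a LAN client behind the firewall."""
    if url.lower().startswith("https://"):
        # The NAT rule only redirects plain HTTP, so HAVP never sees this request.
        return "unscanned-https"
    if EICAR_MARKER in body:
        return "passed-through"  # test file reached the client: redirect not working
    if "text/html" in content_type.lower():
        # An HTML page instead of the file is consistent with the HAVP block page
        # (heuristic: an origin error page would look the same, so check by eye).
        return "replaced"
    return "inconclusive"


def fetch(url, timeout=10):
    """Fetch url with no explicit proxy, as a transparently proxied client would."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.headers.get("Content-Type", ""), resp.read(65536)
    except urllib.error.HTTPError as err:
        # A block page may come back with an error status; keep its body.
        return err.headers.get("Content-Type", ""), err.read(65536)


if __name__ == "__main__":
    # Usage: python check_havp.py <URL of the EICAR test file>
    target = sys.argv[1]
    print(target, "->", classify(target, *fetch(target)))
```

A result of "passed-through" means the port forward to HAVP is not taking effect for that client.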


  1. This works like a charm, but it doesn't work in the case where we choose to download the EICAR file from an SSL-enabled protocol.
    Do you have a fix for this? I tried to add a new rule in the firewall NAT for the HTTPS protocol but it doesn't work. When I am clicking on the SSL file it keeps on looping and is not able to download the file itself.

    1. Yes V,

      It seems that only HTTP protocol is supported... No SSL support I'm afraid.

  2. This comment has been removed by the author.

  3. If you see in the log "php: rc.filter_configure_sync: Havp: Squid is already configured as transparent proxy. Use 'Standard' proxy mode." it means squid was not cleanly deleted. In my case I reinstalled squid, unchecked "transparent squid" and deleted squid. After that HAVP will run in transparent mode without additional magic.

  4. YOU should be using our blacklists.