Netgate Discussion Forum

    Transparent Squid behind pfSense
    tonezzz

      Hi Friends,

      Now I'm reasonably familiar with pfSense and have started playing around with Squid to speed up my office's web browsing.  I've just installed a Squid box and am finding out how to configure it properly.

      I'm just confused about how to set up transparent Squid.

      I have a Squid server set up at IP 192.168.1.55:3128 on the LAN side.

      If I set up a port forward from port 80 to the Squid server's port 3128, how can my Squid server connect via port 80 to an outside server?  Would it be redirected back to the Squid server itself?

      Am I just overthinking this?  What should the practical setup be?

      Thanks,
      Tony.

      trendchiller

        Why don't you use the pfSense Squid package with transparent mode?
        Just enable the transparent button and see it working… :-)

        dwadson

          After struggling with how to redirect to a separate Squid box, I think I have it figured out now.

          Services --> Load Balancer --> Pools --> add a new pool
            Name: Squid Proxy
            Type: Gateway
            Monitor IP: <ip of the squid box>
            IP: <ip of the squid box>
            Click "Add to Pool" and then Save.

          Firewall --> Rules --> LAN --> add new rule
            Action: Pass
            Interface: LAN
            Protocol: TCP
            Source: check "not"
                Type: Single host or alias
                Address: <ip of squid box>
            Destination port range: HTTP
            Gateway: the Squid pool you set up in Load Balancer

          Setting it up like that redirects the traffic, from everything but Squid, to the Squid box without doing any sort of NAT on the source IP addresses, so you will have accurate Squid logs.

          hoba

            That's actually a great way to do this! Never thought of this. You could even create a failover pool to send out requests directly, unproxied, if the Squid box is down, by adding the WAN gateway as the second gateway to the pool.

            tonezzz

              Hi Trendchiller, where can I find the option? I'm using ver 1.0.1.

              Hi Dwadson, thanks, I'll try it tomorrow (my time GMT+7).

              Hi Hoba, you're the best.  That's what I was worrying about; you just enlightened me.  I'll try it and let you know the result.

              tonezzz

                Hi Dwadson

                I set up the rule as follows:
                Interface: LAN
                Protocol: TCP
                Source: Not 192.168.1.55
                Destination: any
                Destination port range: HTTP to HTTP
                Gateway: Squid proxy

                I set up the Load Balancer as follows:
                Name: Squid proxy
                Type: Gateway
                Monitor: TCP
                Monitor IP: 192.168.1.55 (my squid box)
                IP: 192.168.1.55

                You didn't mention the port for the load balancer, so I tried None, 80 and 3128, but none of them work for me.  What did I do wrong, or where should I check further?

                Thanks,
                Tony.

                dwadson

                  I had just left the port field empty.

                  Are you using a snapshot release? The load balancer config options have changed and it's been giving me some grief. Or it's just this dual-wan setup in general that is causing me headaches now…

                  tonezzz

                    I use this "pfSense-1.0.1-LiveCD-Installer.iso.gz"

                    tonezzz

                      More info:

                      Setup 1
                      1. I added port 80, so now my Squid box is listening on ports 80 and 3128
                      2. When I manually set up IE to use my Squid box as a proxy server it works perfectly on both port 80 and 3128
                      3. The Squid LAN routing rule still doesn't work.

                      This means that the Squid box is running OK but there's something wrong with the way pfSense routes the packets.

                      Setup 2
                      1. Same as situation (1)
                      2. I set up my Squid box with a public IP and let it access the Internet, bypassing the pfSense box.
                      3. I use NAT port forwarding and it works.

                      This narrows the scope of the problem to the way pfSense routes the packets only.

                      Basically Setup #2 is OK but not the best, because the statistics won't show the real requester; they just show the pfSense IP.

                      Anybody have any idea?

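A quick way to tell from a LAN client what the two setups above are actually doing, and to answer the original worry that the proxy's own port-80 traffic might be sent back to itself: read the response headers and look at the Via header. Squid appends its own hostname to Via on every pass, so a response with no Squid hop went out direct (Setup 2 from the client's point of view), one Squid hop means the redirect worked, and the same Squid host listed twice means the proxy's outbound request was looped back through it, which is what the "not <squid ip>" source exclusion in the LAN rule is there to prevent. The script below is an added example, not code from the thread or from Squid; the hostname squid.office.lan and the three header blocks are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the thread: classify an HTTP response as
# "direct", "proxied" or "loop" from its response headers. Squid appends
# itself to the Via header on every pass, so the same Squid host appearing
# twice means the proxy's own outbound request was redirected back to it.
# All sample responses below are constructed for this example.

# Print one Via hop per line from the headers read on stdin. Header names are
# matched case-insensitively, hops are comma-separated and may be spread over
# several Via lines; CRs from a real wire capture are stripped first.
via_hops() {
    tr -d '\r' | awk '{
        i = index($0, ":"); if (i == 0) next
        name = tolower(substr($0, 1, i - 1)); val = substr($0, i + 1)
        sub(/^[ \t]+/, "", val)
        if (name != "via") next
        n = split(val, hops, /,[ \t]*/)
        for (j = 1; j <= n; j++) print hops[j]
    }'
}

# Read headers on stdin and print "direct" (no Squid hop), "proxied" (each
# Squid host seen once) or "loop" (a Squid host seen more than once).
classify_response() {
    hops=$(via_hops)
    # A hop looks like "1.1 squid.office.lan (squid/2.6.STABLE5)"; field 2 is the host.
    squid_hosts=$(printf '%s\n' "$hops" | grep -i 'squid' | awk '{print $2}')
    [ -n "$squid_hosts" ] || { echo direct; return 0; }
    total=$(printf '%s\n' "$squid_hosts" | awk 'END { print NR }')
    distinct=$(printf '%s\n' "$squid_hosts" | sort -u | awk 'END { print NR }')
    if [ "$total" -gt "$distinct" ]; then echo loop; else echo proxied; fi
}

# Convenience wrapper: classify a header block passed as a string.
classify_text() {
    printf '%s\n' "$1" | classify_response
}

# Live check from a LAN client (not run here): fetch the headers of a plain
# HTTP URL and classify them. Requires network access and curl.
check_url() {
    curl -s --max-time 10 -o /dev/null -D - "$1" | classify_response
}

# Constructed sample responses.
DIRECT_HDRS='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'

PROXIED_HDRS='HTTP/1.1 200 OK
Server: Apache
Via: 1.1 squid.office.lan (squid/2.6.STABLE5)
X-Cache: MISS from squid.office.lan
Content-Type: text/html'

# Two hops through the same Squid host: the proxy's own request came back to it.
LOOP_HDRS='HTTP/1.1 200 OK
Server: Apache
Via: 1.1 squid.office.lan (squid/2.6.STABLE5), 1.1 squid.office.lan (squid/2.6.STABLE5)
Content-Type: text/html'

# Stand-alone run: classify the three samples (prints direct, proxied, loop).
for sample in "$DIRECT_HDRS" "$PROXIED_HDRS" "$LOOP_HDRS"; do
    classify_text "$sample"
done
```

Run `check_url http://<some plain-http site>/` from a workstation and then from the Squid box itself: the workstation should report "proxied" and the Squid box "direct". A "loop" result from either side means the source exclusion on the pfSense rule (or the `-d !` exclusion on the iptables rule) is not in effect.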
                      trendchiller

                        tonezzz: you need to install the Squid package (from the package menu). This only works on non-embedded installs…

                        the squid package really works fine

                        dwadson

                          What platform is your Squid box running on?

                          Mine is running on CentOS Linux and I have one firewall rule that is loaded from /etc/rc.d/rc.local after it boots up:

                          iptables -t nat -A PREROUTING -i eth0 -d ! <squid_ip> -p tcp --dport 80 -j REDIRECT --to-ports 3128

                          That rule redirects the traffic to the proper port for Squid. Kind of an important thing that I had forgotten about.  :)  If your Squid box is running on BSD, I'm not sure exactly how to accomplish that, but the Squid FAQ on transparent proxying has some examples of how to do it:

                          http://wiki.squid-cache.org/SquidFaq/InterceptionProxy

                          My Squid is still set to my old router, so I'm not 100% sure that the redirect rule on the pfSense box will pass the HTTP traffic from the Squid box properly. The rule SHOULD pass it...

                          dwadson

                            @trendchiller:

                            tonezzz: you need to install the squid-package (from the package menu). This only works on non-embedded-installs…

                            the squid package really works fine

                            Personally, I'm avoiding the built-in Squid proxy because it's more load on the router and the webGUI doesn't encompass all the options that Squid has. If you want to have custom ACLs for particular workstations (based on their MAC address), you end up having to edit the Squid configuration files directly.

                            Plus, I also use a program called MySAR for analyzing the Squid logs that requires MySQL and a webserver. I really don't want to have that running on my router as well. I think I could run those on a separate box from the Squid proxy itself, but if I need to do that…I might as well move Squid off the router too.

                            tonezzz

                              Thanks dwadson.  Mine is running on Debian GNU/Linux 3.1.  I'm very new to Linux anyway.  Your idea sounds good; I'll check it when I come back to work on Monday.  It's 21:23 on Friday night here and I'm still setting up 2 notebooks for my colleagues.  I want to go windsurfing tomorrow, it's windy every day ;-)

                              Enjoy your weekend.

                              tonezzz

                                Hi dwadson,  I just typed exactly the same command (iptables -t …) and it works!!!
                                I tried to find the rc.local file but I cannot find it.  I'm using Debian GNU/Linux 3.1; where should I put the command?  Anybody, please help.

                                dwadson

                                  http://www.justlinux.com/nhf/Distribution_Specific/Debian_GNULinux/Debian__Startup_Commands.html

                                  Or Google "debian startup script" and you'll get a steer in the right direction.

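Putting dwadson's REDIRECT rule and the Debian startup question together, here is an added example (my own script, not code from the thread, from Squid or from pfSense) of how I would carry that rule on the Squid box: validate the address and port before they go into a rule, build the rule with the extrapositioned `! -d` negation (the `-d !` form in the post is the older, deprecated spelling), apply it only when it is not already loaded so re-running does not stack duplicates, and install it as an ifupdown pre-up hook so it is re-applied every time the LAN interface comes up. The values 192.168.1.55, eth0 and 3128 are taken from the thread; the hook path /etc/network/if-pre-up.d/squid-redirect is my assumption (ifupdown runs the scripts in that directory with IFACE set to the interface name). `iptables -C` needs iptables 1.4.11 or newer; on older systems check with `iptables -t nat -L PREROUTING -n` instead.

```shell
#!/bin/sh
# Added example (not from the thread): build, validate and idempotently apply
# the PREROUTING REDIRECT rule for a transparent Squid, and persist it as an
# ifupdown hook. Assumed values (from the thread): Squid box 192.168.1.55,
# LAN interface eth0, Squid intercept port 3128. The hook path below is an
# assumption of this example.

# Returns 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    ip=$1
    echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Returns 0 if $1 is a TCP port in 1..65535.
valid_port() {
    echo "$1" | grep -Eq '^[0-9]{1,5}$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the rule specification (everything after the chain name): LAN HTTP
# traffic that is NOT addressed to the proxy itself is sent to Squid's
# intercept port. Requests aimed directly at the box (a manually configured
# browser, or a web server on it) are left alone. Fails on bad input so a
# typo never becomes a rule.
redirect_rule_spec() {
    squid_ip=$1; lan_if=$2; squid_port=$3
    valid_ipv4 "$squid_ip" || { echo "bad squid ip: $squid_ip" >&2; return 1; }
    valid_port "$squid_port" || { echo "bad port: $squid_port" >&2; return 1; }
    printf '%s\n' "-i $lan_if ! -d $squid_ip -p tcp --dport 80 -j REDIRECT --to-ports $squid_port"
}

# Apply the rule only if it is not already present (-C checks, -A appends),
# so running this at every interface up does not accumulate duplicates.
# Needs root.
apply_redirect() {
    spec=$(redirect_rule_spec "$@") || return 1
    # shellcheck disable=SC2086  # word splitting of $spec is intended
    iptables -t nat -C PREROUTING $spec 2>/dev/null \
        || iptables -t nat -A PREROUTING $spec
}

# Write an ifupdown hook to $1 that applies the rule whenever the named LAN
# interface comes up. The rule text is fixed into the file now, after
# validation, so nothing is built from untrusted input at boot time.
install_hook() {
    hook=$1; shift
    spec=$(redirect_rule_spec "$@") || return 1
    lan_if=$2
    cat > "$hook" <<EOF
#!/bin/sh
# Transparent Squid redirect (generated by the example script)
[ "\$IFACE" = "$lan_if" ] || exit 0
iptables -t nat -C PREROUTING $spec 2>/dev/null || iptables -t nat -A PREROUTING $spec
EOF
    chmod 755 "$hook"
}

# Stand-alone usage (as root on the Squid box):
#   apply_redirect 192.168.1.55 eth0 3128
#   install_hook /etc/network/if-pre-up.d/squid-redirect 192.168.1.55 eth0 3128
```

The "You must specify --to-source" message mentioned later in the thread is what iptables prints for a `-j SNAT` target with no address, not for `-j REDIRECT`; if the generated hook ever prints it, the rule that ended up in the file is not the one above, so inspect the file before trusting `iptables -t nat -L PREROUTING -n` to show what you expect.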
                                  tonezzz

                                    I followed the first link.  There is an error message "You must specify --to-source" but it works anyway.  Thanks dwadson.

                                    dwadson

                                      The changed load balancer in the snapshot releases doesn't seem to allow this technique to work. You can no longer enter an IP address for the gateway/proxy - that capability has been replaced with the "Interface Name" menu. Tried doing it with it set as a server rather than a gateway but that doesn't seem to work either - traffic doesn't get redirected.

                                      Looks like I'm gonna roll back to 1.0.1 so this will work. It's more important to have this working than improved load balancing…

                                      hoba

                                        You can manually edit the config.xml, exchange the interface name with the IP address and re-upload the config. Just don't touch this pool with the GUI again and it should work with the newer versions.

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.