Squid Multi-WAN patch
-
Hi!
Firstly thanks for the huge amount of work you guys have invested in this wonderful project!
I would like to use squid acls to route different clients through different routes. The same sort of idea might work with load balancing, but I haven't tried it yet. I am pasting my short patch to filter.inc below which basically adds a few source routes. After this tcp_outgoing_address custom commands can be used for the squid package config in order to get different routes for different client source addresses (or any other acl).
--- filter.inc.orig 2008-01-25 18:33:41.000000000 +0100 +++ filter.inc 2008-01-25 18:36:00.000000000 +0100 @@ -2948,7 +2948,21 @@ for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++) $ifdescrs['opt' . $j] = "opt" . $j; - /* go through primary and optional interfaces */ + /* SSH Hack */ + /* go through primary and optional interfaces */ + foreach ($ifdescrs as $ifdescr => $ifname) { + $return_gateway = $config['interfaces'][$ifname]['gateway']; + if ($return_gateway) { + $int = filter_translate_type_to_real_interface($ifname); + update_filter_reload_status("Creating source routes..."); + $ip = find_interface_ip($int); + $sn = $config['interfaces'][$ifname]['subnet']; + $sa = gen_subnet($ip, $sn); + $rule .= "pass out quick route-to ( {$int} {$return_gateway} ) from {$ip} to ! {$sa}/{$sn} keep state label \"Source route for squid\"\n"; + } + } + /* End SSH Hack */ + /* go through primary and optional interfaces */ foreach ($ifdescrs as $ifdescr => $ifname) { $return_gateway = $config['interfaces'][$ifname]['gateway']; $ints = array();
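Review bot: the new loop uses $ip straight from find_interface_ip() without checking that it is non-empty, so an interface that has a gateway configured but no address yet (a WAN still waiting on DHCP or PPPoE) yields a rule with an empty source, `... route-to ( {$int} {$return_gateway} ) from  to ! ...`, which pfctl will reject and which takes the whole ruleset down with it; guard the block with `if ($return_gateway && $ip)` (or a check such as is_ipaddr($ip)) and skip the interface otherwise. Second, the rule has no `on` clause and only excludes the interface's own subnet (`to ! {$sa}/{$sn}`), so anything the firewall sends from that WAN address to another local network (LAN, other OPT subnets) is also forced out through {$return_gateway}; exclude every directly connected subnet, or restrict the rule to the interface that carries the default route. Finally, the `/* SSH Hack */` markers say nothing about what the block does and `/* go through primary and optional interfaces */` is now duplicated above both loops; replace the first copy with something like `/* per-WAN source routes for locally generated traffic (squid tcp_outgoing_address) */`.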
My custom squid config e.g. then looks like this:
acl slow src 192.168.100.0/255.255.255.0
tcp_outgoing_address 10.10.1.1 slow
tcp_outgoing_address 10.10.1.1
This routes the slow subnet through one WAN link and everything else through the other (neither of them the default WAN link).
Cheers,
Waldemar
-
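The rule generation the patch above performs, together with the squid lines that make use of it, as an added example that is not part of the original post and is not pfSense code: a Python model of the per-WAN `pass out quick route-to` rule with two changes a reviewer would ask for, namely skipping a WAN that has a gateway but no address instead of emitting a malformed rule, and excluding every directly connected subnet rather than only the WAN's own. The interface table, addresses, interface names and the slow/opt1 policy are all constructed for the example.

```python
"""Per-WAN pf source routes for locally originated traffic, plus the matching
squid tcp_outgoing_address lines.

Added example, not code from pfSense or from the patch in the thread. It
models the rule the patch emits per WAN interface with two changes: an
interface that has a gateway but no address yet is skipped instead of
producing a malformed rule, and every directly connected subnet is excluded,
not only the WAN's own. All interface names and addresses are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Hypothetical interface table: logical name -> (real interface, IPv4 address
# or "" when none is assigned, prefix length, gateway or None for non-WANs).
Iface = Tuple[str, str, int, Optional[str]]
INTERFACES: Dict[str, Iface] = {
    "wan":  ("em0", "203.0.113.10", 24, "203.0.113.1"),   # default WAN
    "lan":  ("em1", "192.168.1.1", 24, None),             # squid clients live here
    "opt1": ("em2", "10.10.1.1", 24, "10.10.1.254"),      # second WAN
    "opt2": ("em3", "", 24, "10.10.2.254"),               # third WAN, no address yet
}


def gen_subnet(ip: str, prefix: int) -> str:
    """Network address of ip/prefix, the job filter.inc's gen_subnet() does."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def local_networks(interfaces: Dict[str, Iface]) -> List[str]:
    """Every directly connected subnet, in CIDR form (unaddressed ones skipped)."""
    return [f"{gen_subnet(ip, prefix)}/{prefix}"
            for _real, ip, prefix, _gw in interfaces.values() if ip]


def source_route_rules(interfaces: Dict[str, Iface]) -> Tuple[List[str], List[str]]:
    """Return (pf rules, names of WANs skipped because they have no address).

    One 'pass out quick route-to' rule per interface that has a gateway:
    traffic the firewall itself sends from that WAN's address to any
    non-local destination leaves via that WAN's gateway, which is what lets
    squid's tcp_outgoing_address select the link.
    """
    rules, skipped = [], []
    exclude = "{ " + ", ".join(local_networks(interfaces)) + " }"
    for name, (real, ip, _prefix, gw) in interfaces.items():
        if not gw:
            continue                  # LAN-type interface, nothing to route
        if not ip:
            skipped.append(name)      # would otherwise emit "from  to !" and break pfctl
            continue
        rules.append(
            f"pass out quick route-to ( {real} {gw} ) from {ip} "
            f"to ! {exclude} keep state label \"Source route for squid {name}\""
        )
    return rules, skipped


def squid_outgoing_lines(policy: Dict[str, Tuple[str, str]], default_wan: str,
                         interfaces: Dict[str, Iface]) -> List[str]:
    """Build acl / tcp_outgoing_address lines from {acl_name: (src_cidr, wan_name)}.

    Refuses a WAN that is unknown or has no address, since no source-route
    rule exists for it and squid would bind to an address the box lacks.
    """
    def addr(wan: str) -> str:
        if wan not in interfaces or not interfaces[wan][1]:
            raise ValueError(f"{wan}: no address, so no source route for it")
        return interfaces[wan][1]

    lines: List[str] = []
    for acl, (src, wan) in policy.items():
        lines.append(f"acl {acl} src {src}")
        lines.append(f"tcp_outgoing_address {addr(wan)} {acl}")
    lines.append(f"tcp_outgoing_address {addr(default_wan)}")  # catch-all goes last
    return lines


if __name__ == "__main__":
    rules, skipped = source_route_rules(INTERFACES)
    print("\n".join(rules))
    print("skipped (no address):", skipped)
    print("\n".join(squid_outgoing_lines(
        {"slow": ("192.168.100.0/24", "opt1")}, "wan", INTERFACES)))
```

The exclusion list is built from all addressed interfaces rather than the WAN's own subnet alone, so packets from a WAN address to a LAN host keep their normal route; a WAN without an address is reported rather than silently producing a rule pfctl cannot load.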
On RELENG_1 you can create such rules from the GUI. So no need for the hack.
-
I doubt that you can create "pass out" rules. If you can, please tell me how. All rules created by pfSense in the frontend are "pass in" rules.
-
RELENG_1 is the branch that is to become pfSense 1.3.
-
Ah, ok, so the new version will support "pass out"s, that's great then!
Thanks!
-
One thing that needs to be noted though, is that these rules need to be added before other "firewallout" rules, otherwise it won't work. I am not sure if that will be possible in 1.3…
-
Hi
I hope this patch works with failover and the 1.2 release.
I will test soon!!
I can't wait for 1.3, sorry. Thx