Netgate Discussion Forum

Load Balance and Squid does not work running in the same server

2.0-RC Snapshot Feedback and Problems - RETIRED
53 Posts, 17 Posters, 45.3k Views
heper

I'd suggest you try setting up a virtual machine with a basic DNS server on your LAN subnet (be it on Windows, Linux or BSD).
If that solves your problems then you can be certain it's a DNS issue.

If you don't want to waste time setting up VMs then I suggest you add some rules to log all UDP traffic on port 53.
Packet captures can also help in figuring out where or what gets stuck.

One of the things I've noticed is that when you pull the WAN1 interface offline, the front page of the pfSense GUI will start to go really slow (i.e. waiting for a time-out).
To work around this issue, close the "System Information" widget. This checks for updates and fails because it doesn't find DNS.

@digossantos:

ermal,
I have configured the rule you said, balancing the DNS requests too, but it doesn't work. My DNS is in the DMZ, so the connections to it can't be balanced because they don't pass through the gateways to access it. With that rule, those who are outside the proxy have DNS problems too. So if I put a rule without balancing to the DMZ subnet in the floating rules before the balance rule, the normal connections work but the proxy connections are still without name resolution.

igmic

Didn't work for me either.

3dinfluence

@ermal:

I just put a patch that will include localhost (127.0.0/8) in the default NAT rules so AON will not be needed anymore in the configuration.
Should be easier now by just creating a floating rule and selecting the gateway group on it.

Is this patch now in the public RC1 builds? I have the build from Tue Mar 15 08:53:58 EDT 2011 and when I go into the NAT rules and AON I'm not seeing any default rules for 127.0.0/8.

dave99

Is there anyone trying to do this with multiple VLANs as well? I had it working per the various posts in this thread, but it broke my ability to get to HTTP sites on other VLANs. I think having Squid using 127.0.0.1 is what breaks it.

onkeldave83

And when I also use HAVP as a parent for Squid?

In this case:

tcp_outgoing_address 127.0.0.1;never_direct allow all;cache_peer 127.0.0.1 parent 4444 0 name=havp no-query no-digest no-netdb-exchange default;redirect_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf;redirector_bypass on;redirect_children 3

What about the cache peer to loopback?

nassman

Still does not work.
What is the solution?

rubic

Heper, thanks for your guide!
What advanced option is used in the "matching rule, to stop balance twice" floating rule?
I used TCP flags: out of: SYN.
It works!

heper

rubic:

It's possible to 'mark' packets when they hit one of your rules. Afterwards you can "search" for those packets using other rules, sort of ;)

So basically I use a floating rule to push all HTTP traffic through the gateway group; at the same time I 'mark' them.

I put another floating rule IN FRONT of my load-balance rule and added the option 'quick'; there I push packets out without going through the gateway group; here I specify to 'match' the packets I 'marked' in my secondary rule.

see this

rubic
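The two-rule arrangement heper describes above (a 'quick' rule that matches already-marked packets, placed ahead of the load-balancing rule that marks them), written out in pf.conf syntax as an added illustration. This is not heper's GUI configuration or anything from the pfSense project; the interface names, gateway addresses and tag name are assumptions. In the pfSense floating rule form the 'mark' and 'match' fields correspond to pf's tag and tagged keywords.

```pf
# Added illustration, not the page's own rule set. Interface names, gateway
# addresses and the tag name LB_DONE are assumptions.
wan1 = "em0"
wan2 = "em1"
gw1  = "203.0.113.1"
gw2  = "198.51.100.1"

# Squid is bound to loopback (tcp_outgoing_address 127.0.0.1), so its requests
# leave with a 127.0.0.0/8 source and need outbound NAT on both WANs; this is
# the manual AON rule the thread talks about before ermal added it to the defaults.
nat on $wan1 from 127.0.0.0/8 to any -> ($wan1)
nat on $wan2 from 127.0.0.0/8 to any -> ($wan2)

# Rule 1, placed first and marked 'quick': a packet that already carries the tag
# was balanced on its first pass through the ruleset, so it is passed out on the
# interface it is now on with no route-to and cannot be bounced to the other WAN.
pass out quick on { $wan1 $wan2 } inet proto tcp from any to any port 80 tagged LB_DONE

# Rule 2, the load-balance rule: untagged HTTP traffic is policy-routed over the
# gateway pool and tagged, so its second pass is caught by the quick rule above.
pass out on { $wan1 $wan2 } inet proto tcp from any to any port 80 \
    route-to { ($wan1 $gw1), ($wan2 $gw2) } round-robin tag LB_DONE
```

On pfSense the ruleset is generated from the GUI, so `pfctl -sr` is the place to confirm that the quick rule really ends up ahead of the load-balance rule.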

Hm... will think about it. However, looking at the pf packet flow diagram, I wonder if the floating load-balance rule can fire twice.
By the way, in my case your solution works even without binding Squid to loopback?

rubic

heper, you were right!
When the default WAN is down, an outgoing packet hits the rule twice (both on the WAN and OPT-WAN interfaces).
If you don't mind, I would like to translate your how-to for the Russian pfSense community.
Thanks!

eri--

It hits it twice but really it does not execute the policy routing the second time.
Only the nat rules are executed.

rubic

@ermal:

Only the nat rules are executed.

There is one point about NAT that is unclear to me. According to the pf packet flow diagram (http://homepage.mac.com/quension/pf/flow.png), filtering happens after SNAT. That's why in the rule log we see: if:WAN src:WAN IP -> dst:remote host IP. But when a packet rerouted by the policy routing rule reaches the OPT-WAN outgoing chain (assuming WAN is down), its source address appears magically restored to 127.0.0.1. Which block on the diagram does that?

heper

My "how-to" can be translated into any language... its only purpose was to return the info I got from ermal to the community ;)

eri--

rubic, it's pfSense customized pf(4), by me. :)

This functionality cannot be done with standard pf(4), at least the version that is used on FreeBSD, without too much tinkering.

rubic

@ermal:

rubic, it's pfSense customized pf(4), by me. :)

This functionality cannot be done with standard pf(4), at least the version that is used on FreeBSD, without too much tinkering.

Ok, now I see :) Thank you for your work!
Translated: http://forum.pfsense.org/index.php/topic,34810.0.html

lnaimi

Ok, the guide works with FailOver, but what about LoadBalance? Thanks

juniorghr

Please, where I am testing pfSense 2.0 it is required to enter some sites that require HTTPS, and when I configure Squid with load balance the gateway connection changes every time. How can I fix this?

Please help.

Frozen_Fire

Please help... Load balancing is ok... but Squid is not functioning... please do some ups in the floating rule...
Thank you...

heper

@juniorghr

Well, you could create a dedicated gateway group with failover (different tiers) and add a separate rule for HTTPS traffic to use that gateway group...

Or you could enable 'sticky connections' in System... but I don't know if that would solve all issues.

onkeldave83

Yes, BUT WITH THIS SOLUTION YOU CAN'T use HAVP as parent for SQUID ;)
