How-To: 2.0 Load-Balance + Transparent Squid (3 easy steps)
-
Step 1:
Create your Gateway Group. Put all your WAN's in Tier1 (Load-Balance)
Step 2:
Create a Floating Rule that looks like this:
It should look like this after you saved it:
Step 3:
Don't forget to tick the Squid checkbox Transparent Proxy!
Add this text to Squid Custom Options:
tcp_outgoing_address 127.0.0.1
Now go and test it! It works for me (2.0-RC3 (amd64) built on Tue Jun 21 23:37:22 EDT 2011).
-
pictures don't seem to be working (not for me at least).
thanks for sharing tho ;)
-
;) …Screen shot please...
Thank You
-
Avoid postimage.org, it will never work!
Use tinypic instead.
-
Here are the images:
Step 1:
Create your Gateway Group. Put all your WAN's in Tier1 (Load-Balance)
-
Step 2:
Create a Floating Rule that looks like this:
-
It should look like this after you saved it:
-
Good work.
But I note that most rules on the firewall in the LAN tab do not work, such as DMZ, protocols that don't like load balance… etc.
So I added the rules in the Floating tab, and they work.
Please give us more details to get more quality.
thanks
-
Also a problem appears in Dynamic DNS:
Jul 21 20:01:53 php: : Curl error occurred: couldn't connect to host
Jul 21 20:01:53 php: : DynDns: Current Service: opendns
Jul 21 20:01:53 php: : DynDns: DynDns _checkStatus() starting.
Jul 21 20:00:38 php: : DynDns: DynDns _update() starting.
Jul 21 20:00:38 php: : DynDns debug information: DynDns: cacheIP != wan_ip. Updating. Cached IP: 188.161.249.229 WAN IP: 188.161.249.123
Jul 21 20:00:38 php: : DynDns: Current WAN IP: 188.161.249.123 Cached IP: 188.161.249.229
Jul 21 20:00:38 php: : DynDns debug information: 188.161.249.123 extracted from checkip.dyndns.org
Jul 21 20:00:37 php: : DynDns: updatedns() starting
thanks
-
nassman for dyndns you need to override the floating rule that balances the http traffic ….
so basically you need to create a rule with destination=your_dyndns_provider to use the correct gateway
-
heper, thank you, but can you give me a pic as an example?
Also, after I installed squid, when I open the Dashboard, in System Information this sometimes appears:
Version 2.0-RC3 (i386)
built on Tue Jul 19 02:18:00 EDT 2011
Unable to check for updates.
and sometimes it works.
What is the solution?
thanks
-
heper, thank you, but can you give me a pic as an example?
Also, after I installed squid, when I open the Dashboard, in System Information this sometimes appears:
Version 2.0-RC3 (i386)
built on Tue Jul 19 02:18:00 EDT 2011
Unable to check for updates.
and sometimes it works.
What is the solution?
Yes, it will not be able to check updates. My quick and dirty fix for this is to temporarily disable the floating rule when I want to check for updates.
thanks
-
stramato,
I added a floating rule and made the pfSense website the same as DMZ, not load balanced; it works and checks for updates.
thanks.
-
can you elaborate more?
on how the rule will look like? thanks!
-
Does this mean that I don't need to create a rule on the LAN tab? Can you show any screenies of your LAN tab rule?
-
Yeah !
Thanks, it works !!
-
Thank you for this how-to! It works wonderfully with squid.
But it does not apply to HAVP.
We have SQUID with SQUIDguard as transparent and HAVP as its parent.
If we set firewall rules as you show, pages load by half, styles and images are missing, or some sites even become inaccessible (timeout).
How can we make HAVP load balance?
-
Hello,
The following aspects are not clear:
1. You're selecting only WAN1 in the "interface packets must arrive to match rule" in the floating rule. Now the questions are
(a) are you assuming that squid will always throw packets on WAN1 only?
(b) does which WAN should be selected in the interfaces box depend on the default gateway setting of the pf box?
(c) if no default gateway is selected in the pf general settings, then which interface(s) will squid output packets to? Is that random? Like in the case of 3 WANs, squid may output packets to any of the 3 WANs?
(d) if any of the 3 WANs may be used by squid, in that case do we have to multi-select all WANs in that interfaces box?
2. For loadbalancing in particular, @heper's instructions included an additional "matching rule" where he was marking packets and later on in another rule routing those marked packets - to achieve loadbalancing. But in your steps that rule is not there. So is it the case that loadbalancing may be achieved without going for such packet-marking-routing as done previously by @heper?
Dear @heper, you can also clarify please...
-
1a: squid will always TRY to go out the default gateway … assuming that is WAN1, you only need the floating rule on that one
1b: see 1a
1c: not sure but i guess the default "WAN" interface, try if you wanna be sure
1d: see 1a
2. the matching rule is useless, it appeared packets were getting looped twice around the packet filter but
emal pointed out the following:
It hits it twice but really it does not execute the policy routing the second time.
Only the nat rules are executed.