Netgate Discussion Forum
    How-To: 2.0 Load-Balance + Transparent Squid (3 easy steps)

Routing and Multi WAN

Gradius:

Avoid postimage.org, it will never work!

Use tinypic instead.

ptt (Rebel Alliance):

Here are the images:

Step 1:
Create your Gateway Group. Put all your WANs in Tier1 (Load-Balance).

[Image: Gateway_Groups_Tier1.png]

ptt (Rebel Alliance):

Step 2:
Create a Floating Rule that looks like this:

[Image: Floating_Rule1.png]
[Image: Floating_Rule2.png]

ptt (Rebel Alliance):

It should look like this after you have saved it:

[Image: Floating_Rule1_Overview.png]

nassman:

Good work.
But I note that most rules on the firewall in the LAN tab do not work, such as DMZ, protocols that don't like load balance, etc.
So I added the rules in the Floating tab, and they work.
Please give us more details to get more quality.
Thanks

nassman:

Also a problem appears in Dynamic DNS:

Jul 21 20:01:53 php: : Curl error occurred: couldn't connect to host
Jul 21 20:01:53 php: : DynDns: Current Service: opendns
Jul 21 20:01:53 php: : DynDns: DynDns _checkStatus() starting.
Jul 21 20:00:38 php: : DynDns: DynDns _update() starting.
Jul 21 20:00:38 php: : DynDns debug information: DynDns: cacheIP != wan_ip. Updating. Cached IP: 188.161.249.229 WAN IP: 188.161.249.123
Jul 21 20:00:38 php: : DynDns: Current WAN IP: 188.161.249.123 Cached IP: 188.161.249.229
Jul 21 20:00:38 php: : DynDns debug information: 188.161.249.123 extracted from checkip.dyndns.org
Jul 21 20:00:37 php: : DynDns: updatedns() starting

Thanks

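The log excerpt above, read programmatically. This is an added example and not code from the thread or from pfSense: it takes the lines nassman posted (pfSense lists the newest entry first, so the parser restores chronological order), splits each into timestamp, process and message, and then checks whether an update attempt was followed by a transport error. The line pattern, the assumed year 2011 (the stamps carry none) and the verdict wording are this example's own assumptions.

```python
"""Triage of a pfSense Dynamic DNS log excerpt (added example, not pfSense code)."""
import re
from datetime import datetime

# Constructed sample: the exact lines from the post above, newest first as the GUI shows them.
LOG = """\
Jul 21 20:01:53 php: : Curl error occurred: couldn't connect to host
Jul 21 20:01:53 php: : DynDns: Current Service: opendns
Jul 21 20:01:53 php: : DynDns: DynDns _checkStatus() starting.
Jul 21 20:00:38 php: : DynDns: DynDns _update() starting.
Jul 21 20:00:38 php: : DynDns debug information: DynDns: cacheIP != wan_ip. Updating. Cached IP: 188.161.249.229 WAN IP: 188.161.249.123
Jul 21 20:00:38 php: : DynDns: Current WAN IP: 188.161.249.123 Cached IP: 188.161.249.229
Jul 21 20:00:38 php: : DynDns debug information: 188.161.249.123 extracted from checkip.dyndns.org
Jul 21 20:00:37 php: : DynDns: updatedns() starting
"""

# "Jul 21 20:01:53 php: : <message>" -> timestamp, process name, message (assumed layout)
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<proc>[^:]+): : (?P<msg>.*)$")
IP_PAIR_RE = re.compile(r"Cached IP: (\S+) WAN IP: (\S+)")
CURL_RE = re.compile(r"Curl error occurred: (.*)")


def parse_log(text, year=2011):
    """Parse syslog-style lines (no year in the stamp) and return them oldest first."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not in the expected format
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        entries.append({"ts": ts, "proc": m["proc"], "msg": m["msg"]})
    # The GUI prints newest first: reverse, then a stable sort keeps same-second order.
    entries.reverse()
    entries.sort(key=lambda e: e["ts"])
    return entries


def triage(entries):
    """Summarise one DynDNS run: did an update start, and did the provider answer?"""
    result = {"update_attempted": False, "wan_ip": None, "cached_ip": None,
              "curl_error": None, "verdict": "no update attempt in this window"}
    update_ts = None
    for e in entries:
        if "_update() starting" in e["msg"]:
            result["update_attempted"] = True
            update_ts = e["ts"]
        m = IP_PAIR_RE.search(e["msg"])
        if m:
            result["cached_ip"], result["wan_ip"] = m.groups()
        m = CURL_RE.search(e["msg"])
        # Only a transport error logged at or after the update attempt counts against it.
        if m and update_ts is not None and e["ts"] >= update_ts:
            result["curl_error"] = m.group(1)
    if result["update_attempted"] and result["curl_error"]:
        result["verdict"] = ("update attempted but the provider could not be reached: "
                             "check which gateway the firewall's own HTTP traffic is routed through")
    elif result["update_attempted"]:
        result["verdict"] = "update attempted, no transport error logged"
    return result


if __name__ == "__main__":
    for e in parse_log(LOG):
        print(e["ts"].strftime("%H:%M:%S"), e["msg"])
    print(triage(parse_log(LOG)))
```

The useful detail is the ordering: the update (20:00:38) precedes the curl failure (20:01:53) once the lines are put back in chronological order, which is what distinguishes "the provider rejected the update" from "the firewall never reached the provider", the case heper addresses in the next post.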
heper:

nassman, for DynDNS you need to override the floating rule that balances the HTTP traffic ….

So basically you need to create a rule with destination=your_dyndns_provider to use the correct gateway.

nassman:

heper, thank you, but can you give me a pic as an example?

Also, after I installed Squid, when I open the Dashboard, in System Information sometimes this appears:
Version 2.0-RC3 (i386)
built on Tue Jul 19 02:18:00 EDT 2011

Unable to check for updates.

and sometimes it works.

What is the solution?
Thanks

stramato:

@nassman:

heper, thank you, but can you give me a pic as an example?

Also, after I installed Squid, when I open the Dashboard, in System Information sometimes this appears:
Version 2.0-RC3 (i386)
built on Tue Jul 19 02:18:00 EDT 2011

Unable to check for updates.

and sometimes it works.

What is the solution?

Yes, it will not be able to check updates. My quick and dirty fix for this is to temporarily disable the floating rule when I want to check for updates.
Thanks

nassman:

stramato,
I added a floating rule and made the pfSense website the same as DMZ, not load balanced; it works and checks for updates.
Thanks.

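Both fixes in this part of the thread, heper's destination=your_dyndns_provider rule for Dynamic DNS and nassman's rule that pins the pfSense update site to a single gateway, rely on the same mechanism: a more specific floating rule placed above the balancing rule. The walk-through below is an added example, not code from the thread or from pfSense. It models pf "quick" floating rules as an ordered list in which the first match decides the gateway, which is enough to show why the override has to sit above the balancing rule. Assumptions: the balancing rule from Step 2 is reconstructed from the posts (outbound TCP port 80 on WAN1, any source, gateway = the Tier1 group), since the screenshots did not survive; 203.0.113.10 stands in for "your_dyndns_provider", 198.51.100.20 for a web site fetched by Squid, and 192.0.2.1 for the firewall's own WAN address (all RFC 5737 documentation addresses).

```python
"""First-match walk-through of the floating rules discussed in this thread (added example)."""
import ipaddress


def rule(name, iface, proto, src, dst, dport, gateway):
    """One floating rule: interface the packet leaves on, protocol, src/dst nets, dst port, gateway."""
    return {"name": name, "iface": iface, "proto": proto,
            "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
            "dport": dport, "gateway": gateway}


def matches(r, pkt):
    """True when every field of the rule accepts the packet ("any" matches everything)."""
    return (r["iface"] == pkt["iface"]
            and r["proto"] in ("any", pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in r["src"]
            and ipaddress.ip_address(pkt["dst"]) in r["dst"]
            and r["dport"] in ("any", pkt["dport"]))


def select_gateway(rules, pkt, default_gw="WAN1_GW"):
    """Return (rule name, gateway) from the first matching rule; default routing otherwise."""
    for r in rules:
        if matches(r, pkt):
            return r["name"], r["gateway"]
    return None, default_gw


# Step 2 as reconstructed from the posts: HTTP leaving on the default-gateway
# interface (WAN1, per heper) is sent to the Tier1 gateway group.
BALANCE = rule("http-balance", "WAN1", "tcp", "0.0.0.0/0", "0.0.0.0/0", 80, "LoadBalance")
# heper's fix for nassman: pin traffic to the DynDNS provider to one gateway.
# 203.0.113.10 is a constructed placeholder for the provider's address.
DYNDNS_PIN = rule("dyndns-pin", "WAN1", "tcp", "0.0.0.0/0", "203.0.113.10/32", 80, "WAN1_GW")

# Constructed packets: a Squid fetch, and the firewall's own DynDNS update.
SQUID_PKT = {"iface": "WAN1", "proto": "tcp", "src": "127.0.0.1", "dst": "198.51.100.20", "dport": 80}
DYNDNS_PKT = {"iface": "WAN1", "proto": "tcp", "src": "192.0.2.1", "dst": "203.0.113.10", "dport": 80}


def walkthrough():
    """Evaluate the rule sets the thread discusses and return the gateway each one chooses."""
    return {
        "balance only, squid": select_gateway([BALANCE], SQUID_PKT)[1],
        "balance only, dyndns": select_gateway([BALANCE], DYNDNS_PKT)[1],       # nassman's problem
        "pin above balance, dyndns": select_gateway([DYNDNS_PIN, BALANCE], DYNDNS_PKT)[1],  # heper's fix
        "pin above balance, squid": select_gateway([DYNDNS_PIN, BALANCE], SQUID_PKT)[1],    # Squid still balanced
        "pin below balance, dyndns": select_gateway([BALANCE, DYNDNS_PIN], DYNDNS_PKT)[1],  # wrong order: no effect
    }


if __name__ == "__main__":
    for case, gw in walkthrough().items():
        print(f"{case:28s} -> {gw}")
```

The "pin below balance" case is the one to check in a live rule set: a destination-specific rule that sits underneath the balancing rule never gets evaluated, so Dynamic DNS or the update check keep going through the gateway group. The same ordering applies to nassman's update-site rule.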
ihuntian:

Can you elaborate more?

On what the rule will look like? Thanks!

chanrio13:

Does this mean that I don't need to create a rule on the LAN tab? Can you show any screenies of your LAN tab rule?

Daouid:

Yeah!
Thanks, it works!!

Guest:

Thank you for this how-to! It works wonderfully with Squid.
But it does not apply to HAVP.
We have Squid with SquidGuard as transparent and HAVP as its parent.
If we set firewall rules as you show, pages load by half, styles and images are missing, or some sites even become inaccessible (timeout).
How can we make HAVP load balance?

pubmsu:

Hello,

The following aspects are not clear:

1. You're selecting only WAN1 in the "interface packets must arrive to match rule" in the floating rule. Now the questions are:

(a) Are you assuming that Squid will always throw packets on WAN1 only?

(b) Does which WAN should be selected in the interfaces box depend on the default gateway setting of the pf box?

(c) If no default gateway is selected in the pf general settings, then which interface(s) will Squid output packets to? Is that random? Like in the case of 3 WANs, Squid may output packets to any of the 3 WANs?

(d) If any of the 3 WANs may be used by Squid, in that case do we have to multi-select all WANs in that interfaces box?

2. For load balancing in particular, @heper's instructions included an additional "matching rule" where he was marking packets and later on in another rule routing those marked packets, to achieve load balancing. But in your steps that rule is not there. So is it the case that load balancing may be achieved without going for such packet-marking-routing as done previously by @heper?

Dear @heper, you can also clarify please...

pubmsu:

And there's still another HOW TO by @DimitriS, which also differs from the steps in this thread:

http://forum.pfsense.org/index.php/topic,37083.0.html

@heper's HOW TO is here:

http://forum.pfsense.org/index.php/topic,33895.msg176448.html#msg176448

heper:

1a: Squid will always TRY to go out the default gateway … assuming that is WAN1, you only need the floating rule on that one.
1b: see 1a
1c: Not sure, but I guess the default "WAN" interface; try it if you want to be sure.
1d: see 1a

2. The matching rule is useless. It appeared packets were getting looped twice around the packet filter, but emal pointed out the following:

It hits it twice but really it does not execute the policy routing the second time.
Only the NAT rules are executed.

pubmsu:

Thanks for your answers, @heper, really appreciate this.

We're in the process of extensively testing our triple-WAN load balancing with transparent Squid and will report back if there's any case where it doesn't function as expected.

MrsPotter:

@heper, will any of the above change when Squid is not transparent?

frater:

I read this thread and was able to get load-balancing Squid working using the post of the OP.
But in my multi-LAN multi-WAN environment I don't want to run Squid as a transparent proxy on ALL interfaces.

I'm now afraid some packets that are going out to port 80 and not coming from Squid are load balanced as well…
I don't want this as I have issues with round-robin on certain websites.....

I took a look at the approach heper did and am now doing the following....

mark all TCP packets going to port 80 coming from 127.0.0.0/8
on the interface of the default gateway, send the marked packets to loadbalance.
I have not switched to AON (manual NAT), nor did I select localhost as one of the proxy's interfaces...

Could someone please comment?

BTW... it's still not actually working here...

EDIT:

I did some more testing....
If I route all TCP out packets to port 80 to the round-robin interface, it is working... But because I'm logging it I also know that packets not coming from Squid are using round-robin as well.
I don't want this....

If I also check the marking of the packets, it doesn't detect any of them and nothing goes through the round-robin interface.
It seems that marking of the packets coming from 127.0.0.1 doesn't work....

In combination with the absence of the lo0 interface in the pfSense webif, it makes me think there's no firewall between the local interface and the rest....

HELP?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.