Squid with VIP
-
The CARP one, I've tried to bind it with the loopback and adding a NAT rule but it didn't work :s
It will work if you set up squid on loopback without custom options for tcp_outgoing_address.
Check if you can fetch pages from the pfsense console/ssh using links before testing squid.
Tcpdump will help you to identify what is going wrong.
Post your rdr NAT rule to check that there are no errors.
-
Here is the NAT rule I used:
Interface : LAN
Source : any
Source port : *
Destination : my_virtual_address/32
Destination port : *
NAT Address : 127.0.0.1/32
NAT port : *
Static port : NO
I'm maybe wrong with it ? :s
-
I'm maybe wrong with it ? :s
It's just missing squid port 3128
Interface : LAN
Source : any
Source port : *
Destination : my_virtual_address/32
Destination port : 3128
NAT Address : 127.0.0.1/32
NAT port : 3128
Static port : NO
-
Hey I changed my rule just like you said with adding the port 3128 and unfortunately the problem persists. It's a NAT Outbound rule right ?
Even if on the proxy server I set up the "Proxy interface : loopback". Could it be because I use the package squid3 ?
I don't understand, when the master is off, my virtual ip can still be reached by a ping, my client can use the slave as proxy, but they cannot with the VIP… it seems that the slave uses the VIP but cannot link it to his proxy service, so it could be more than one rule that I should add ?
And by the way, when I do all of this without any custom options, the VIP doesn't work when a client uses it as a proxy, even if the master is up, but if I add "http_port my_virtual_ip:3128" then it works when the master is up but not on failover with only the slave up. So what are the custom options made for ?
-
Hey I changed my rule just like you said with adding the port 3128 and unfortunately the problem persists. It's a NAT Outbound rule right ?
No. It's a rdr rule.
-
Ok maybe a really stupid question but what is a rdr rule ? On squid I can do a "Port Forward", "1:1" or "Outbound" NAT rule, which of them is a rdr one ?
-
Ok maybe a really stupid question but what is a rdr rule ? On squid I can do a "Port Forward", "1:1" or "Outbound" NAT rule, which of them is a rdr one ?
redirection rule = port forward.
-
Ok I'll try this thanks !
Also I was wondering, why while my squid's master is supposed to sync his conf, when I do a change on the squid.conf from the Web interface, I cannot see the change on the slave ?
-
Ok I'll try this thanks !
Also I was wondering, why while my squid's master is supposed to sync his conf, when I do a change on the squid.conf from the Web interface, I cannot see the change on the slave ?
It only sync changes made on package gui.
-
This thread has been a lot of help.
I have a similar situation and this fixed most of my issues but broke one small thing.
My setup
2 pfSense 2.0.1 servers with CARP for failover
2 WAN connections setup with MultiWAN
Squid Installed
LAN
10.1.1.139 pfSense1
10.1.1.140 pfSense2
10.1.1.141 pfSense Virtual IP
WAN
xxx.xxx.251.139 pfSense1
xxx.xxx.251.140 pfSense2
xxx.xxx.251.141 pfSense Virtual IP
I removed "tcp_outgoing_address 127.0.0.1" from custom options.
added
LAN TCP * * 10.1.1.141 3128 127.0.0.1 3128
to Port Forward
and added
WAN 127.0.0.0/8 * * * xxx.xxx.251.141 * NO
to Outbound
everything is working except for when i open http://www.pfsense.org/ip.php shows my IP address as xxx.xxx.251.139 <-- WRONG (should be the VIP)
when i add "tcp_outgoing_address 127.0.0.1" to custom options, http://www.pfsense.org/ip.php shows my IP address as xxx.xxx.251.141 <-- correct
however, with "tcp_outgoing_address 127.0.0.1" added to custom options i can not connect to local resources on the 10.0.0.0/8 LAN network.
any ideas?
-
I noticed marcelloc mention this on another thread
"Use squid tcp outgoing address directive to specify it.
There is a field on squid gui for custom options. Place it there."
Would this fix my problem and how would i implement this with my MultiWAN situation?
-
A load balance rule on floating tab should work for outgoing traffic.
-
A load balance rule on floating tab should work for outgoing traffic.
This is the floating rule i have
TCP * * * 80 (HTTP) MultiWAN_Comcast none
Even with this it still shows my IP address as xxx.xxx.251.139
-
Second try could be uncheck default gateway option on gateway config.
-
unchecking the default gateway had no effect.
I still have not tried
"Use squid tcp outgoing address directive to specify it.
There is a field on squid gui for custom options. Place it there."
I just need direction on how to implement this in a multiwan environment.
-
This is still a major issue for us.
routing works perfectly. However, when specifying the proxy it does not use the Virtual IP.
My setup
2 pfSense 2.0.1 servers with CARP for failover
2 WAN connections setup with MultiWAN
Squid Installed
LAN
10.1.1.139 pfSense1
10.1.1.140 pfSense2
10.1.1.141 pfSense Virtual IP
WAN
xxx.xxx.251.139 pfSense1
xxx.xxx.251.140 pfSense2
xxx.xxx.251.141 pfSense Virtual IP
I removed "tcp_outgoing_address 127.0.0.1" from custom options.
added
LAN TCP * * 10.1.1.141 3128 127.0.0.1 3128
to Port Forward
and added
WAN 127.0.0.0/8 * * * xxx.xxx.251.141 * NO
to Outbound
I also have a load balance rule on the floating tab that allows all.
everything is working except for when i open http://www.pfsense.org/ip.php shows my IP address as xxx.xxx.251.139 <-- WRONG (should be the VIP)
when i add "tcp_outgoing_address 127.0.0.1" to custom options, http://www.pfsense.org/ip.php shows my IP address as xxx.xxx.251.141 <-- correct
however, with "tcp_outgoing_address 127.0.0.1" added to custom options i can not connect to local resources on the 10.0.0.0/8 LAN network.
Any suggestions?
"Use squid tcp outgoing address directive to specify it." has been mentioned as a solution but no details on how to implement it on a multiwan environment.
-
mgrosh,
Can you check via tcpdump what ip squid is using when trying to access 10.0.0.0/8 network?
att,
Marcello Coutinho
-
it is using 10.1.1.141 (my VIP)
and with "tcp_outgoing_address 127.0.0.1" added to custom options, i receive the following error page
ERROR
The requested URL could not be retrieved
--------------------------------------------------------------------------------
While trying to retrieve the URL: http://10.0.0.65/
The following error was encountered:
• Connection to Failed
The system returned:
(49) Can't assign requested address
The remote host or network may be down. Please try the request again.
Your cache administrator is it@patlive.com.
Generated Thu, 10 May 2012 19:16:36 GMT by pfSense1 (squid/2.7.STABLE9)
-
Just to be sure, is the network mask on the server and pfsense /8 or something else?
-
yes they are /8 for the 10.0.0.0 network.