Netgate Discussion Forum
    Anyone actually got upstream proxy working on 2.0 using 2 pfSense boxes?

    pfSense Packages
    14 Posts 3 Posters 5.9k Views
    • luke240778

      @marcelloc:

      The cache server can have only WAN. The problem is how to intercept all traffic but not the traffic from the cache server.
      With LAN, WAN + DMZ on the main firewall you can do this.

      Second point is that the sarg package (I know you prefer lightsquid ;)) is now able to compact log files to reduce disk usage, as well as protect the reports display with pfSense auth.

      Ok good, then my cache server has only WAN, which is correct. The rest I don't really understand. How do I get it so that the first box stores all cache on the second box properly?
      I also don't have anything against Sarg, I just haven't used it enough to know much about it. Lightsquid at least gives me what I need: just to see which IP has been using how much bandwidth, and what percentage has been taken from cache.

      • marcelloc

        The setup I'm suggesting is this:

        Your network ---->----LAN-----pfsense------WAN-------internet
                                                            ||
                                                            ||
                                                          OPT1
                                                            ||
                                                            ||                               
                                                pfsense with squid

        This way you can forward HTTP data to the second box with NAT on the first pfSense and squid in transparent mode on the second box.

        Elite Training: http://sys-squad.com

        Help a community developer! ;D

        • luke240778

          Ok, I see. So have a third virtual NIC (OPT1) that is just a connection from BOX1 to the cache box. So that would have to be another subnet, I am guessing?

          What settings do I need to set on both boxes? Does squid and lightsquid need to be installed on both boxes? Does transparent mode need to be activated on the first box also? Or do I somehow get all data to pass through box 2?

          • marcelloc

            @luke240778:

            Does squid and lightsquid need to be installed on both boxes?
            Does transparent mode need to be activated on the first box also?
            Or do I somehow get all data to pass through box 2?

            You can use NAT on the main firewall to do the transparent forward, or squid with a parent proxy listening only on LAN.
            The second pfSense does not need transparent mode enabled as it will receive requests on 3128.

            Elite Training: http://sys-squad.com

            Help a community developer! ;D

            • remx_james

              Hi all,

              With this setup architecture (like @marcelloc has explained), is it possible to activate authentication on the second proxy server (which is in the DMZ)?
              In this manner, all web traffic incoming on the principal pfSense router (set up with squid in transparent mode) will be forwarded to the second server (via upstream configuration), and this second proxy can apply restrictions on traffic based on user or group, for example. (Please stop me if I'm wrong.)

              My goal with this configuration architecture is firstly to offload the principal pfSense router, particularly on cache management, and secondly to avoid configuring any individual web browser (or using a WPAC system), but still use authentication with Squid.

              Thanks in advance!

              • marcelloc

                With a transparent squid on the first box you will not be able to authenticate. (Ident may work, but it's really easy to forge ident responses.)

                WPAD, PAC, or client proxy settings are the way to use squid with auth.

                Elite Training: http://sys-squad.com

                Help a community developer! ;D

                • remx_james

                  Ah ok!!
                  I have omitted this detail!

                  thanks

                  • luke240778

                    @marcelloc:

                    @luke240778:

                    Does squid and lightsquid need to be installed on both boxes?
                    Does transparent mode need to be activated on the first box also?
                    Or do I somehow get all data to pass through box 2?

                    You can use NAT on the main firewall to do the transparent forward, or squid with a parent proxy listening only on LAN.
                    The second pfSense does not need transparent mode enabled as it will receive requests on 3128.

                    If possible, can you explain how to do this? Like what settings and all that do I need? I don't really know how to do what you have mentioned.

                    • marcelloc

                      On the first box, create a NAT rule with:
                      Source: LAN net
                      Destination: any
                      Destination port: 80
                      Server IP: second pfSense on DMZ
                      Server port: 3128

                      On the second box enable squid.

                      Elite Training: http://sys-squad.com

                      Help a community developer! ;D

                      • luke240778
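The port-forward marcelloc describes above, together with the "intercept LAN traffic but not the cache server's own traffic" point and the LAN / WAN / OPT1 diagram from earlier in the thread, boils down to a handful of pf rules on the first box. The block below is an added example written for this thread, not marcelloc's configuration or anything pfSense generates verbatim; the interface names (em1 for LAN, em2 for OPT1/DMZ), the LAN subnet and the squid box address 192.168.2.2 are assumptions chosen for illustration.

```pf
# Added example for the first (main) pfSense box: raw pf equivalent of the
# GUI port-forward described in the thread. Names and addresses are assumed:
#   em1 = LAN, em2 = OPT1/DMZ, squid box at 192.168.2.2 listening on 3128.
lan_if     = "em1"
lan_net    = "192.168.1.0/24"
dmz_if     = "em2"
squid      = "192.168.2.2"
squid_port = "3128"

# Redirect LAN clients' outbound HTTP to the squid box. The rule is bound to
# the LAN interface and LAN subnet, so the squid box's own fetches (which
# arrive on OPT1 and leave via WAN) never match and cannot loop back into it.
rdr on $lan_if inet proto tcp from $lan_net to any port 80 -> $squid port $squid_port

# Filtering happens after translation, so the pass rule must match the
# rewritten destination (squid box, 3128), not "any port 80".
pass in quick on $lan_if inet proto tcp from $lan_net to $squid port $squid_port keep state

# The cache box may not initiate connections into the LAN; replies to the
# redirected client connections still flow because they match existing state.
block in quick on $dmz_if from $squid to $lan_net

# What the cache box needs to do its job: DNS, and HTTP/HTTPS to the internet.
pass in quick on $dmz_if inet proto { tcp udp } from $squid to any port 53 keep state
pass in quick on $dmz_if inet proto tcp from $squid to any port { 80 443 } keep state
```

Two practical notes. In the pfSense GUI the rdr and its associated pass rule are created for you when you add the port forward ("Firewall: NAT: Port Forward") with the source, destination and redirect target shown in the post; the rules above are what that entry produces underneath. Also, because the redirect leaves the browser's request untouched, the squid box receives origin-form requests (`GET /path HTTP/1.1` plus a Host header) rather than proxy-form ones, so the port that receives them must be marked for interception in squid.conf (`http_port 3128 transparent` on Squid 2.x/3.1, `http_port 3128 intercept` on 3.2 and later), and only port 80 is caught; HTTPS continues out the normal path because the rdr rule does not match it.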

                        @marcelloc:

                        On the first box, create a NAT rule with:
                        Source: LAN net
                        Destination: any
                        Destination port: 80
                        Server IP: second pfSense on DMZ
                        Server port: 3128

                        On the second box enable squid.

                        So, squid in transparent mode and all that is set up on the first box? As in, all of the cache management settings have to be set up on the first box?
                        Lightsquid is set up on which box? If it has to be that cache and lightsquid are set up on the second box, how can I transfer all lightsquid logs from the first box to the second one? I would like all of the data that I see now in my lightsquid reports to still be there in the new setup, combined with all new data.

                        In the past I think you mentioned that in this setup squid needs to be installed on both boxes. I just wonder where all the settings for cache management need to be set up; I would guess the second box, but I don't see how I can have squid enabled on the first box without any settings.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.