New HOWTO: pfSense Squid Web Proxy with multi-WAN links (it works!)

a_ghellam

**Dear,
Thanks a lot for your post,
  I would like to know if it works also for multiwan loadbalancing (NOT FAILOVER), because when i used to config multi wan (WAN1= 1 Mb and WAN2= 1Mb from two different ISP) and add a rule in LAN interface for multigateway, my download reach the 2 Mb without installing SQUID and other dependencies. However when i install the squid and it's dependencies and configure it on lan and transparent proxy my download limit reach 1 Mb.
  I read that Squid doesn't allow multigateway, So if i can have a solution for my problem i'll appreciate a lot.

Best Regards,**

pubmsu

Based on this HOW TO and the other 3-easy-steps HOW TO, I have the questions as posted in this other thread:

http://forum.pfsense.org/index.php/topic,38882.msg233730.html#msg233730

So what's the current status and conclusion on this topic? Does it do loadbalancing?

skyrice

Have set up my failovers etc all work fine. I have default rule for everyone to use WAN1 failover to WAN2 and then have a few select ip addresses using WAN2 failover to WAN1 (these are IP's with large upload rates so dont affect others internet performance). So far none of the threads on this issue have gotten this setup to work. Everything ends up through WAN1.
About to attempt converting to VM and having 3 virtual pfSense boxes. 1 for multiwan and then 2 others as squid boxes for each connection

LAN –> pfSense1(Multiwan) --> pfSense2(Squid+SquidGuard) --> WAN1
                                      --> pfSense3(Squid+SquidGuard) --> WAN2

anyone with a more elegant solution to this please post the answer soon as the above just looks painful (2 lots of proxies to configure keep up-to-date + having to setup 3 VM machines).

twinfield

@skyrice

I appear to be in the same situation.  Is there a particular reason you are putting your proxies on the WAN side rather than the following:

/–--> WAN0
LAN -----> Proxy -----> pfsense MultiWAN ---+
                                                                ----> WAN1

Is there a performance improvement to using a separate proxy for each WAN?  I was intending to set things up this way for my purposes but would like to know if there is any advantage to your method.  Thanks

M4estre

its works with balance only, failover and squid cant work together, someone else have this problem too?

pccom

I learn set up multi-wan from this video.
http://www.youtube.com/watch?v=exa9OxyZ84U&feature=related
Why this video did not use floating rule?

I found Squid not working when Samba started. I manually run squid -z then /usr/local/etc/rc.d/squid.sh restart
Now it is working.

manfisto

@twinfield:

@skyrice

I appear to be in the same situation.  Is there a particular reason you are putting your proxies on the WAN side rather than the following:

/–--> WAN0
LAN -----> Proxy -----> pfsense MultiWAN ---+
                                                                ----> WAN1

Is there a performance improvement to using a separate proxy for each WAN?  I was intending to set things up this way for my purposes but would like to know if there is any advantage to your method.  Thanks

I am having the same setup as yours just that its different appliance.

|–---> WAN0
                                                                                    |-----> WAN1
LAN -----> Pfsense Squid Proxy -----> MultiWAN Appliance ---+
                                                                                    |-----> WAN2
                                                                                    |-----> WAN3

Currently it is working fine but its not gonna be long once the campus subscribe to 4 x 40mb lines = 160mbps.
My appliance is running on a 100based which the LAN port will become the bottleneck if i continue to use the appliance.
However, my Pfsense is running on R300 server with multiple network gigabit network ports.
Therefore, I am looking at this solution as well, anyone been able to make it work,
as in Pfsense + Squid +SquidGuard + MultiWAN loadBalance + Failover?

jikjik101

try the HOWTO except step 3.
for step 4, select LAN only, do not include LOOP.
tcp_outgoing_address 127.0.0.1 will be automatically added.

darkknight

Hi all!

And, what about:

VLAN1 (failover A)\                                                                                                              * WAN 1
VLAN2 (failover B) _____________________\ Squid Proxy Server__________\ pfSense 2.0.1/ * WAN 2 (default gateway)
VLAN3 (failover C) /                                      /                                          /                        \  * WAN 3
VLAN4 (failover C)/

(there's no network on LAN, except the VLAN'S)

Here, for a while, we'll use the proxy in not the transparent mode.
i.e., I'm in the VLAN1, proxy is in the VLAN2. When I set the proxy settings into the browser, I access the internet through VLAN2's gateway.
Is there a better way to do this?

Sorry the English…

DimitriS

Hello pfSense users around the world!

I'm back for another mission in Haiti dealing with pfSense firewall and Multiwan!!

Since I wrote the "pfSense Squid Web Proxy with multi-WAN links", I noticed some issue whith the DNS. When my default Gateway failed, following problems appears:

• SQUID proxy won't work anymore
• pfSense Configuration interface is very slow
• DNS solving is not working (or working very slow) : https://PFSENSE_IP/diag_dns.php

To bypass this problem, I update my configuration:

• Configure two open DNS servers (Google DNS : 8.8.8.8 and L3 DNS : 4.2.2.2)
• Force theses DNS in the Proxy Server config. (may not required, but it might helps)
• Create and new floating rule to correctly failover DNS solving (most important thing)

See attached pictures for details.

Regards (your feedback is always appreciated!),

Dimitri Souleliac


hyrol

Hi all,

In my observation proxy slowed, starting at floating rules.  ???

karlmathew

Hi Dimitris,

Thanks for the post, I have been working with this one for almost a month now but i still can't get it right for the pfsense multi-wan with squid. But I have tried your configuration with-out squid, it works perfectly fine..

Can you explain in much more detail about your post and what is the use of each..

like for example
the use of floating rules. (Why have floating rules added?)
why change NAT outbound to Manual?
why add loopback?

and others..

thanks!

dpreviatti

Hello!

I did this configuration and it works!
But when I create a NAT rule to forward a port of WAN1 to a desktop on the LAN, it simply dont work!

I attach screen of the NAT rule and a tcpdump of the port when I try to connect from the outside.

Can anyone help me?


deepakthai

Hi,

Can someone guide me how to fix my issue with mutli wan switching with proxy. Though the floating rules are applied the switching is not working on web browser. Please find the details in my post at the below URL

http://forum.pfsense.org/index.php/topic,57606.0.html

Thanks

athenaxds

Hello guys.

Lately I was searching for answers on how to make squid/lusca run on load balance smoothly.

I have seen DmitriS post and I was convince that it was the solution that I have been searching for.

Anyways I would also like to share a simple way of managing ports in groups by using aliases

CDuv

I'm having concerns with DimitriS's tutorial regarding the NAT Outbound part: is it safe (and not too cumbersome) to switch to a manual (Manual Outbound NAT rule generation / AON - Advanced Outbound NAT) setting ?

I'm actually using Automatic outbound NAT rule generation on my setup which is the following:

,–---{WAN0 interface}–[ ISP0's Modem ]
                                                      /    ,–{WAN1 interface}–[ ISP1's Modem ]
[ LAN switch ]–-{LAN interface}–-[ pfSense ]
                                                      \    –{_WAN2_ interface}–[ ISP2's Modem ]                                                        –---{WAN3 interface}–[ ISP3's Modem ]

I have a load balacing over each WAN0-3 with a Gateway group named GW_LoadBalancing that is used in the following Firewall rule:

| ID | Proto | Source | Port | Destination | Port | Gateway | Queue | Schedule |
| | * | LAN net | * | * | * | GW_LoadBalancing | none | |

No servers are housed behind pfSense, appart the IPSec and PPTP VPNs (served by pfSense itself).

Edit: I've tried the "Manual Outbound NAT" setting with advised floating firewall rule and NAT rules: no luck (any proxied request always goes through the same WAN connection) :-/

ccastillop

Hello
I am very glad to use this manual: http://securite-ti.com/pfSense_Web_Proxy_with_multi-WAN_links.pdf
But I spent several hour trying to figure out this error at Squid Proxy response: "invalid request"

So, I have just unchecked "loopback" option inside "Proxy Server" configurations and every thing works as indeed.

Thank you!

hyrol

http://forum.pfsense.org/index.php/topic,59605.0.html

ovi_diu

Hi !

I have 2.0.2 version dual wan with load balancing
Policy-based-route are working great
With squid thinks goes bad
I want Client_1 to pass out from Opt1
I have these confs, but they don't work

LAN: 192.168.0.0/24
WAN1: 89.X.X.X
OPT1: 82.X.X.X

acl Client_1 src 192.168.0.2
tcp_outgoing_address 82.X.X.X Client_1
tcp_outgoing_address 127.0.0.1

What i'm missing ?

Thank you !

jikjik101

put a subnet mask for Client_1.
example:
acl Client_1 src 192.168.0.2/24