Squid with multi wan doesnt work as intended

xbipin · Mar 3, 2013, 4:32 PM

i have 2 wan connections, wan1 i mainly use for voip devices and wan2 for surfing and p2p apps.

i haven't configured any gateway groups for the wan as i need to route traffic to each gateway based on where it originates from on the lan.
DNS servers i have configured without any gateways configured and dns forwarder is enabled.
i have created a alias with the lan ips of all the voip devices.
i have a rule under lan which routes all traffic out of wan2 which doesnt originate from a voip device based on the alias.
squid is configured to work as transparent proxy.
squid interface selected is lan.
squid config i have typed all voip devices ip so nothing is cached for voip devices at all.
no custom commands on squid.
AON is selected

now the issue is before i was using squid, when i used to goto an lan pc and check my wan ip it used to give the ip of wan2 connection so basically the routing was all fine, voip out of wan1 and surfing and p2p out of wan2. now with squid, if i goto any of the lan pc and try to check my wan ip its supposed to give me wan2 ip but keeps giving me wan1 ip which means the packets r going out of wan1 which r supposed to go out of wan2. what i want to know is whats missing or wrong in config or is it a bug?

athurdent · Mar 3, 2013, 5:18 PM

Have a look here, never tried it but it makes sense to me:
http://www.communig8.com/articles/64-open-source/137-pfsense-multi-wan-how-to-really-make-it-work

xbipin · Mar 4, 2013, 5:04 AM

thanks for the link but i have read those old configs before also but my setup is different, i dont want to use my multi wan as load balancer or fail over, i want to route specifically based on originating ip and if u see my rules, it works fine without squid but with squid, traffic goes out of the wrong interface

athurdent · Mar 4, 2013, 5:39 AM

Hmm, thought, that a combination of having Squid use 127.0.0.1 as outgoing address and a well crafted floating rule with gateway wan2 might work.

xbipin · Mar 4, 2013, 12:05 PM

in squid i typed this

tcp_outgoing_address 127.0.0.1;

on floating tab i created a rule

pass
quick disabled
interface wan1 and wan2
direction out
protocol tcp
source and destination any
source port any
destination port 80
gateway wan2

and i logged packet also and it seems it still goes out of wan1 instead of wan2

xbipin · Mar 4, 2013, 12:07 PM

here r some screenshots

athurdent · Mar 4, 2013, 12:22 PM

Does the rule get any hits, do you see log entries for it? Otherwise there might be interference with pfSense internal rules, I guess.

xbipin · Mar 4, 2013, 12:25 PM

yes the floating rule gets hits but interface is always shown as wan1 inspite of me routing out of wan2 using the rule so probably it has some bug i guess unless there is something else to be configured.

i use whatsmyip etc to check the ip and all say traffic is coming from wan1 instead of wan2

athurdent · Mar 4, 2013, 1:12 PM

Tried to replicate it, but I am getting the same results you get. Seems there's something more involved. When I use Quick for the rule, the traffic hits the ruleset twice and it dows not work at all. But I cannot debug this further now, sorry. I'm not at home and might lock myself out playing with the ruleset too much ;)
I remember there was something about negate rules, but I am not sure if that applies to this problem.

Edit: The "Squid-way" to solve this would simply be

tcp_outgoing_address <wan2 ip="" address="">;</wan2>

Don't know how complicated it would be to make the outgoing address an option in the Squid package, though.

xbipin · Mar 4, 2013, 1:18 PM

http://redmine.pfsense.org/issues/2854

xbipin · Mar 4, 2013, 2:17 PM

@athurdent:

Tried to replicate it, but I am getting the same results you get. Seems there's something more involved. When I use Quick for the rule, the traffic hits the ruleset twice and it dows not work at all. But I cannot debug this further now, sorry. I'm not at home and might lock myself out playing with the ruleset too much ;)
I remember there was something about negate rules, but I am not sure if that applies to this problem.

Edit: The "Squid-way" to solve this would simply be
tcp_outgoing_address <wan2 ip="" address="">;</wan2>
Don't know how complicated it would be to make the outgoing address an option in the Squid package, though.

provided the wan ip never changed

athurdent · Mar 4, 2013, 3:13 PM

Like I said, an option in the package would be needed for that.

marcelloc · Mar 19, 2013, 2:12 PM

@athurdent:

Like I said, an option in the package would be needed for that.

just put it(tcp_outgoing_address <wan2 ip="" address="">;) on custom_options.

You will need to update it every time you get a new wan address if you do not have a static wan.</wan2>

xbipin · Mar 19, 2013, 3:25 PM

thats the whole thing, i dont have a static ip so why not use some coding to feed in ip when it changes to it, mayb a drop down similar to gateway which can be selected and it changes with ip change