Netgate Discussion Forum

How-To: 2.0 Load-Balance + Transparent Squid (3 easy steps)

Routing and Multi WAN
36 Posts 20 Posters 46.6k Views
heper:

@frater

I honestly have trouble seeing the meaning in what you are trying to do ...

- transparent squid will only accept http traffic ... so no https is going over squid.
- you can set different gateway groups per interface, and you can apply different gw groups to different rules on the same interface.
- in theory, if you use loadbalancing on port 80 and transparent squid is enabled on the interface, all http traffic will go over squid to the loadbalancer.

Could you clarify why you'd want to "identify" squid traffic and mark it?
frater:

I want to use squid for only a few LAN interfaces.

Now all traffic to port 80 will go to the loadbalancing gateway,
even if I set it to a certain gateway before.
I guess that traffic gets intercepted by this reroute rule.
I don't want this.

I just want the traffic coming from squid to go through the loadbalancer.
I can't use the source address (127.0.0.1) anymore, as the source address is already the WAN IP.

I just mentioned https because they more often have problems with loadbalancing.

But do you know enough about pf to confirm/deny that the tagging rule will never be executed because it is later in the rule list?
heper:

https does not go over port 80, so that rule will only affect http.

Did you set "tcp_outgoing_address 127.0.0.1" in squid? I'd think you should be able to use it as a source address in your floating rule.
frater:

@heper:

    https does not go over port 80, so that rule will only affect http

I know it doesn't (at least normally).
Please forget I ever mentioned it ... As I said, I just mentioned https because these sites have even more problems with round-robin.
This issue with squid has nothing to do with https, nor did I think it had.

    did you set the "tcp_outgoing_address 127.0.0.1" in squid ? I'd think you should be able to use it as a source address in your floating rule

Yes, I did.
It IS working (the loadbalancing), but it's loadbalancing all traffic to port 80.
I think most people either use squid on all LAN interfaces or they don't use it.

This traffic is indeed coming from 127.0.0.1, but not anymore when that rule is applied.
Turn on logging and check it.
The moment that floating rule is executed, the source address is the WAN IP (as you can see when you log it).
The filter is apparently between the WAN IP and the WAN gateway, which makes sense.
So I have no way of distinguishing between the normal traffic going to port 80 and the traffic to port 80 coming from squid.

I think it even would work if I am able to get it like this:

    pass out log on lo0 all flags S/SA route-to { (pppoe0 217.16.40.239), (dc0_vlan13 89.250.180.1), (dc0_vlan10 89.250.179.1) } round-robin inet proto tcp from any to any port = http flags S/SA keep state label "loadbalance for Squid"
    pass out on lo0 all flags S/SA keep state label "pass loopback"

The webif doesn't let me control the lo0 interface, and that second line is being put there by the system.
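The two questions raised in this exchange (does a tagging rule placed later in the list ever run, and why a WAN-side rule no longer sees 127.0.0.1 as the source) come down to two properties of pf: the last matching rule wins unless a matching rule carries `quick`, which ends evaluation immediately, and outbound NAT is applied before the filter rules on the outgoing interface. The following toy evaluator is an added example, not code from this thread or from pfSense/pf; the rule labels, the WAN address, the gateway-group name "GWbalance" and the assumption that the balancing floating rule is marked `quick` (as pfSense's GUI-generated interface rules are) are all constructed for the illustration.

```python
"""Toy model of pf rule selection, illustrating the question in the thread:
does a later tag rule ever run, and why is the source no longer 127.0.0.1
once the packet is filtered on the WAN side?

Added example, not code from the thread or from pfSense/pf. Rule and packet
fields are simplified; labels, addresses and the gateway-group name are
constructed. Two facts of pf are modelled:
  1. Rules are evaluated top to bottom and the LAST matching rule wins,
     unless a matching rule carries `quick`, which ends evaluation at once.
  2. Outbound NAT is applied before the filter rules on the outgoing
     interface, so a WAN-side filter rule sees the translated source.
"""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass
class Packet:
    iface: str          # interface the packet is leaving on
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    label: str
    iface: Optional[str] = None      # None = any interface (a "floating" rule)
    src: Optional[str] = None        # None = "from any"
    dport: Optional[int] = None      # None = "to any port"
    quick: bool = False
    route_to: Optional[str] = None   # gateway group to route-to, if any

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and (self.src is None or self.src == p.src)
                and (self.dport is None or self.dport == p.dport))


def evaluate(rules: List[Rule], p: Packet) -> Optional[Rule]:
    """Return the rule pf would apply: last match wins, `quick` short-circuits."""
    winner = None
    for r in rules:
        if r.matches(p):
            winner = r
            if r.quick:
                break
    return winner


def outbound_nat(p: Packet, wan_iface: str, wan_ip: str) -> Packet:
    """Simplified outbound NAT: anything leaving on the WAN gets the WAN address as source."""
    return replace(p, src=wan_ip) if p.iface == wan_iface else p


def thread_scenario() -> dict:
    """Run the thread's set-up through the model and report which rule wins."""
    wan_iface, wan_ip = "pppoe0", "203.0.113.7"        # constructed WAN address
    rules = [
        # Floating rule from the thread: balance all outbound port-80 traffic.
        Rule("loadbalance for Squid", dport=80, quick=True, route_to="GWbalance"),
        # A later rule that tries to single out Squid's own traffic by source.
        Rule("tag squid", src="127.0.0.1", dport=80),
        # The system-generated loopback pass rule.
        Rule("pass loopback", iface="lo0"),
    ]
    # Squid's own connection (tcp_outgoing_address 127.0.0.1) leaving on the WAN.
    squid_out = Packet(wan_iface, "127.0.0.1", "198.51.100.9", 80)

    # 1. With `quick` on the balancing rule, the later tag rule is never reached.
    quick_winner = evaluate(rules, squid_out).label

    # 2. Without `quick`, last-match-wins would let the tag rule win ...
    no_quick = [replace(r, quick=False) for r in rules]
    before_nat = evaluate(no_quick, squid_out).label

    # ... but on the WAN the source has already been rewritten, so it never matches.
    after_nat = evaluate(no_quick, outbound_nat(squid_out, wan_iface, wan_ip)).label

    return {"quick_winner": quick_winner,
            "no_quick_before_nat": before_nat,
            "no_quick_after_nat": after_nat}


if __name__ == "__main__":
    for k, v in thread_scenario().items():
        print(f"{k:22s} -> {v}")
```

The model deliberately leaves out `rdr` and the sticky behaviour of pf tags; its point is only that a source-based rule on the WAN side cannot see the loopback address once outbound NAT has run, which is exactly what the logging in the post above shows.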
azizth:

Does this tutorial work in the case of gateway fail-over? WAN1 -> tier1 and WAN2 -> tier2
MrsPotter:

Just to answer my own question I posted earlier:

    @heper will any of the above change when the squid is not transparent?

No, from what I'm experiencing, running squid non-transparently does not change the way you set it up. I've got it running and it performs rather well. ;D

See http://forum.pfsense.org/index.php/topic,43420.msg243601.html#msg243601
DimitriS:

Hello pfSense users around the world!

Since I wrote "pfSense Squid Web Proxy with multi-WAN links" (http://forum.pfsense.org/index.php/topic,37083.0.html), I noticed some issues with DNS. When my default gateway failed, the following problems appeared:

• SQUID proxy won't work anymore
• pfSense configuration interface is very slow
• DNS resolution is not working (or working very slowly): https://PFSENSE_IP/diag_dns.php

To bypass this problem, I updated my configuration:

• Configure two open DNS servers (Google DNS: 8.8.8.8 and L3 DNS: 4.2.2.2)
• Force these DNS servers in the Proxy Server config (may not be required, but it might help)
• Create a new floating rule to correctly fail over DNS resolution (most important thing)

See attached pictures for details here: http://forum.pfsense.org/index.php/topic,37083.msg299568.html#msg299568

Regards (your feedback is always appreciated!),

Dimitri Souleliac
tupm:

Why create a "Floating Rule"? Is it necessary?

Why put static IPs on WAN connections if you said you were DHCP?

In my case, I have the same configuration as you, but the swing is BAD.

I have two links that are exactly the same, both are cable modem; the DHCP (ISP) sets the IP for WAN1 and WAN2 ...

The problem is that I see pfsense always use one more than the other (for example 70% of traffic routed to WAN and 30% routed to WAN2), I mean it does not use 50% and 50%, so to say ... why?????

In my case, my LAN is just a couple of devices ....

I need that for every request to the web, it sends one to WAN1 and the other to WAN2 (for example), whether or not they come from the same source IP. Most of the time I have one client (so, me).

example:

WAN1 DHCP
WAN2 DHCP
LAN static
ONLY ONE CLIENT (my laptop for example)

Start download from kernel.org .... ok, I want pfsense to route to X wan, for example WAN1

and start download from cisco.com ... ok, I want pfsense to route to WAN2 !! not WAN1 ....

HOWTO?

thanks, sorry for my english...
fabianoheringer:

Hi, for some reason this setup doesn't work with the 2.0.3 version, only 2.0.2 or less ... any suggestions?
Thanks
Kababayan:

It works for me using pf 2.0.3. Make sure to make Gateway Groups, say we name it "GWbalance". In your LAN firewall rule add:

    proto=* source=* port=* dest=* port=* gateway=GWbalance queue=none description=allow LAN to any rule on GWbalance

On floating rule add this, assuming 3128 is your squid proxy port:

    proto=* source=* port=* dest=pfsense_IP dest port=3128 gateway=GWbalance queue=none description=Squid

Interface is LAN. Hope that helps. To check if your WAN gateways are working, open a torrent file (I use uTorrent), change preferences to use a proxy and put your squid proxy config in your torrent program. Get a fast torrent file (many seeders) and start downloading. Add a traffic graph in your pfsense dashboard and expand all interfaces to see the traffic graph of each one.
biolinh:

Step 3:
Don't forget to tick the Squid checkbox Transparent Proxy!

Add this text to Squid Custom Options:

    tcp_outgoing_address 127.0.0.1

My Squid version is 0.4.36_2.

Then I expand Advanced Features:
I saw three options:

• Custom Options (Before Auth)
• Custom Options (After Auth)
• Custom Options (SSL/MITM)

So in which box should I enter this command?
doktornotor (Banned):

Sir, this thread is about pfSense 2.0 and has been resting in peace for 4 years until you've summoned the zombies.