PfSense 2.1 Floating rules for Multi Wan doesn't work.

miami71it · Sep 20, 2013, 10:09 AM

scusa non capisco provo a postarti le cose che ho fatto

alias : host(s) e poi sotto ho aggiunto www.speedtest.net
ruels : Pass - LAN - IMCP - any - 192.168.0.15 - speedtest.net - GTWOPT1

la regola l'ho messa anche in varie posizioni ma non va se vado su speedtest mi mostra l'ip della WAN e non della OPT1 e funziona se spendo la WAN mi va in failover e solo in quel caso va in OPT1

ma la mia domanda era oltre a fare la regola su ruels devo fare qualcosa su out/nat ecc ecc?

doktornotor · Sep 20, 2013, 10:27 AM

Uh, English please!

hyrol · Sep 23, 2013, 3:16 AM

I have been using another method "Use sticky connections", but not Load Balacing i want, it is just temporary use.

![Use sticky connections.png](/public/imported_attachments/1/Use sticky connections.png)
![Use sticky connections.png_thumb](/public/imported_attachments/1/Use sticky connections.png_thumb)

technical · Sep 26, 2013, 4:32 PM

i stuck that problem to 2.1

squid - (wpad configured) - loadbalance not working.

gautham1435 · Sep 28, 2013, 11:48 AM

Hi..

I've done extensive tests on pfSense 2.1 with multiwan load balancing, squid and squidguard. I've followed the same configuration which was working on pfSense 2.0.3 (with floating rules, manual NAT, tcp_outgoing_traffic 127.0.0.1 custom option, etc.,).

But now in 2.1 load balancing is not working with squid, it only uses the default gateway.
Failover is working with squid.

Load balancing and failover mutiwan works perfectly fine without squid.

Is there any specific configuration required for making squid use the load balancing feature and in 2.1 version.

Please help!!

fisi91 · Oct 8, 2013, 6:56 PM

I've got the same problem with squid and multiWAN since Upgrade to 2.1…
Only WAN(1) default WAN is used by squid, not WAN2 + WAN3 into Gateway-Group on Same
Tier1.

klazoid · Oct 12, 2013, 6:03 PM

I didn't have a two-WAN setup prior to 2.1.
Now I have two WAN and I tried to setup one using the pdf from Dimitri S.
Like others already mentioned, only the default gateway is used.
From the moment I define floating rules (the solution in 2.x), all hell brakes lose and connections time-out.
Without floating rules, default gateway is used.

WAN 1 = DHCP
WAN 2 = local ip of ISP router as gateway with FULL NAT to pfSense

Squid isn't transparant and listens to port 8080.

I'm now even in a situation where my https filter got broken :(
Blame me for not taking a snapshot prior to this change.

This guy is having the same problems: http://forum.pfsense.org/index.php/topic,67215.0.html

On top of this, I noticed that when running squid (2.7 and 3), the multi-wan environment seems to not work. Even after trying the well written guides on the forum. As an example, without squid, I can get speedtest results that reflect wan1 + wan2 + wan3. With squid enabled, I just get a speedtest result of wan1 (the default gateway). And if wan1 is switched off, internet access dies with it.

Is there someone with a working loadbalance setup on 2.1?

klazoid · Oct 14, 2013, 4:38 PM

I did a totally clean setup last Saturday when I left the office. When I came back on Monday, I saw +5GB traffic on the traffic summary of both interfaces. I opened the traffic graphs and saw traffic on both interfaces. Not sure why it suddenly worked. No floating rules, no custom options on squid, default allow –> gateway, sticky connections and switch gateway is on.

gautham1435 · Oct 21, 2013, 7:46 AM

Hi klazoid,

I think some other service/application/browser must have used the bandwidth without proxy..

ruggero · Oct 25, 2013, 6:46 PM

i think i have a solution :
instead of squid use squid3_dev .

in custom options :
"
acl venticinque random 1/4
acl settantacinquediv2 random 0.5

tcp_outgoing_address 192.168.4.1 venticinque

tcp_outgoing_address 192.168.3.1 settantacinquediv2

tcp_outgoing_address 192.168.2.1

"

i have three wan with different speed so i try to balance the throughput with different weigth

gautham1435 · Oct 26, 2013, 5:35 AM

Hi Ruggero,

Can you write this in clear steps..

Thanks in advance..

ruggero · Oct 26, 2013, 5:54 PM

first install squid3-dev from available packages.

++++++in this way you can use configuration directive acl random .
from squid doc :
changes in 3.2 acl : random

New type random. Pseudo-randomly match requests based on a configured probability .

now you can do all the configuration you need for multiwan in Custom options - Custom setting of proxy server.

in my situation ( 3 wan ) :

"
acl venticinque random 1/4
acl settantacinquediv2 random 0.5

tcp_outgoing_address 192.168.4.254 venticinque

tcp_outgoing_address 192.168.3.254 settantacinquediv2

tcp_outgoing_address 192.168.2.254

"

192.168.4.254 = ipv4 address wan 1
192.168.3.254 = ipv4 address wan 2
192.168.2.254 = ipv4 address wan 3

random 1/4 = 25 % = wan1 25% of traffic
random 0.5 = (100-25)/2 = wan2 37,5 % of traffic
else = wan3 37,5 % of traffic

i do this because my 3 wan are not equal.

in case of 2 wan :

"
acl cinquanta random 0.5

tcp_outgoing_address 192.168.4.254 cinquanta

tcp_outgoing_address 192.168.2.254

"

you do not need extra rule on firewall ( floating rule ) .
Also it bypass gateway groups.

hyrol · Oct 28, 2013, 2:49 AM

Squid3 not stable, i try install i check in services, always stop services, how about when i have PPPoE Multi-WAN dynamic IP. Can u screen capture in Custom options.

ruggero · Oct 28, 2013, 3:15 AM

squid3 need lib update.
check squid 3.3.4 package for pfsense with ssl filtering

technical · Oct 28, 2013, 8:42 AM

So i understand but some ppl using wan interface for bridge mode (pppoe) .
what they can do bridge (pppoe) users.
and some ppl have dynamic wan ip adresses.

@ruggero:

first install squid3-dev from available packages.

++++++in this way you can use configuration directive acl random .
from squid doc :
changes in 3.2 acl : random

New type random. Pseudo-randomly match requests based on a configured probability .

now you can do all the configuration you need for multiwan in Custom options - Custom setting of proxy server.

in my situation ( 3 wan ) :

"
acl venticinque random 1/4
acl settantacinquediv2 random 0.5

tcp_outgoing_address 192.168.4.254 venticinque

tcp_outgoing_address 192.168.3.254 settantacinquediv2

tcp_outgoing_address 192.168.2.254

"

192.168.4.254 = ipv4 address wan 1
192.168.3.254 = ipv4 address wan 2
192.168.2.254 = ipv4 address wan 3

random 1/4 = 25 % = wan1 25% of traffic
random 0.5 = (100-25)/2 = wan2 37,5 % of traffic
else = wan3 37,5 % of traffic

i do this because my 3 wan are not equal.

in case of 2 wan :

"
acl cinquanta random 0.5

tcp_outgoing_address 192.168.4.254 cinquanta

tcp_outgoing_address 192.168.2.254

"

you do not need extra rule on firewall ( floating rule ) .
Also it bypass gateway groups.

ataru75 · Dec 3, 2013, 12:06 AM

hi, here it does not work the "acl random" always comes out with the wan1.
I have version 2.1 and squid pfsense 3.3.8-dev pkg 2.2.

here is my custom options

acl fifty random 0.5 (I also tried 1/2 instead of 0.5)
tcp_outgoing_address fifty 192.168.100.2 (no gateway ip, ip pfsense wan1)
tcp_outgoing_address 192.168.2.3 (not ip gateway, ip pfsense WAN2)

here continue to browse only the wan1 while if I disable the transparent proxy balancing works well.
Works to you?
how did you set the "outbound nat" in automatic or manual?
thanks
bye

–-------------------------------------------------------------------------------------
correction, with the "Automatic outbound NAT rule generation" everything works.

Thank you, Regards

Reiner030 · Dec 3, 2013, 2:04 PM

Hi,

nice idea with the different tcp_outgoing addresses…
I found yesterday also a site which show this option (before I found this thread ^^):
http://linuxaria.com/pills/setup-squid-to-use-multiple-outgoing-ip-addresses

This thread seems the only one (with "content") who mentioned that there is a bug in pfSense 2.1 with floating rules.
Because of right topic I add my information here, too.

Since update from 2.0.1 to 2.1.0 we have in remote office also the problem that only our default WAN interface is accessible from outside... :( Here my test from yesterday night; we are using there 1st WAN with PPPoE, 2nd WAN with local modem-router.

Here each a test to http://ident.me :

21:48:14.600710 IP 177.103.xxx.xxx.51527 > 176.58.123.25.32362: Flags [s], seq 1591963423, win 65228, options [mss 1452,nop,wscale 7,sackOK,TS val 1064842937 ecr 0], length 0
21:48:17.599925 IP 192.168.0.2.4478 > 176.58.123.25.80: Flags [s], seq 1591963423, win 65228, options [mss 1452,nop,wscale 7,sackOK,TS val 1064845937 ecr 0], length 0
21:48:20.799857 IP 192.168.0.2.4478 > 176.58.123.25.80: Flags [s], seq 1591963423, win 65228, options [mss 1452,nop,wscale 7,sackOK,TS val 1064849137 ecr 0], length 0
21:48:23.999792 IP 192.168.0.2.4478 > 176.58.123.25.80: Flags [s], seq 1591963423, win 65228, options [mss 1452,sackOK,eol], length 0
21:48:27.199723 IP 192.168.0.2.4478 > 176.58.123.25.80: Flags [s], seq 1591963423, win 65228, options [mss 1452,sackOK,eol], length 0
21:48:30.399660 IP 192.168.0.2.4478 > 176.58.123.25.80: Flags [s], seq 1591963423, win 65228, options [mss 1452,sackOK,eol], length 0

[code]21:51:46.841211 IP 192.168.0.2.1286 > 176.58.123.25.24577: Flags [s], seq 187921402, win 65228, options [mss 1452,nop,wscale 7,sackOK,TS val 1065055182 ecr 0], length 0
21:51:49.840521 IP 177.103.xxx.xxx.23922 > 176.58.123.25.80: Flags [s], seq 187921402, win 65228, options [mss 1452,nop,wscale 7,sackOK,TS val 1065058182 ecr 0], length 0
21:51:53.040452 IP 177.103.xxx.xxx.23922 > 176.58.123.25.80: Flags [s], seq 187921402, win 65228, options [mss 1452,nop,wscale 7,sackOK,TS val 1065061382 ecr 0], length 0
21:51:56.240386 IP 177.103.xxx.xxx.23922 > 176.58.123.25.80: Flags [s], seq 187921402, win 65228, options [mss 1452,sackOK,eol], length 0
21:51:59.440321 IP 177.103.xxx.xxx.23922 > 176.58.123.25.80: Flags [s], seq 187921402, win 65228, options [mss 1452,sackOK,eol], length 0

Interesting part: the 1st line connects over backup WAN Interface with right IP but to wrong destination port... and every repeated initializing packet goes to right destination port but over wrong main WAN interface ?

I was thinking about testing today if there is a difference between localhost and lan interface by accessing remote pbx but I forgot to deactivate floating rules so the employees had tested it before I had time for it ^^.

Using normal rules works nice so it must be a floating rule bug... 
=> Is it perhaps possible easy to fix it with a "remote github" patch ?

First I was not sure if it's really a floating rule bug because
[list]
[li] incoming connections to firewall on slave WAN interface are unusable since update, too.
If you have same problems here the solution:
=> I fixed it with NATting:[list]
[li]WAN1:22   => localhost:22,[/li]
[li]WAN1:443 => localhost:443,[/li]
[li]WAN2:22   => localhost:22 and[/li]
[li]WAN2:443 => localhost:443.[/li]
[/list][/li]
[li]DynDNS service can't be updated anymore, too...
But the service should be bound on 2nd WAN interface directly?[/li]
[/list]

Bests[/s][/s][/s][/s][/s][/code][/s][/s][/s][/s][/s][/s]

Reiner030 · Dec 3, 2013, 5:14 PM

mmh… addititional strange behavior... I manually run / later re-checked on webgui.
The registered dynamic name service is registered to use WAN2 ... but got IP from WAN1 and switched here to wrong IP

Dec 3 14:55:58	php: rc.dyndns.update: phpDynDNS (xxx.no-ip.org): (Success) DNS hostname update successful.
Dec 3 14:55:58	php: rc.dyndns.update: phpDynDNS: updating cache file /conf/dyndns_wannoip'xxx.no-ip.org'0.cache: 177.103.xxx.xxx
Dec 3 14:55:57	php: rc.dyndns.update: DynDns (xxx.no-ip.org): 177.103.xxx.xxx extracted from checkip.dyndns.org
Dec 3 14:55:57	php: rc.dyndns.update: DynDNS (xxx.no-ip.org): Current Service: noip
Dec 3 14:55:57	php: rc.dyndns.update: DynDNS (xxx.no-ip.org): DynDns _checkStatus() starting.
Dec 3 14:55:56	php: rc.dyndns.update: DynDNS (xxx.no-ip.org): DynDns _update() starting.
Dec 3 14:55:56	php: rc.dyndns.update: DynDns (xxx.no-ip.org): DynDns: cacheIP != wan_ip. Updating. Cached IP: 201.83.xxx.xxx WAN IP: 177.103.xxx.xxx
Dec 3 14:55:56	php: rc.dyndns.update: DynDns (xxx.no-ip.org): Current WAN IP: 177.103.xxx.xxx Cached IP: 201.83.xxx.xxx
Dec 3 14:55:56	php: rc.dyndns.update: DynDns (xxx.no-ip.org): 177.103.xxx.xxx extracted from checkip.dyndns.org
Dec 3 14:55:53	php: rc.dyndns.update: DynDNS (xxx.no-ip.org): running get_failover_interface for wan. found re0
Dec 3 14:55:53	php: rc.dyndns.update: DynDns (xxx.no-ip.org): 177.103.xxx.xxx extracted from checkip.dyndns.org
Dec 3 14:55:53	php: rc.dyndns.update: DynDns: updatedns() starting

Perhaps better for a new thread:
Why is checkip.dyndns.org used for other dyndns services ?
Would be nice if checking service can be made selectable.

I knew its is / was a nice service. But since yesterday I don't think so anymore…
I used them for my SQuiD loadbalancing tests... and got 127.0.0.1 back :D

Also DynDNS won't check IPv6 addresses because they say in their supportforum it would always stay same IP.
Ok this should be normally the case (especially for firewalls) but it would be nice service to get them either in response for re-check settings.

http://ident.me offer IPv6/IPv4 address and showed me yesterday 127.0.0.1 and the right local IP address in answer page.
http://v4.ident.me only IPv4
http://v6.ident.me only IPv6

Reiner030 · Dec 3, 2013, 8:19 PM

Hi,

on normal usage a very nice option ;)

@ruggero:

i think i have a solution :
instead of squid use squid3_dev .

in custom options :
"
acl venticinque random 1/4
acl settantacinquediv2 random 0.5

tcp_outgoing_address 192.168.4.1 venticinque
tcp_outgoing_address 192.168.3.1 settantacinquediv2
tcp_outgoing_address 192.168.2.1

I justed tested it with this additional ACL RegEx (needs perhaps some improvements) so we can let Youtube videos through the good line and block it in the not so good backup line:

acl_youtube urlpath_regex http://www.youtube.com/watch\?v=.*
acl wan2 random 1/2

tcp_outgoing_address <wan1 ip=""> youtube
tcp_outgoing_address <wan2 ip=""> wan2
tcp_outgoing_address <wan1 ip=""></wan1></wan2></wan1>

Pitily there is a problem if one of the lines are down… then every x request is timing out... :(

Is it perhaps possible to let SQuiD know by local files/checks what lines are up?

Not very RAM friendly would be a solution to run for each WAN interface a SQuiD instance and in front of it the main SQuiD with these SQuiDs as parents... then he can auto-select/fallback as he is allowed to ask them by rule.

Reiner030 · Dec 4, 2013, 7:15 PM

@Reiner030:

acl_youtube urlpath_regex http://www.youtube.com/watch\?v=.*
acl wan2 random 1/2

tcp_outgoing_address <wan1 ip=""> youtube
tcp_outgoing_address <wan2 ip=""> wan2
tcp_outgoing_address <wan1 ip=""></wan1></wan2></wan1>

ah, squid3-dev matches irregulary in transparent mode also urlpath_regex - correct is url_regex.
And I added further sniffed URLs also for HTML5 blocking (perhaps too much, but better than too few ;)):

acl Youtube_Streams url_regex (youtube.com|youtube.be|m.ytimg.com|s.ytimg.com|s2.ytimg.com|s3.ytimg.com|googlevideo.com)/(.*\.(flv|swf)|player204|stream_204|watchtime|generate_204|videoplayback)

tcp_outgoing_address <wan2 ip=""> Youtube_Streams</wan2>

Actual my testing "live" pfSense goes out only on WAN1 even I set tcp_outgoing_address onto WAN2 IP ???.
So I can't test it correctly but I guess it can be made shorter like this with ReGex:

acl Youtube_Streams url_regex (youtube.com|youtube.be|m.ytimg.com|s\d*.ytimg.com|i\d*.ytimg.com|googlevideo.com)/(.*\.(flv|swf)|(player|stream_|generate_)204|watchtime|videoplayback)