Netgate Discussion Forum

    Squid with Lan1 > Wan1, Lan 2 > Wan2

    Routing and Multi WAN

      coemgen29

      Hello, I'm using pfSense 2.1:

      With firewall rules, I can get computers A, B, C to access the internet only through WAN1, and D, E, F only through WAN2.
      But when I ask Squid to bind interfaces LAN1 and LAN2, all traffic passes through only one WAN interface, which is WAN1 (default).

      How can I do this? Is this possible?
      Thanks for your help!  ;)

        rubic

        Try: Proxy server -> General settings -> Custom Options:

        acl LAN1 src 192.168.1.0/24;
        acl LAN2 src 172.16.0.0/16;
        tcp_outgoing_address 'wan1_address' LAN1;
        tcp_outgoing_address 'wan2_address' LAN2

          coemgen29

          It seems to work!
          Thank You!  :)

            coemgen29

            Hmm, after many tests, I don't think it works as I expected.
            I was misled by the Squid cache when checking my WAN IP on www.monip.org or http://whatismyipaddress.com.

            In fact, Squid only uses the default WAN interface specified in System > Routing and doesn't take the custom options into account!

              rbt

              It's working on 2.0.3, dual Wan (no failover, no load balancing).

              Primary Lan goes through first Wan, other Lans use second Wan interface.
              Squid (2.7.9 pkg v.4.3.3) and Squidguard (1.4_4 pkg v.1.9.5) packages installed.

                coemgen29

                @rbt:

                It's working on 2.0.3, dual Wan (no failover, no load balancing).

                Primary Lan goes through first Wan, other Lans use second Wan interface.
                Squid (2.7.9 pkg v.4.3.3) and Squidguard (1.4_4 pkg v.1.9.5) packages installed.

                How did you do it?
                Just with the Squid custom options acl and tcp_outgoing_address?

                Edit: I'm using Squid3 (3.1.20 pkg 2.0.6), I will try to downgrade.

                  rbt

                  @coemgen29:

                  How did you do it?
                  Just with the Squid custom options acl and tcp_outgoing_address?

                  Yes, just as @rubic suggested.

                  @coemgen29:

                  Edit: I'm using Squid3 (3.1.20 pkg 2.0.6), I will try to downgrade.

                  I'm running pfSense on a virtual machine, so I'll make a snapshot and try to upgrade pfSense to 2.1 and after that Squid to 3.x.

                    coemgen29

                    Downgraded to Squid 2.7.9 pkg v.4.3.3,
                    it still does not work  :( Squid always uses the default gateway.

                      coemgen29

                      My Wan1 interface ip is : 10.0.0.100 (default gateway)
                      My Wan2 interface ip is : 192.168.1.100

                      Even if I just set "tcp_outgoing_address 192.168.1.100;", Squid uses the default gateway only (10.0.0.100).

                      Is there maybe an outgoing rule to add?

                        coemgen29

                        Does nobody have an idea how to do policy routing with Squid?  :-[

                          rubic

                          Just tested on 2.1.1-PRERELEASE/Squid 2.7.9. It's working.
                          Uncheck 'Disable X-Forward' and 'Disable VIA' on 'Proxy server: General settings', then open http://all-nettools.com/toolbox/proxy-test.php to make sure traffic does not bypass Squid for some reason.
                          The result must be: "Proxy server detected", "You came from…", "You came via..."

                            coemgen29

                            @rubic:

                            Just tested on 2.1.1-PRERELEASE/Squid 2.7.9. It's working.
                            Uncheck 'Disable X-Forward' and 'Disable VIA' on 'Proxy server: General settings', then open http://all-nettools.com/toolbox/proxy-test.php to make sure traffic does not bypass Squid for some reason.
                            The result must be: "Proxy server detected", "You came from…", "You came via..."

                            "Disable X-Forward" and "Disable VIA" are already unchecked (default). Obviously it doesn't work.

                            Here are the results:

                            You came from 172.16.0.2(172.16.0.2)
                            You came via 1.1 xxxx:3128 (squid/2.7.STABLE9)
                            Remote address 82.x.x.x.x (WAN1 Public IP)
                            Remote host 82.x.x.x (WAN1 Public IP)

                            Remote addresses should be 109.x.x.x (WAN2 Public IP)

                              rubic

                              @coemgen29:

                              My Wan1 interface ip is : 10.0.0.100 (default gateway)
                              My Wan2 interface ip is : 192.168.1.100

                              The problem may be that you have the same ip subnet on different interfaces (WAN2, LAN1). Do you?

                                coemgen29

                                @rubic:

                                @coemgen29:

                                My Wan1 interface ip is : 10.0.0.100 (default gateway)
                                My Wan2 interface ip is : 192.168.1.100

                                The problem may be that you have the same ip subnet on different interfaces (WAN2, LAN1). Do you?

                                In fact, my LAN1 subnet is 192.168.100.0/24; I put 192.168.1.0 in the scheme as an example,
                                my apologies!

                                So i have :
                                WAN1 : 10.0.0.100
                                WAN2 : 192.168.1.100
                                LAN1 : 192.168.100.1/24
                                LAN2 : 172.16.0.1/16

                                Gateways :
                                GW1 : 10.0.0.200 (default)
                                GW2 : 192.168.1.200

                                Squid custom options :
                                acl LAN1 src 192.168.100.0/24;
                                acl LAN2 src 172.16.0.0/16;
                                tcp_outgoing_address 10.0.0.100 LAN1;
                                tcp_outgoing_address 192.168.1.100 LAN2;

                                "Disable X-Forward" and "Disable VIA" unchecked

                                If I do a tracert, everything is OK: LAN2 goes out via WAN2.
                                If I check my public IP from LAN2 via a website, it shows the WAN1 public IP instead of the WAN2 one.

                                  rubic

                                  Sorry, I've run out of ideas. It simply must work. If you share your config backup (with all the sensitive data deleted), I'll try to help you.

                                    coemgen29

                                    OK, I will go back to factory defaults, note what I set up and then send my config file (if it does not work!).
                                    Thanks for your help anyway.

                                      coemgen29

                                      Well, I did a factory reset and discovered my problem: I had a static route for 192.168.0.0/16 to a VPN gateway (so WAN2, 192.168.1.100/24, was inside this static route!).

                                      Deleted this static route and now, everything works like a charm  :)
                                      Thanks for your help

                                      Topic SOLVED

                                      1 Reply Last reply Reply Quote 0
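
An added example, not part of any post in this thread: a pre-flight check for the two conditions the thread discusses, a `tcp_outgoing_address` that falls inside a static route (coemgen29's finding) and the same subnet on two interfaces (rubic's question). The `audit` and `parse_custom_options` helpers and the finding names are hypothetical, and the WAN1 prefix length is an assumption.

```python
import ipaddress
from itertools import combinations

# Constructed sample built from the values posted in the thread. The WAN1
# prefix length is an assumption; the thread does not state it.
THREAD_INTERFACES = {"WAN1": "10.0.0.100/24", "WAN2": "192.168.1.100/24",
                     "LAN1": "192.168.100.1/24", "LAN2": "172.16.0.1/16"}
THREAD_OPTIONS = ("acl LAN1 src 192.168.100.0/24;acl LAN2 src 172.16.0.0/16;"
                  "tcp_outgoing_address 10.0.0.100 LAN1;"
                  "tcp_outgoing_address 192.168.1.100 LAN2;")

def parse_custom_options(text):
    """Split the semicolon-separated options into ACL networks and
    (outgoing address, ACL name) bindings."""
    acls, outgoing = {}, []
    for directive in filter(None, (d.strip() for d in text.split(";"))):
        parts = directive.split()
        if parts[0] == "acl" and len(parts) >= 4 and parts[2] == "src":
            acls[parts[1]] = ipaddress.ip_network(parts[3])
        elif parts[0] == "tcp_outgoing_address" and len(parts) >= 2:
            acl = parts[2] if len(parts) > 2 else None
            outgoing.append((ipaddress.ip_address(parts[1]), acl))
    return acls, outgoing

def audit(interfaces, static_routes, custom_options):
    """Return (kind, subject, detail) findings for the given layout."""
    ifaces = {n: ipaddress.ip_interface(a) for n, a in interfaces.items()}
    routes = [ipaddress.ip_network(r) for r in static_routes]
    acls, outgoing = parse_custom_options(custom_options)
    local = {i.ip for i in ifaces.values()}
    findings = []
    # rubic's question: is the same subnet configured on two interfaces?
    for (a, ia), (b, ib) in combinations(ifaces.items(), 2):
        if ia.network.overlaps(ib.network):
            findings.append(("overlap", a, b))
    for addr, acl in outgoing:
        if acl is not None and acl not in acls:
            findings.append(("undefined-acl", str(addr), acl))
        if addr not in local:  # Squid can only bind an address the box owns
            findings.append(("not-local", str(addr), ""))
        # coemgen29's finding: a static route that swallows the bind address
        findings.extend(("static-route", str(addr), str(net))
                        for net in routes if addr in net)
    return findings

if __name__ == "__main__":
    for finding in audit(THREAD_INTERFACES, ["192.168.0.0/16"], THREAD_OPTIONS):
        print(finding)
```

With the thread's final layout and the 192.168.0.0/16 static route, the only finding is the WAN2 bind address; with the route removed the list is empty.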
                                        A Former User

                                        How could I work around the problem that my WAN IP changes every 24h?

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.