Netgate Discussion Forum

    Squid Transparent HTTP Proxy with CARP HA VIP

    HA/CARP/VIPs
    • patd

      This is my current setup, these are not my production IPs, these are just to serve as my example:

      Primary Firewall:

      WAN VIP: 1.1.1.146/29
      Physical WAN Interface IP: 1.1.1.147/29
      LAN VIP: 192.168.1.1/24
      Physical LAN Interface IP: 192.168.1.2/24

      Backup Firewall:

      WAN VIP: 1.1.1.146/29
      Physical WAN Interface IP: 1.1.1.148/29
      LAN VIP: 192.168.1.1/24
      Physical LAN Interface IP: 192.168.1.3/29

      Both firewalls are set up with NAT, and failover has been configured and works flawlessly.

      Recently I enabled Squid's Transparent HTTP Proxy, to take advantage of ClamAV.  Now since enabling this feature, I am having a problem where all HTTP traffic for whatever reason wants to use the Physical WAN Interface IP of the firewall and not the VIP of 1.1.1.146.  This is a huge problem as all of our resources that our office accesses are only permitted to accept incoming HTTP sessions from the VIP of 1.1.1.146.

      I should mention that prior to enabling this feature, all traffic NAT'd out the 1.1.1.146 IP, so this issue to me doesn't appear to be related to NAT.

      As a workaround, I see some people have used the http_port <ip>3128 function to force HTTP to go out on their VIP, but this isn't working for me.

      I might be unclear as to where to enable that function in the squid advanced options.  I have tried http_port 1.1.1.146 3128 in both the Before Auth and After Auth fields, still no change.

      Please help.

      Thank you.

      • patd

        Well, the command is as follows:

        tcp_outgoing_address

        • patd

          Alright, I have a new issue now that I have used the tcp_outgoing_address command to specify my VIP for all outgoing HTTP traffic.

          Nothing in my setup has changed except for enabling the clamAV engine in squid.  Since doing so, pages load slowly or not at all.

          If I remove the tcp_outgoing_address command from my custom options, the problem goes away.

          Files from eicar.com are caught by clamAV and there is no impact to performance.

          As soon as I re-enter the tcp_outgoing_address into my squid custom options everything goes in the crapper.

          Any ideas anyone?

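The thread turns on two Squid directives: `http_port` selects where Squid listens, while `tcp_outgoing_address` selects the source address of its outbound connections. The following is an added example, not code from the poster or from the pfSense Squid package: a small check over custom-option lines that reports which address upstream allowlists will see. The function name `audit_squid_options` is hypothetical, and the sample address is the thread's example VIP.

```python
import ipaddress

# Constructed sample value: the example WAN CARP VIP used in the thread.
CARP_WAN_VIP = "1.1.1.146"

def audit_squid_options(text, expected_vip):
    """Return (findings, egress_addrs) for squid.conf-style directive lines."""
    findings, egress = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, *args = line.split()
        if name == "http_port" and args:
            # Documented form is [ip:]port; it selects where Squid LISTENS.
            host, _, port = args[0].rpartition(":")
            if not port.isdigit():
                findings.append(f"http_port: '{args[0]}' is not [ip:]port")
            elif host == expected_vip:
                findings.append("http_port binds the listener to the WAN VIP; "
                                "it does not set the egress source address")
        elif name == "tcp_outgoing_address" and args:
            try:
                addr = str(ipaddress.ip_address(args[0]))
            except ValueError:
                findings.append(f"tcp_outgoing_address: bad address '{args[0]}'")
                continue
            # Only lines without ACL names apply to all outbound traffic.
            if len(args) == 1:
                egress.append(addr)
            if addr != expected_vip:
                findings.append(f"egress source {addr} is not the VIP {expected_vip}")
    if not egress:
        findings.append("no unconditional tcp_outgoing_address: the OS picks "
                        "the source address, typically the interface IP")
    return findings, egress

if __name__ == "__main__":
    # The two option strings tried in the thread, checked against the VIP.
    for sample in ("http_port 1.1.1.146 3128", "tcp_outgoing_address 1.1.1.146"):
        print(sample, "->", audit_squid_options(sample, CARP_WAN_VIP))
```
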
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.