Who's here using squid with multiwan?
-
Who's here using Squid with multi-WAN?
Please reply and let me know how yours is configured.
The amount of WAN you have, etc.
-
I have 3 WANs:
NAME   MB/S   Sharing
ISP1   50     1:1
ISP2   30     2:1
ISP3   30     2:1
-
You need to create ACLs and use tcp_outgoing_address; you set this in Services -> Squid -> General -> Custom ACLs (Before Auth), for example:
http_port 3128
acl lab1 src 192.168.10.0/24
acl lab2 src 192.168.11.0/24
acl lab3 src 192.168.12.0/24
tcp_outgoing_address IPISP1 lab1
tcp_outgoing_address IPISP2 lab2
tcp_outgoing_address IPISP3 lab3
And when the source is an IP of lab1, use ISP1.
-
AFAIK, that did work in older pfSense versions, but doesn't work in recent builds. From what I understand, the reason is something like "all requests originating from pfSense itself will use the Default Gateway", which is true for Squid running on the pfSense machine. I actually used the "tcp_outgoing_address" solution at a site I'm managing, and noticed by chance some time after a pfSense update that the 2nd WAN wasn't being utilized anymore. I ran a few tests afterwards, and couldn't get Squid traffic to balance anymore. My current solution is to use an additional Squid proxy server on a different machine, which is of course inconvenient, and a waste of resources (but works fine).
More information can be found in this forum post.
-
Just to restate the (mostly) obvious:
Load balancing
- cannot be fixed in Squid because it's not possible to match the packets due to a pf(4) bug
Failover
- HA will never fail over gracefully, because it's just not possible at all: https://forum.pfsense.org/index.php?topic=46067.msg256634#msg256634
- If you want Squid to just switch the GWs, that doesn't work either, because there was no code to let Squid know that the GW went down/up. If someone wants to play with the gateway state plugin on 2.4 snapshots (required) and produce some patch, feel welcome. Implementation example: 1 + 2.
-
Wow, this is a burning issue. It seems no one has it configured to work on the same box.
-
If VMware ESXi is used, then install two instances of pfSense; will it work that way? I would use one instance for load balancing multi-WAN and the other instance for Squid?
-
Think so myself. Is there a way in IPv4 without double NAT (clients <-> proxy -> "WAN IP" <-> "failover groups" -> ext IP)?
I really, really would like to stick with pfSense, but there must be a working solution for proxy + multi-WAN.
-
> Just to restate the (mostly) obvious:
> Load balancing
> - cannot be fixed in Squid because it's not possible to match the packets due to a pf(4) bug
> Failover
> - HA will never fail over gracefully, because it's just not possible at all: https://forum.pfsense.org/index.php?topic=46067.msg256634#msg256634
> - If you want Squid to just switch the GWs, that doesn't work either, because there was no code to let Squid know that the GW went down/up. If someone wants to play with the gateway state plugin on 2.4 snapshots (required) and produce some patch, feel welcome. Implementation example: 1 + 2.
Thanks for the post, as it simplifies the bug hunting big time. Do you know if there is any news about this 2-year-old (!) bug?
-
There's nothing new really. LB is broken, HA is not doable by design, and no one has submitted any plugin code for the GW-switching case for Squid.
-
To reiterate: the simple solution is to use an additional Squid proxy instance on a separate machine, and set up that instance as a parent proxy for the pfSense Squid instance. I've implemented it like that because I wanted the Squid on pfSense to act as a transparent proxy. For multi-WAN, just use policy-based routing (gateway groups). This leaves DNS as the only potential issue when the default gateway goes down, I think, and that can probably be solved by using an additional Unbound instance on a separate machine. I didn't test that yet, though, because my default gateway is pretty stable.
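To make the two-box layout in the post above concrete, here is an added example of the Squid directives involved on each side. It is written for this page; it is not taken from the poster's setup or from the configuration the pfSense Squid package generates. The parent's address 192.168.1.10, the pfSense LAN address 192.168.1.1, the client subnets and the ports are assumptions.

```squid
# ---- Child: Squid on the pfSense box (transparent), assumed fragment ----
# pf redirects LAN port-80 traffic to this port; "intercept" tells Squid the
# clients did not address it explicitly.
http_port 3128 intercept

# Client subnets (assumed, reusing the lab ranges from earlier in the thread).
acl localnet src 192.168.10.0/24 192.168.11.0/24 192.168.12.0/24
http_access allow localnet
http_access deny all

# The parent proxy on the separate machine (address assumed).
# "parent" = forward requests to it; 0 = no ICP port; no-query = no ICP probes;
# default = use this peer when no other peer matches.
cache_peer 192.168.1.10 parent 3128 0 no-query default name=upstream
cache_peer_access upstream allow localnet

# Never fetch directly: every outbound request is handed to the parent, so the
# "pfSense-originated traffic always uses the default gateway" behaviour no
# longer decides which WAN is used.
never_direct allow all

# ---- Parent: Squid on the separate machine, assumed fragment ----
http_port 3128

# Only accept requests from the child (the pfSense LAN address, assumed).
acl child src 192.168.1.1
http_access allow child
http_access deny all

# No tcp_outgoing_address here: this host's outbound connections reach pfSense
# as ordinary LAN traffic, so the gateway group (policy-based routing) picks
# the WAN and handles failover.
```

On pfSense the package regenerates squid.conf from the GUI, so the child-side lines belong in the package's upstream/parent proxy settings or custom options fields rather than in a hand-edited file; the exact field depends on the package version. Because `never_direct allow all` forces every request through the parent, the child never has to resolve destination host names (the parent is given as an IP for the same reason); name resolution and the WAN choice both happen on the parent, which is why the post identifies DNS on the parent as the remaining thing to make independent of the default gateway.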