2.2-RELEASE + squid3 + sg + snort + clamav + loadbalance working well, and apinger
-
Dear all,
Coming from the 2.1.5 version, after SEVERAL attempts, I was finally able to upgrade to 2.2 by making a fresh install, but I have some questions.
My working configuration is:
- pfSense 2.2 64bit, 2 LANs, 2 WANs load balanced (the WANs are very slow with high latency: 1 VSAT 1Mbit, 1 WiMAX 2Mbit)
- Squid3 (in transparent mode with HTTPS filtering using a free CA), with load balancing across the 2 WANs configured using the squid "random" function (33%+66%)
- SquidGuard-dev to blacklist ads etc.
- Snort as IPS with P2P (Torrent) filtering (allowed for some internal PCs with scheduling enabled)
- CODEL as QoS policy
- DHCP / DNS Resolver
- ntopng for network live-monitoring
- C-ICAP / CLAMAV Antivirus
To get everything working, just verify that SquidGuard-dev has the correct ln -s to the library in /usr/lib, as explained almost everywhere in the forum, and be sure to double-save the tabs under the "antivirus" section of the Squid3 package (I mean, the first time it generates the config, the second time the GUI asks you to change some configuration lines; just follow the GUI directions).
To get everything working together I followed these steps:
1- Fresh 2.2 install
2- Install squid3
3- Changed the package signature option under System > Advanced.
4- Installed squidguard-devel
5- Check the squid tabs, save, fix the config options pointed out by the GUI alerts
6- On the antivirus tab, save the config twice, as the first time it will load the sample files and the second time it checks the config options.
7- Via console, wait for the first (slow) clamav database update (repeating ps ax | grep -i freshclam or tail -f /var/log/clamav/freshclam.log)
8- Enable transparent mode (do not select loopback in any squid option)
9- Stop and start squid via the GUI to force c-icap to restart too after the first freshclam run.
10- Install the Shalla blacklist on squidguard
11- Apply the squidguard changes
To configure the load-balanced squid3 behaviour I put the following in the ACL section of the Squid3 package (33% for VSAT and 66% for WiMAX):
acl loadbalance random 1/3
tcp_outgoing_address <IP WAN1> loadbalance
tcp_outgoing_address <IP WAN2>
(refer to https://forum.pfsense.org/index.php?topic=87424.msg480232#msg480232 and https://forum.pfsense.org/index.php?topic=85160.0 to get Squid3 load balanced between two WANs)
To configure WAN load balance/failover for all the other protocols, I added a WAN group using weights: VSAT has weight 1 while WiMAX has weight 2 (1Mbit/2Mbit).
Everything seems to work well except for the following strange behaviour.
QUESTIONS:
- The strange behaviour is shown in the attached images. The first WAN is a VSAT (so latency is always more than 500ms) and the second an African WiMAX (always more than 150ms). As the monitored IP I use the usual Google DNS. As you can see, the latency is only sometimes as expected, while normally it shows a latency value of 20/10 or even 0ms, which is impossible. I can't figure out why… is this a bug?
- Limiter: if I configure a limiter dummy interface for the "IN" and "OUT" directions and put a "MATCH" rule on the WAN interface, it seems that no traffic is intercepted by the limiter… why?
This is important for me because the WiMAX provider provides us with a dedicated 2Mbit line, and if I go over the line capacity the provider starts to drop packets (Sudanese providers are not so good at shaping traffic).
Any ideas?
Thank you
-
Strange behavior ping: please use another server than the Google DNS to monitor your network. I had this problem a week ago - Google blocked me and I thought I had an outage - but I didn't.
Greets
-
You got further than I did; I could not get squid 3 to work on 2.2.
-
Hi epimeteo,
I'm working on squid/multiwan too, especially on the failover part.
Can you tell me what happens when one of your WANs fails?
The acl random in squid is great for load balancing but is dumb when it has to deal with failover.
As squid is not aware that a WAN is down, it will continue to send half of the packets through the failed WAN.
Did you solve that issue?
Thanks
-
Can you post a guide, say on YouTube, of how you got it all to work? Other forum members would really appreciate it…
-
Yes please,
I would like to try this setup on my router; I was not able to do it on the older version :(
Thanks
-
Does squid understand when one of the two WANs is down, or does it keep trying to send traffic through the first? So does failover work?
-
Does squid understand when one of the two WANs is down, or does it keep trying to send traffic through the first? So does failover work?
Dude, how many more threads are you gonna spam with the same question?
https://forum.pfsense.org/index.php?topic=85160.msg499755#msg499755
https://forum.pfsense.org/index.php?topic=81524.msg499752#msg499752
https://forum.pfsense.org/index.php?topic=66822.msg499751#msg499751
https://forum.pfsense.org/index.php?topic=88826.msg499742#msg499742 :(
-
That's because nobody answers my posts. :( Sorry about that.
-
Does squid understand when one of the two WANs is down, or does it keep trying to send traffic through the first? So does failover work?
No.
pfSense detects that a WAN is down using apinger, which calls an event handler (pfSctl) that does not interact with squid.
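The random-ACL load balancing from the first post, generalised to any number of WANs and weights and with WANs flagged as down dropped from the generated rules (the failover squid cannot do by itself, as noted above). This is an added example, not code from any poster in this thread; the WAN names, IPs and the "up" flag are constructed, and whatever sets that flag (a gateway check run outside squid) is assumed.

```python
from fractions import Fraction

# Constructed inventory (not from the thread): two uplinks with the 1:2 weights
# the first post uses (1Mbit VSAT, 2Mbit WiMAX). IPs are documentation
# addresses; "up" stands in for the result of a gateway check done elsewhere.
WANS = [
    {"name": "vsat", "ip": "192.0.2.10", "weight": 1, "up": True},
    {"name": "wimax", "ip": "198.51.100.10", "weight": 2, "up": True},
]


def weighted_rules(wans):
    """Return (acl_lines, tcp_outgoing_address_lines) that give each healthy
    WAN its weight's share of connections.

    squid uses the first matching tcp_outgoing_address line, and a 'random'
    ACL is rolled afresh at each evaluation, so rule k needs the conditional
    probability weight_k / weight_not_yet_assigned rather than weight_k / total.
    The last healthy WAN gets no ACL and catches the rest; WANs flagged down
    are left out, which is the failover squid cannot do by itself.
    """
    healthy = [w for w in wans if w["up"]]
    if not healthy:
        raise ValueError("no healthy WAN left; refusing to emit an empty policy")
    acls, outgoing = [], []
    unassigned = sum(w["weight"] for w in healthy)
    for w in healthy[:-1]:
        p = Fraction(w["weight"], unassigned)
        acls.append(f"acl lb_{w['name']} random {p.numerator}/{p.denominator}")
        outgoing.append(f"tcp_outgoing_address {w['ip']} lb_{w['name']}")
        unassigned -= w["weight"]
    outgoing.append(f"tcp_outgoing_address {healthy[-1]['ip']}")
    return acls, outgoing


def effective_share(wans):
    """Replay the rule chain to get the share each WAN really receives, as a
    check that the conditional probabilities reproduce the intended weights."""
    weighted_rules(wans)  # raises if nothing is healthy
    healthy = [w for w in wans if w["up"]]
    shares, unmatched = {}, Fraction(1)
    unassigned = sum(w["weight"] for w in healthy)
    for w in healthy[:-1]:
        p = Fraction(w["weight"], unassigned)
        shares[w["name"]] = unmatched * p
        unmatched *= 1 - p
        unassigned -= w["weight"]
    shares[healthy[-1]["name"]] = unmatched
    return shares
```

For the two-WAN inventory the output is the same three lines as the first post (acl random 1/3, WAN1 with the ACL, WAN2 as the catch-all); with the VSAT flagged down only the single WiMAX line remains, to be pasted into the Squid3 package's custom ACL options followed by a squid reconfigure.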
-
Dears,
Is it working the same with this configuration but with squid non-transparent?