Who's here using squid with multiwan?



  • Who's here using squid with multiwan?
    Please reply and let me know how yours is configured.
    The number of WANs you have, etc.



  • I have 3 WAN

    NAME    MB/S Sharing

    ISP1 -> 50 1:1
    ISP2 -> 30 2:1
    ISP3 -> 30 2:1

    You need to create ACLs and use tcp_outgoing. You set this in Services -> Squid -> General -> Custom ACLS (Before Auth), for example:

    http_port 3128
    acl lab1 src 192.168.10.0/24
    acl lab2 src 192.168.11.0/24
    acl lab3 src 192.168.12.0/24
    
    tcp_outgoing_address IPISP1 lab1
    tcp_outgoing_address IPISP2 lab2
    tcp_outgoing_address IPISP3 lab3
    
    

    Then, when the source is an IP of lab1, it uses ISP1.



  • AFAIK, that did work in older pfSense versions, but doesn't work in recent builds. From what I understand, the reason is something like "all requests originating from pfSense itself will use the Default Gateway", which is true for Squid running on the pfSense machine. I actually used the "tcp_outgoing_address" solution at a site I'm managing, and noticed by chance some time after a pfSense update that the 2nd WAN wasn't being utilized anymore. I ran a few tests afterwards, and couldn't get Squid traffic to balance anymore. My current solution is to use an additional Squid proxy server on a different machine, which is of course inconvenient, and a waste of resources (but works fine).

    More information can be found in this forum post.


  • Just to restate the (mostly) obvious:

    Load balancing

    Failover



  • Wow, this is a burning issue. It seems no one has it configured to work on the same box.



  • If VMware ESXi is used and two instances of pfSense are installed, will it work that way? I would use one instance for load balancing multi-WAN and the other instance for Squid?



  • Think so myself. Is there a way in IPv4 without doubleNAT (clients<->proxy-> "WAN IP" <-> "failover groups" ->ext IP)?
    I really really would like to stick with pfsense, but there must be a working solution for proxy + multiwan.

    @doktornotor:

    Just to restate the (mostly) obvious:

    Load balancing

    Failover

    Thanks for the post, as it simplifies the bug hunting big time. Do you know if there is any news about this 2-year(!)-old bug?


  • There's nothing new really. LB broken, HA is not doable by design and no one submitted any plugin code for the GW switching case for Squid.



  • To reiterate: the simple solution is to use an additional Squid proxy instance on a separate machine, and set up that instance as a parent proxy for the pfSense Squid instance. I've implemented it like that because I wanted the Squid on pfSense to act as a transparent proxy. For multi-WAN, just use policy based routing (gateway groups). This leaves DNS as the only potential issue when the default gateway goes down I think, and that can probably be solved by using an additional Unbound instance on a separate machine. I didn't test that yet, though, because my default gateway is pretty stable.
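
The parent-proxy arrangement described in the post above, sketched as squid.conf directives. This is an added example, not configuration posted by anyone in the thread; the addresses 192.0.2.10 (the separate Squid machine) and 192.0.2.1 (the pfSense address the child connects from) are placeholders, and how the child directives are entered in the pfSense Squid package is not shown.

```conf
# --- Squid on pfSense (child) ---
# Forward every request to the Squid instance on the separate machine.
# 192.0.2.10 is a placeholder; 3128 is the parent's http_port, 0 disables ICP.
cache_peer 192.0.2.10 parent 3128 0 no-query default

# Never fetch directly from pfSense itself, so no proxy traffic originates
# on the firewall and gets pinned to its default gateway.
never_direct allow all

# --- Squid on the separate machine (parent) ---
http_port 3128

# Accept requests only from the pfSense child (placeholder address),
# so the parent is not an open proxy for the rest of the network.
acl pfsense_child src 192.0.2.1/32
http_access allow pfsense_child
http_access deny all
```

Outbound connections from the parent then arrive at pfSense as ordinary LAN traffic, so the firewall rule that assigns a gateway group applies to them.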