Netgate Discussion Forum

    Who's here using squid with multiwan?

    tripplex

      Who's here using Squid with multi-WAN?
      Please reply and let me know how yours is configured:
      the number of WANs you have, etc.

      rfzh1996

        I have 3 WANs:

        NAME    MB/s    Sharing
        ISP1    50      1:1
        ISP2    30      2:1
        ISP3    30      2:1

        You need to create ACLs and use tcp_outgoing_address. You put this in Services -> Squid -> General -> Custom ACLs (Before Auth), for example:

        http_port 3128                     # proxy listening port

        # one source ACL per client subnet
        acl lab1 src 192.168.10.0/24
        acl lab2 src 192.168.11.0/24
        acl lab3 src 192.168.12.0/24

        # bind outgoing connections from each subnet to the matching WAN address
        # (replace IPISP1..IPISP3 with the real WAN IPs)
        tcp_outgoing_address IPISP1 lab1
        tcp_outgoing_address IPISP2 lab2
        tcp_outgoing_address IPISP3 lab3


        So when the source is an IP in lab1, ISP1 is used.

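        The tcp_outgoing_address mapping above binds Squid's outgoing socket to one WAN address per source ACL, but nothing in the thread shows how to check that the mapping is still in effect (the next reply noticed only by chance that a WAN had stopped being used). The following script is an added example for this thread, not code from the original post, from pfSense or from the Squid package. It assumes a custom logformat, given inside the script, that records the local address of the server connection (%<la, available in Squid 3.2 and later), placeholder WAN addresses from the RFC 5737 test ranges standing in for IPISP1..IPISP3, and constructed sample log lines. It reports, per client subnet, which outgoing address Squid actually bound and flags requests that left on the wrong one.

```python
#!/usr/bin/env python3
"""Audit which WAN address Squid bound for each client subnet.

Added example for this forum thread; not code from pfSense or the Squid
package. Parses an access log written with a custom logformat that records
the local (outgoing) address of the server connection and compares it with
the address each source ACL should use via tcp_outgoing_address.
"""
import ipaddress
from collections import Counter

# Squid directives that produce the log parsed below. %<la is the local address
# of the last server/peer connection (Squid 3.2+). On pfSense these lines would
# go into Services -> Squid -> General -> Custom Options.
SQUID_LOG_CONFIG = """\
logformat egress %ts.%03tu %>a %<la %<a %rm %ru %Ss/%03>Hs
access_log /var/squid/logs/egress.log egress
"""

# Expected subnet -> outgoing address, mirroring the acl/tcp_outgoing_address
# pairs in the post. WAN addresses are placeholders (RFC 5737 test ranges).
EXPECTED = {
    "192.168.10.0/24": "203.0.113.10",   # lab1 -> IPISP1
    "192.168.11.0/24": "198.51.100.20",  # lab2 -> IPISP2
    "192.168.12.0/24": "192.0.2.30",     # lab3 -> IPISP3
}

# Constructed sample lines in the 'egress' format above. The second line shows
# a lab2 client whose request was bound to ISP1's address instead of ISP2's.
SAMPLE_LOG = """\
1500000000.123 192.168.10.5 203.0.113.10 93.184.216.34 GET http://example.com/ TCP_MISS/200
1500000000.456 192.168.11.7 203.0.113.10 93.184.216.34 GET http://example.org/ TCP_MISS/200
1500000000.789 192.168.11.8 - - GET http://example.org/ TCP_MEM_HIT/200
1500000001.000 192.168.12.9 192.0.2.30 93.184.216.34 CONNECT example.net:443 TCP_TUNNEL/200
1500000001.100 10.0.0.4 203.0.113.10 93.184.216.34 GET http://example.com/ TCP_MISS/200
"""


def parse_line(line):
    """Return (client_ip, outgoing_ip), or None if no server connection was made."""
    fields = line.split()
    if len(fields) < 7:
        return None                     # malformed or truncated line
    client, outgoing = fields[1], fields[2]
    if outgoing == "-":
        return None                     # cache hit: Squid never bound an outgoing socket
    return client, outgoing


def expected_subnet(client_ip, expected=EXPECTED):
    """Map a client address to the ACL subnet it falls in, or None if unmatched."""
    addr = ipaddress.ip_address(client_ip)
    for cidr in expected:
        if addr in ipaddress.ip_network(cidr):
            return cidr
    return None


def audit(log_text, expected=EXPECTED):
    """Count outgoing addresses per subnet and flag requests that used the wrong WAN.

    Returns a dict keyed by subnet (plus 'unmatched' for clients outside every
    ACL); each entry holds the expected address, a Counter of addresses seen,
    and the number of mismatching requests.
    """
    report = {cidr: {"expected": ip, "seen": Counter(), "mismatches": 0}
              for cidr, ip in expected.items()}
    report["unmatched"] = {"expected": None, "seen": Counter(), "mismatches": 0}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, outgoing = parsed
        entry = report[expected_subnet(client, expected) or "unmatched"]
        entry["seen"][outgoing] += 1
        if entry["expected"] is not None and outgoing != entry["expected"]:
            entry["mismatches"] += 1
    return report


def misrouted_subnets(report):
    """Subnets with at least one request bound to an address other than the configured one."""
    return sorted(k for k, v in report.items() if v["mismatches"])


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for cidr, entry in result.items():
        print(f"{cidr}: expected {entry['expected']} seen {dict(entry['seen'])} "
              f"mismatches {entry['mismatches']}")
    print("misrouted:", misrouted_subnets(result))
```

        Feed the real egress.log to audit() instead of SAMPLE_LOG. One caveat: %<la records the address Squid bound to, not the interface pf actually sent the packet out of, so if locally originated traffic follows the default gateway (as later replies in this thread describe) the log can still show IPISP2 while the packets leave via ISP1. Cross-check the path with pfctl -ss on the firewall or with an external "what is my IP" request from a client in each subnet.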
        SaschaITM

          AFAIK, that did work in older pfSense versions, but doesn't work in recent builds. From what I understand, the reason is something like "all requests originating from pfSense itself will use the default gateway", which is true for Squid running on the pfSense machine. I actually used the "tcp_outgoing_address" solution at a site I'm managing, and noticed by chance some time after a pfSense update that the 2nd WAN wasn't being utilized anymore. I ran a few tests afterwards, and couldn't get Squid traffic to balance anymore. My current solution is to use an additional Squid proxy server on a different machine, which is of course inconvenient, and a waste of resources (but works fine).

          More information can be found in this forum post.

          doktornotor

            Just to restate the (mostly) obvious:

            Load balancing

            • cannot be fixed in Squid, because it's not possible to match the packets due to a pf(4) bug

            Failover

            • HA will never fail over gracefully, because it's just not possible at all: https://forum.pfsense.org/index.php?topic=46067.msg256634#msg256634
            • If you want Squid to just switch the GWs, that doesn't work either, because there was no code to let Squid know that the GW went down/up. If someone wants to play with the gateway state plugin on 2.4 snapshots (required) and produce a patch, feel welcome. Implementation example: 1 + 2.
            tripplex

              Wow, this is a burning issue. It seems no one has it configured to work on the same box.

              tripplex

                If VMware ESXi is used and two instances of pfSense are installed, will it work that way? I would use one instance for load balancing multi-WAN and the other instance for Squid.

                kpk

                  I think so myself. Is there a way in IPv4 without double NAT (clients <-> proxy -> "WAN IP" <-> "failover groups" -> ext IP)?
                  I really, really would like to stick with pfSense, but there must be a working solution for proxy + multi-WAN.

                  @doktornotor:

                  Just to restate the (mostly) obvious:

                  Load balancing

                  • cannot be fixed in Squid, because it's not possible to match the packets due to a pf(4) bug

                  Failover

                  • HA will never fail over gracefully, because it's just not possible at all: https://forum.pfsense.org/index.php?topic=46067.msg256634#msg256634
                  • If you want Squid to just switch the GWs, that doesn't work either, because there was no code to let Squid know that the GW went down/up. If someone wants to play with the gateway state plugin on 2.4 snapshots (required) and produce a patch, feel welcome. Implementation example: 1 + 2.

                  Thanks for the post, as it simplifies the bug hunting big time. Do you know if there is any news about this 2-year-old(!) bug?

                  doktornotor

                    There's nothing new, really. LB is broken, HA is not doable by design, and no one has submitted any plugin code for the GW-switching case for Squid.

                    SaschaITM

                      To reiterate: the simple solution is to use an additional Squid proxy instance on a separate machine, and set up that instance as a parent proxy for the pfSense Squid instance. I've implemented it like that because I wanted the Squid on pfSense to act as a transparent proxy. For multi-WAN, just use policy-based routing (gateway groups). This leaves DNS as the only potential issue when the default gateway goes down, I think, and that can probably be solved by using an additional Unbound instance on a separate machine. I didn't test that yet, though, because my default gateway is pretty stable.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.