Squid Transparent HTTP Proxy with CARP HA VIP

  • This is my current setup, these are not my production IPs, these are just to serve as my example:

    Primary Firewall:

    WAN VIP:
    Physical WAN Interface IP:
    LAN VIP:
    Physical LAN Interface IP:

    Backup Firewall:

    WAN VIP:
    Physical WAN Interface IP:
    LAN VIP:
    Physical LAN Interface IP:

    Both Firewalls are setup with NAT and failover has been configured and works flawlessly

    Recently I enabled Squid's Transparent HTTP Proxy, to take advantage of ClamAV.  Now since enabling this feature, I am have a problem where all HTTP traffic for whatever reason wants to use the Physical WAN Interface IP of the firewall and not the VIP of  This is a huge problem as all of our resources that our office accesses are only permitted to accept incoming HTTP sessions from the VIP of

    I should mention that prior to enabling this feature, all traffic NAT'd out the IP, so this issue to me doesn't appear to be related to NAT.

    As a work around, I see some people have used the http_port <ip>3128 function to force HTTP to go out on their VIP, but this isn't working for me.

    I might be unclear as to where to enable that function in the squid advanced options.  I have tried http_port 3128 in both the Before Auth and After Auth fields, still no change.

    Please Help.

    Thank you.</ip>

  • well the command is as follows


  • Alright, I have a new issue now that I have used the tcp_outgoing_address command to specify my VIP for all outgoing HTTP traffic.

    Nothing in my setup has changed except for enabling the clamAV engine in squid.  Since doing so, pages load slowly or not at all.

    If I remove the tcp_outgoing_address command from my custom options, the problem goes away.

    Files from eicar.com are caught by clamAV and there is no impact to performance.

    As soon as I re-enter the tcp_outgoing_address into my squid custom options everything goes in the crapper.

    Any ideas anyone?

Log in to reply