    Squid Transparent HTTP Proxy with CARP HA VIP

      patd last edited by

      This is my current setup, these are not my production IPs, these are just to serve as my example:

      Primary Firewall:

      WAN VIP: 1.1.1.146/29
      Physical WAN Interface IP: 1.1.1.147/29
      LAN VIP: 192.168.1.1/24
      Physical LAN Interface IP: 192.168.1.2/24

      Backup Firewall:

      WAN VIP: 1.1.1.146/29
      Physical WAN Interface IP: 1.1.1.148/29
      LAN VIP: 192.168.1.1/24
      Physical LAN Interface IP: 192.168.1.3/29

      Both Firewalls are set up with NAT and failover has been configured and works flawlessly.

      Recently I enabled Squid's Transparent HTTP Proxy, to take advantage of ClamAV. Now since enabling this feature, I am having a problem where all HTTP traffic for whatever reason wants to use the Physical WAN Interface IP of the firewall and not the VIP of 1.1.1.146. This is a huge problem as all of our resources that our office accesses are only permitted to accept incoming HTTP sessions from the VIP of 1.1.1.146.

      I should mention that prior to enabling this feature, all traffic NAT'd out the 1.1.1.146 IP, so this issue to me doesn't appear to be related to NAT.

      As a workaround, I see some people have used the http_port <ip>3128 function to force HTTP to go out on their VIP, but this isn't working for me.

      I might be unclear as to where to enable that function in the squid advanced options.  I have tried http_port 1.1.1.146 3128 in both the Before Auth and After Auth fields, still no change.

      Please Help.

      Thank you.

      1 Reply Last reply Reply Quote 0
        patd last edited by

        Well, the command is as follows:

        tcp_outgoing_address

        1 Reply Last reply Reply Quote 0
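Added example, not part of the original posts and not the pfSense package's own generated configuration: the directive named in the last post next to the http_port attempt from the first post. Squid opens its own connections to origin servers from the firewall, so the source address is whatever Squid binds to, and http_port only controls where Squid listens for clients. The fragment assumes a single outgoing address with no ACL and uses the thread's sample VIP.

```conf
# Constructed squid.conf fragment using the thread's sample addresses.

# Attempted in the first post: http_port sets the address and port Squid
# LISTENS on for client connections (syntax is [ip:]port). It has no effect
# on the source address of the requests Squid sends to origin servers.
# http_port 1.1.1.146:3128

# Directive from the last post: tcp_outgoing_address sets the local source
# address Squid binds to for its outgoing connections. With no ACL after
# the address, it applies to all proxied requests.
tcp_outgoing_address 1.1.1.146
```

Remote sites that allowlist only the VIP should then log 1.1.1.146 as the client address for proxied HTTP requests.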