Squid Transparent HTTP Proxy with CARP HA VIP



  • This is my current setup. These are not my production IPs; these are just to serve as my example:

    Primary Firewall:

    WAN VIP: 1.1.1.146/29
    Physical WAN Interface IP: 1.1.1.147/29
    LAN VIP: 192.168.1.1/24
    Physical LAN Interface IP: 192.168.1.2/24

    Backup Firewall:

    WAN VIP: 1.1.1.146/29
    Physical WAN Interface IP: 1.1.1.148/29
    LAN VIP: 192.168.1.1/24
    Physical LAN Interface IP: 192.168.1.3/29

    Both firewalls are set up with NAT, and failover has been configured and works flawlessly.

    Recently I enabled Squid's Transparent HTTP Proxy to take advantage of ClamAV.  Since enabling this feature, I am having a problem where all HTTP traffic, for whatever reason, wants to use the Physical WAN Interface IP of the firewall and not the VIP of 1.1.1.146.  This is a huge problem, as all of the resources that our office accesses are only permitted to accept incoming HTTP sessions from the VIP of 1.1.1.146.

    I should mention that prior to enabling this feature, all traffic NAT'd out the 1.1.1.146 IP, so this issue to me doesn't appear to be related to NAT.

    As a workaround, I see some people have used the http_port <ip>3128 function to force HTTP to go out on their VIP, but this isn't working for me.

    I might be unclear as to where to enable that function in the squid advanced options.  I have tried http_port 1.1.1.146 3128 in both the Before Auth and After Auth fields, still no change.

    Please Help.

    Thank you.



  • Well, the command is as follows:

    tcp_outgoing_address


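An added example, not part of the original thread: a squid.conf fragment contrasting the two directives mentioned above, using the example addresses from the first post. The ACL name `office_lan` is hypothetical, and where the lines are entered in the Squid package's custom options is left as an assumption.

```conf
# Added example; addresses are the example IPs from the first post.

# http_port sets where Squid LISTENS for client connections.
# It has no effect on the source address of Squid's own outbound
# requests, so putting the WAN VIP here does not help
# (the syntax is also ip:port, not "ip port"):
#   http_port 1.1.1.146:3128

# Once the transparent proxy is enabled, HTTP requests are opened by
# Squid on the firewall itself, not forwarded from the LAN client.
# Outbound NAT rules written for LAN source addresses therefore do not
# match, and the connection leaves with the physical WAN interface IP.

# tcp_outgoing_address sets the SOURCE address Squid binds to when it
# connects to origin servers. Pointing it at the CARP WAN VIP keeps the
# address seen by upstream allowlists the same on both firewalls.

# Hypothetical ACL name matching the LAN from the first post.
acl office_lan src 192.168.1.0/24

# Requests from LAN clients leave from the WAN VIP.
tcp_outgoing_address 1.1.1.146 office_lan
```

The same lines need to be present on both the primary and the backup firewall so that the source address does not change after a failover.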