Squid and several LANs that need to access it, how to?



  • I'm setting up a proxy with 1.2 and Squid.

    This is how it looks:

    All done with real IP addresses (pfSense is not the default router).

    WAN
    111.111.111.1

    LAN
    222.222.222.21

    No VLAN involved on the pfSense itself.

    We then have a number of internal LANs (all real addresses) that should be able to access Squid (3128),

    say
    222.222.233.x
    222.222.234.x
    222.222.235.x
    and so on

    From any of the 222.222.23x.x networks I can't "telnet 111.111.111.1 3128", but when connected to 222.222.222.x it works.

    If I put a computer on the 222.222.222.x network it works fine, but not on the other networks.

    All networks have computers and servers on them which are working fine.

    However, if I set the proxy to listen on WAN and LAN I could get the proxy working through the WAN interface,
    but I don't want traffic entering and leaving on the same interface (because of bandwidth).

    Should it be any problem getting traffic in on 222.222.222.21 and exiting 111.111.111.1 (which is working when on the internal "LAN")?

    Should I turn off NAT? (Didn't make any difference when I tried that.)

    This must have been done already.

    Ideas?

    Regards /Fredde



  • First off - should each of the subnets be able to communicate with each other - i.e. be on the same network? Regardless of the WAN/router/Squid setup, should 222.222.233.x be able to talk to 222.222.234.x? If so, then the only necessary change is to the subnet mask of your LAN interface.

    If they should not be able to talk, then you'll need to set up each subnet as an interface (VLAN or physical, up to you). Then, in the Squid GUI make sure you select each interface as the 'proxy interface' (hold down Ctrl to select more than one).

    Hope that helps, let us know how you fare.



  • Thanks for the answer... but ;)

    The 222.222.23x.x networks can all talk to other networks, but that's all done through our secure platform.

    I'm not quite sure how to make it understandable, but I'll give it a go ;)

    The internal net for pfSense is 111.111.111.21, just as any other computer really, i.e. not acting as FW or router for anything (except the proxying).

    From what I gathered the problem is somewhere that Squid only accepts requests from the 111.111.111.0/24 network.
    I have no problem with running the webconfig (port 80) on any of the 2 networks, but get nothing on port 3128 on the internal network.

    Is it understandable what I'm trying to accomplish here?

    /Fredde

    @mhab12:

    First off - should each of the subnets be able to communicate with each other - i.e. be on the same network? Regardless of the WAN/router/Squid setup, should 222.222.233.x be able to talk to 222.222.234.x? If so, then the only necessary change is to the subnet mask of your LAN interface.

    If they should not be able to talk, then you'll need to set up each subnet as an interface (VLAN or physical, up to you). Then, in the Squid GUI make sure you select each interface as the 'proxy interface' (hold down Ctrl to select more than one).

    Hope that helps, let us know how you fare.



  • Got it now…

    Several things come to mind. First off, transparent will not work. If you are not having pfSense act as the GW/FW/router there is no way to force the traffic through the proxy. Clients will still go right to the net as if your Squid box never existed. If you are going to configure each browser to use the proxy, I am not entirely sure. I know that people have been having major issues when both interfaces are on the same subnet, as your situation would call for.

    My suggestion would be to do as you have done, only set up a port forward in the pfSense NAT from WAN 3128 to LAN 127.0.0.1:3128. You might have to tinker with the "allow users on interface" tickbox in the proxy GUI. This is basically like running a public proxy... only it wouldn't be 'public' in your case. You might search the forum for that, as I remember somebody trying to do this in the past.



  • Ok, good point, will try that tomorrow.

    We will only use this proxy for Marratech videoconferences (this is initial testing); since we don't want to open up all the ports that Marratech requires, we want to test if pfSense/Squid will aid us in this.

    Thanks for the assistance

    /Fredde

    @mhab12:

    Got it now…

    Several things come to mind. First off, transparent will not work. If you are not having pfSense act as the GW/FW/router there is no way to force the traffic through the proxy. Clients will still go right to the net as if your Squid box never existed. If you are going to configure each browser to use the proxy, I am not entirely sure. I know that people have been having major issues when both interfaces are on the same subnet, as your situation would call for.

    My suggestion would be to do as you have done, only set up a port forward in the pfSense NAT from WAN 3128 to LAN 127.0.0.1:3128. You might have to tinker with the "allow users on interface" tickbox in the proxy GUI. This is basically like running a public proxy... only it wouldn't be 'public' in your case. You might search the forum for that, as I remember somebody trying to do this in the past.



  • Well, after some more testing I found out that neither Squid nor the webconfig is reachable when I'm on an "internal" network and trying to reach the LAN webconfig.

    However, if I add an 8-bit mask on my LAN interface I can reach the webconfig through the "LAN" interface (both start with 194.).

    But that doesn't really seem like a good solution to my problem; we also have other networks that could be in need of this in the future that don't start with 194.

    So with the LAN interface on a /24 it is not reachable, but when adding a /8 it is.

    I kinda understand why being on the "same network" would work, but how do I configure the interface with a /24 and be reachable from other subnets than the same /24 net?

    Am I missing something obvious here, or does pfSense "require" being the router for this scenario to work?

    One reason I want in on one interface and out on the other is bandwidth: 100/100 and not 50/50, which would be the case if I only used one interface.

    Anyone?

    /Fredde



  • If you want the three subnets that make up your LAN to be able to reach the pfSense box, your subnet mask setting on the LAN interface of the pfSense box needs to be equivalent to 255.255.0.0, or at least 255.255.33.0. This will ensure that the three subnets you have mentioned before can get to the configured LAN IP of 222.222.222.21.

    It sounds like now you're running into a basic subnetting issue. You can read up on Wikipedia or countless other sites around the net.
    http://en.wikipedia.org/wiki/Subnetwork



  • I just don't see where the problem is here; if I have the LAN IP address like any other computer on that network, why shouldn't I be able to reach that? I have routes that let traffic to other computers on that same /24 network.

    There are like 254 other computers on that same LAN network that I'm able to reach with ping, FTP, web and whatnot.

    Is it because pfSense is a router/firewall and will only let the "LAN network" talk to the LAN interface?

    Bear with me… just trying to figure things out ;)

    /F



  • If the LAN IP of pfSense is configured to, say, 192.168.1.1 and the subnet mask is /24 (255.255.255.0), then only computers addressed 192.168.1.2-254 will be able to access the GUI, proxy, etc. If you set the subnet mask of the LAN on pfSense to /16 (255.255.0.0), then the box will listen for any requests from 192.168.1.x all the way through 192.168.254.x, so long as everything is on the same physical net.

    Just because machines in the office can access each other does not mean they will access the pfSense box the same way. I cannot know your whole config, but it seems that the issue would be subnetting. Also bear in mind that your router (not pfSense, from my understanding) may be sending traffic back to your pfSense WAN port. I can't be sure, but if this is the case you would need to use NAT to get back to the LAN side - i.e. forward WAN 443 to 127.0.0.1:443 to get GUI access from the WAN side.

    Last thing to keep in mind - I suspect you're working in non-routable IP space (192.168.*, 10.*, 172.16-31.*). Most routers will DROP any requests to these IPs. Because of this, you'll have to plan on having any client connect DIRECTLY to the pfSense box by making sure they are on the same subnet.

    I don't doubt you will be able to do what you need with pfSense, but it seems that you'll need to figure out the underlying issues first.



  • @mhab12:

    If the LAN IP of pfSense is configured to, say, 192.168.1.1 and the subnet mask is /24 (255.255.255.0), then only computers addressed 192.168.1.2-254 will be able to access the GUI, proxy, etc. If you set the subnet mask of the LAN on pfSense to /16 (255.255.0.0), then the box will listen for any requests from 192.168.1.x all the way through 192.168.254.x, so long as everything is on the same physical net.

    Ok, that kinda explains my main problem with not being able to access the GUI and Squid on the LAN interface.

    I'd guess I have to use /10 or something and accept that solution.

    Would it work if I trunked the needed VLANs into pfSense and created static mappings? …guess I have to try tomorrow ;)

    Danke /Fredde

