[Solved] Router Transparent Forward Proxy Squid EXTREMELY slow

11 Posts 3 Posters 2.6k Views
    justsomeguy, Dec 19, 2017, 2:18 PM (edited Dec 21, 2017, 5:51 PM)

    Let me start by saying I'm new to nearly all of this.

    I'm trying to do a proof of concept in a host with 2 VMs and 2 NICs before buying hardware, see the attached diagram. The goal is to use this in a lab setup where stuff of various OSs and configurations come and go without having to manually adjust settings or get on/off the larger corporate network.

    Our corporate network requires traffic be routed through a (manually configured in each client) proxy for any HTTP and HTTPS requests. For HTTPS the corporate proxy just forwards it doesn't intercept.

    What I'm trying to do is set up pfSense as a router that transparently forwards all HTTP and HTTPS requests to the upstream proxy server from any connected clients.

    I'm ignoring the HTTPS part for the moment because that's a can of worms I'm not ready for yet.

    I set up the DHCP and DNS and that all seems to work. I installed Squid and believe I have it set up correctly. The weird part is that it seems to be working, just EXTREMELY slowly for external websites, like wget was showing 500 B/s for http://www.cnn.com. Corporate LAN websites load quickly without issue and they are not bypassing the proxy.

    I checked the CPU load in pfSense and it's not more than like 25% ever. I set the cache to null since I don't want to cache, only forward. I tried various combinations of the via and x-forward settings without any change in results.

    I'm running pfSense 2.4.2, which I downloaded and installed yesterday.

    Open to any help I can get.
    Thanks.
    Attachment: Arch.gv.png
      sichent, Dec 19, 2017, 7:19 PM

      Slow Squid is usually a sign of DNS misconfiguration these days :(

        justsomeguy, Dec 19, 2017, 7:34 PM

        I have DNS resolver and forwarder disabled on the pfSense. The pfSense DHCP passes the same DNS that is used on the corporate LAN. Using nslookup in the client seems to work just fine for internal and external addresses. Thoughts?

          KOM, Dec 19, 2017, 9:06 PM

          Shell in and run:

          squidclient -h LAN_IP_ADDRESS -p 3128 mgr:info

          and look at the Median Service Times. See if anything looks out of order.

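The Median Service Times block that the suggested mgr:info command prints is the useful part of that output, and it separates the two theories raised in this thread (DNS misconfiguration versus something past Squid). The following parser and triage heuristic is an added example, not code from the thread or from pfSense/Squid; the sample output is constructed and the thresholds are assumptions.

```python
import re

# Constructed sample of the block that `squidclient -h LAN_IP -p 3128 mgr:info`
# prints; the numbers are invented, not the poster's real output.
SAMPLE_MGR_INFO = """\
Median Service Times (seconds)  5 min    60 min:
\tHTTP Requests (All):   4.21537  3.80000
\tCache Misses:          4.21537  3.80000
\tCache Hits:            0.00091  0.00091
\tNear Hits:             0.00000  0.00000
\tNot-Modified Replies:  0.00000  0.00000
\tDNS Lookups:           0.00379  0.00094
\tICP Queries:           0.00000  0.00000
Resource usage for squid:
"""

# One metric row: a name, a 5-minute median and a 60-minute median in seconds.
ROW_RE = re.compile(r"^\s*([A-Za-z() -]+?):\s+([\d.]+)\s+([\d.]+)\s*$")


def parse_median_service_times(text):
    """Return {metric: (median_5min, median_60min)} from mgr:info output."""
    times = {}
    in_block = False
    for line in text.splitlines():
        if line.startswith("Median Service Times"):
            in_block = True
            continue
        if in_block:
            m = ROW_RE.match(line)
            if not m:
                break  # first non-metric line ends the block
            times[m.group(1)] = (float(m.group(2)), float(m.group(3)))
    return times


def diagnose(times, dns_limit=0.5, slow_limit=2.0):
    """Heuristic triage of the 5-minute medians; thresholds are assumptions.
    Slow DNS points at the resolver setup; slow misses with fast DNS point
    past Squid (here the corporate parent proxy); slow hits point at the box."""
    dns = times.get("DNS Lookups", (0.0, 0.0))[0]
    misses = times.get("Cache Misses", (0.0, 0.0))[0]
    hits = times.get("Cache Hits", (0.0, 0.0))[0]
    findings = []
    if dns > dns_limit:
        findings.append("dns: median lookup %.2fs, check resolver/forwarder" % dns)
    if misses > slow_limit and dns <= dns_limit:
        findings.append("upstream: misses %.2fs with fast DNS, suspect parent proxy" % misses)
    if hits > slow_limit:
        findings.append("local: cache hits %.2fs, suspect the Squid host itself" % hits)
    return findings
```

Feed it the real output with `parse_median_service_times(open("mgr_info.txt").read())`; the constructed sample reproduces the pattern the thread ended on, fast DNS but slow misses, which points past Squid to the upstream proxy.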
            justsomeguy, Dec 19, 2017, 9:36 PM

            Looks like I'm going to have a noob response to your question, it says access denied…

            (see attachment: Untitled.png)
              justsomeguy, Dec 19, 2017, 9:53 PM

              I'm also confused to report that without any changes, wget and apt-get work in the terminal with good speed, but websites in the browser either spin or get the Squid timeout page, like www.cnn.com and neverssl.com respectively.

                KOM, Dec 19, 2017, 9:58 PM

                Services - Squid - Local Cache - External Cache Managers. Make sure that 127.0.0.1 and your PC's LAN IP address are in the list separated by a semicolon and try again. I can't answer your questions since I know nothing about your configuration.

                  justsomeguy, Dec 19, 2017, 10:13 PM

                  Adding the IP where you suggested fixed that access denied issue. Attached is the section with the median response times.

                  I've installed Chromium on the client and potentially learned 2 new things. CNN, even though not encrypted, still has some SSL resources which I think are slowing the page down when loading in the browser, but not wget. neverssl seems to load fine in Chromium, which I suspect means that Firefox and Chromium are doing different things with the headers??

                  Is there a way to disable the in-memory cache just to get things set up?

                  Thanks a lot for the help btw.

                  Attachment: Untitled.png
                    justsomeguy, Dec 19, 2017, 10:17 PM

                    I take part of my last post back, there's some intermittency for sure. neverssl won't load in Chromium now and wget now returns 503.

                      KOM, Dec 20, 2017, 1:54 PM

                      It's not a DNS issue, which it often is. Probably something else in your config. I only use Squid as a platform for SquidGuard. I don't do any caching.

                      You can't totally disable memory caching.

                        justsomeguy, Dec 21, 2017, 5:50 PM

                        Thanks. Today the issue returned and, being suspicious, I checked on another computer bypassing my whole pfSense setup (directly on the corporate LAN) and the same issue exists. I'm confident it is an issue with the upstream proxy.

                        I'm going to mark this thread as solved, but I'm sure I'll be back in a day or 2 with a new issue as I try and bring this thing up. Thanks for the help, seems like a strong community.  :)
