[Solved] Router Transparent Forward Proxy Squid EXTREMELY slow

  • Let me start by saying I'm new to nearly all of this.

    I'm trying to do a proof of concept in a host with 2 VMs and 2 NICs before buying hardware, see the attached diagram. The goal is to use this in a lab setup where stuff of various OSs and configurations come and go without having to manually adjust settings or get on/off the larger corporate network.

    Our corporate network requires traffic be routed through a (manually configured in each client) proxy for any HTTP and HTTPS requests. For HTTPS the corporate proxy just forwards it doesn't intercept.

    What I'm trying to do is set up pfSense as a router that transparently forwards all HTTP and HTTPS requests to the upstream proxy server from any connected clients.

    I'm ignoring the HTTPS part for the moment because that's a can of worms I'm not ready for yet.

    I set up the DHCP and DNS and that all seems to work. I installed Squid and believe I have it set up correctly. The weird part is that it seems to be working, just EXTREMELY slowly for external websites, like wget was showing 500 B/s for http://www.cnn.com. Corporate LAN websites load quickly without issue and they are not bypassing the proxy.

    I checked the CPU load in pfSense and it's never more than about 25%. I set the cache to null since I don't want to cache, only forward. I tried various combinations of the via and x-forward settings without any change in results.

    I'm running pfSense 2.4.2, which I downloaded and installed yesterday.

    Open to any help I can get.

    Slow Squid is usually a sign of DNS misconfiguration these days :(

  • I have DNS resolver and forwarder disabled on the pfSense. The pfSense DHCP passes the same DNS that is used on the corporate LAN. Using nslookup in the client seems to work just fine for internal and external addresses. Thoughts?

  • Shell in and run:

    squidclient -h LAN_IP_ADDRESS -p 3128 mgr:info

    and look at the Median Service Times. See if anything looks out of order.
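    A small helper for the check suggested above, added here as an example and not part of the thread or of Squid itself: it parses the "Median Service Times" block that `mgr:info` prints and separates a slow-DNS signature from a slow-fetch one. The sample dump and the thresholds are constructed assumptions for illustration; only the field names match what Squid prints.

```python
import re

# Constructed sample of the relevant part of a `squidclient ... mgr:info` dump.
# The numbers are made up: fast cache hits and DNS, slow misses, which is
# the pattern you see when Squid itself is fine but the fetch path is not.
SAMPLE_MGR_INFO = """\
Squid Object Cache: Version 3.5.27
Connection information for squid:
\tNumber of clients accessing cache:\t3
\tNumber of HTTP requests received:\t1412
Median Service Times (seconds)  5 min    60 min:
\tHTTP Requests (All):   4.21340  3.98210
\tCache Misses:          4.39120  4.10110
\tCache Hits:            0.00091  0.00091
\tNear Hits:             0.00000  0.00000
\tNot-Modified Replies:  0.00000  0.00000
\tDNS Lookups:           0.00188  0.00201
\tICP Queries:           0.00000  0.00000
Resource usage for squid:
\tUP Time:\t3600.123 seconds
"""

# Assumed limits (seconds) above which a median is worth a second look.
THRESHOLDS = {
    "DNS Lookups": 0.5,
    "Cache Misses": 2.0,
    "HTTP Requests (All)": 2.0,
}

_ROW = re.compile(r"^\s+([A-Za-z][A-Za-z ()\-]*?):\s+([0-9.]+)\s+([0-9.]+)\s*$")


def parse_median_service_times(dump):
    """Return {metric: (five_min, sixty_min)} from an mgr:info dump."""
    times = {}
    in_block = False
    for line in dump.splitlines():
        if line.startswith("Median Service Times"):
            in_block = True
            continue
        if in_block:
            m = _ROW.match(line)
            if not m:
                break  # first line that is not an indented "name: a b" row ends the block
            times[m.group(1)] = (float(m.group(2)), float(m.group(3)))
    return times


def slow_metrics(times, thresholds=THRESHOLDS):
    """List the metrics whose 5 or 60 minute median exceeds its threshold."""
    return [name for name, limit in thresholds.items()
            if name in times and max(times[name]) > limit]


def likely_cause(times, thresholds=THRESHOLDS):
    """Rough triage: 'dns', 'fetch-path' (origin or upstream peer), or 'ok'."""
    slow = set(slow_metrics(times, thresholds))
    if "DNS Lookups" in slow:
        return "dns"
    hits_fast = times.get("Cache Hits", (0.0, 0.0))[0] < thresholds["Cache Misses"]
    if "Cache Misses" in slow and hits_fast:
        return "fetch-path"
    return "ok"


if __name__ == "__main__":
    t = parse_median_service_times(SAMPLE_MGR_INFO)
    for name, (five, sixty) in t.items():
        print(f"{name:22s} {five:8.5f} {sixty:8.5f}")
    print("slow:", slow_metrics(t))
    print("likely cause:", likely_cause(t))
```

    Feed it the real output (`squidclient -h LAN_IP -p 3128 mgr:info > info.txt`, then read the file into `parse_median_service_times`). A low DNS median with a high Cache Misses median points away from DNS and at whatever Squid is fetching from, here the corporate upstream proxy; a high DNS median points at the resolver configuration instead.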

  • Looks like I'm going to have a noob response to your question: it says access denied…

    (see attachment)

  • I'm also confused to report that, without any changes, wget and apt-get work in the terminal with good speed, but websites in the browser either spin or get the Squid timeout page, like www.cnn.com and neverssl.com respectively.

  • Services - Squid - Local Cache - External Cache Managers. Make sure that and your PC's LAN IP address are in the list separated by a semicolon and try again. I can't answer your questions since I know nothing about your configuration.

  • Adding the IP where you suggested fixed that access denied issue. Attached is the section with the median response times.

    I've installed Chromium on the client and potentially learned 2 new things. CNN, even though not encrypted, still has some SSL resources which I think are slowing the page down when loading in the browser, but not wget. neverssl seems to load fine in Chromium, which I suspect means that Firefox and Chromium are doing different things with the headers??

    Is there a way to disable the in-memory cache just to get things set up?

    Thanks a lot for the help btw.

  • I take part of my last post back, there's some intermittency for sure. neverssl won't load in Chromium now and wget now returns 503.

  • It's not a DNS issue, which it often is. Probably something else in your config. I only use Squid as a platform for SquidGuard. I don't do any caching.

    You can't totally disable memory caching.

  • Thanks. Today the issue returned and, being suspicious, I checked on another computer bypassing my whole pfSense setup (directly on the corporate LAN) and the same issue exists. I'm confident it is an issue with the upstream proxy.

    I'm going to mark this thread as solved, but I'm sure I'll be back in a day or 2 with a new issue as I try and bring this thing up. Thanks for the help, seems like a strong community. :)