Squid (Forward) Proxy - Setting Outbound Interface/Gateway
-
I've installed Squid as a forward proxy and the basic functionality is working well.
The proxy traffic is going out my WAN currently, but I want to go out of either a Gateway Group (has 2 VPN gateways in it) I have set up, or a specific OpenVPN Interface if I cannot target a Gateway Group.
There is no option I can see where I select the outgoing interface used for proxy requests.
I've examined the Firewall Entries to see if I can somehow target the outgoing requests based on IP or Port, but I can't. It comes from the default pfSense IP and with a random port, nothing specific to let me target proxy-only traffic via firewall rule.
I also considered using a virtual IP for Squid (say 192.168.1.2) with the hope that proxy requests will come from 192.168.1.2 as a result, however I'm unable to get this working. I've added the Virtual IP, and it works, I can access pfSense no problem. But, when trying to use 192.168.1.2 as the Proxy IP, no requests go through. The firewall shows the incoming request for 192.168.1.2:3128 and it is accepted, however there is no matching rule from 192.168.1.2:* to DestinationIP:Port. It's not a case of firewall logging settings either, if I use 192.168.1.1 as the proxy IP I see both the inbound and outbound proxy requests. I expect the issue here is Squid binding to LAN which is 192.168.1.1, so it doesn't catch 192.168.1.2 traffic.
It seems I can likely achieve my goal by either:
- Changing outbound interface for Squid to a Gateway Group or specific interface
- Binding Squid to 192.168.1.2
- Finding out how to identify Squid outbound traffic so I can target it with a firewall rule
If anyone is able to offer a suggestion that would be amazing, thank you.
-
Small update
I added this to the Custom Options:
http_port 192.168.1.2:3128

and I can now use 192.168.1.2 as the proxy IP, but it doesn't help. For example:
My PC to Proxy:
192.168.1.XXX:56209  192.168.1.2:3128
pfSense to WAN:
[My WAN IP]:59142  151.101.29.140:443
Still no way to target the outbound request (that I can see).
-
I had the same issue. After searching I found a solution. I don't remember who posted these or I'd give them props. You'll need something like this in your Squid advanced options:
acl vpn_clients src 192.168.1.0/24
tcp_outgoing_address xxx.xxx.xxx.xxx vpn_clients
You'll also need a way to update the outgoing address if it's not static. I have a cron job to run this:
#!/bin/sh
# Variables
VPN_IFACE=ovpnc1
SQUID_CONFIG_FILE=/usr/local/etc/squid/squid.conf

# Get current IP address of VPN interface
VPN_IFACE_IP=$(ifconfig $VPN_IFACE | awk '{print $2}' | egrep -o '([0-9]+\.){3}[0-9]+')

# Check if VPN interface is up and exit if it isn't
if [ -z "$VPN_IFACE_IP" ]
then
    exit 0
fi

# Check current IP for VPN interface in squid.conf file
VPN_CONFIG_IP=$(grep -m 1 "tcp_outgoing_address" $SQUID_CONFIG_FILE | awk '{print $2}' | egrep -o '([0-9]+\.){3}[0-9]+')

# Nothing to replace if the directive is missing or still holds the xxx.xxx.xxx.xxx placeholder
# (an empty pattern would make the sed below fail)
if [ -z "$VPN_CONFIG_IP" ]
then
    exit 1
fi

# Check if the config file matches the current VPN interface IP, and if so exit script
# (POSIX sh test uses a single "=" for string comparison)
if [ "$VPN_IFACE_IP" = "$VPN_CONFIG_IP" ]
then
    exit 0
fi

# Replace the previous IP address in the squid.conf file with the current VPN interface address
# (BSD sed on pfSense requires a backup suffix after -i; "-ie" would leave a squid.confe copy behind)
sed -i '' 's/'"$VPN_CONFIG_IP"'/'"$VPN_IFACE_IP"'/' $SQUID_CONFIG_FILE

# Force reload of the new squid.conf file
/usr/local/sbin/squid -k reconfigure
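A variant of the same approach, added here as an example and not taken from either poster: it rewrites only the tcp_outgoing_address directive instead of every occurrence of the old address (so the same IP in an unrelated acl is left alone), rejects malformed addresses and the xxx.xxx.xxx.xxx placeholder, and keeps the ifconfig parsing separate from the ifconfig call so it can be checked against captured output. The interface name ovpnc1, the 192.168.1.0/24 client subnet, the squid.conf path and the "run" argument are assumptions. One caveat from pfSense's Squid package: it regenerates squid.conf from the GUI settings on every save, so whatever you put in Custom Options is what the generated file starts with; a script like this only patches the generated file until the next resync.

```shell
#!/bin/sh
# Added example, not code from the original posts. Keeps Squid's tcp_outgoing_address
# in step with a VPN interface address, touching only that directive and refusing bad
# input. Interface name (ovpnc1), client subnet and file paths are assumptions.

# Print the first IPv4 address found in ifconfig-style output read on stdin.
# Separated from the ifconfig call so it can be exercised on captured text.
parse_inet4() {
    awk '$1 == "inet" { print $2; exit }'
}

# Current IPv4 address of a live interface; empty when the tunnel is down.
iface_ipv4() {
    ifconfig "$1" 2>/dev/null | parse_inet4
}

# Strict dotted-quad check: exactly four numeric octets, each 0-255.
# Rejects the xxx.xxx.xxx.xxx placeholder as well as truncated addresses.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# The two directives from the answer above, rendered for a subnet and address.
render_egress() {  # $1 = client subnet, $2 = outgoing address
    is_ipv4 "$2" || return 1
    printf 'acl vpn_clients src %s\ntcp_outgoing_address %s vpn_clients\n' "$1" "$2"
}

# Address currently set in the config file (empty if the directive is absent).
current_outgoing_address() {
    awk '$1 == "tcp_outgoing_address" { print $2; exit }' "$1"
}

# Rewrite only the tcp_outgoing_address line. Matching on the directive rather than
# on the old IP leaves an identical address used elsewhere (e.g. in an acl) untouched.
# Returns 1 on an invalid address, 2 if the directive is missing, 0 otherwise.
set_outgoing_address() {  # $1 = config file, $2 = new address
    is_ipv4 "$2" || return 1
    grep -q '^tcp_outgoing_address[[:space:]]' "$1" || return 2
    [ "$(current_outgoing_address "$1")" = "$2" ] && return 0
    awk -v ip="$2" '$1 == "tcp_outgoing_address" { $2 = ip } { print }' "$1" > "$1.tmp.$$" \
        && mv "$1.tmp.$$" "$1"
}

# Cron entry point: silent no-op while the tunnel is down, reload Squid only on a change.
main() {
    conf=${SQUID_CONF:-/usr/local/etc/squid/squid.conf}   # assumed pfSense path
    ip=$(iface_ipv4 "${VPN_IFACE:-ovpnc1}")               # assumed OpenVPN client interface
    [ -n "$ip" ] || exit 0
    [ "$(current_outgoing_address "$conf")" = "$ip" ] && exit 0
    set_outgoing_address "$conf" "$ip" || exit $?
    /usr/local/sbin/squid -k reconfigure
}

# Only act when invoked as "squid-egress.sh run", so the functions can be sourced or tested.
case ${1-} in run) main ;; esac
```

Schedule it from cron as `sh squid-egress.sh run`; the exit codes (1 bad address, 2 directive not present) make a broken config visible in the cron mail instead of silently rewriting the wrong line.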