Squid (Forward) Proxy - Setting Outbound Interface/Gateway

  • I've installed Squid as a forward proxy and the basic functionality is working well.

    The proxy traffic is going out my WAN currently, but I want it to go out of either a Gateway Group (which has 2 VPN gateways in it) I have set up, or a specific OpenVPN Interface if I cannot target a Gateway Group.

    There is no option I can see where I select the outgoing interface used for proxy requests.

    I've examined the Firewall Entries to see if I can somehow target the outgoing requests based on IP or Port, but I can't. It comes from the default pfSense IP with a random port; there is nothing specific to let me target proxy-only traffic via a firewall rule.

    I also considered using a virtual IP for Squid, with the hope that proxy requests will come from it as a result; however, I'm unable to get this working. I've added the Virtual IP and it works: I can access pfSense no problem. But when trying to use it as the Proxy IP, no requests go through. The firewall shows the incoming request and it is accepted; however, there is no matching rule from it to DestinationIP:Port. It's not a case of firewall logging settings either: if I use the LAN IP as the proxy IP I see both the inbound and outbound proxy requests. I expect the issue here is Squid binding to LAN, so it doesn't catch traffic.

    It seems I can likely achieve my goal by one of the following:
    - Changing the outbound interface for Squid to a Gateway Group or a specific interface
    - Binding Squid to
    - Finding out how to identify Squid outbound traffic so I can target it with a firewall rule

    If anyone is able to offer a suggestion that would be amazing, thank you.

  • Small update

    I added this to the Custom Options:

    and I can now use as the proxy IP, but it doesn't help. For example:

    My PC to Proxy:

    pfSense to WAN:
    [My WAN IP]:59142

    Still no way to target the outbound request (that I can see)

  • I had the same issue. After searching I found a solution; I don't remember who posted these or I'd give them props. You'll need something like this in your Squid advanced options:

    acl vpn_clients src
    tcp_outgoing_address xxx.xxx.xxx.xxx vpn_clients

    You'll also need a way to update the outgoing address if it's not static. I have a cron job to run this:

    #!/bin/sh
    # Variables (these two values are assumed here; adjust them to your system)
    VPN_IFACE="ovpnc1"                                    # OpenVPN client interface name
    SQUID_CONFIG_FILE="/usr/local/etc/squid/squid.conf"   # squid.conf path used by the pfSense squid package
    # Get current IP address of VPN interface (only the "inet" line carries the local address)
    VPN_IFACE_IP=$(ifconfig "$VPN_IFACE" 2>/dev/null | awk '/inet /{print $2}' | egrep -o '([0-9]+\.){3}[0-9]+')
    # Check if VPN interface is up and exit if it isn't
    if [ -z "$VPN_IFACE_IP" ]; then
            exit 0
    fi
    # Check current IP for VPN interface in squid.conf file
    VPN_CONFIG_IP=$(grep -m 1 "^tcp_outgoing_address" "$SQUID_CONFIG_FILE" | awk '{print $2}' | egrep -o '([0-9]+\.){3}[0-9]+')
    # Nothing to replace if the directive is missing (an empty pattern would make sed fail)
    if [ -z "$VPN_CONFIG_IP" ]; then
            exit 1
    fi
    # Check if the config file matches the current VPN interface IP, and if so exit script
    if [ "$VPN_IFACE_IP" = "$VPN_CONFIG_IP" ]; then
            exit 0
    fi
    # Replace the previous IP address on the tcp_outgoing_address line only
    # (BSD sed needs an explicit backup suffix for -i; '' means no backup file)
    sed -i '' "/^tcp_outgoing_address/s/$VPN_CONFIG_IP/$VPN_IFACE_IP/" "$SQUID_CONFIG_FILE"
    # Force reload of the new squid.conf file
    /usr/local/sbin/squid -k reconfigure
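The first post asked for a Gateway Group with two VPN gateways; since Squid selects the source address per ACL rather than per gateway, the same idea can be extended to one tcp_outgoing_address line per client ACL, each kept in sync with its own OpenVPN interface. The script below is an added example, not the poster's cron job above and not part of the pfSense or Squid packages. It assumes the ACL names vpn_a and vpn_b, the interface names ovpnc1 and ovpnc2, and the squid.conf path in SQUID_CONF; the parsing and rewriting are split into functions so they can be exercised against constructed input without touching a live proxy.

```shell
#!/bin/sh
# Added example: keep one tcp_outgoing_address line per VPN interface in sync.
# Assumed names (adjust to your box): ACLs vpn_a/vpn_b, interfaces ovpnc1/ovpnc2.
SQUID_CONF="${SQUID_CONF:-/usr/local/etc/squid/squid.conf}"   # assumed pfSense package path
ACL_IFACE_MAP="vpn_a:ovpnc1 vpn_b:ovpnc2"                    # assumed acl:interface pairs

# Extract the local inet address from ifconfig(8) text on stdin (empty if none).
parse_inet_addr() {
    awk '$1 == "inet" { print $2; exit }'
}

# Current IPv4 address of an interface, via ifconfig.
iface_ip() {
    ifconfig "$1" 2>/dev/null | parse_inet_addr
}

# IP currently configured for a given ACL in the squid.conf given as $1 (empty if no such line).
config_ip_for_acl() {
    awk -v acl="$2" '$1 == "tcp_outgoing_address" && $3 == acl { print $2; exit }' "$1"
}

# Rewrite the tcp_outgoing_address line for ACL $2 in file $1 to IP $3.
# Prints "changed", "unchanged" or "missing" so the caller can decide whether to reload.
set_config_ip_for_acl() {
    file=$1; acl=$2; ip=$3
    cur=$(config_ip_for_acl "$file" "$acl")
    if [ -z "$cur" ]; then
        echo missing; return 0
    fi
    if [ "$cur" = "$ip" ]; then
        echo unchanged; return 0
    fi
    # Rewrite to a temp file and move it into place (works with both BSD and GNU tools).
    tmp="$file.tmp.$$"
    awk -v acl="$acl" -v ip="$ip" \
        '$1 == "tcp_outgoing_address" && $3 == acl { $2 = ip } { print }' "$file" > "$tmp" \
        && mv "$tmp" "$file"
    echo changed
}

# Walk the map; interfaces that are down are skipped; reload squid once if anything changed.
sync_outgoing_addresses() {
    reload=0
    for pair in $ACL_IFACE_MAP; do
        acl=${pair%%:*}; iface=${pair#*:}
        ip=$(iface_ip "$iface")
        [ -n "$ip" ] || continue
        [ "$(set_config_ip_for_acl "$SQUID_CONF" "$acl" "$ip")" = changed ] && reload=1
    done
    [ "$reload" -eq 1 ] && /usr/local/sbin/squid -k reconfigure
    return 0
}
```

Run `sync_outgoing_addresses` from cron at whatever interval your VPN address can change. Two caveats worth checking on your own install: pfSense regenerates squid.conf from the package settings when they are saved, so any edit made by a cron job is lost until the job runs again; and setting a source address only changes which IP Squid binds to, so confirm with tcpdump on the tun interface (or a floating outbound rule matching that source IP) that the packets really leave via the VPN rather than the default route.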
