Netgate Discussion Forum

Squid (Forward) Proxy - Setting Outbound Interface/Gateway

Cache/Proxy
3 Posts 2 Posters 5.5k Views
rx512, last edited by May 1, 2018, 9:27 AM

I've installed Squid as a forward proxy and the basic functionality is working well.

The proxy traffic is going out my WAN currently, but I want to go out of either a Gateway Group (has 2 VPN gateways in it) I have set up, or a specific OpenVPN Interface if I cannot target a Gateway Group.

There is no option I can see where I select the outgoing interface used for proxy requests.

I've examined the Firewall Entries to see if I can somehow target the outgoing requests based on IP or Port, but I can't. It comes from the default pfSense IP and with a random port, nothing specific to let me target proxy-only traffic via firewall rule.

I also considered using a virtual IP for Squid (say 192.168.1.2) with the hope that proxy requests will come from 192.168.1.2 as a result; however, I'm unable to get this working. I've added the Virtual IP, and it works, I can access pfSense no problem. But, when trying to use 192.168.1.2 as the Proxy IP, no requests go through. The firewall shows the incoming request for 192.168.1.2:3128 and it is accepted; however, there is no matching rule from 192.168.1.2:* to DestinationIP:Port. It's not a case of firewall logging settings either: if I use 192.168.1.1 as the proxy IP I see both the inbound and outbound proxy requests. I expect the issue here is Squid binding to LAN, which is 192.168.1.1, so it doesn't catch 192.168.1.2 traffic.

It seems I can likely achieve my goal by either:
-- Changing the outbound interface for Squid to a Gateway Group or specific interface
-- Binding Squid to 192.168.1.2
-- Finding out how to identify Squid outbound traffic so I can target it with a firewall rule

If anyone is able to offer a suggestion that would be amazing, thank you.

rx512, last edited by May 1, 2018, 9:49 AM

Small update

I added this to the Custom Options:
http_port 192.168.1.2:3128

and I can now use 192.168.1.2 as the proxy IP, but it doesn't help. For example:

My PC to Proxy:
192.168.1.XXX:56209 192.168.1.2:3128

pfSense to WAN:
[My WAN IP]:59142 151.101.29.140:443

Still no way to target the outbound request (that I can see).

deagle, last edited by May 4, 2018, 4:16 AM

I had the same issue. After searching I found a solution; I don't remember who posted these or I'd give them props. You'll need something like this in your Squid advanced options:

acl vpn_clients src 192.168.1.0/24
tcp_outgoing_address xxx.xxx.xxx.xxx vpn_clients

You'll also need a way to update the outgoing address if it's not static. I have a cron job to run this:

#!/bin/sh

# Variables
VPN_IFACE=ovpnc1
SQUID_CONFIG_FILE=/usr/local/etc/squid/squid.conf

# Get current IPv4 address of the VPN interface. FreeBSD ifconfig prints
# "inet A.B.C.D --> peer ..." for an OpenVPN tun device; take the first
# such line only, so an inet6 line or a second address cannot confuse it.
VPN_IFACE_IP=$(ifconfig "$VPN_IFACE" 2>/dev/null | awk '$1 == "inet" {print $2; exit}')

# Check if VPN interface is up and exit if it isn't
if [ -z "$VPN_IFACE_IP" ]
then
        exit 0
fi

# Check current IP for VPN interface in squid.conf file (first tcp_outgoing_address line)
VPN_CONFIG_IP=$(grep -m 1 "^tcp_outgoing_address" "$SQUID_CONFIG_FILE" | awk '{print $2}' | egrep -o '([0-9]+\.){3}[0-9]+')

# Nothing to replace if the directive is missing or still holds the xxx placeholder
if [ -z "$VPN_CONFIG_IP" ]
then
        exit 1
fi

# Check if the config file matches the current VPN interface IP, and if so exit script
# (POSIX test compares strings with a single "=", not "==")
if [ "$VPN_IFACE_IP" = "$VPN_CONFIG_IP" ]
then
        exit 0
fi

# Replace the previous IP address on the tcp_outgoing_address line only, so the
# same address in an http_port or acl line is left alone. BSD sed needs an
# explicit (here empty) backup suffix after -i; "-ie" would leave a stray backup
# file named squid.confe. Dots in the old IP are escaped so they match literally.
OLD_IP_RE=$(printf '%s' "$VPN_CONFIG_IP" | sed 's/\./\\./g')
sed -i '' "s/^\(tcp_outgoing_address[[:space:]]*\)$OLD_IP_RE/\1$VPN_IFACE_IP/" "$SQUID_CONFIG_FILE"

# Force reload of the new squid.conf file
/usr/local/sbin/squid -k reconfigure
        
        
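The approach in the reply above generalises to a small script that rewrites only the tcp_outgoing_address line for a named ACL, leaves a stale address in place when the VPN is down (Squid cannot bind outgoing sockets to an address the host no longer holds, so requests fail rather than going out the WAN), and checks that the config still parses before reloading. This is an added example written for this thread, not code posted by deagle or shipped with the pfSense Squid package; the interface name ovpnc1, the ACL name vpn_clients, the squid.conf path and the ifconfig sample in the comments are assumptions. Note also that the pfSense Squid package regenerates squid.conf from the GUI settings when you save, so any direct edit only lasts until the next save.

```shell
#!/bin/sh
# Added example, not code from the thread: keep the tcp_outgoing_address
# directive for one ACL in step with the IPv4 address of an OpenVPN client
# interface on pfSense. Unlike a bare "sed s/OLD/NEW/", it changes only the
# directive that names the ACL, so the same address in an http_port or acl
# line elsewhere in squid.conf is left alone.
# Interface, ACL and file names are assumptions, not something the thread states.

# Print the first IPv4 address in ifconfig output read from stdin
# (FreeBSD prints "inet A.B.C.D --> peer ..." for an OpenVPN tun device).
iface_ipv4() {
    awk '$1 == "inet" { print $2; exit }'
}

# Print the address on the tcp_outgoing_address line for ACL $2 in file $1;
# prints nothing if no such line exists.
current_outgoing() {
    awk -v acl="$2" \
        '$1 == "tcp_outgoing_address" && $3 == acl { print $2; exit }' "$1"
}

# Point the tcp_outgoing_address line for ACL $2 in file $1 at address $3.
# Exit status: 0 = file rewritten, 1 = already current, 2 = directive missing.
set_outgoing() {
    conf=$1; acl=$2; new=$3
    old=$(current_outgoing "$conf" "$acl")
    [ -n "$old" ] || return 2
    [ "$old" != "$new" ] || return 1
    tmp="$conf.tmp.$$"
    awk -v acl="$acl" -v new="$new" \
        '$1 == "tcp_outgoing_address" && $3 == acl { $2 = new } { print }' \
        "$conf" > "$tmp" || { rm -f "$tmp"; return 2; }
    # Copy over the original rather than mv so owner and mode are preserved.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Cron entry point, e.g.:
#   sh this_script.sh apply ovpnc1 /usr/local/etc/squid/squid.conf vpn_clients
apply_outgoing() {
    iface=$1; conf=$2; acl=$3
    ip=$(ifconfig "$iface" 2>/dev/null | iface_ipv4)
    if [ -z "$ip" ]; then
        # VPN is down: leave the stale address in place. Squid cannot bind
        # outgoing sockets to an address the host no longer has, so proxied
        # requests fail instead of leaking out the WAN.
        return 0
    fi
    if set_outgoing "$conf" "$acl" "$ip"; then
        # Refuse to reload a config that does not parse.
        /usr/local/sbin/squid -k parse -f "$conf" \
            && /usr/local/sbin/squid -k reconfigure -f "$conf"
    fi
}

case "${1:-}" in
    apply) apply_outgoing "$2" "$3" "$4" ;;
esac
```

Because the rewrite keys on the ACL name rather than on the old address, you can keep several tcp_outgoing_address lines (one per client ACL and VPN interface) in the same squid.conf and run the script once per interface without one run clobbering another.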
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.