Netgate Discussion Forum

Dual WAN load Balancing + Squid Web Proxy

Cache/Proxy
6 Posts 2 Posters 1.9k Views
  • noor92, May 23, 2019, 7:39 AM

    Hello mates,

    I am trying to set up a pfSense firewall/router with dual WAN load balancing configured and 3 VLANs, using a single LAN interface as the parent interface for all 3 VLANs. I would like to configure a Squid transparent web proxy server for caching and URL filtering. As the pfSense Squid server will not work with dual WAN load balancing, I was advised to use a separate machine for the proxy server. I have created the diagram and attached it; please have a look at it and let me know if it is the right design and topology and if it is going to work, because I am trying to set up the proxy server between the core switch and the pfSense box. The thing that concerns me is the VLANs: I wonder if the VLANs will work properly with the Squid proxy server in between the switch and the pfSense, which I use as a router on a stick?!

    [Attachment: Dual WAN with Squid.jpg]

    • stephenw10 (Netgate Administrator), May 28, 2019, 1:57 PM

      Squid does not have to be 'in-line' like that. It could be on a separate VLAN attached only to pfSense.

      You set redirect rules in pfSense exactly as the Squid package does when it's running on pfSense. That redirects web traffic to the Squid proxy which can be anywhere. Then traffic from the proxy to external sites can be policy routed to a load-balanced gateway group.

      Steve

      • noor92, May 29, 2019, 9:32 AM

        Dear Steve,
        Thank you for your reply. Please have a look at the diagram and let me know if you mean the same as this. What I got from your instructions is that I should connect the Squid in a separate VLAN, let's suppose VLAN 1, and then I should create firewall rules in pfSense on every VLAN interface so that traffic from the VLAN net to any destination on any port is redirected to Squid. And then another floating rule should be created on the VLAN 1 interface: from source Squid to any, with the gateway group selected in the gateway settings.

        [Attachment: Untitled.jpg]

        • stephenw10 (Netgate Administrator), May 29, 2019, 10:50 AM

          You should only redirect traffic on port 80, and 443 if you have enabled SSL interception. Here's what the Squid package adds:

          # Setup Squid proxy redirect
          rdr pass on em1 proto tcp from any to !(em1) port 80 -> 127.0.0.1 port 3128
          rdr pass on em1 proto tcp from any to !(em1) port 443 -> 127.0.0.1 port 3129

          The rule passing traffic to the gateway group doesn't have to be floating; it just passes the traffic on VLAN1. If that's the only thing on VLAN1, it can just pass all traffic there to the gateway group. You probably want a rule above that to pass DNS to pfSense, though, so that doesn't get policy routed.

          Steve

          • noor92, May 29, 2019, 11:48 AM (last edited May 29, 2019, 12:05 PM)

            Dear Steve,
            Can you please write the rules that are to be configured on every VLAN, for example:

            one rule on VLAN 10: from vlan10 net to any port 80, redirect to Squid
            one rule on VLAN 20: from vlan20 net to any port 80, redirect to Squid
            two rules on VLAN 1: from vlan1 net to any port any, gateway: gateway group
            allow from vlan1 net to any port 53

            Note: in the above diagram we have connected the Squid directly to the switch port of VLAN 1, while normally a Squid proxy server should have 2 interfaces, WAN and LAN or in and out, but in this diagram we have only one interface.

            • stephenw10 (Netgate Administrator), May 29, 2019, 12:11 PM

              If you put Squid 'in-line' with two interfaces, then all the redirects would happen there and not at the main firewall.
              You don't have to do that though; it's easier to just redirect traffic to the proxy from the firewall as I outlined. In that case, whatever is running Squid is only a proxy server; it only needs one interface.

              Steve

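The single-interface design from this thread, written out as a pf ruleset fragment. This is an added illustration, not rules from the thread or the rules pfSense generates from its GUI; it assumes placeholder interface names em1.10/em1.20/em1.1 for VLANs 10, 20 and 1, a Squid host at 192.0.2.10 listening in intercept mode on 3128, pfSense's own VLAN 1 address as the DNS resolver, and WAN gateways 198.51.100.1 on em0 and 203.0.113.1 on em2 standing in for the gateway group.

```pf
# Added illustration in pf syntax; all addresses and interface names are placeholders.
#   em1.10, em1.20  client VLANs 10 and 20 (parent interface em1)
#   em1.1           VLAN 1, holding only the Squid host
#   192.0.2.10      off-box Squid, "http_port 3128 intercept" assumed on that host
#   em0 / em2       the two WANs, gateways 198.51.100.1 and 203.0.113.1

# Transparent redirect of plain HTTP from the client VLANs to the off-box proxy,
# mirroring the package rules but with the proxy's address instead of 127.0.0.1.
# Only port 80 is redirected: 443 would be added only with SSL interception enabled.
# "!(em1.10)" exempts traffic addressed to pfSense itself on that VLAN.
rdr pass on em1.10 proto tcp from em1.10:network to !(em1.10) port 80 -> 192.0.2.10 port 3128
rdr pass on em1.20 proto tcp from em1.20:network to !(em1.20) port 80 -> 192.0.2.10 port 3128

# VLAN 1: the DNS rule sits above the policy-routing rule so resolver traffic
# to pfSense is answered locally and not pushed out a WAN.
pass in quick on em1.1 proto { tcp, udp } from 192.0.2.10 to (em1.1) port 53

# Everything else the proxy originates goes out the load-balanced group
# (route-to pool standing in for the pfSense gateway group).
pass in quick on em1.1 from 192.0.2.10 to any \
    route-to { (em0 198.51.100.1), (em2 203.0.113.1) } round-robin sticky-address

# Nothing else is accepted on VLAN 1, and the WANs may not reach the proxy,
# so the intercept port is never exposed as an open proxy to the outside.
block in on em1.1
block in on { em0, em2 } from any to 192.0.2.10
```

Client replies from Squid travel back to the VLAN 10/20 hosts through pfSense, which un-does the redirect using the existing state, so the proxy needs no second interface for return traffic.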