Dual WAN load Balancing + Squid Web Proxy

  • Hello mates,

    I am trying to set up a pfSense firewall router with dual WAN load balancing configured and 3 VLANs, using a single LAN interface as the parent interface for all 3 VLANs. I would like to configure a Squid transparent web proxy server for caching and URL filtering. As the pfSense Squid server will not work with dual WAN load balancing, I was advised to use a separate machine for the proxy server. I have created the diagram and attached it; please have a look at it and let me know if it is the right design and topology and if it is going to work, because I am trying to set up the proxy server between the core switch and the pfSense box. The thing that concerns me is the VLANs; I wonder if the VLANs will work properly with the Squid proxy server in between the switch and the pfSense, which I use as a router on a stick?!

    Dual WAN with Squid.jpg

  • Netgate Administrator

    Squid does not have to be 'in-line' like that. It could be on a separate VLAN attached only to pfSense.

    You set redirect rules in pfSense exactly as the Squid package does when it's running on pfSense. That redirects web traffic to the Squid proxy which can be anywhere. Then traffic from the proxy to external sites can be policy routed to a load-balanced gateway group.


  • Dear Steve,
    Thank you for your reply. Please have a look at the diagram and let me know if you mean the same as this. What I got from your instructions is that I should connect the Squid in a separate VLAN, let's suppose VLAN 1, and then I should create firewall rules in pfSense on every VLAN interface so that traffic from the VLAN net to any destination with any port is redirected to Squid. And then one other floating rule should be created on the VLAN 1 interface: from source Squid to any, and in the gateway settings the gateway group should be selected.


  • Netgate Administrator

    You should only redirect traffic on port 80 and 443 if you have enabled SSL interception. Here's what the Squid package adds:

    # Setup Squid proxy redirect
    rdr pass on em1 proto tcp from any to !(em1) port 80 -> port 3128
    rdr pass on em1 proto tcp from any to !(em1) port 443 -> port 3129

    The rule passing traffic to the gateway group doesn't have to be floating; it just passes the traffic on VLAN1. If that's the only thing on VLAN1, it can just pass all traffic there to the gateway group. You probably want a rule above that to pass DNS to pfSense though, so that doesn't get policy routed.


  • Dear Steve,
    Can you please write the rules to be configured on every VLAN, for example:

    one rule on VLAN 10: from vlan10 net to any port 80, redirect to Squid
    one rule on VLAN 20: from vlan20 net to any port 80, redirect to Squid
    two rules on VLAN 1: from vlan1 net to any port any, gw: gw group
    allow from vlan1 net to any port 53

    Note: in the above diagram we have connected the Squid directly to the switch port of VLAN1, while normally a Squid proxy server should have 2 interfaces, WAN and LAN or in and out, but in this diagram we have only one interface.

  • Netgate Administrator

    If you put Squid 'in-line' with two interfaces then all the redirects would happen there and not at the main firewall.
    You don't have to do that though; it's easier to just redirect traffic to the proxy from the firewall as I outlined. In that case whatever is running Squid is only a proxy server, and it only needs one interface.
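    Putting the two answers above together, this is the rule set the single-interface design implies, written in pf syntax. It is an added example, not rules from the thread or from the Squid package; the VLAN interface names, the proxy address and the WAN interfaces and gateway addresses are assumptions for illustration.

    ```pf
    # Constructed example, not from the thread or from the Squid package's generated rules.
    # Assumed names: vlan10/vlan20/vlan30 are the client VLAN interfaces, vlan1 is the
    # proxy-only VLAN, $squid is the proxy's address there, em0/em2 are the two WANs.
    squid   = "10.1.1.10"
    wan1_gw = "203.0.113.1"
    wan2_gw = "198.51.100.1"

    # --- Translation: redirect client web traffic to the proxy on VLAN1 ------------
    # Same shape as the package rules, but the target is the external proxy host.
    # "!(vlan10)" keeps traffic aimed at pfSense's own VLAN address out of the redirect.
    # There is deliberately no rdr on vlan1, so the proxy's own outbound port-80
    # connections are never looped back into itself.
    rdr pass on vlan10 proto tcp from any to !(vlan10) port 80 -> $squid port 3128
    rdr pass on vlan20 proto tcp from any to !(vlan20) port 80 -> $squid port 3128
    rdr pass on vlan30 proto tcp from any to !(vlan30) port 80 -> $squid port 3128
    # Only keep the 443 redirects if SSL interception is enabled on Squid; otherwise
    # redirected HTTPS sessions simply fail at the proxy.
    rdr pass on vlan10 proto tcp from any to !(vlan10) port 443 -> $squid port 3129
    rdr pass on vlan20 proto tcp from any to !(vlan20) port 443 -> $squid port 3129
    rdr pass on vlan30 proto tcp from any to !(vlan30) port 443 -> $squid port 3129

    # --- Filtering on VLAN1: the proxy's outbound path -----------------------------
    # DNS to pfSense itself must match before the policy-routing rule, or it would be
    # pushed out a WAN gateway instead of reaching the local resolver.
    pass in quick on vlan1 proto { tcp, udp } from $squid to (vlan1) port 53
    # Everything else the proxy sends is balanced across both WANs, which is what a
    # pfSense gateway group compiles to.
    pass in quick on vlan1 from $squid to any \
        route-to { (em0 $wan1_gw), (em2 $wan2_gw) } round-robin
    ```

    In the pfSense GUI the same thing is a port-forward per client VLAN (destination "any" on port 80/443, target the proxy, port 3128/3129) plus two pass rules on the VLAN1 interface with the DNS rule ordered first.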

