Netgate Discussion Forum

Squid proxy changing default routes breaks browsing

Category: Cache/Proxy. 7 posts, 2 posters, 1.1k views.
4o4rh, Aug 26, 2019, 11:05 PM

I originally had the default route as the WAN and all my LAN rules set to the VPN gateway.
Browsing without Squid, everything worked correctly and went via the VPN.

I just discovered that when Squid is used it is going via the WAN and not the VPN, defeating the purpose of the VPN.

The problem is, if I change the default route to VPN, then on many sites
the pages crash the Firefox tab, e.g. express.co.uk.

Can I make a rule to force the outgoing traffic of Squid to use a specific gateway, or any ideas why changing the default route screws up Squid?

KOM, Aug 27, 2019, 12:12 AM (edited Aug 27, 2019, 12:25 AM)

Try playing with the tcp_outgoing_address directive in Squid's custom options.

4o4rh @KOM, Aug 27, 2019, 9:23 PM

@KOM thanks for the info. Unfortunately, I am using 2x VPN in a failover config and the individual VPNs reset at least once a day, so you have to have some scripting to make it work.

With the default route switched to VPN, everything works except VoIP registration.
I have that as a separate LAN using the DNS Forwarder.
The LAN using the VPNs uses the DNS Resolver.

I did that so that the VoIP would always work whether or not the VPN was down.
Also I had problems with call dropouts over the VPN.

I think the problem is that, by changing the default route, the DNS Forwarder is now trying to use the VPN instead of the WAN interface. Unlike the DNS Resolver, where the outgoing interfaces can be specified.

It would be good if there was a custom config option to force the DNS Forwarder to use the WAN.
I think that would solve the problem.

KOM, Aug 28, 2019, 12:01 AM (edited Aug 28, 2019, 12:04 AM)

I think that if you create a gateway group with your VPNs and make them the default, you can set Squid's tcp_outgoing_address to 127.0.0.1 and it will use the gateway group. I think I may have an old document lying around that explains how to do this in more detail. Let me know if you're interested and I'll get it to you somehow.

4o4rh @KOM, Aug 28, 2019, 5:06 AM
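As an added illustration (not from this thread, and not pfSense or Squid project configuration), the following custom-options fragment shows the documented shape of the tcp_outgoing_address directive KOM refers to, with ACL-based selection so the VoIP segment and the VPN segment described above can leave Squid on different addresses. The subnets, the WAN address and the ACL names are constructed placeholders; the loopback binding for the VPN segment is KOM's suggestion and depends on the firewall host's policy routing with the gateway group set as default, which needs to be verified on the system in question.

```conf
# Added example, not from the thread. Addresses and subnets are constructed
# placeholders; replace them with the real LAN segments and WAN address.

# Source ACLs, one per LAN segment (constructed subnets).
acl lan_vpn  src 192.168.10.0/24
acl lan_voip src 192.168.20.0/24

# VoIP segment: bind Squid's outbound connections to the WAN interface
# address (203.0.113.2 is a placeholder) so they do not follow a VPN
# default route even when the gateway group changes.
tcp_outgoing_address 203.0.113.2 lan_voip

# VPN segment: per KOM's suggestion, bind to loopback so the connection is
# policy-routed through the default gateway group instead of being pinned
# to a single VPN interface that may reset during the day.
tcp_outgoing_address 127.0.0.1 lan_vpn
```

Squid evaluates tcp_outgoing_address lines in order and uses the first whose ACL matches, so the VoIP rule is listed first. To check the result without relying on the browser, request a page that reports the client's public address through the proxy from a host on each segment and confirm it matches the intended egress; if the VPN-segment request still shows the WAN address, the loopback binding is not being policy-routed and a floating rule for traffic originating from the firewall itself is the next thing to review.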

@KOM said in Squid proxy changing default routes breaks browsing:

> tcp_outgoing_address

Did that, and have confirmed the VoIP issue is DNS. If I add the LAN segment to the DNS Resolver, registration works, but only while the VPN is up. Will start another thread under the DNS heading. Thanks again.

4o4rh, Aug 28, 2019, 8:51 PM (edited Aug 28, 2019, 8:55 PM)

Managed to resolve it this way:
https://forum.netgate.com/topic/146093/dns-forwarder-how-to-use-non-default-route/2

I do have two outstanding issues with Squid though.

1. If I go to a blocked site, I get the following:
   HTTP - 404 Not Found / NGINX
   HTTPS - SSL_ERROR_RX_RECORD_TOO_LONG

   I can see in the SquidGuard table that they are blocked by blk_BL_porn in the form
   http://name.com
   name.com:443

   For the squidGuard Common ACL and Target Categories,
   I set the redirect mode to ext_url_err_page
   https://pfsense.local.lan:444/nginx/index.html

2. If I lose all VPNs (i.e. 2 if 2 enabled or 1 if 1 enabled),
   the system can't recover by itself. I.e. the rules are obviously deleted for each downed gateway,
   but when the gateway comes back up, the rules are not reloaded.
KOM, Aug 28, 2019, 9:50 PM

For rare http sites, you should get the default squidGuard block page. Because of how HTTPS works, blocked HTTPS sites will result in a browser error page.
