Squid proxy changing default routes breaks browsing

4o4rh · Aug 26, 2019, 11:05 PM

I originally had the default route as the WAN and all my WAN rules set to VPN gateway.
Browsing without squid, everything worked correctly and went via the VPN.

I just discovered, when squid is used it is going via the WAN and not the VPN, defeating the purpose of the VPN.

Problem is, if i change the default route to VPN, then i get many sites,
pages crash the firefox tab. e.g. express.co.uk

Can i make a rule to force the outgoing traffic of squid to use a specific gateway, or any ideas why changing the default route screws up squid?

KOM · Aug 27, 2019, 9:23 PM

Try playing with the tcp_outgoing_address directive in squid's custom options.

4o4rh · Aug 27, 2019, 9:23 PM

@KOM thanks for the info, unfortunately, i am using 2x VPN in a failover config and the individual VPNs reset at least one a day, so who have to have some scripting to make it work.

With the Default Route switch to VPN, everything works accept VOIP registration.
I have that as a separate LAN using the DNS forwarder.
The LAN using the VPNs, uses DNS resolver.

I did that, so that the VOIP would always work whether or not the VPN was done.
Also i had problem with call dropouts over the VPN.

I think the problem is, by changing the default route DNS Forwarder is now trying use the VPN, instead of the WAN interface. Unlike DNS Resolver, where the outgoing interfaces can be specified.

It would be good if there was a custom config option to force DNS Forwarder to use the WAN.
I think that would solve the problem.

KOM · Aug 28, 2019, 5:06 AM

I think that if you create a gateway group with your VPNs and make them the default, you can have set squid's tcp_outgoing_address to 127.0.0.1 and it will use the gateway group. I think I may have an old document laying around that explains how to do this in more detail. Let me know if you're interested and I'll get it to you somehow.

4o4rh · Aug 28, 2019, 5:06 AM

@KOM said in Squid proxy changing default routes breaks browsing:

tcp_outgoing_address

Did that, and have confirmed the VOIP issue is DNS. If i add the LAN segment to DNS resolver, registration works, but only while the VPN is up. Will start another thread under DNS heading. thanks again

4o4rh · Aug 28, 2019, 8:55 PM

managed to resolve it this way
https://forum.netgate.com/topic/146093/dns-forwarder-how-to-use-non-default-route/2

do have two outstanding issues with squid though.

if i goto a blocked site, i get the following
HTTP - 404 Not Found / NGINX
HTTPS - SSL_ERROR_RX_RECORD_TOO_LONG

I can see in the SquidGuard Table that they are blocked by blk_BL_porn in the form
http://name.com
name.com:443

for squidguard Common ACL and Target Categories,
i set the redirect mode to ext_url_err_page
https://pfsense.local.lan:444/nginx/index.html

if i lose all VPNs i.e. 2 if 2 enabled or 1 if 1 enabled,
system can't recover by itself. i.e. the rules are obviously deleted for each downed gateway,
but when the gateway comes back up, the rules are reloaded.

KOM · Aug 28, 2019, 9:50 PM

For rare http sites, you should get the default squidguard block page. Because of how https works, blocked https sites will result in a browser error page.