Netgate Discussion Forum
    Squid proxy changing default routes breaks browsing

    Cache/Proxy
    7 Posts 2 Posters 1.1k Views

    • 4o4rh

      I originally had the default route as the WAN and all my WAN rules set to the VPN gateway.
      Browsing without squid, everything worked correctly and went via the VPN.

      I just discovered that when squid is used it goes via the WAN and not the VPN, defeating the purpose of the VPN.

      Problem is, if I change the default route to VPN, then on many sites
      the pages crash the Firefox tab, e.g. express.co.uk.

      Can I make a rule to force the outgoing traffic of squid to use a specific gateway, or any ideas why changing the default route screws up squid?

      • KOM
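      A quick way to catch the leak described in the first post (proxied traffic leaving via the WAN while directly routed LAN traffic uses the VPN) is to compare the public address seen with and without the proxy from a LAN client. This is an added example, not code from the thread or from the pfSense squid package; the proxy address, the WAN address and the IP-echo URL are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): confirm that traffic relayed by squid
# leaves the firewall through the VPN, like directly routed LAN traffic,
# instead of slipping out the WAN. All addresses below are assumptions.
PROXY="${PROXY:-http://192.168.1.1:3128}"      # assumed pfSense LAN address and squid port
WAN_IP="${WAN_IP:-203.0.113.9}"                # assumed public address of the WAN interface
ECHO_URL="${ECHO_URL:-https://ifconfig.me/ip}" # any service that echoes the caller's public IP

# Public address seen without the proxy: follows the LAN policy-routing rules (the VPN)
direct_ip()  { curl -s --max-time 10 "$ECHO_URL"; }
# Public address seen through squid: this traffic originates on the firewall itself,
# so it follows the firewall's default route, not the LAN rules
proxied_ip() { curl -s --max-time 10 -x "$PROXY" "$ECHO_URL"; }

# compare_egress DIRECT PROXIED WAN: prints a verdict; exit 0 = OK, 1 = leak, 2 = lookup failed
compare_egress() {
  direct="$1"; proxied="$2"; wan="$3"
  if [ -z "$direct" ] || [ -z "$proxied" ]; then
    echo "FAIL: could not determine egress (direct='$direct' proxied='$proxied')"
    return 2
  fi
  if [ "$proxied" = "$wan" ]; then
    echo "LEAK: proxied traffic exits via the WAN address $wan, bypassing the VPN"
    return 1
  fi
  if [ "$direct" != "$proxied" ]; then
    echo "WARN: direct egress $direct and proxy egress $proxied differ"
    return 1
  fi
  echo "OK: proxy egress $proxied matches direct egress"
  return 0
}

# Run the live check from a LAN client with: RUN_EGRESS_CHECK=1 sh egress_check.sh
if [ "${RUN_EGRESS_CHECK:-0}" = "1" ]; then
  compare_egress "$(direct_ip)" "$(proxied_ip)" "$WAN_IP"
fi
```

Run it once before and once after changing the default route or tcp_outgoing_address; the VPN failover the later posts mention means it is worth re-running whenever a VPN gateway has reset.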

        Try playing with the tcp_outgoing_address directive in squid's custom options.

      • 4o4rh @KOM

          @KOM thanks for the info. Unfortunately, I am using 2x VPN in a failover config and the individual VPNs reset at least once a day, so I would have to have some scripting to make it work.

          With the default route switched to VPN, everything works except VOIP registration.
          I have that as a separate LAN using the DNS Forwarder.
          The LAN using the VPNs uses the DNS Resolver.

          I did that so that the VOIP would always work whether or not the VPN was up.
          Also I had problems with call dropouts over the VPN.

          I think the problem is that, by changing the default route, the DNS Forwarder is now trying to use the VPN instead of the WAN interface, unlike the DNS Resolver, where the outgoing interfaces can be specified.

          It would be good if there was a custom config option to force DNS Forwarder to use the WAN.
          I think that would solve the problem.

      • KOM

            I think that if you create a gateway group with your VPNs and make it the default, you can set squid's tcp_outgoing_address to 127.0.0.1 and it will use the gateway group. I think I may have an old document lying around that explains how to do this in more detail. Let me know if you're interested and I'll get it to you somehow.

      • 4o4rh @KOM

              @KOM said in Squid proxy changing default routes breaks browsing:

              > tcp_outgoing_address

              Did that, and have confirmed the VOIP issue is DNS. If I add the LAN segment to the DNS Resolver, registration works, but only while the VPN is up. Will start another thread under the DNS heading. Thanks again.

      • 4o4rh

                Managed to resolve it this way:
                https://forum.netgate.com/topic/146093/dns-forwarder-how-to-use-non-default-route/2

                I do have two outstanding issues with squid though.

                1. If I go to a blocked site, I get the following:
                   HTTP - 404 Not Found / NGINX
                   HTTPS - SSL_ERROR_RX_RECORD_TOO_LONG

                   I can see in the SquidGuard table that they are blocked by blk_BL_porn in the form
                   http://name.com
                   name.com:443

                   For the squidguard Common ACL and Target Categories,
                   I set the redirect mode to ext_url_err_page
                   https://pfsense.local.lan:444/nginx/index.html

                2. If I lose all VPNs, i.e. 2 if 2 enabled or 1 if 1 enabled,
                   the system can't recover by itself. I.e. the rules are obviously deleted for each downed gateway,
                   but when the gateway comes back up, the rules are reloaded.
      • KOM

                  For rare http sites, you should get the default squidguard block page. Because of how https works, blocked https sites will result in a browser error page.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.