PfSense VLAN => external squid box => WAN via pfSense and back
Hi everyone… I'm about to pull my hair out and am hoping for some advice. I'm trying to set up an external Squid cache server, outside of pfSense. I'm having trouble redirecting HTTP traffic to the server -- and perhaps routing it back again.
I can manually configure a browser to use this proxy without a problem. When I start trying to NAT redirect port 80 on a transparent basis, that's where I'm having issues.
I'm not quite putting the blame on my squid box/installation yet because as soon as I turn on the NAT redirect in pfSense, port 80 becomes unusable across the entire network.
When logged into the squid box I can wget a page from an external site just fine EXCEPT after I enable the NAT port redirect... then nada... hangs.
So perhaps there is a loop in here. This is probably the case, as the NAT redirect seems to be affecting more than just the VLAN I want to apply it to. I can't see how this port forwarding is going to work if it is scooping up everything on port 80 all over the network (including my squid-to-WAN requests, I think). Should I be redirecting using another method? My setup is below.
NAT port forward rule:
IF:VLAN-USERS, PROTO:TCP, EXT-ADDY:ANY, EXT-PORT:80, NAT-PORT:3128, NAT-IP:SQUIDIP
VLAN-USERS:192.168.10.0/24 <= vlan I want to redirect
VLAN-SQUID:192.168.4.0/24 <= squid box at 192.168.4.2, listening on 3128, uses balanced wan interfaces as gateway.
Please let me know if you have any advice! I'm at my wit's end! If I can't get this to work, my next thought is to break apart my setup to have one box manage the WAN connections, another for squid, and then another for firewall/internal networking.
I have this working in a test environment using the load balancer as described here: http://forum.pfsense.org/index.php/topic,6229.0.html
Thanks! I had pondered that idea at one time and tried to do it with NAT and stuff since that seemed like it should have been the most straightforward. Glad you confirmed that this works and got me back on that track!
Note: I didn't even need the load balancer. Just set the squid box up as a gateway and set rules for anything on port 80 to use it. Seems to work like a charm!
On the other hand, I am using the load balancing for multi-wan, and squid is plugged into that.
I probably will end up using the load balancing for multiple squid boxes… so that's a really nice idea/side benefit!
One of my next tasks will be to learn about CARP. I wonder if I can get failover pfSense boxes running to smoothly hand off my increasingly complex setup...
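The two approaches discussed in this thread, written out in pf syntax (the ruleset pfSense ultimately loads, visible in its generated rules file) as an added illustration that is not part of the thread and not pfSense's own output. The interface names `vlan10` and `vlan4` and the macro names are assumptions; the addresses and port come from the original post. The first block shows the transparent redirect scoped to the users VLAN only, so the proxy host's own outbound port-80 fetches on the other VLAN never match it, which is the loop the original question describes. The second block shows the "proxy as gateway" policy route the poster settled on. Use one or the other, not both: pf applies `rdr` before filtering, so a `route-to` rule matching port 80 would not see connections that the redirect has already rewritten to port 3128.

```pf
# Added example, not from the thread. Interface names are assumptions;
# addresses and port are the ones given in the original post.
vlan_users = "vlan10"          # VLAN-USERS, 192.168.10.0/24
vlan_squid = "vlan4"           # VLAN-SQUID, where the proxy host lives
users_net  = "192.168.10.0/24"
squid_ip   = "192.168.4.2"
squid_port = "3128"

# --- Approach 1: transparent redirect, scoped to the users VLAN ---
# Only packets entering on $vlan_users are rewritten. The proxy host sits on
# $vlan_squid, so its own port-80 requests to the WAN are not redirected back
# to it; a redirect that matched all interfaces would create that loop.
rdr on $vlan_users inet proto tcp from $users_net to any port 80 \
    -> $squid_ip port $squid_port

# Filtering sees the translated destination, so allow the redirected
# connections through to the proxy port.
pass in quick on $vlan_users inet proto tcp \
    from $users_net to $squid_ip port $squid_port

# --- Approach 2: policy-route port 80 to the proxy host (what worked) ---
# The destination is left unchanged; the packet is simply handed to the proxy
# host as next hop. The proxy host must then intercept port 80 itself, which
# is outside what this thread covers.
pass in quick on $vlan_users route-to ($vlan_squid $squid_ip) \
    inet proto tcp from $users_net to any port 80
```

When checking a live pfSense box, compare the generated ruleset against this shape: a redirect whose `on` clause covers more than the intended VLAN, or whose source is not limited to the users subnet, is the first thing to look for when port 80 stops working network-wide after enabling the forward.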