Squid does not pass the firewall rules.

  • Hello, I have a problem I am not able to deal with; I count on your help ...
    Well, I have 4 NICs in my firewall:

    200.x.x.x WAN (Link DEDICATED)
    Apt2 (ADSL)

    Well, it is configured so that the LAN interface only accesses the internet via the WAN, and the interface Apt1 only accesses the internet by Apt1.
    Well, so far so good ... I installed Squid to control content, but after I installed squid, all interfaces only access the internet over the WAN, bypassing the firewall settings made previously.
    I would like, if possible, for squid to comply with the settings made in the firewall, so that each network accesses the Internet the way it was configured.
    However, if not, could some setting in squid be changed so that it uses the interface Apt2 to go to the Internet?

    My firewall is working perfectly; however, I have this problem with squid ...
    My LAN network is configured to access the Internet only by the dedicated link,
    and the Apt1 interface is configured to access the Internet only through the interface APT2;
    this works perfectly. However, when I install squid, it ignores my settings and releases the output on port 80 through my dedicated link for the 2 LAN interfaces ... There should probably be a place to change this setting to set a standard output; if it would release access on port 80 through the interface APT2 for the 2 networks, that would already be good for me ....


  • Hi
    I have had this issue in the past.

    I discovered that Squid does not support Multi WAN configurations. It will only proxy requests through to the primary WAN interface.

  • Yeah, that's why I stopped using multi WAN. Hope there are some other ways for this...

  • It does kind of work with policy based routing on Multi Wan.
    I ended up keeping all of my HTTP/S traffic through squid on default WAN and routed email, VPN, RDP etc through WAN2 to split the load rather than true load balancing.

  • Hi,

    I also have the same problem - without squid - everything works fine for the multi wan, failover and firewall rules.

    Are you guys saying there is no way to enable squid and still have all the rules and failover / multi WAN in place?


  • It is just that Squid will only proxy through to the WAN interface. So ports picked up by the proxy will only go out through WAN. All other ports will use your defined routing. Works OK with policy based routing for me. I guess HTTP traffic will not failover if going through Squid.
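    As an added illustration (not code from any poster), a small Python model of why a transparent proxy on the firewall skips policy-based routing: the intercepted client flow is replaced by a new upstream connection whose source is the firewall itself, so source-based rules no longer match and the default route (WAN) is used. The subnets, addresses and the `outgoing_addr` knob (standing in for Squid's `tcp_outgoing_address` plus a matching outbound rule) are assumptions, and the model is deliberately simplified.

```python
from ipaddress import ip_address, ip_network

# Constructed policy-routing table modelled on the thread:
# LAN -> dedicated WAN, the Apt1 subnet -> ADSL (Apt2). Addresses are made up.
FIREWALL_IP = ip_address("192.168.1.1")  # hypothetical: address Squid connects from
RULES = [
    (ip_network("192.168.1.0/24"), "WAN"),   # LAN: dedicated link only
    (ip_network("192.168.2.0/24"), "Apt2"),  # Apt1 subnet: ADSL only
]
DEFAULT_GATEWAY = "WAN"   # what the firewall's own traffic uses
PROXY_PORTS = {80}        # ports a transparent Squid picks up


def policy_route(src):
    """First matching source rule wins; otherwise the default route."""
    for net, gateway in RULES:
        if src in net:
            return gateway
    return DEFAULT_GATEWAY


def egress(src, dport, squid=False, outgoing_addr=None):
    """Gateway a client flow leaves on.

    Without Squid the client's source address is evaluated against RULES.
    With Squid intercepting dport, the upstream connection is a *new* flow
    whose source is the firewall (or the address Squid was told to use),
    so the rules see that address instead of the client's.
    """
    if squid and dport in PROXY_PORTS:
        proxy_src = ip_address(outgoing_addr) if outgoing_addr else FIREWALL_IP
        return policy_route(proxy_src)
    return policy_route(ip_address(src))


if __name__ == "__main__":
    for port in (80, 443):
        print(f"Apt1 client, port {port}, no squid ->",
              egress("192.168.2.10", port))
        print(f"Apt1 client, port {port}, squid    ->",
              egress("192.168.2.10", port, squid=True))
    # Workaround modelled: make Squid connect out from an address that a
    # source-based rule sends to Apt2 (needs a matching outbound rule in practice).
    print("with outgoing_addr on the Apt1 net ->",
          egress("192.168.2.10", 80, squid=True, outgoing_addr="192.168.2.1"))
```

    Port 80 from the Apt1 subnet reaches Apt2 only until Squid is enabled; port 443 and every other non-proxied port still follow the per-subnet rule, which is the split the posters describe.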

  • OK...
    I also noticed that the download and upload speeds are slower when we enable squid.
    Is there some workaround for this?

  • Yes, there are loads of posts on this topic.
    There is a config file tweak that needs doing. I have had varying results with it.

    Here's one thread: http://forum.pfsense.org/index.php/topic,19205.0.html but there are many more.

  • I tried to modify the loader config, but it was still slow; I did not have any traffic shaper configured though.
    For the moment I just took out squid/squidguard... no proxy and filtering for the moment... waiting for a new version of pfSense that will work with multi WAN + squid + squidguard.