Multi Wan external Squid redirect on same Subnet?

  • Hello All!!

    I am banging my head against this one, and I am starting to think it's not possible, but could someone confirm it for me.

    I have a pfSense firewall setup with a dual WAN load balanced failover setup working and in place.

    Due to that I am unable to use the traffic shaping or proxy within pfSense.

    So I have set up an external Ubuntu box with Squid on it running within the LAN, on the same subnet, which I have confirmed is working as expected.

    Now I would like to redirect all port 80 traffic to port 3128 on my Squid box, then have it pushed through my load balancing/failover rules when it comes back to pfSense. Is there any way to do this without moving the Squid server into its own subnet, which is a pain for management etc.?

    If not, could someone just take me through the steps involved to set up the appropriate NAT rules to achieve this?

    Would I need to physically move the box to a separate network, or would just changing the IP address to a different subnet work?



  • Rebel Alliance Developer Netgate

    The squid box would have to be on a different interface/subnet for a transparent redirect to work. You can't do NAT reflection back out the same interface cleanly. It might work with normal port forwards with the NAT reflection used in pfSense, but I don't know that it would work (or if I'd trust it) to handle a squid redirect.

    It would be easy to do if it were in its own subnet, and keeping servers like that in a DMZ segregated from your client PCs is usually a good idea anyhow.

    If it were on its own subnet, you'd just need a port forward on LAN that redirected any port 80 traffic NOT going to the pfSense box's LAN IP, over to your squid box's IP on port 3128. Then on the DMZ interface, just have a rule that would match any outbound port 80 traffic and make the gateway your load balance pool.
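    The two rules described in the reply above, written out as a hand-written pf.conf fragment (an added illustration, not pfSense's generated ruleset; interface names, addresses and gateways are constructed). The exclusion of the firewall's own LAN address keeps admin traffic to pfSense out of the redirect, and pf's round-robin route-to pool stands in for the pfSense gateway group.

    ```pf
    # Constructed interface and address macros (assumptions, not from the thread)
    lan_if  = "em1"
    dmz_if  = "em2"
    wan1_if = "em0"
    wan2_if = "em3"
    lan_ip  = "192.168.1.1"          # pfSense LAN address
    lan_net = "192.168.1.0/24"
    squid   = "192.168.50.10"        # Squid box on its own DMZ subnet
    wan1_gw = "203.0.113.1"          # upstream gateway on WAN1
    wan2_gw = "198.51.100.1"         # upstream gateway on WAN2

    # 1. LAN side: transparently send client HTTP to Squid on 3128, but only
    #    when the packet is NOT addressed to pfSense itself; without the
    #    "! $lan_ip" exclusion, port 80 access to the firewall's own web GUI
    #    would also be sent to the proxy.
    rdr pass on $lan_if inet proto tcp from $lan_net to ! $lan_ip port 80 \
        -> $squid port 3128

    # 2. DMZ side: Squid's outbound HTTP is policy-routed across both WAN
    #    gateways (round-robin here; pfSense would use the gateway group).
    #    Traffic from Squid never hits the LAN rdr, so there is no loop.
    pass in quick on $dmz_if route-to { ($wan1_if $wan1_gw), ($wan2_if $wan2_gw) } \
        round-robin inet proto tcp from $squid to any port 80 keep state
    ```

    Outbound NAT on both WAN interfaces and the usual DMZ-to-LAN block rules are assumed to exist already, as they would in the poster's working dual-WAN setup.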

  • OK, thanks for that. These are all ESXi VMs so I guess I will just have to add some more networking in.

    "you'd just need a port forward on LAN that redirected any port 80 traffic NOT going to the pfSense box's LAN IP"

    Is this right? Surely this would mean that the redirect would not redirect the HTTP traffic and it would continue on through the pfSense box. Or am I being dumb, which is more than possible!!
