Multi Wan external Squid redirect on same Subnet?

Firewalling

gazzer82:

      Hello All!!

I am banging my head against this one, and I am starting to think it's not possible, but could someone confirm it for me.

I have a pfSense firewall setup with a dual WAN load balanced failover setup working and in place.

Due to that I am unable to use the traffic shaping or proxy within pfSense.

So I have set up an external Ubuntu box with Squid on it running within the LAN, on the same subnet, which I have confirmed is working as expected.

Now I would like to redirect all port 80 traffic to port 3128 on my Squid box, then have it pushed through my load balancing/failover rules when it comes back to pfSense. Is there any way to do this without moving the Squid server into its own subnet, which is a pain for management etc.?

If not, could someone just take me through the steps involved to set up the appropriate NAT rules to achieve this?

Would I need to physically move the box to a separate network, or would just changing the IP address to a different subnet work?

      Thanks

      Gareth

jimp (Rebel Alliance Developer, Netgate):

        The squid box would have to be on a different interface/subnet for a transparent redirect to work. You can't do NAT reflection back out the same interface cleanly. It might work with normal port forwards with the NAT reflection used in pfSense, but I don't know that it would work (or if I'd trust it) to handle a squid redirect.

        It would be easy to do if it were in its own subnet, and keeping servers like that in a DMZ segregated from your client PCs is usually a good idea anyhow.

If it were on its own subnet, you'd just need a port forward on LAN that redirected any port 80 traffic NOT going to the pfSense box's LAN IP over to your squid box's IP on port 3128. Then on the DMZ interface, just have a rule that would match any outbound port 80 traffic and make the gateway your load balance pool.

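The two-hop design in the reply above (LAN port forward to squid:3128 that excludes the firewall's own LAN IP, then a DMZ rule handing squid's outbound port 80 to the load-balance gateway group), modelled as an added example that is not from the thread or from pfSense itself. It mimics pf-style match logic in Python so the effect of the "NOT the pfSense LAN IP" exclusion can be checked; all addresses and the gateway group name are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder addressing for the LAN + DMZ layout jimp describes.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
LAN_IP = ipaddress.ip_address("192.168.1.1")      # pfSense LAN address (web GUI lives here)
SQUID_IP = ipaddress.ip_address("192.168.2.10")   # squid host, now in its own DMZ subnet
LB_POOL = "WAN_LoadBalance"                       # assumed name of the gateway group

@dataclass
class Packet:
    iface: str          # interface the packet arrives on: "lan" or "dmz"
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

def lan_rdr(pkt):
    """LAN port forward: TCP/80 from the LAN net to anything EXCEPT the
    firewall's own LAN IP is rewritten to squid:3128.
    Returns the (dst, dport) the packet has after NAT."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if (pkt.iface == "lan" and pkt.proto == "tcp" and pkt.dport == 80
            and src in LAN_NET and dst != LAN_IP):
        return str(SQUID_IP), 3128
    # Not matched: e.g. a browser opening the pfSense GUI on port 80 stays local.
    return pkt.dst, pkt.dport

def dmz_policy_route(pkt):
    """DMZ rule: outbound TCP/80 from squid is policy-routed to the
    load-balance gateway group; anything else takes the default route."""
    if (pkt.iface == "dmz" and pkt.proto == "tcp" and pkt.dport == 80
            and ipaddress.ip_address(pkt.src) == SQUID_IP):
        return LB_POOL
    return "default"

def trace(pkt):
    """Follow a LAN client's request through both hops and report the outcome."""
    dst, dport = lan_rdr(pkt)
    if (dst, dport) == (str(SQUID_IP), 3128):
        # squid fetches the origin itself, so the upstream request leaves via DMZ
        # with squid's address as source and the original destination.
        upstream = Packet("dmz", str(SQUID_IP), pkt.dst, 80)
        return {"redirected": True, "gateway": dmz_policy_route(upstream)}
    return {"redirected": False, "gateway": None}
```

Run `trace(Packet("lan", "192.168.1.50", "203.0.113.10", 80))` to see a web request go through squid and out the gateway group, and the same with `dst="192.168.1.1"` to confirm the firewall's own GUI is left alone.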
gazzer82:

OK, thanks for that. These are all ESXi VMs so I guess I will just have to add some more networking in.

"you'd just need a port forward on LAN that redirected any port 80 traffic NOT going to the pfSense box's LAN IP"

Is this right? Surely this would mean that the redirect would not redirect the HTTP traffic and it would continue on through the pfSense box. Or am I being dumb, which is more than possible!!

          Cheers

          Gareth
