RESOLVED:squid won't work for second lan subnet
-
Hello everyone,
My pf version is 1.2.3 stable.
Latest squid and squidguard packages installed.I have 2 subnets on my local network.
I configured second IP subnet on pf lan interface as described on http://doc.pfsense.org/multiple-subnets-one-interface-pfsense.pdf.Now squid runs smoothly on first lan interface,but won't work on second lan interface?
Any idea?
-
Stupid question - Have you selected both interfaces in the GUI by holding down ctrl+clicking on second interface? If yes, then try playing with the allow users on interface check box, tick it, save, test, untick, save test, etc.
-
Please read question correctly super genius mhab12 and you will found who is really stupid.
Second IP subnet on pf lan interface is not equal to physical second interface,it's just alias to same physical LAN interface with different IP subnet(see linked document http://doc.pfsense.org/multiple-subnets-one-interface-pfsense.pdf)
and second IP subnet alias can't seen from services>proxy server>general>proxy interface tab.
-
IP aliases aren't really supported in the UI in 1.2.x, so don't expect many of the automated functions to pick up on your additional subnet(s).
As such, you will probably need to manually add ACLs into squid for your subnets (do them all just in case) instead of relying on the 'allow users on interface' shortcut.
-
I meant that my question was likely stupid but should be a starting point in troubleshooting.
Another important factor that will come into play in your setup is that the squid redirects and rules are parsed BEFORE the firewall rules. This is why aliases, block rules, and anything else that is handled as part of the pf will not impact squid. Several people have raised the issue as a security concern and I believe this has changed in 2.0 (also why 2.0 can have multi-wan squid, etc.)
-
mhab12 sorry for misunderstood,i make some research and found some points.
i think solution in squid.inc file.
Here is squid.conf generated from PF 1.2.3/squid with one physical LAN interface.
Do not edit manually !
http_port 192.168.100.100:8080
acl localnet src 192.168.100.0/255.255.255.0and this is squid.conf generated from PF 1.2.3/squid with two physical LAN interface.
Do not edit manually !
http_port 192.168.100.100:8080
http_port 192.168.200.100:8080
acl localnet src 192.168.100.0/255.255.255.0 192.168.200.0/255.255.255.0as you see pf/squid, adds red lines to squid.conf when two physical LAN interfaces installed and chosen from squid>generel>proxy interface.
here are related lines in squid.inc with interfaces.
function squid_get_real_interface_address($iface) {
global $config;$iface = convert_friendly_interface_to_real_interface_name($iface);
$line = trim(shell_exec("ifconfig $iface | grep inet | grep -v inet6"));
list($dummy, $ip, $dummy2, $netmask) = explode(" ", $line);return array($ip, long2ip(hexdec($netmask)));
maybe by modifying this part of squid.inc its possible adding IP aliases to squid.conf like second LAN interface.
-
resolved bu adding to
squid>general>custom optinons
http_port IP_ALIAS:3128
Thanks to izuware
