Netgate Discussion Forum

    RESOLVED: squid won't work for second lan subnet

    pfSense Packages
    7 Posts 3 Posters 10.9k Views
    • expert_az

      Hello everyone,
      My pf version is 1.2.3 stable.
      Latest squid and squidguard packages installed.

      I have 2 subnets on my local network.
      I configured second IP subnet on pf lan interface as described on http://doc.pfsense.org/multiple-subnets-one-interface-pfsense.pdf.

      Now squid runs smoothly on first lan interface, but won't work on second lan interface?

      Any idea?

      • mhab12

        Stupid question - Have you selected both interfaces in the GUI by holding down ctrl+clicking on second interface? If yes, then try playing with the allow users on interface check box, tick it, save, test, untick, save, test, etc.

        • expert_az

          Please read question correctly super genius mhab12 and you will find who is really stupid.

          Second IP subnet on pf lan interface is not equal to physical second interface, it's just an alias to the same physical LAN interface with a different IP subnet (see linked document http://doc.pfsense.org/multiple-subnets-one-interface-pfsense.pdf)

          and second IP subnet alias can't be seen from services>proxy server>general>proxy interface tab.

          • jimp Rebel Alliance Developer Netgate

            IP aliases aren't really supported in the UI in 1.2.x, so don't expect many of the automated functions to pick up on your additional subnet(s).

            As such, you will probably need to manually add ACLs into squid for your subnets (do them all just in case) instead of relying on the 'allow users on interface' shortcut.

            • mhab12

              I meant that my question was likely stupid but should be a starting point in troubleshooting.

              Another important factor that will come into play in your setup is that the squid redirects and rules are parsed BEFORE the firewall rules.  This is why aliases, block rules, and anything else that is handled as part of the pf will not impact squid.  Several people have raised the issue as a security concern and I believe this has changed in 2.0 (also why 2.0 can have multi-wan squid, etc.)

              • expert_az

                mhab12, sorry for the misunderstanding. I did some research and found some points.

                I think the solution is in the squid.inc file.

                Here is the squid.conf generated by PF 1.2.3/squid with one physical LAN interface.

                # Do not edit manually !

                http_port 192.168.100.100:8080
                acl localnet src  192.168.100.0/255.255.255.0

                And this is the squid.conf generated by PF 1.2.3/squid with two physical LAN interfaces.

                # Do not edit manually !

                http_port 192.168.100.100:8080
                http_port 192.168.200.100:8080
                acl localnet src  192.168.100.0/255.255.255.0 192.168.200.0/255.255.255.0

                As you can see, pf/squid adds the red lines to squid.conf when two physical LAN interfaces are installed and chosen from squid>general>proxy interface.

                Here are the related lines in squid.inc that deal with interfaces.

                function squid_get_real_interface_address($iface) {
                    global $config;

                    // Map the friendly name (e.g. "lan") to the real device name.
                    $iface = convert_friendly_interface_to_real_interface_name($iface);
                    // Keep the IPv4 line(s) of the ifconfig output.
                    $line = trim(shell_exec("ifconfig $iface | grep inet | grep -v inet6"));
                    // Only the first address is unpacked, so IP aliases on the same interface are not returned.
                    list($dummy, $ip, $dummy2, $netmask) = explode(" ", $line);

                    // ifconfig prints the netmask in hex; convert it to dotted form.
                    return array($ip, long2ip(hexdec($netmask)));
                }

                Maybe by modifying this part of squid.inc it's possible to add IP aliases to squid.conf like a second LAN interface.

                • expert_az

                  Resolved by adding to

                  squid>general>custom options

                  http_port IP_ALIAS:3128

                  Thanks to izuware

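Added example (not from the thread or from the pfSense squid package): a Python check for the case discussed above, where an `http_port` listener is added for an IP alias but no `src` ACL reachable before `http_access deny all` covers that address. The `http_access` lines, the `aliasnet` name and the alias address 192.168.200.100:3128 are constructed assumptions; only allow rules that name a single ACL are considered.

```python
import ipaddress

def parse_squid_conf(text):
    """Return (listen addresses, src networks granted by http_access allow)."""
    listeners, acls, allowed, closed = [], {}, [], False
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()          # drop comments, tokenize
        if len(f) < 2:
            continue
        try:
            if f[0] == "http_port" and ":" in f[1]:
                # "IP:port" form only; a bare port is not tied to one subnet.
                host = f[1].rsplit(":", 1)[0].strip("[]")
                listeners.append(ipaddress.ip_address(host))
            elif f[0] == "acl" and len(f) > 3 and f[2] == "src":
                # Accepts /24 as well as the /255.255.255.0 form pfSense writes.
                for item in f[3:]:
                    net = ipaddress.ip_network(item, strict=False)
                    acls.setdefault(f[1], []).append(net)
        except ValueError:
            continue                              # hostnames, ranges: out of scope
        if f[0] == "http_access" and len(f) == 3:
            if f[1:] == ["deny", "all"]:
                closed = True                     # first match wins: later allows never fire
            elif f[1] == "allow" and not closed:
                allowed.append(f[2])
    return listeners, [n for name in allowed for n in acls.get(name, [])]

def uncovered_listeners(text):
    """Listen addresses whose subnet no effective allow ACL covers."""
    listeners, nets = parse_squid_conf(text)
    return [str(ip) for ip in listeners if not any(ip in n for n in nets)]

# Constructed samples: the generated single-interface config from the thread,
# plus assumed http_access lines and assumed custom options for the alias.
GENERATED = """# Do not edit manually !
http_port 192.168.100.100:8080
acl localnet src  192.168.100.0/255.255.255.0
http_access allow localnet
http_access deny all
"""
ALIAS_PORT = "http_port 192.168.200.100:3128\n"
ALIAS_ACL = ("acl aliasnet src 192.168.200.0/255.255.255.0\n"
             "http_access allow aliasnet\n")

if __name__ == "__main__":
    for name, conf in [("port only", ALIAS_PORT + GENERATED),
                       ("port + ACL", ALIAS_PORT + ALIAS_ACL + GENERATED),
                       ("ACL after deny all", GENERATED + ALIAS_PORT + ALIAS_ACL)]:
        print(name, "->", uncovered_listeners(conf) or "all listeners covered")
```
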
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.