External squid



  • Hi,

    Since I can't do exactly what I want when using squid embedded in PfSense, I'd like to do the following:

    • HTTP traffic from LAN is sent transparently to another computer running squid (configured in transparent mode)
    • This traffic is then sent back to PfSense
    • Then PfSense can route this traffic on multiple WANS (based on firewall rules)
    • All other traffic is managed directly by PfSense

    I think I should add a NAT rule to route HTTP traffic to the squid computer, but I'm not sure how to send the outgoing traffic back to PfSense after squid?

    Thanks if you can help.
    ![external squid.jpg](/public/imported_attachments/1/external squid.jpg)



  • If you install squid on the pfSense, you can enter an upstream proxy, so no further special config is needed, to my knowledge.



  • @_igor_:

    If you install squid on the pfSense, you can enter an upstream proxy, so no further special config is needed, to my knowledge.

    Hmmm, well if I do that, what IP address will the squid box see? The IP of the LAN machine trying to reach a web site, or the IP of the squid box?



  • I just wonder one thing though:  Why have all that extra routing around of packets?  It adds complexity, and causes pfSense to have to route the same packet 2 times (2x the performance hit per packet).

    The simplest way would be putting the squid machine between the LAN and pfSense, since it appears you only have one LAN.  And you can use transparent mode with no issues then, and no special rules or overhead on the pfSense machine.

    If you do it this way, the packet can go straight, with no bouncing around.

    
    WAN1--\
           |pfSense|--|Squid|----LAN
    Wan2--/
    
    


  • @Liath.WW:

    I just wonder one thing though:  Why have all that extra routing around of packets?  It adds complexity, and causes pfSense to have to route the same packet 2 times (2x the performance hit per packet).

    The simplest way would be putting the squid machine between the LAN and pfSense, since it appears you only have one LAN.  And you can use transparent mode with no issues then, and no special rules or overhead on the pfSense machine.

    If you do it this way, the packet can go straight, with no bouncing around.

    
    WAN1--\
           |pfSense|--|Squid|----LAN
    Wan2--/
    
    

    It appears to be a good idea. But in this case, squid box must act as a router for non-http traffic.
    In this case:

    • I must configure LAN machines gateway to squid box ip address.
    • I can't use pfsense firewall anymore, because all incoming traffic will appear to be from squid box interface, and not LAN machines

    I'd like to manage http traffic with squid, and non-http traffic with pfsense firewall.



  • The simplest way is to use squid on the pfSense box. There is complexity with both ways of doing that job.
    I don't know the speed of your 2 WAN lines nor how much traffic there will be, but I have good experience with even a small P4 1.5 GHz with IDE on a 100 Mbit WAN. And a small Atom or AMD Neo has much more speed by comparison, and those use SATA. So I don't see any problem using squid directly with your pfSense. With less complexity and only one web interface to manage it all.


  •

    You can do the redirect you want if you put the squid box on a different interface (DMZ, etc.) and then just set up a proper port forward to direct HTTP traffic to it.

    You might be able to do this on 2.0 with the squid box on the same interface if you specify the rule right (the port forward would have to be set up with a source of ! (not) the squid box, to any).

    Keeping it on a separate interface is ideal though.



  • Yeah, you're right, I got the result I expected with a second installation of pfsense.

    I now have 2 pfsense running in 2 virtual machines. The 1st pfsense is the main firewall, and the second handles squid. They communicate with each other through 2 DMZ interfaces bridged on 2 virtual interfaces on the host.

    So all http traffic is sent to the proxy-pfsense, which filters and logs everything I want, and then it comes back to the firewall-pfsense which sends the traffic to the right gateway based on its destination.
    All other traffic is directly managed by the firewall-pfsense.

    If anyone is interested, I can try to write a howto.



  • @OyyoDams:

    If anyone is interested, I can try to write a howto.

    I certainly would be interested!!



  • @OyyoDams:

    It appears to be a good idea. But in this case, squid box must act as a router for non-http traffic.
    In this case:

    • I must configure LAN machines gateway to squid box ip address.

    I'm pretty sure you can configure your squid box as a pure bridge with transparent proxying. Your LAN hosts won't see squid, only pfsense.

    • I can't use pfsense firewall anymore, because all incoming traffic will appear to be from squid box interface, and not LAN machines

    I'm not sure that's true if you can make your squid box transparent as described above.



  • You're right, in theory it works.

    But my case is complex (I've been working on it for weeks), and in this special case, it doesn't work.

    The fact is I want to do all the following points at the same time:

    • Transparent proxy
    • A standard gateway (ISP)
    • A virtual gateway (an openvpn connection to another ISP through the real default ISP)
    • Ability to put some websites in aliases, so based on firewall rules (and not pfsense routing table), I can route some traffic on the default ISP, and all other traffic to the openvpn ISP

    The problem with squid on the same pfsense box is that traffic that comes out of pfsense is sent from the firewall itself, and not from a LAN IP. In that case, there are NAT issues.
    With a snapshot in november, after many hours, I managed to make it work, with horrible NAT rules and same floating rules for each destination. That worked, but it was a headache to configure. And with recent snapshots, it simply doesn't work anymore, because even with correct NAT rules, I don't know why, traffic from firewall to main ISP is blocked.
    Maybe an issue with opendns (configured with "redirect-gateway def1 bypass-dhcp"), I don't know, but I've not been able to make it work.

    So as my pfsense firewall was already in a virtual machine (virtualbox on an ubuntu server), I tried to install another pfsense on another virtual machine.
    The firewall NATs http traffic to the proxy, and then after being transparently filtered, traffic is sent back to the firewall.
    So in this case the incoming traffic on firewall is not generated from the firewall itself, and can be routed on internet as I want with simple firewall rules.

    Now a suggestion for future pfsense releases:
    Something that isolates squid, by adding virtual interfaces, so traffic can be routed internally…

    P.S. sorry for my english, I hope you understand :)
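
    As an added illustration (not part of the thread, and not anyone's actual configuration), here is what the "port forward to a squid box on a separate interface" that the Netgate developer describes, and the "firewall NATs HTTP to the proxy, proxy sends it back, firewall policy-routes it" design that OyyoDams ended up with, look like in pf rule syntax plus the matching squid.conf lines. All interface names, addresses, the `<via_isp>` alias and the gateway IPs are assumptions chosen for the example.

```conf
# Added example, not from the thread. Assumed addressing:
#   firewall pfSense: LAN em0 192.168.1.1/24, DMZ em1 192.168.100.1/24,
#                     WAN1 em2 (ISP gateway 203.0.113.1),
#                     OpenVPN "virtual WAN" ovpnc1 (gateway 10.8.0.1)
#   squid box:        192.168.100.2 on the DMZ, default gateway 192.168.100.1
#
# --- firewall pfSense, pf rules (2.0-era syntax; translation before filter) ---
lan_net   = "192.168.1.0/24"
squid_box = "192.168.100.2"
table <via_isp> { 198.51.100.0/24 }   # constructed alias: sites that must use the default ISP

# Outbound NAT on both WANs covers the squid box as well as the LAN, because
# after the proxy the connections are sourced from $squid_box, not from the LAN.
nat on em2    from { $lan_net, $squid_box } to any -> (em2)
nat on ovpnc1 from { $lan_net, $squid_box } to any -> (ovpnc1)

# 1. The "port forward": LAN HTTP to anything outside the LAN goes to squid.
#    "from ! $squid_box" is the developer's anti-loop guard; it only matters
#    when squid shares the LAN interface, and is harmless on a separate DMZ.
rdr on em0 proto tcp from ! $squid_box to ! $lan_net port 80 -> $squid_box port 3128

# 2. Filter rule for the redirected packets (pf filters on the translated address).
pass in quick on em0 proto tcp from $lan_net to $squid_box port 3128 keep state

# 3. Squid's own outbound connections arrive on the DMZ like ordinary client
#    traffic, so they can be policy-routed by firewall rule, not by the routing
#    table. Order matters: the alias rule must come before the catch-all.
pass in quick on em1 route-to (em2 203.0.113.1) proto tcp from $squid_box to <via_isp> keep state
pass in quick on em1 route-to (ovpnc1 10.8.0.1) from $squid_box to any keep state

# --- squid box, squid.conf (assumed Squid 2.7 as shipped with pfSense 2.0) ---
# Squid 2.7 spells interception "transparent"; Squid 3.1 renamed it "intercept".
http_port 3128 transparent
# Only LAN clients arrive here via the redirect; refuse everything else.
acl localnet src 192.168.1.0/24
http_access allow localnet
http_access deny all
```

    Two caveats a practitioner would check. First, because the redirect happens on the firewall and not on the squid box, squid cannot look up the original destination in a local NAT table and must rebuild it from the Host header; Squid 3.2 and later insist that the interception NAT be done on the same machine as squid, so on newer versions the rdr belongs on the squid box itself (which is what the pfSense squid package does when it runs on the second pfSense). Second, as heper points out below, every connection leaving the proxy carries the squid box's address as its source, so per-client firewall rules and per-source load balancing on the firewall no longer see individual LAN hosts for HTTP.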



  • hi,

    congrats on figuring out how to do failover with a transparent squid :)

    I've been trying the same thing for a couple of months (no luck so far)

    see ( http://forum.pfsense.org/index.php/topic,32494.0.html )

    I was wondering how well the load balancing works with your setup ….

    As in, is it possible to balance requests evenly? The source address is always the same (squid pfsense), and I wonder if that works well with pfSense's load balance algorithm

    kind regards

    jeroen



  • Hi heper, I never tested load balancing, because in my case I don't want to load balance between 2 physical WANs, I just want to control my traffic, and choose between 1 physical WAN and 1 logical WAN (openvpn connection through WAN).

    So I didn't even try load balancing feature.

    However, I think it should work, because in my setup, HTTP traffic after being filtered by squid comes back to pfsense through a network interface, so for pfsense itself it's transparent, as if there were no proxy at all. Instead of coming from LAN, HTTP traffic comes from a DMZ interface, but that's the same thing. So if you're able to configure load balancing correctly without squid, you should be able to make it work the same way with a squid setup on another virtual machine.

