Squid transparent load balance how-to



  • Hi,

    For the last couple of weeks/months I've been trying to get squid to loadbalance/failover using gateway-groups (in VMware).

    Currently I'm at the point that I'm able to get it working with VERY BAD PERFORMANCE.
    I believe some minor tweaks are still needed, but I'll publish what I have so far and hope someone will figure out how to get it right.

    my wan ip: 192.168.5.2 (gw=192.168.5.1)
    my opt1 ip: 10.168.20.2 (gw=10.168.20.1)
    my lan ip: 10.10.20.1 (gw=gateway-group)

    1. Install the latest snapshot & configure your interfaces (I'm using the 2011/01/20 snapshot)

    2. In System -> Routing, add gateways for all interfaces
        In the group tab, add a loadbalancing group (tier 1, all interfaces)

    3. Make sure to add the gateways to the WAN/OPT interface (interface menu)

    4. Firewall rules:

    For details about the floating rule, see this pdf: http://goput.it/fer.pdf
    Note the state-type !!! <-- without this, it doesn't work, but I'm pretty sure this causes the bad performance
    Also: don't forget the gateway-group

    5. Nat rules:

    6. Install squid (System -> Packages -> squid)

    7. Configure squid
    http://goput.it/hhe.pdf
    Note the 'tcp_outgoing_address' directive at the bottom.

    I hope some people will find this useful and perhaps come up with a solution for the performance issue.
    My complete config can be downloaded here: http://goput.it/hah.xml



  • The links do not work.



  • I set this up - at first it didn't work. You can't see which interfaces are selected for squid in your pdf in the guide, but if you set it to loopback then it does loadbalance! So that's the trick.

    Now I will see if it works without some of these rules set. Thanks



  • First, you are not on the latest snapshot.
    Second, in the latest snapshot you do not need the NAT rules, since the localhost net is included in the auto-generated NAT rules.
    Third, it should only need localhost selected as the interface on squid. Not sure why some declare it does not work like that, since I have not checked the package.

