Load Balance and Squid do not work running on the same server



  • There is a known limitation when using outgoing load balancing and Squid on the same server: Squid always goes out via the default route and does not respect the LAN rules. I read this would be solved in the 2.0 version; does anyone know something about this? I have tried many alternatives and I almost gave up on finding the solution.



  • With a lot of help and patches from the pfSense team I've managed to get it working on a snapshot of last month's beta (it probably works with the most recent RC1, but I can't confirm this).

    I will get back to you this weekend or early next week if you are interested.

    Basically you need to let Squid bind to localhost, then use floating rules to push it out the load-balancing group.

    You do need a separate DNS server on the LAN side that Squid can use to resolve, because you'll have issues otherwise if WAN1 goes offline.



  • heper, you sure about that?



  • Pretty sure …. It was all virtualized, but it eventually balanced and, more importantly, did failover with 2 WANs (I needed 4 VMs in total to test this).

    @rafael.cardoso:

    heper, you sure about that?



  • How are you trying to configure it?
    Please show screenshots and I will help you.



  • I'll let you know this weekend how I've managed it, in full detail.

    In any case, I selected LAN+loopback for the proxy interfaces.
    Then at the bottom you have a field called 'custom options';
    there I entered this: tcp_outgoing_address 127.0.0.1

    Squid traffic will always try to go out WAN1.
    With floating rules you can catch it before it leaves the interface and redirect it, to force it out using the load-balance gateway group.



  • You are missing something nobody told you :)

    All this needs AON activated, and the source in the generated rules set to any, so those rules translate properly for traffic redirected from the load-balance pool.



  • Also note my comment that I put a DNS server on the LAN side ….

    I couldn't get it to work with the default dnsmasq provided by pfSense when my WAN1 went offline; this could be because I'm not capable of configuring it properly ;)

    So if you are able to accommodate a DNS server inside the LAN, then you can fill in the 'Use alternate DNS-servers for the proxy-server' field in the Squid configuration page.



  • I took some screenshots;
    they pretty much explain themselves …

    I currently don't have the time to write a full how-to, but if you still have questions don't hesitate to ask them ;)

    see below:

    dashboard:

    NAT:

    Rules:

    Squid settings:



  • Thanks, it worked  8) 8) 8)
    The detail was picked up in the NAT rules for 127.0.0.1, but everything is right now and running!



  • I just put in a patch that will include localhost (127.0.0.0/8) in the default NAT rules, so AON will not be needed anymore in the configuration.
    It should be easier now by just creating a floating rule and selecting the gateway group on it.



  • Ermal, I have the following situation: an internal server running IIS. With the floating rule enabled, no service can be accessed externally. Is there anything to be done differently in this rule? I use a NAT port forward for HTTP to redirect the traffic.



  • This is not related to this topic, or I am not understanding anything about this.
    So please explain.



  • Hi,
    in the floating rule, please give me the details:
    check Quick, and match any interface, and the direction in or out?
    Please explain.
    Thanks



  • I did all the things in the pics, but it does not work.



  • I'm trying to understand the pics, but there are many things like the direction in the floating rules.

    Can this set of rules be used to make WAN balancing work with Squid? Is AON needed or not with the latest release?



  • I'm also trying to understand how to do this before I go and install Squid. Hopefully somebody could post the steps in detail, as I'm really new at this.



  • We need a good explanation; we don't know some things in the rules, we need more explanation.
    Where is the documentation for load balance and Squid?
    Thanks



  • Will post details of the floating rules tonight ….

    Also, I don't check this forum on a daily basis; to get my attention regarding this post it's easier to send a PM.



  • Hello guys, I'm experiencing the same problem. I've tried the solution you gave. When I configure two links in different tiers, making failover, Squid works perfectly, going through the gateway I specify. But when I configure two gateways in the same tier, making balance, Squid can't find any site, and when the user tries to access any site on the internet the browser keeps "searching forever" until it gets the "TIMEOUT" message. Did one of you experience that too? What am I doing wrong?

    Just for information:

    I have two links: 1 PPPoE and 1 static, from 2 different ISPs on two different interfaces.
    I have a LAN where all the computers are and a DMZ where there is a web server that is a DNS server too.
    The LAN's DNS server is the pfSense.



  • Thanks, we need pics with explanation, step by step.
    Regards



  • I'll try to write up a step-by-step how-to in a couple of months …. The free time I have is precious, and going to the pub is more fun than writing a how-to ;)

    The basic steps are these:

    • get load balancing/failover working without Squid (search the forum)

    • install Squid

    • set up the rules as shown in this post

    • configure Squid as shown in this post

    As promised, below you'll find the floating rule detail screenshot:



  • Heper, I am almost there…
    I found out that my problem is with the DNS. So I see that you posted something about that. You said that it's necessary to have a DNS server on the LAN side. In my case there is a DNS server in a DMZ, so it needs to pass through the pfSense to be reached; can't that be done?



  • Just load balance DNS as well, as you do for TCP traffic.



  • Thank you Heper!

    I just put in a patch that will include localhost (127.0.0.0/8) in the default NAT rules, so AON will not be needed anymore in the configuration.
    It should be easier now by just creating a floating rule and selecting the gateway group on it.

    Ermal, could you please expound on this? What is the difference between this and heper's screenshots? Thanks!



  • You have to put in an additional rule, the same as in the previous screenshot, but the protocol should be UDP and the outgoing port 53.
    That will help with DNS.



  • I will try to configure it. Do I now not need to add the AON rule, or do I?
    Regards



  • Still does not work.
    What is wrong????!!!!!



  • Ermal,
      I have configured the rule you said, balancing the DNS requests too, but it doesn't work. My DNS is in the DMZ, so the connections to it can't be balanced, because they don't pass through the gateways to reach it. With that rule, those who are outside the proxy have DNS problems too. So if I put a rule without balancing to the DMZ subnet in the floating rules before the balance rule, the normal connections work, but the proxy connections are still without name resolution.



  • I'd suggest you try setting up a virtual machine with a basic DNS server on your LAN subnet (be it on Windows, Linux or BSD).
    If that solves your problems, then you can be certain it's a DNS issue.

    If you don't want to waste time setting up VMs, then I suggest you add some rules to log all UDP traffic on port 53;
    packet captures can also help figure out where or what gets stuck.

    One of the things I've noticed is that when you pull the WAN1 interface offline, the front page of the pfSense GUI will start to go really slow (i.e. waiting for a time-out).
    To work around this issue, close the "system information" widget …. it checks for updates and fails because it doesn't find DNS.

    @digossantos:

    Ermal,
      I have configured the rule you said, balancing the DNS requests too, but it doesn't work. My DNS is in the DMZ, so the connections to it can't be balanced, because they don't pass through the gateways to reach it. With that rule, those who are outside the proxy have DNS problems too. So if I put a rule without balancing to the DMZ subnet in the floating rules before the balance rule, the normal connections work, but the proxy connections are still without name resolution.



  • Didn't work for me either.



  • @ermal:

    I just put in a patch that will include localhost (127.0.0.0/8) in the default NAT rules, so AON will not be needed anymore in the configuration.
    It should be easier now by just creating a floating rule and selecting the gateway group on it.

    Is this patch now in the public RC1 builds? I have the build from Tue Mar 15 08:53:58 EDT 2011, and when I go into the NAT rules and AON I'm not seeing any default rules for 127.0.0.0/8.



  • Is there anyone trying to do this with multiple VLANs as well? I had it working per the various posts in this thread, but it broke my ability to get to HTTP sites on other VLANs. I think having Squid use 127.0.0.1 is what breaks it.



  • And what about when I also use HAVP with Squid as its parent????????

    In this case:

    tcp_outgoing_address 127.0.0.1;
    never_direct allow all;
    cache_peer 127.0.0.1 parent 4444 0 name=havp no-query no-digest no-netdb-exchange default;
    redirect_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf;
    redirector_bypass on;
    redirect_children 3

    ?????? What about the cache peer to loopback?



  • Still does not work.
    What is the solution?



  • Heper, thanks for your guide!
    What advanced option is used in the "matching rule, to stop balance twice" floating rule?
    I used TCP flags: out of: SYN.
    It works!



  • rubic:

    It's possible to 'mark' packets when they hit one of your rules. Afterwards you can "search" for those packets using other rules, sort of ;)

    So basically I use a floating rule to push all HTTP traffic through the gateway group; at the same time I 'mark' them.

    I put another floating rule IN FRONT of my load-balance rule and added the option 'quick'; there I push packets out without going through the gateway group, and here I specify to 'match' the packets I 'marked' in my secondary rule.

    See this:
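
The pieces assembled across this thread (Squid bound to LAN + loopback with tcp_outgoing_address 127.0.0.1, a floating rule that pushes its traffic through the gateway group, loopback in the outbound NAT, Ermal's extra UDP/53 rule, and heper's quick 'matching' rule that stops the traffic being balanced twice) written out as a raw pf.conf fragment, so the rule order and the NAT are visible instead of living in screenshots. This is an added editor's example, not from the thread and not pfSense's generated ruleset; interface names, gateway addresses, subnets and the contents of the <internal> table are assumptions. It goes one step beyond the posts by excluding internal networks from the route-to rules, which is the case the VLAN post later in the thread runs into.

```pf
# Added example: the thread's pfSense GUI settings as a pf.conf fragment.
# All names, addresses and subnets below are placeholders, not values from the thread.
lan_if  = "em0"
wan1_if = "em1"
wan2_if = "em2"
wan1_gw = "203.0.113.1"     # assumed WAN1 next hop (the default route)
wan2_gw = "198.51.100.1"    # assumed WAN2 next hop
lan_net = "192.168.1.0/24"  # assumed LAN subnet; the LAN-side DNS server lives here

# Everything that must never be pushed out a WAN: LAN, other VLANs/DMZ (assumed
# 192.168.2.0/24 and 10.10.10.0/24) and loopback. Without this exclusion, Squid
# sourcing from 127.0.0.1 gets its requests for HTTP servers on other VLANs
# policy-routed out a WAN, which is the breakage reported later in the thread.
table <internal> { 192.168.1.0/24, 192.168.2.0/24, 10.10.10.0/24, 127.0.0.0/8 }

# Outbound NAT on both WANs with 127.0.0.0/8 as a source. This is what Ermal's patch
# adds to the default rules; before it, AON with source "any" was needed so that
# Squid's 127.0.0.1-sourced packets are translated when route-to moves them to WAN2.
nat on $wan1_if from { $lan_net, 127.0.0.0/8 } to any -> ($wan1_if)
nat on $wan2_if from { $lan_net, 127.0.0.0/8 } to any -> ($wan2_if)

# Default pass with state (a real ruleset has its block rules in front of this).
pass out keep state

# 1. heper's "matching rule, to stop balance twice". It sits in front of the balancing
#    rules and is quick: a packet already tagged by rule 2 or 3 is passed out unchanged,
#    so it is not policy-routed a second time when pf filters it again on the interface
#    that route-to selected (the double hit seen when the default WAN is down).
pass out quick on { $wan1_if, $wan2_if } tagged SQUID_LB keep state

# 2. Squid's outgoing HTTP/HTTPS. tcp_outgoing_address 127.0.0.1 makes the source
#    unambiguous; route-to the two-member pool (a gateway group with both WANs in one
#    tier) instead of following the default route to WAN1, and tag for rule 1.
pass out quick proto tcp from 127.0.0.1 to ! <internal> port { 80, 443 } \
    route-to { ($wan1_if $wan1_gw), ($wan2_if $wan2_gw) } round-robin \
    tag SQUID_LB keep state

# 3. Ermal's additional rule: the same for DNS (UDP/53) from the proxy host. The LAN-side
#    DNS server Squid actually queries is inside <internal>, so that traffic stays local
#    and only the server's own recursion leaves through rule 4.
pass out quick proto udp from 127.0.0.1 to ! <internal> port 53 \
    route-to { ($wan1_if $wan1_gw), ($wan2_if $wan2_gw) } round-robin \
    tag SQUID_LB keep state

# 4. Ordinary LAN clients and the LAN-side DNS server: the usual LAN rule with the
#    gateway group selected (the part to get working before installing Squid).
pass in quick on $lan_if from $lan_net to ! <internal> \
    route-to { ($wan1_if $wan1_gw), ($wan2_if $wan2_gw) } round-robin keep state
```

Check the syntax with `pfctl -nf` before loading, and confirm the behaviour the thread describes with `pfctl -v -s rules`: after pulling the default WAN, the evaluation and packet counters on rule 1 climb alongside those on rule 2, while rule 2's route-to is only applied on the first pass.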



  • Hm… will think about it... However, looking at the pf packet flow diagram, I wonder if the floating load-balance rule can fire twice.
    By the way, in my case your solution works even without binding Squid to loopback ???



  • heper, you were right!
    When the default WAN is down, an outgoing packet hits the rule twice (both on the WAN and the OPT-WAN interface).
    If you don't mind, I would like to translate your how-to for the Russian pfSense community.
    Thanks!



  • It hits it twice, but it really does not execute the policy routing the second time.
    Only the NAT rules are executed.

