Squid is on LAN, I want to pass all http access to this system…
Do I have to do a firewall port forward?
destination: WAN except IP of squid machine and pfsense machine?
redirect ip: ip of squid
More data: on the squid machine there is a web server (ports 80 and 3128 are also NAT-ed :)
You need a bit more complicated rule than that.
If you want your LAN clients' http traffic transparently redirected to the squid server, it needs to be more like:
NOT <- check that
Source Type: Single Host
Source address: IP of the squid box
Destination: any (Or you could check NOT and put the IP of the firewall there, too, or use an alias containing local/vpn networks)
Destination Port: 80
Redirect target IP: IP of the squid box
Redirect target port: 3128 (or whatever port you have squid listening for transparent connections on)
I think that should work, though generally it is recommended to put the squid box on a separate interface from where the clients are entering, then you don't have to use the source part of that redirect.
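The following is an added example, not part of the original posts and not pfSense code: a small Python model of the redirect rule described above, showing what the NOT on the source address prevents when squid fetches pages itself. The addresses, the local/VPN alias contents and the function names are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing (assumptions, not from the thread).
SQUID = ip_address("192.168.1.10")
SQUID_PORT = 3128
# Stand-in for "an alias containing local/vpn networks" used with NOT on the destination.
LOCAL_NETS = [ip_network("192.168.1.0/24"), ip_network("10.8.0.0/24")]


def redirect(src, dst, dport, exempt_source=SQUID, excluded=LOCAL_NETS):
    """Return the (dst, dport) a packet has after the port-forward rule.

    exempt_source models "NOT + Single Host: IP of the squid box";
    pass None to model a rule without that source exception.
    """
    src, dst = ip_address(src), ip_address(dst)
    unchanged = (str(dst), dport)
    if dport != 80:                       # rule only covers destination port 80
        return unchanged
    if exempt_source is not None and src == exempt_source:
        return unchanged                  # squid's own traffic is left alone
    if any(dst in net for net in excluded):
        return unchanged                  # local/VPN destinations are not proxied
    return (str(SQUID), SQUID_PORT)


def fetch_via_proxy(client, origin, exempt_source=SQUID):
    """Follow one client request and squid's resulting upstream request."""
    proxy = (str(SQUID), SQUID_PORT)
    if redirect(client, origin, 80, exempt_source) != proxy:
        return "direct"
    # Squid now opens its own connection to origin:80, which crosses the
    # same firewall interface and is evaluated by the same rule.
    if redirect(str(SQUID), origin, 80, exempt_source) == proxy:
        return "loop"                     # squid's request is sent back to squid
    return "proxied"


if __name__ == "__main__":
    print(fetch_via_proxy("192.168.1.50", "203.0.113.7"))                      # with NOT
    print(fetch_via_proxy("192.168.1.50", "203.0.113.7", exempt_source=None))  # without
```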