New HOWTO: pfSense Squid Web Proxy with multi-WAN links (it works!)

zetar · Jul 13, 2011, 6:47 AM

Screenshot

zetar · Jul 13, 2011, 6:48 AM

screenshot

zetar · Jul 13, 2011, 6:48 AM

screenshot

heper · Jul 13, 2011, 7:28 PM

@zetar

what does not work ?

are you able to do basic loadbalancing without squid ?
if no -> read the sticky about loadbalancing / failover in 2.0 forum

if yes -> is your floating rule being hit when trying to access a page ? –> if yes then you could be having a dns issue, duplicate the floating rule you have for http but change to tcp/udp and destination to DNS (53)

zetar · Jul 15, 2011, 3:57 PM

Hello.
Thank you for reply.
I reinstalled from the beginning.
The load balancing has worked very well until the installation of the Squid.
After the Squid and the fact the rules as you said to no longer works.
Attached is a screenshot of the rules are created by me for other services.
Can interfere at times.
Another thing, what are the correct values to put as the threshold latency and packet loss.
After the rule of floating, I found this rule, that fact alone, can 'interfere. Screenshots.
Another problem by loading a download of 6 7 megs no longer opens the page. I have to stop the download.
Thanks again.

zetar · Jul 15, 2011, 4:08 PM

If you notice the OPT1 and 'upload. the other three WAN server always does not happen.

kirlox_kitoy · Aug 1, 2011, 8:46 AM

Will these work for 3 ISP or 3 WAN links?

kirlox_kitoy · Aug 1, 2011, 8:53 AM

have you tried not to append the custom options which is the loopback maybe that will work.

andylai · Aug 14, 2011, 6:13 PM

@heper, I had setup squid load balancing following your instruction and it works (kind of). I fell unstable / slow performance while serving the web. Like I open a website the website may load halfway then it kept loading but nothing display. I need to refresh it then only it load the entire page. Or sometime it may never load the page at all but it never say "page cannot be display" etc, it just kept loading.

Also it cause my Online Games not able to connect to it server. The NAT outbound setting would it cause any trouble to go for manual? May it be the reason why my Online Games can't locate the server?

xocapik · Aug 29, 2011, 11:30 AM

Hi, i tried this and works but with low performance.

now i updated pfsense and i got this when accessing via transparet proxy


ERROR
The requested URL could not be retrieved

While trying to process the request:

GET / HTTP/1.1
Host: www.nasa.gov
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Cookie: __utma=259910805.353818488.1314617254.1314617254.1314617254.1; __utmb=259910805; __utmc=259910805; __utmz=259910805.1314617254.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); sessionpref=0; bn_u=6923701915773992990; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221314617258598_503062%22%2C%22pv%22%3A2%2C%22to%22%3A3.3%2C%22c%22%3A%22http%3A%2F%2Fwww.nasa.gov%2F%22%2C%22lc%22%3A%7B%22d3%22%3A%7B%22v%22%3A2%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A3%2C%22sd%22%3A3%2C%22f%22%3A1314617266696%7D
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

The following error was encountered:

    Invalid Request 

Some aspect of the HTTP Request is invalid. Possible problems:

    Missing or unknown request method
    Missing URL
    Missing HTTP Identifier (HTTP/1.0)
    Request is too large
    Content-Length missing for POST or PUT requests
    Illegal character in hostname; underscores are not allowed 

Your cache administrator is admin@localhost.
Generated Mon, 29 Aug 2011 11:27:52 GMT by localhost (squid)

If I specify the proxy in the client it works well.

paoloromano · Sep 16, 2011, 11:42 AM

hello masters,

i setup failover and loadbalancing, i believe its working but not when i install squid proxy. failover is no longer working once i unplugged either of the wan connection. i cannot browse the web although i can ping 8.8.8.8, when i uncheck "allow users on this interface" i can browse the net. is there a workaround on setting up load balancing, failover and squid? i need your advise masters, thanks in advance!

lcisetti · Oct 3, 2011, 5:29 PM

Hi.

Any news about this issue ?

My pfsense 2.0 RELEASE + Squid + Failover + squidguard + Transparent Proxy still not work.

Thanks in advance.

Luca

urbangear · Oct 10, 2011, 2:52 AM

After manually adding my subnet in the "Allowed subnets" box, my dual wan, squid and ~~squidguard~~ setup is now functioning using pfSense Version 2.0-Release (i386)

UPDATE: squidguard doesn't work but squid is OK

jlopez · Oct 11, 2011, 3:31 PM

Hi, first of all I apologize for my bad english…

PfSense 2.0 Release + Squid (transparent proxy) + Squidguard + Load Balancer doesn't work, only works failover, but not balancing. Without Squid, load balancer works fine.

If I do the NAT and the floating rule, without any change more, it seems to navigate and sometimes I can see the load balancer working, but a lot of times when browse it seems to stay "connected to..." and the web doesn't load fully.

I've tested with the previous configurations in "how to" (NAT, floating rule, LAN-loopback in proxy server with tcp_outgoing_address...) and the results are the same...doesn't work fine.

jlopez · Oct 13, 2011, 2:06 PM

Hi,

I have realized of testing throw http://pfsense.org/ip.php to verify load balancing that when I access to this url, I see my public IP of wan1, then I refresh and I see the public IP of wan2, I refresh another time and I see public IP of wan1, then if I refresh another time and the browser keep "Waiting to pfsense.org…", I refresh and I see my public IP of wan1....another time wan2...again wan1....and then keep "Waiting...."...and repeats everytime.

This is following the How to...pfsense+load balancing+squid+floating rule...

vladk · Oct 20, 2011, 6:58 PM

Anybody got this working with load balancing? I just can't get it to work if one of the nodes is down. It either craps out with invalid request or just takes forever and all the pages just sit there, spinning.

Riroxi · Oct 25, 2011, 12:21 AM

Thx to DimitriS.

The tutorial Works perfectly for me. ;D

I found only one problem. I could not set the navigation to the squid on the loopback interface, but as the Ermal said, just putting the "tcp_outgoing_address 127.0.0.1" worked for me.

I have only one more question… how i can force a ip range to use one of gateways. I tryed to create a LAN rule but not worked well...

EG: I need the traffic comming by 192.168.1.10 to 192.168.1.20 use the WAN2.

Thx and sorry for my google english :D

Riroxi · Oct 27, 2011, 1:27 AM

Well… After some days, the balance go to space!

All connections use the default gateway... any ideas?

Riroxi · Oct 27, 2011, 11:56 PM

Hello guys!

I make some new tests today, and i have new results…

I created a new floating rule to DNS (53) as quoted by heper.

The squid seems to work well now.

Also seted my WANS without a Default WAN. Seems helped. Not sure.

Now my WAN group Settings:

WAN1 - TIER2 - MONITOR ON INTERNAL ROUTER OF ISP
WAN2 - TIER1 - MONITOR ON 8.8.4.4 GOOGLE DNS

I do this because when the some of WANs reach the latency, the Links always go to another WAN... but still not using the two wans... for some reason they choose the one... probaly the lower ping

when one of then seems always online, on tier 2, they balance fine.

I'm little confused now ???

Look at SS

I still making new tests...

Thx again and sorry for my bad english

Daouid · Nov 1, 2011, 1:53 PM

Thank for your document!
But, I think, it works for Failover only!
In the PDF we can see the Tiers (in Gateway Priority) is not ths same for the 2 connections!
So my question is: Anyone has a Squid + Multi-WANs + Load balancing really functional?
(With the Tiers of the 2 connexions at 1)

Thanks a lot!