New HOWTO: pfSense Squid Web Proxy with multi-WAN links (it works!)

urbangear

After manually adding my subnet in the "Allowed subnets" box, my dual wan, squid and squidguard setup is now functioning using pfSense Version 2.0-Release (i386)

UPDATE: squidguard doesn't work but squid is OK

jlopez

Hi, first of all I apologize for my bad english…

PfSense 2.0 Release + Squid (transparent proxy) + Squidguard + Load Balancer doesn't work, only works failover, but not balancing. Without Squid, load balancer works fine.

If I do the NAT and the floating rule, without any change more, it seems to navigate and sometimes I can see the load balancer working, but a lot of times when browse it seems to stay "connected to..." and the web doesn't load fully.

I've tested with the previous configurations in "how to" (NAT, floating rule, LAN-loopback in proxy server with tcp_outgoing_address...) and the results are the same...doesn't work fine.

jlopez

Hi,

I have realized of testing throw http://pfsense.org/ip.php to verify load balancing that when I access to this url, I see my public IP of wan1, then I refresh and I see the public IP of wan2, I refresh another time and I see public IP of wan1, then if I refresh another time and the browser keep "Waiting to pfsense.org…", I refresh and I see my public IP of wan1....another time wan2...again wan1....and then keep "Waiting...."...and repeats everytime.

This is following the How to...pfsense+load balancing+squid+floating rule...

vladk

Anybody got this working with load balancing? I just can't get it to work if one of the nodes is down. It either craps out with invalid request or just takes forever and all the pages just sit there, spinning.

Riroxi

Thx to DimitriS.

The tutorial Works perfectly for me.  ;D

I found only one problem. I could not set the navigation to the squid on the loopback interface, but as the Ermal said, just putting the "tcp_outgoing_address 127.0.0.1" worked for me.

I have only one more question… how i can force a ip range to use one of gateways. I tryed to create a LAN rule but not worked well...

EG: I need the traffic comming by 192.168.1.10 to 192.168.1.20 use the WAN2.

Thx and sorry for my google english :D

Riroxi

Well… After some days, the balance go to space!

All connections use the default gateway... any ideas?

Riroxi

Hello guys!

I make some new tests today, and i have new results…

I created a new floating rule to DNS (53) as quoted by heper.

The squid seems to work well now.

Also seted my WANS without a Default WAN. Seems helped. Not sure.

Now my WAN group Settings:

WAN1 - TIER2 - MONITOR ON INTERNAL ROUTER OF ISP
WAN2 - TIER1 - MONITOR ON 8.8.4.4 GOOGLE DNS

I do this because when the some of WANs reach the latency, the Links always go to another WAN... but still not using the two wans... for some reason they choose the one... probaly the lower ping

when one of then seems always online, on tier 2, they balance fine.

I'm little confused now  ???

Look at SS

I still making new tests...

Thx again and sorry for my bad english

Daouid

Thank for your document!
But, I think, it works for Failover only!
In the PDF we can see the Tiers (in Gateway Priority) is not ths same for the 2 connections!
So my question is: Anyone has a Squid + Multi-WANs + Load balancing really functional?
(With the Tiers of the 2 connexions at 1)

Thanks a lot!

Daouid

I have found this topic: http://forum.pfsense.org/index.php/topic,38882.0.html
It really works and with the Load Balancing!!
The Load Balancing is less efficient for large file contrary to pfsense sense without Squid, any ideas? If I download 2 files, the 2 are on the same box, but when I open lot of web site, the ips are the ips of my 2 boxes.

Thanks !

paoloromano

Hi Guys,

Dont have luck yet on running pfsens2.0+multiwan+loadbalance+failover+squidproxy+lightsquid.
Does this setup really works?

Although I have setup pfsense2.0+multiwan+loadbalance+failover.

Thanks Masters!

:)

a_ghellam

**Dear,
Thanks a lot for your post,
  I would like to know if it works also for multiwan loadbalancing (NOT FAILOVER), because when i used to config multi wan (WAN1= 1 Mb and WAN2= 1Mb from two different ISP) and add a rule in LAN interface for multigateway, my download reach the 2 Mb without installing SQUID and other dependencies. However when i install the squid and it's dependencies and configure it on lan and transparent proxy my download limit reach 1 Mb.
  I read that Squid doesn't allow multigateway, So if i can have a solution for my problem i'll appreciate a lot.

Best Regards,**

pubmsu

Based on this HOW TO and the other 3-easy-steps HOW TO, I have the questions as posted in this other thread:

http://forum.pfsense.org/index.php/topic,38882.msg233730.html#msg233730

So what's the current status and conclusion on this topic? Does it do loadbalancing?

skyrice

Have set up my failovers etc all work fine. I have default rule for everyone to use WAN1 failover to WAN2 and then have a few select ip addresses using WAN2 failover to WAN1 (these are IP's with large upload rates so dont affect others internet performance). So far none of the threads on this issue have gotten this setup to work. Everything ends up through WAN1.
About to attempt converting to VM and having 3 virtual pfSense boxes. 1 for multiwan and then 2 others as squid boxes for each connection

LAN –> pfSense1(Multiwan) --> pfSense2(Squid+SquidGuard) --> WAN1
                                      --> pfSense3(Squid+SquidGuard) --> WAN2

anyone with a more elegant solution to this please post the answer soon as the above just looks painful (2 lots of proxies to configure keep up-to-date + having to setup 3 VM machines).

twinfield

@skyrice

I appear to be in the same situation.  Is there a particular reason you are putting your proxies on the WAN side rather than the following:

/–--> WAN0
LAN -----> Proxy -----> pfsense MultiWAN ---+
                                                                ----> WAN1

Is there a performance improvement to using a separate proxy for each WAN?  I was intending to set things up this way for my purposes but would like to know if there is any advantage to your method.  Thanks

M4estre

its works with balance only, failover and squid cant work together, someone else have this problem too?

pccom

I learn set up multi-wan from this video.
http://www.youtube.com/watch?v=exa9OxyZ84U&feature=related
Why this video did not use floating rule?

I found Squid not working when Samba started. I manually run squid -z then /usr/local/etc/rc.d/squid.sh restart
Now it is working.

manfisto

@twinfield:

@skyrice

I appear to be in the same situation.  Is there a particular reason you are putting your proxies on the WAN side rather than the following:

/–--> WAN0
LAN -----> Proxy -----> pfsense MultiWAN ---+
                                                                ----> WAN1

Is there a performance improvement to using a separate proxy for each WAN?  I was intending to set things up this way for my purposes but would like to know if there is any advantage to your method.  Thanks

I am having the same setup as yours just that its different appliance.

|–---> WAN0
                                                                                    |-----> WAN1
LAN -----> Pfsense Squid Proxy -----> MultiWAN Appliance ---+
                                                                                    |-----> WAN2
                                                                                    |-----> WAN3

Currently it is working fine but its not gonna be long once the campus subscribe to 4 x 40mb lines = 160mbps.
My appliance is running on a 100based which the LAN port will become the bottleneck if i continue to use the appliance.
However, my Pfsense is running on R300 server with multiple network gigabit network ports.
Therefore, I am looking at this solution as well, anyone been able to make it work,
as in Pfsense + Squid +SquidGuard + MultiWAN loadBalance + Failover?

jikjik101

try the HOWTO except step 3.
for step 4, select LAN only, do not include LOOP.
tcp_outgoing_address 127.0.0.1 will be automatically added.

darkknight

Hi all!

And, what about:

VLAN1 (failover A)\                                                                                                              * WAN 1
VLAN2 (failover B) _____________________\ Squid Proxy Server__________\ pfSense 2.0.1/ * WAN 2 (default gateway)
VLAN3 (failover C) /                                      /                                          /                        \  * WAN 3
VLAN4 (failover C)/

(there's no network on LAN, except the VLAN'S)

Here, for a while, we'll use the proxy in not the transparent mode.
i.e., I'm in the VLAN1, proxy is in the VLAN2. When I set the proxy settings into the browser, I access the internet through VLAN2's gateway.
Is there a better way to do this?

Sorry the English…

DimitriS

Hello pfSense users around the world!

I'm back for another mission in Haiti dealing with pfSense firewall and Multiwan!!

Since I wrote the "pfSense Squid Web Proxy with multi-WAN links", I noticed some issue whith the DNS. When my default Gateway failed, following problems appears:

• SQUID proxy won't work anymore
• pfSense Configuration interface is very slow
• DNS solving is not working (or working very slow) : https://PFSENSE_IP/diag_dns.php

To bypass this problem, I update my configuration:

• Configure two open DNS servers (Google DNS : 8.8.8.8 and L3 DNS : 4.2.2.2)
• Force theses DNS in the Proxy Server config. (may not required, but it might helps)
• Create and new floating rule to correctly failover DNS solving (most important thing)

See attached pictures for details.

Regards (your feedback is always appreciated!),

Dimitri Souleliac