Squid and Policy-based routing



  • Hello everyone,

    I have pfSense 2.0-RC1 configured with 1 LAN interface (10.11.0.1/16) and 1 WAN interface (10.0.0.111/16).
    We have 2 Internet lines connected to devices having LAN IP addresses 10.0.0.1/16 and 10.0.0.3/16, respectively.

    NAT is disabled on the pfSense box.
    Based on the source IP address, the pfSense either routes packets to Internet line #1 or #2, as configured in a firewall rule.
    This is working fine.

    However, when Squid, with transparent proxy, is enabled, the policy-based routing no longer works.
    I've searched the pfSense support forums and found out that when Squid is enabled, the packet leaves the pfSense box as if it were generated by the pfSense box itself, hence does not go through the firewall rules. This seems to be normal behaviour.
    Is this OK until here?

    My question is: can I have policy-based routing as described above, together with Squid as a transparent proxy as well as SquidGuard for content filtering?

    I haven't yet found an answer to this. Apologies if this has already been explained in another post (please do post the url if it exists).

    All suggestions are welcome.



  • Correct me if I am wrong:
    You have configured two gateways for the two devices (10.0.0.1/16 and 10.0.0.3/16) on the pfSense's WAN side, correct?

    I think this is a little bit like "LoadBalancing" or "MultiWAN".
    At this moment Squid needs some additional configuration to work with "MultiWAN or LoadBalancing". You have to create "Floating" rules.

    I am not using squid in this scenario, but it will work with the correct configuration as far as I know.

    Give it a search on the forum. There is a recent thread which explains how to configure Squid and floating rules.

    I hope this will help you and I hope I am not wrong ;-)



  • Yes, I have configured 2 gateways.
    OK, I'll search the forum for Squid & floating rules and post back later.

    Thanks for your reply.



  • I have been trying to do policy-based routing with Squid for some time; it just breaks the policy-based routing when it's enabled…



  • You can do policy-based routing with squid in transparent mode.

    Example:
    WAN1 (default)  - 10.10.10.1
    WAN2 - 10.10.20.1
    1 LAN - 192.168.100.0/24

    GroupA - 192.168.100.0/25 goes to WAN1
    GroupB - 192.168.100.128/25 goes to WAN2

    Without squid, you can make this policy routing in the fw rules.
    With squid, all traffic goes to your default gateway which is WAN1.

    To have policy routing, I put this in the custom options:
    acl GroupA src 192.168.100.0/25;
    acl GroupB src 192.168.100.128/25;

    tcp_outgoing_address 10.10.10.1 GroupA;
    tcp_outgoing_address 10.10.20.1 GroupB;

    or you simplify it with
    acl GroupB src 192.168.100.128/25;
    tcp_outgoing_address 10.10.20.1 GroupB;

    since all unspecified connections go to your default GW.

    Although I experience somewhat lower performance with this setup, like higher latency, maybe because I have 3 WANs and more groups, it is still tolerable.



  • @jikjik101:

    To have policy routing, I put this in the custom options:
    acl GroupA src 192.168.100.0/25;
    acl GroupB src 192.168.100.128/25;

    tcp_outgoing_address 10.10.10.1 GroupA;
    tcp_outgoing_address 10.10.20.1 GroupB;

    or you simplify it with
    acl GroupB src 192.168.100.128/25;
    tcp_outgoing_address 10.10.20.1 GroupB;

    And what happens when one of the WANs is down? Is Squid able to fail over between multiple tcp_outgoing_address values?



  • No.

    This doesn't work with a failover or load-balancing setup.
    You have to manually change the outgoing address to an online WAN.

    Unless there is an OR function in Squid like
    tcp_outgoing_address 10.10.10.1|10.10.20.1 GroupA;

    But you have to make a condition first to make the OR function work like a failover,
    e.g.
    if  10.10.10.1==down
    tcp_outgoing_address 10.10.20.1 GroupA;

    If someone can translate that into a squid code, then it can help us to have failover+squid+multiwan+transparent.
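
The following is an added example, not code from this thread, from pfSense or from Squid. It models the acl/tcp_outgoing_address lines jikjik101 posted above and how Squid evaluates them (the first tcp_outgoing_address line whose ACL matches wins; a client that matches no line is left to the kernel's default route, WAN1 in that post), and it takes up the failover question in the last two posts: since Squid has no "OR" between outgoing addresses, the only option shown here is a hypothetical external workaround that regenerates the custom options with a fallback WAN and assumes you then reload Squid. Assumptions: the addresses 10.10.10.1 and 10.10.20.1 are the pfSense box's own WAN interface addresses (tcp_outgoing_address must be a local address), the topology and group names are constructed to mirror the post, and the fallback order is the author's choice, not anything Squid does.

```python
"""Per-source outgoing WAN selection for Squid in transparent mode.

Added example, not code from the thread, pfSense or Squid. It models the
`acl ... src` / `tcp_outgoing_address` lines posted above and Squid's
evaluation of them: the first tcp_outgoing_address whose ACL matches wins,
and a client that matches no line is left to the OS default route (WAN1
in the post). The "gateway down" handling is a hypothetical external
workaround (regenerate the options and reload Squid from a monitor);
Squid itself does not fail over between tcp_outgoing_address values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Group:
    name: str    # Squid ACL name, e.g. "GroupA"
    src: str     # client subnet, rendered as "acl NAME src SUBNET"
    wan_ip: str  # local WAN address, rendered as "tcp_outgoing_address WAN_IP NAME"

    def matches(self, client_ip: str) -> bool:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(self.src)


# Constructed sample topology mirroring the post: WAN1 holds the default route.
DEFAULT_WAN = "10.10.10.1"
GROUPS: List[Group] = [
    Group("GroupA", "192.168.100.0/25", "10.10.10.1"),
    Group("GroupB", "192.168.100.128/25", "10.10.20.1"),
]


def effective_wan(group: Group, groups: Sequence[Group], down: Iterable[str] = (),
                  default_wan: str = DEFAULT_WAN) -> Optional[str]:
    """WAN to bind this group to, given the set of WAN addresses currently down.

    Hypothetical fallback order (Squid has no such logic of its own):
    the configured WAN while it is up, else the default WAN, else any other
    configured WAN that is still up, else None (emit no line at all).
    """
    down = set(down)
    candidates = [group.wan_ip, default_wan] + [g.wan_ip for g in groups]
    for wan in dict.fromkeys(candidates):  # de-duplicate, keep preference order
        if wan not in down:
            return wan
    return None


def bindings(groups: Sequence[Group], down: Iterable[str] = (),
             default_wan: str = DEFAULT_WAN) -> List[Tuple[Group, str]]:
    """Ordered (group, wan) pairs that become tcp_outgoing_address lines."""
    result = []
    for g in groups:
        wan = effective_wan(g, groups, down, default_wan)
        if wan is not None:
            result.append((g, wan))
    return result


def render_custom_options(groups: Sequence[Group], down: Iterable[str] = (),
                          default_wan: str = DEFAULT_WAN) -> str:
    """Render the ';'-terminated lines in the form used in the post."""
    lines = [f"acl {g.name} src {g.src}" for g in groups]
    lines += [f"tcp_outgoing_address {wan} {g.name}"
              for g, wan in bindings(groups, down, default_wan)]
    return "".join(line + ";\n" for line in lines)


def outgoing_for(client_ip: str, groups: Sequence[Group], down: Iterable[str] = (),
                 default_wan: str = DEFAULT_WAN) -> Optional[str]:
    """Simulate Squid: the first matching tcp_outgoing_address line wins.

    None means no line matched, so the socket stays unbound and the kernel's
    default route (WAN1 here) carries the connection.
    """
    for g, wan in bindings(groups, down, default_wan):
        if g.matches(client_ip):
            return wan
    return None


def overlapping(groups: Sequence[Group]) -> List[Tuple[str, str]]:
    """Pairs of ACLs whose subnets overlap; with overlaps, line order decides."""
    nets = [(g.name, ipaddress.ip_network(g.src)) for g in groups]
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]


if __name__ == "__main__":
    print("# all WANs up\n" + render_custom_options(GROUPS))
    print("# WAN2 down: GroupB temporarily rebound to the default WAN\n"
          + render_custom_options(GROUPS, down={"10.10.20.1"}))
    print("192.168.100.200 ->", outgoing_for("192.168.100.200", GROUPS))
```

Two things to check before relying on this on a real box. First, tcp_outgoing_address only chooses the source address of Squid's outgoing socket; the kernel still routes by destination, so traffic sourced from the WAN2 address leaves via the default route unless pf steers it (a floating rule with route-to matching that source, which is the "floating rules" the second reply points at). Second, a WAN that is down is not detected by Squid, so the down set above has to come from something outside Squid, such as the gateway monitor, followed by a Squid reload; without that you are back to editing the outgoing address by hand, exactly as the post says.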



  • Bump: I was under the impression that gateways were going to be addressable via Squid under pfSense 2.0.  Can anyone else speak to this?  Does a bounty need to be created to get this going?

