Netgate Discussion Forum

    Squid and Policy-based routing

    pfSense Packages
    8 Posts 6 Posters 7.2k Views

    • netsysadmin
      Hello everyone,

      I have pfSense 2.0-RC1 configured with 1 LAN interface (10.11.0.1/16) and 1 WAN interface (10.0.0.111/16).
      We have 2 Internet lines connected to devices having LAN IP addresses 10.0.0.1/16 and 10.0.0.3/16, respectively.

      NAT is disabled on the pfSense box.
      Based on the source IP address, the pfSense either routes packets to Internet line #1 or #2, as configured in a firewall rule.
      This is working fine.

      However, when Squid, with transparent proxy, is enabled, the policy-based routing no longer works.
      I've searched the pfSense support forums and found out that when Squid is enabled, the packet leaves the pfSense box as if it were generated by the pfSense box itself, and hence does not go through the firewall rules. This seems to be normal behaviour.
      Is this OK until here?

      My question is: can I have policy-based routing as described above, together with Squid as a transparent proxy as well as SquidGuard for content filtering?

      I haven't yet found an answer to this. Apologies if this has already been explained in another post (please do post the url if it exists).

      All suggestions are welcome.

      • Nachtfalke

        Correct me if I am wrong:
        You have configured two gateways for the two devices (10.0.0.1/16 and 10.0.0.3/16) on the pfSense's WAN side, correct?

        I think this is a little bit like "LoadBalancing" or "MultiWAN".
        At this moment SQUID needs some additional configuration to work with "MultiWAN or LoadBalancing". You have to create "Floating" rules.

        I am not using squid in this scenario, but it will work with the correct configuration as far as I know.

        Give it a search on the forum. There is an actual thread which explains how to configure squid and floating rules.

        I hope this will help you and I hope I am not wrong ;-)

        • netsysadmin

          Yes, I have configured 2 gateways.
          OK, I'll search the forum for Squid & floating rules and post back later.

          Thanks for your reply.

          • memothejanitor

            I have been trying to do policy-based routing with Squid for some time; it just breaks the policy-based routing when it's enabled…

            • jikjik101

              You can do policy-based routing with squid in transparent mode.

              Example:
              WAN1 (default)  - 10.10.10.1
              WAN2 - 10.10.20.1
              1 LAN - 192.168.100.0/24

              GroupA - 192.168.100.0/25 goes to WAN1
              GroupB - 192.168.100.128/25 goes to WAN2

              Without squid, you can make this policy routing in the fw rules.
              With squid, all traffic goes to your default gateway which is WAN1.

              To have policy routing, I put this in the custom options:
              acl GroupA src 192.168.100.0/25;
              acl GroupB src 192.168.100.128/25;

              tcp_outgoing_address 10.10.10.1 GroupA;
              tcp_outgoing_address 10.10.20.1 GroupB;

              or you simplify it with
              acl GroupB src 192.168.100.128/25;
              tcp_outgoing_address 10.10.20.1 GroupB;

              since all unspecified connections go to your default GW.

              Although I experience somewhat lower performance with this setup, like high latency, maybe because I have 3 WANs and more groups, it is still tolerable.

              • codemarauder

                @jikjik101:

                To have policy routing, I put this in the custom options:
                acl GroupA src 192.168.100.0/25;
                acl GroupB src 192.168.100.128/25;

                tcp_outgoing_address 10.10.10.1 GroupA;
                tcp_outgoing_address 10.10.20.1 GroupB;

                or you simplify it with
                acl GroupB src 192.168.100.128/25;
                tcp_outgoing_address 10.10.20.1 GroupB;

                And what happens when one of the WANs is down? Is Squid able to fail over between multiple tcp_outgoing_address entries?

                • jikjik101

                  No.

                  This doesn't work with failover or loadbalance setup.
                  You have to manually change the outgoing address to an online WAN.

                  Unless there is an OR function in the squid like
                  tcp_outgoing_address 10.10.10.1|10.10.201 GroupA;

                  But you have to make a condition first to make the OR function work like a failover,
                  e.g.
                  if  10.10.10.1==down
                  tcp_outgoing_address 10.10.20.1 GroupA;

                  If someone can translate that into a squid code, then it can help us to have failover+squid+multiwan+transparent.

                  • mhab12
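The failover jikjik101 sketches above (use another outgoing address once a WAN is down) cannot be expressed inside Squid, so the choice has to be made when the configuration is generated. As an added example that is not from the thread, pfSense or Squid, this POSIX shell script takes the group-to-gateway mapping from the earlier post (constructed here to match it) and emits the acl/tcp_outgoing_address directives, substituting the first reachable gateway for any group whose WAN is listed as down; `WAN_MAP`, the function names and the single-ping reachability check are assumptions. It emits one directive per line (squid.conf syntax), whereas the pfSense custom options field in the thread separates directives with ";".

```shell
#!/bin/sh
# Added example (not from the thread): build Squid tcp_outgoing_address lines
# for a group->gateway mapping, re-pointing groups whose WAN is down at the
# first gateway that is still up. Squid has no OR/failover between
# tcp_outgoing_address entries, so this selection happens before Squid reads
# the config. Mapping format (constructed): "Name source-net gateway".
WAN_MAP='GroupA 192.168.100.0/25 10.10.10.1
GroupB 192.168.100.128/25 10.10.20.1'

# is_down GW "DOWN_LIST": true when GW appears in the space-separated list
is_down() {
  for d in $2; do
    [ "$d" = "$1" ] && return 0
  done
  return 1
}

# first_up "DOWN_LIST": first gateway in WAN_MAP not in the down list (or empty)
first_up() {
  printf '%s\n' "$WAN_MAP" | while read -r _ _ gw; do
    is_down "$gw" "$1" || { printf '%s' "$gw"; break; }
  done
}

# squid_outgoing "DOWN_LIST": acl + tcp_outgoing_address per group. A group whose
# own gateway is down is sent out via the fallback gateway (the failover step).
squid_outgoing() {
  fb=$(first_up "$1")
  printf '%s\n' "$WAN_MAP" | while read -r name net gw; do
    echo "acl $name src $net"
    if is_down "$gw" "$1"; then
      [ -n "$fb" ] && echo "tcp_outgoing_address $fb $name"
    else
      echo "tcp_outgoing_address $gw $name"
    fi
  done
}

# down_gateways: gateways from WAN_MAP that do not answer one ICMP echo
# (needs network access; assumed health check, replace with your own monitor)
down_gateways() {
  printf '%s\n' "$WAN_MAP" | while read -r _ _ gw; do
    ping -c 1 "$gw" >/dev/null 2>&1 || printf '%s ' "$gw"
  done
}

# Usage: squid_outgoing "$(down_gateways)"
```

Since pfSense regenerates the package-managed squid.conf from the GUI settings, the output belongs in the custom options rather than in a hand-edited squid.conf.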

                    Bump: I was under the impression that gateways were going to be addressable via Squid under pfSense 2.0.  Can anyone else speak to this?  Does a bounty need to be created to get this going?

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.