Netgate Discussion Forum
    How-To: 2.0 Load-Balance + Transparent Squid (3 easy steps)
      heper wrote:

      https does not go over port 80, so that rule will only affect http

      did you set the "tcp_outgoing_address 127.0.0.1" in squid ? I'd think you should be able to use it as a source address in your floating rule

        frater wrote:

        @heper:

        https does not go over port 80, so that rule will only affect http

        I know it doesn't (at least normally).
        Please forget I ever mentioned it… As I said, I just mentioned https because these sites have even more problems with round-robin.
        This issue with Squid has nothing to do with https, nor did I think it had.

        did you set the "tcp_outgoing_address 127.0.0.1" in squid ? I'd think you should be able to use it as a source address in your floating rule

        Yes, I did.
        It IS working (the load balancing), but it's load balancing all traffic to port 80.
        I think most people either use Squid on all LAN interfaces or they don't use it.

        This traffic is indeed coming from 127.0.0.1, but not anymore when that rule is applied.
        Turn on logging and check it.
        The moment that floating rule is executed, the source address is the WAN-IP (as you can see, when you log it).
        The filter is apparently between the WAN-IP and the WAN-gateway, which makes sense.
        So I have no way of distinguishing between the normal traffic going to port 80 and the traffic to port 80 coming from squid.

        I think it even would work if I am able to get it like this:

        pass out log on lo0 all flags S/SA route-to { (pppoe0 217.16.40.239), (dc0_vlan13 89.250.180.1), (dc0_vlan10 89.250.179.1) } round-robin inet proto tcp from any to any port = http flags S/SA keep state label "loadbalance for Squid"
        pass out on lo0 all flags S/SA keep state label "pass loopback"

        The web interface doesn't let me control the lo0 interface, and that second line is put there by the system.

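        An added check (mine, not from the thread or from pfSense) for the two conditions heper and frater discuss: Squid sending from 127.0.0.1, and a pass-out rule anchored on lo0, where the source has not yet been NATed to the WAN IP, that matches that source and applies route-to round-robin. The squid.conf fragment and the rule listing are constructed samples using documentation addresses; the interface names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Verifies that Squid sends from 127.0.0.1
# and that a pass-out rule on lo0 (before NAT rewrites the source to the WAN
# IP) matches that source and route-to's it round-robin.
# Inputs below are constructed samples; IPs are from documentation ranges.

SQUID_CONF='http_port 3128 transparent
tcp_outgoing_address 127.0.0.1
cache_mem 64 MB'

PF_RULES='pass out log quick on lo0 route-to { (pppoe0 192.0.2.1), (vlan13 198.51.100.1) } round-robin inet proto tcp from 127.0.0.1 to any port = http flags S/SA keep state label "loadbalance for Squid"
pass out on lo0 all flags S/SA keep state label "pass loopback"'

# squid_outgoing_ok CONF: success if tcp_outgoing_address 127.0.0.1 is set.
squid_outgoing_ok() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*tcp_outgoing_address[[:space:]]+127\.0\.0\.1([[:space:]]|$)'
}

# squid_route_rule_ok RULES: success if some pass-out rule on lo0 carries
# route-to ... round-robin and matches Squid's loopback source address.
squid_route_rule_ok() {
    printf '%s\n' "$1" |
        grep -E '^pass out .*on lo0 ' |
        grep -E 'route-to .*round-robin' |
        grep -Eq ' from 127\.0\.0\.1 '
}

# route_rule_is_quick RULES: success if that route-to rule has "quick".
# pf is last-match-wins unless a rule is quick, so without it the later
# catch-all "pass loopback" rule on lo0 would win and drop the route-to.
route_rule_is_quick() {
    printf '%s\n' "$1" |
        grep -E '^pass out .*on lo0 .*route-to' |
        grep -Eq '^pass out (log )?quick '
}

# check_all CONF RULES: report each check; non-zero if any check fails.
check_all() {
    rc=0
    squid_outgoing_ok "$1" && echo "ok: squid tcp_outgoing_address 127.0.0.1" || { echo "MISSING: tcp_outgoing_address 127.0.0.1"; rc=1; }
    squid_route_rule_ok "$2" && echo "ok: lo0 route-to rule matches 127.0.0.1" || { echo "MISSING: pass out on lo0 route-to ... from 127.0.0.1"; rc=1; }
    route_rule_is_quick "$2" && echo "ok: route-to rule is quick" || { echo "WARN: route-to rule lacks quick; later lo0 pass rule can override it"; rc=1; }
    return $rc
}

check_all "$SQUID_CONF" "$PF_RULES"
```

On a live box the same functions can be fed `cat /usr/local/etc/squid/squid.conf` and `pfctl -sr` output instead of the samples.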
          azizth wrote:

          Does this tutorial work in the case of gateway failover? WAN1 -> tier1 and WAN2 -> tier2

            MrsPotter wrote:

            Just to answer my own question I posted earlier:

            @heper will any of the above change when the squid is not transparent?

            No, from what I'm experiencing, running Squid non-transparently does not change the way you set it up. I've got it running and it performs rather well. ;D

            See http://forum.pfsense.org/index.php/topic,43420.msg243601.html#msg243601

              DimitriS wrote:

              Hello pfSense users around the world!

              Since I wrote the "pfSense Squid Web Proxy with multi-WAN links" (http://forum.pfsense.org/index.php/topic,37083.0.html), I noticed some issues with DNS. When my default gateway failed, the following problems appeared:

              • SQUID proxy won't work anymore
              • pfSense Configuration interface is very slow
              • DNS resolution is not working (or working very slowly): https://PFSENSE_IP/diag_dns.php

              To bypass this problem, I updated my configuration:

              • Configure two open DNS servers (Google DNS: 8.8.8.8 and L3 DNS: 4.2.2.2)
              • Force these DNS servers in the Proxy Server config (may not be required, but it might help)
              • Create a new floating rule to correctly fail over DNS resolution (the most important thing)

              See the attached pictures for details here: http://forum.pfsense.org/index.php/topic,37083.msg299568.html#msg299568

              Regards (your feedback is always appreciated!),

              Dimitri Souleliac

                tupm wrote:

                Why create a "Floating Rule"? Is it necessary?

                Why put static IPs on WAN connections if you said you were on DHCP?

                In my case, I have the same configuration as you, but the swing is BAD.

                I have two links that are exactly the same, both are cable modems; the ISP's DHCP sets the IP for WAN1 and WAN2…

                The problem is that I see pfSense always uses one more than the other (for example 70% of traffic routed to WAN1 and 30% routed to WAN2); I mean it does not use 50% and 50%, so to say... why?????

                In my case, my LAN is just a couple of devices....

                I need that for every request to the web, one is sent to WAN1 and the other (for example) to WAN2, whether or not they come from the same source IP. Most of the time I have one client (me).

                example:

                WAN1 DHCP
                WAN2 DHCP
                LAN static
                ONLY ONE CLIENT (my laptop for example)

                Start downloading from kernel.org.... OK, I want pfSense to route to X WAN, for example WAN1

                and start downloading from cisco.com... OK, I want pfSense to route to WAN2!! Not WAN1....

                HOW TO?

                Thanks, sorry for my English...

                  fabianoheringer wrote:

                  Hi, for some reason this setup doesn't work with version 2.0.3, only 2.0.2 or less… any suggestions?
                  Thanks

                    Kababayan wrote:

                    It works for me using pfSense 2.0.3. Make sure to make a Gateway Group, say we name it "GWbalance". In your LAN firewall rules add:
                    proto=* source=* port=* dest=* port=* gateway=GWbalance queue=none description="allow LAN to any rule on GWbalance"

                    In the floating rules add this, assuming 3128 is your Squid proxy port:
                    proto=* source=* port=* dest=pfsense_IP port=3128 gateway=GWbalance queue=none description="Squid"

                    Interface is LAN. Hope that helps. To check whether your WAN gateways are working, open a torrent file (I use uTorrent), change the preferences to use a proxy and put your Squid proxy settings in your torrent program. Get a fast torrent file (many seeders) and start downloading. Add the traffic graph to your pfSense dashboard and expand all interfaces to see the traffic graph of each one.

                      biolinh wrote:

                      Step 3:
                      Don't forget to tick the Squid checkbox Transparent Proxy!

                      Add this text to Squid Custom Options:

                      tcp_outgoing_address 127.0.0.1

                      My Squid version is 0.4.36_2.

                      Then I expanded Advanced Features and saw three options:

                      • Custom Options (Before Auth)
                      • Custom Options (After Auth)
                      • Custom Options (SSL/MITM)

                      So which box should I enter this directive in?

                        doktornotor wrote:

                        Sir, this thread is about pfSense 2.0 and has been resting in peace for 4 years until you've summoned the zombies.
