Transparent Squid behind pfSense

  • Hi Friends,

    Now I'm reasonably familiar with pfSense and have started playing around with Squid to speed up my office's web browsing.  I've just installed a Squid box and am finding out how to configure it properly.

    I'm just confused about how to set up Transparent Squid.

    I have a Squid server set up at an IP on the LAN side.

    If I set up a Port Forward from port 80 to Squid server port 3128, how can my Squid server connect via port 80 to an outside server?  Would it be redirected back to the Squid server itself?

    Am I just overthinking?  What should the practical setup be?


  • why don't you use the pfSense squid package with transparent mode?
    just enable the transparent button and see it working… :-)

  • After struggling with how to redirect to a separate Squid box, I think I have it figured out now.

    Services --> Load Balancer --> Pools --> add a new pool
      Name: Squid Proxy
      Type: Gateway
      Monitor IP: <ip of the squid box>
      IP: <ip of the squid box>
    Click "Add to Pool" and then Save.

    Firewall --> Rules --> LAN --> add new rule
      Action: Pass
      Interface: LAN
      Protocol: TCP
      Source: check "not"
          Type: Single host or alias
          Address: <ip of squid box>
      Destination port range: HTTP
      Gateway: the Squid pool you set up in Load Balancer

    Setting it up like that redirects the traffic from everything but Squid to the Squid box without doing any sort of NAT on the source IP addresses, so you will have accurate Squid logs.

  • That's actually a great way to do this! Never thought of this. You could even create a failover pool to send out requests directly, unproxied, if the squid box is down by adding the WAN gateway as the second gateway in the pool.

  • Hi Trendchiller, where can I find the option?  I'm using ver 1.0.1.

    Hi Dwadson, Thanks I'll try it tomorrow (my time GMT+7).

    Hi Hoba, You're the best.  That's what I was worrying about; you just enlightened me.  I'll try it and let you know the result.

  • Hi Dwadson

    I set up Rules as follows:
    Interface: LAN
    Protocol: TCP
    Source: Not
    Destination: any
    Destination port range: HTTP to HTTP
    Gateway: Squid proxy

    I set up the Load Balancer as follows:
    Name: Squid proxy
    Type: Gateway
    Monitor: TCP
    Monitor IP: (my squid box)

    You didn't mention the port for the Load Balancing, so I tried None, 80 and 3128, but none of them work for me.  What did I do wrong, or where should I check further?


  • I had just left the port field empty.

    Are you using a snapshot release? The load balancer config options have changed and it's been giving me some grief. Or it's just this dual-wan setup in general that is causing me headaches now…

  • I use this "pfSense-1.0.1-LiveCD-Installer.iso.gz"

  • More info:

    Setup 1
    1. I added port 80, so now my Squid box is listening on port 80 and 3128.
    2. When I manually set up IE to use my Squid box as a proxy server, it works perfectly on both port 80 and 3128.
    3. The Squid LAN routing rule still doesn't work.

    This means that the Squid box is running OK but there's something wrong with the way pfSense routes the packets.

    Setup 2
    1. Same as situation (1).
    2. I set up my Squid box with a public IP and let it access the Internet, bypassing the pfSense box.
    3. I use NAT port forwarding and it works.

    This narrows the scope of the problem to the way pfSense routes the packets only.

    Basically Setup #2 is OK but not the best, because the statistics won't show the real requester; they just show the pfSense IP.

    Anybody have any idea?

  • tonezzz: you need to install the squid package (from the package menu). This only works on non-embedded installs…

    the squid package really works fine

  • What platform is your Squid box running on?

    Mine is running on CentOS Linux and I have one firewall rule that is loaded from /etc/rc.d/rc.local after it boots up:

    iptables -t nat -A PREROUTING -i eth0 -d ! <squid_ip> -p tcp --dport 80 -j REDIRECT --to-ports 3128

    That rule redirects the traffic to the proper port for Squid. Kind of an important thing that I had forgotten about.  :)  If your Squid box is running on BSD, I'm not sure exactly how to accomplish that, but the Squid FAQ on transparent proxying has some examples of how to do it:

    My Squid is still set to my old router, so I'm not 100% sure that the redirect rule on the pfSense box will pass the HTTP traffic from the Squid box properly. The rule SHOULD pass it...

  • @trendchiller:

    tonezzz: you need to install the squid package (from the package menu). This only works on non-embedded installs…

    the squid package really works fine

    Personally, I'm avoiding the built-in Squid proxy because it's more load on the router and the webGUI doesn't encompass all the options that Squid has. If you want to have custom ACLs for particular workstations (based on their MAC address), you end up having to edit the Squid configuration files directly.

    Plus, I also use a program called MySAR for analyzing the Squid logs that requires MySQL and a webserver. I really don't want to have that running on my router as well. I think I could run those on a separate box from the Squid proxy itself, but if I need to do that…I might as well move Squid off the router too.

  • Thanks dwadson.  Mine is running on Debian GNU/Linux 3.1.  I'm very new to Linux anyway.  Your idea sounds good; I'll check it when I come back to work on Monday.  It's 21:23 on Friday night here and I'm still setting up 2 notebooks for my colleagues.  I want to go windsurfing tomorrow, it's windy every day ;-)

    Enjoy your weekend.

  • Hi dwadson,  I just typed exactly the same command (iptables -t …....) and it works!!!
    I tried to find the rc.local file but I cannot find it.  I'm using Debian GNU/Linux 3.1; where should I put the command?  Anybody please help.


    Or Google "debian startup script" and you'll get a steer in the right direction.
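An added example, not posted by anyone in this thread, showing one way to answer the "where do I put the iptables command on Debian" question: an init-style script that installs the same PREROUTING REDIRECT rule dwadson posted. The Squid box address 192.168.1.10, the LAN interface eth0 and the script name squid-redirect are constructed placeholders; the `! -d` spelling of the negation is the current iptables form of the `-d !` in the post. Deleting the rule before adding it keeps repeated starts from stacking duplicate rules, and the address check stops a typo in the Squid IP from producing a rule with no exclusion.

```shell
#!/bin/sh
# Added example, not from this thread. Hypothetical /etc/init.d/squid-redirect
# for the Squid box: redirects LAN port-80 traffic into Squid on 3128.
# Constructed values: Squid box 192.168.1.10, LAN interface eth0.

SQUID_IP="${SQUID_IP:-192.168.1.10}"   # address of the Squid box itself (constructed)
LAN_IF="${LAN_IF:-eth0}"               # interface that receives the policy-routed LAN traffic
SQUID_PORT="${SQUID_PORT:-3128}"       # port Squid listens on
IPT="${IPT:-iptables}"                 # set IPT=echo to print the commands instead of applying them

# Accept only a dotted quad with octets 0-255, so a typo in SQUID_IP cannot
# silently yield a rule whose destination exclusion never matches.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# The match: TCP to port 80 arriving on the LAN interface, except packets already
# addressed to the proxy (clients configured to use it explicitly). Packets the
# Squid box generates itself never pass through PREROUTING, so its own fetches
# from origin servers are not looped back into the proxy.
redirect_match() {
    echo "PREROUTING -i $LAN_IF ! -d $SQUID_IP -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT"
}

start_redirect() {
    valid_ipv4 "$SQUID_IP" || { echo "bad SQUID_IP: $SQUID_IP" >&2; return 1; }
    # Remove any earlier copy first so repeated starts do not stack duplicates.
    $IPT -t nat -D $(redirect_match) 2>/dev/null || true
    $IPT -t nat -A $(redirect_match)
}

stop_redirect() {
    $IPT -t nat -D $(redirect_match)
}

case "${1:-}" in
    start)   start_redirect ;;
    stop)    stop_redirect ;;
    restart) start_redirect ;;   # start already removes the old rule first
    "")      ;;                  # no argument: only define the functions (sourced)
    *)       echo "usage: $0 {start|stop|restart}" >&2; exit 1 ;;
esac
```

On Debian, a script placed in /etc/init.d is linked into the runlevels with `update-rc.d squid-redirect defaults`; alternatively `start_redirect` can be called from rc.local if the system has one. Run it with `IPT=echo ./squid-redirect start` to see the exact iptables command before applying it. Squid's own logs will show the real client addresses because REDIRECT only rewrites the destination, which is the property the pfSense policy-routing setup earlier in the thread preserves.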

  • I followed the first link.  There is an error message "You must specify --to-source" but it works anyway.  Thanks dwadson.

  • The changed load balancer in the snapshot releases doesn't seem to allow this technique to work. You can no longer enter an IP address for the gateway/proxy; that capability has been replaced with the "Interface Name" menu. I tried doing it with it set as a server rather than a gateway, but that doesn't seem to work either: traffic doesn't get redirected.

    Looks like I'm gonna roll back to 1.0.1 so this will work. It's more important to have this working than improved load balancing…

  • You can manually edit the config.xml, exchange the interface name with the IP address, and re-upload the config. Just don't touch this pool with the GUI again and it should work with the newer versions.