Netgate Discussion Forum
    Should squid (and other services) work on the VIP address?

    HA/CARP/VIPs
    8 Posts 4 Posters 9.3k Views
    • gwhynott

      Hello,

      I have 2 pfSense 2.0.1 boxes with CARP configured. These boxes are routing, no NAT configured. They have 3 interfaces, one dedicated as the CARP interface/heartbeat. They also have Squid installed on both and configured verbatim (squid-reverse v2.79_2).

      Using the VIP as a gateway IP for the internal network, things work as expected, including failover. What doesn't work is using the VIP as the target IP for the proxy service for internal clients. If you set your proxy settings to either the master or slave's real IP, you can use the proxy service. If you set your proxy to the VIP, the proxy service is not reachable.

      Is this expected behavior or should we be able to use the proxy via the VIP?  There isn't a VIP option in the 'listen on' config within the proxy area.

      If I edit squid.conf directly and add:

      http_port 10.101.111.3:3128

      x.x.x.3 being the VIP between the two boxes, it works.

      So I guess the question would be, is it OK to do this or was it left out for a reason?

      thanks for your time,
      greg

      • gwhynott

        I added the "http_port 10.101.111.3:3128" (which is the VIP) to the 'custom options' on both boxes, rebooted the master to test, and things worked out well.

        I suspect this was just an oversight of the package integration into the pfSense framework.

        -g

        • marcelloc

          You can also choose the loopback interface to listen on and create a NAT from the CARP VIP to 127.0.0.1.

          The tcp_outgoing_address custom option could be used to force squid to use a specific CARP VIP on WAN.

          Elite Training: http://sys-squad.com

          Help a community developer! ;D

          • alexand3r

            Hey there!

            I have exactly the same problem, but I tried both solutions (custom settings and adding a NAT rule + loopback) and it didn't work :s

            Do you know how I could fix it?

            Thank you for your help!

            • marcelloc

              alexand3r,

              I suggest you listen with squid only on loopback and then create a Firewall -> NAT -> Port Forward from your CARP IP to 127.0.0.1.

              Regards,
              Marcello Coutinho

              • jimp (Rebel Alliance Developer, Netgate)

                That wouldn't matter for squid.

                The primary reason to use the CARP VIP for that kind of service is for stateful failover. And since the proxy instances on your CARP primary and backup nodes are not the same or shared, then sessions would not remain active during failover. State sync could actually hurt you in that case.

                The only reason to set it on the outbound traffic would be so that web requests come from that IP if you want, but it isn't required.

                • alexand3r

                  It's exactly what I want to do: to have a stateful failover so that when my master is down, the proxy still works through the slave thanks to the CARP VIP!

                  So in my proxy settings, I've checked the XMLRPC Sync so that the 2 servers always have the same config, but now I don't get what I should do to make this stateful failover work. NAT rule? Custom option? Or something else? Because for the moment none of the solutions have worked :s so unless I have wrong settings, I don't know what's wrong…

                  But anyway, I'm very thankful for the help you're giving me here and for sharing your time! Thanks!

                  • jimp (Rebel Alliance Developer, Netgate)

                    If you re-read what I posted, I covered that already. Even if the settings are synced, squid's connections in the actual squid process -- NOT the state table -- are not synchronized, so true stateful failover is not possible for the squid process.

                    The same applies to other daemons like OpenVPN or IPsec but in those cases using the CARP VIP is needed to make sure the right box receives/sends the remote traffic properly.

                    In the case of squid, that doesn't matter really, unless a remote site needs to see the CARP VIP to allow access if it filters by IP.

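A way to see jimp's point in practice, and to confirm the VIP-fronted proxy answers at all, is to poll the proxy through the VIP from a client and read the Via header Squid adds to each response, which names the node that served it: the name changes at failover and the FAIL lines mark the window where neither node accepted the connection. This is an added example, not code from the thread or from pfSense; the VIP and port are those from the first post, while the probe URL, interval and the hostname in the test are assumptions.

```shell
#!/bin/sh
# Probe a Squid proxy through the CARP VIP and report which node answers.
# Added example, not from the thread. VIP/port are from the first post;
# the probe URL, interval and node hostnames are assumptions.
PROXY="${PROXY:-http://10.101.111.3:3128}"
URL="${URL:-http://example.com/}"
INTERVAL="${INTERVAL:-1}"

# Extract the answering node's hostname from Squid's Via header, e.g.
# "Via: 1.1 fw1.example.net (squid/2.7.STABLE9)" -> "fw1.example.net".
# Reads raw response headers on stdin; prints nothing if there is no Via.
via_host() {
    tr -d '\r' | awk 'tolower($1) == "via:" { print $3; exit }'
}

# One probe: prints the answering node and returns 0, or returns 1 when the
# proxy did not answer (refused/timed out, i.e. the VIP holder is not
# listening on it, or nobody holds the VIP yet).
probe_once() {
    hdrs=$(curl -sS --max-time 3 -x "$PROXY" -o /dev/null -D - "$URL" 2>/dev/null) || return 1
    host=$(printf '%s\n' "$hdrs" | via_host)
    printf '%s\n' "${host:-unknown}"
}

# Loop until interrupted: a new node name marks the failover; FAIL lines
# bound the outage. Existing proxied sessions are not carried over
# between nodes, which is exactly why the node name changes.
watch_failover() {
    last=""
    while :; do
        if node=$(probe_once); then
            [ "$node" != "$last" ] && echo "$(date '+%T') answered by $node"
            last="$node"
        else
            echo "$(date '+%T') FAIL: proxy at $PROXY not reachable"
            last=""
        fi
        sleep "$INTERVAL"
    done
}

# Only start polling when invoked as "sh vip_probe.sh run".
case "${1:-}" in run) watch_failover ;; esac
```

Run it from a LAN client while pulling the power on the master; Squid's Via header is only present when the request actually went through the proxy, so an "unknown" node means something else answered on that port.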
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.