Squid with VIP
-
Hello everyone,
I have 2 pfsense installed with 3 interfaces, and CARP configured on both of them to have a master and a slave, everything is perfectly working so far.
Now I'd like to install and configure squid3's package to have them working as a cluster with failover. Now my master syncs its settings to the slave and it's working. When I configure the proxy address of a client with the address of the master it's working, with the VIP it's also working, not with the address of the slave but I guess this is because its interfaces are down as long as the master lives! But then when I shut down the master, my client can reach the internet through the address of the slave, but not with the VIP even if the VIP can be reached by a ping…
I found on the forum 2 solutions,
one was to add "http_port virtual_address:port" on the setting box, but it didn't work
and the other one was to create a NAT rule forwarding from VIP to 127.0.0.1, and it also didn't work.
Do you know how I could fix this ? :)
Thank you for your help !
-
What address have you got squid bound to, the loopback or the carp address?
-
The CARP one, I've tried to bind it with the loopback and adding a NAT rule but it didn't work :s
-
The CARP one, I've tried to bind it with the loopback and adding a NAT rule but it didn't work :s
It will work if you setup squid to loopback without custom options for tcp_outgoing_address.
Check if you can fetch pages from pfsense console/ssh using links before testing squid.
Tcpdump will help you to identify what is going wrong.
post your rdr nat rule to check if there is no errors.
-
Here is the NAT rule I used:
Interface : LAN
Source : any
Source port : *
Destination : my_virtual_address/32
Destination port : *
NAT Address : 127.0.0.1/32
NAT port : *
Static port : NO
I'm maybe wrong with it ? :s
-
I'm maybe wrong with it ? :s
It's just missing squid port 3128
Interface : LAN
Source : any
Source port : *
Destination : my_virtual_address/32
Destination port : 3128
NAT Address : 127.0.0.1/32
NAT port : 3128
Static port : NO
-
Hey I changed my rule just like you said with adding the port 3128 and unfortunately the problem persists. It's a NAT Outbound rule right ?
Even if on the proxy server I set up the "Proxy interface : loopback". Could it be because I use the package squid3 ?
I don't understand, when the master is off, my virtual ip can still be reached by a ping, my client can use the slave as proxy, but they cannot with the VIP… it seems that the slave uses the VIP but cannot link it to its proxy service, so it could be more than one rule that I should add ?
And by the way, when I do all of this without any custom options, the VIP doesn't work when a client uses it as a proxy, even if the master is up, but if I add "http_port my_virtual_ip:3128" then it works when the master is up but not on failover with only the slave up. So what are the custom options made for ?
-
Hey I changed my rule just like you said with adding the port 3128 and unfortunately the problem persists. It's a NAT Outbound rule right ?
No. It's a rdr rule.
-
Ok maybe a really stupid question but what is a rdr rule ? On squid I can do a "Port Forward", "1:1" or "Outbound" NAT rule, which of them is a rdr one ?
-
Ok maybe a really stupid question but what is a rdr rule ? On squid I can do a "Port Forward", "1:1" or "Outbound" NAT rule, which of them is a rdr one ?
redirection rule = port forward.
-
Ok I'll try this thanks !
Also I was wondering, why while my squid's master is supposed to sync his conf, when I do a change on the squid.conf from the Web interface, I cannot see the change on the slave ?
-
Ok I'll try this thanks !
Also I was wondering, why while my squid's master is supposed to sync his conf, when I do a change on the squid.conf from the Web interface, I cannot see the change on the slave ?
It only syncs changes made on the package gui.
-
This thread has been a lot of help.
I have a similar situation and this fixed most of my issues but broke one small thing.
My setup
2 pfSense 2.0.1 servers with CARP for failover
2 WAN connections setup with MultiWAN
Squid Installed
LAN
10.1.1.139 pfSense1
10.1.1.140 pfSense2
10.1.1.141 pfSense Virtual IP
WAN
xxx.xxx.251.139 pfSense1
xxx.xxx.251.140 pfSense2
xxx.xxx.251.141 pfSense Virtual IP
I removed "tcp_outgoing_address 127.0.0.1" from custom options.
added
LAN TCP * * 10.1.1.141 3128 127.0.0.1 3128
to Port Forward
and added
WAN 127.0.0.0/8 * * * xxx.xxx.251.141 * NO
to Outbound
everything is working except that when I open http://www.pfsense.org/ip.php it shows my IP address as xxx.xxx.251.139 <-- WRONG (should be the VIP)
when I add "tcp_outgoing_address 127.0.0.1" to custom options, http://www.pfsense.org/ip.php shows my IP address as xxx.xxx.251.141 <-- correct
however, with "tcp_outgoing_address 127.0.0.1" added to custom options I cannot connect to local resources on the 10.0.0.0/8 LAN network.
any ideas?
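The rules from the post above, rendered in pf.conf and squid.conf syntax so they can be compared against what pfSense actually loaded (this is an added example, not configuration posted by anyone in the thread; the interface names em0/em1 are assumptions, and the addresses are the ones given in the post):

```conf
# --- pf: what the two pfSense NAT entries above translate to ---
# Port Forward (rdr): clients send proxy traffic to the LAN CARP VIP;
# pf redirects it to the squid listener on loopback, on whichever node
# currently holds the VIP. 10.1.1.141 is the LAN VIP from the post;
# em1 is an assumed LAN interface name.
rdr on em1 proto tcp from any to 10.1.1.141 port 3128 -> 127.0.0.1 port 3128

# Outbound NAT: squid's own upstream connections originate from loopback,
# so source-translate them to the WAN CARP VIP instead of the node's
# real WAN address. em0 is an assumed WAN interface name.
nat on em0 from 127.0.0.0/8 to any -> xxx.xxx.251.141

# --- squid.conf: the directives discussed in the thread ---
# Listen on loopback only; the rdr rule above delivers VIP traffic here,
# which is what lets the backup node answer after failover.
http_port 127.0.0.1:3128

# Left out on purpose: the post reports that forcing
#   tcp_outgoing_address 127.0.0.1
# makes ip.php show the VIP but breaks reachability of 10.0.0.0/8,
# because every outgoing connection, LAN-bound ones included, is then
# sourced from loopback.
```

On the box, `pfctl -sn` prints the NAT and rdr rules pf has loaded, and `tcpdump -ni em0 port 80` (or `port 3128` on the LAN side) shows which source address squid's connections actually leave with, which is the check Marcello asks for further down the thread.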
-
I noticed marcelloc mention this on another thread
"Use squid tcp outgoing address directive to specify it.
There is a field on squid gui for custom options. Place it there."
Would this fix my problem and how would i implement this with my MultiWAN situation?
-
A load balance rule on floating tab should work for outgoing traffic.
-
A load balance rule on floating tab should work for outgoing traffic.
This is the floating rule i have
TCP * * * 80 (HTTP) MultiWAN_Comcast none
Even with this it still shows my IP address as xxx.xxx.251.139
-
Second try could be uncheck default gateway option on gateway config.
-
unchecking the default gateway had no effect.
I still have not tried
"Use squid tcp outgoing address directive to specify it.
There is a field on squid gui for custom options. Place it there."
I just need direction on how to implement this in a multiwan environment.
-
This is still a major issue for us.
routing works perfectly. However, when specifying the proxy it does not use the Virtual IP.
My setup
2 pfSense 2.0.1 servers with CARP for failover
2 WAN connections setup with MultiWAN
Squid Installed
LAN
10.1.1.139 pfSense1
10.1.1.140 pfSense2
10.1.1.141 pfSense Virtual IP
WAN
xxx.xxx.251.139 pfSense1
xxx.xxx.251.140 pfSense2
xxx.xxx.251.141 pfSense Virtual IP
I removed "tcp_outgoing_address 127.0.0.1" from custom options.
added
LAN TCP * * 10.1.1.141 3128 127.0.0.1 3128
to Port Forward
and added
WAN 127.0.0.0/8 * * * xxx.xxx.251.141 * NO
to Outbound
I also have a load balance rule on the floating tab that allows all.
everything is working except that when I open http://www.pfsense.org/ip.php it shows my IP address as xxx.xxx.251.139 <-- WRONG (should be the VIP)
when I add "tcp_outgoing_address 127.0.0.1" to custom options, http://www.pfsense.org/ip.php shows my IP address as xxx.xxx.251.141 <-- correct
however, with "tcp_outgoing_address 127.0.0.1" added to custom options I cannot connect to local resources on the 10.0.0.0/8 LAN network.
Any suggestions?
"Use squid tcp outgoing address directive to specify it." has been mentioned as a solution but no details on how to implement it on a multiwan environment.
-
mgrosh,
Can you check via tcpdump what ip squid is using when trying to access 10.0.0.0/8 network?
Regards,
Marcello Coutinho