Squid and output with different gateways



  • Hello people

    I wonder if there is a solution to the problem that I am having today.

    I have Squid on the firewall in transparent mode and failover working. The problem is with the rules that determine the outputs in my LAN: if I determine that 10.0.0.10 will leave by the GW2 IP and it is behind Squid, it will leave by the firewall's default connection and gateway, which is not the one determined by the rule. If I turn off Squid, the rule works without problems.



  • When using a proxy, all source addresses will be rewritten to be the proxy's address.



  • Thanks for the reply heper

    I understand that it will rewrite the LAN address to the proxy's. What I would really like to know is whether there is a way to keep the GW output, because now it will use the default GW.



  • i don't see how it is possible to change the gateway for specific lan clients when using squid (but i'm no expert)

    you could change the gateway for ALL squid traffic by using floating rules.
    you'd have to set some settings to make it work … search the forum for squid & loadbalancing



  • Thanks again for the answer

    I've read about it, like it was to make sure that this possibility does not exist. The need always arises for a user to go out through another GW, or I want to do a manual balancing of the GWs by determining network clients, without losing the web access rules.



  • @felipeortega:

    I've read about it, like it was to make sure that this possibility does not exist.

    It could be done if you have one squid daemon for each external IP and a matching client/proxy configuration.



  • Thank you for your attention @marcelloc  ;)

    Perhaps I was vague in my question. I know it would resolve outside of pfsense squid. Unfortunately in this case I am only counting equipment and one would not use another. Virtualization is out of the question too. I do not know if I would make a rule to keep floating in the GW client.



  • Hello people

    I've been doing some testing to solve my problem and just getting by using the command:

    acl GROUPA src 192.168.0.100/24
    tcp_outgoing_address 200.200.200.1 GROUPA

    This way I can change the output gateway for some clients of the network, but there is still another problem: if the link goes down, these clients lose failover, because obviously this is set to one gateway.

    Is there any way to use a squid variable to understand my group to have the gateway failover?



  • @felipeortega:

    Is there any way to use a squid variable to understand my group to have the gateway failover?

    Using scripts yes, on squid config I think no.
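
Added example (not part of the thread, and not pfSense or Squid project code): one way to do the script approach mentioned above, regenerating the `tcp_outgoing_address` rules so a client group falls back to the other WAN address when its preferred one is down. The group table, addresses and include-file path are constructed placeholders; it assumes squid.conf pulls the file in with an `include` line and that the list of down addresses comes from whatever gateway monitoring is in use.

```sh
#!/bin/sh
# Added example. Group names, client ranges and addresses are constructed.
# One line per client group: ACL name, client source, preferred outgoing
# address, fallback outgoing address (each address sits on a different WAN).
GROUPS_TABLE='GROUPA 192.168.0.100/32 200.200.200.1 201.201.201.1
GROUPB 192.168.0.128/25 201.201.201.1 200.200.200.1'

# render_outgoing "<space-separated outgoing addresses that are down>"
# Prints acl/tcp_outgoing_address pairs, switching a group to its fallback
# address when the preferred one is listed as down.
render_outgoing() {
    down=" $1 "
    echo "$GROUPS_TABLE" | while read -r name src primary fallback; do
        [ -n "$name" ] || continue
        addr=$primary
        case "$down" in *" $primary "*) addr=$fallback ;; esac
        echo "acl $name src $src"
        # Both addresses down: emit no rule, so Squid leaves the choice of
        # source address to the operating system.
        case "$down" in *" $addr "*) continue ;; esac
        echo "tcp_outgoing_address $addr $name"
    done
}

# apply_failover <include-file> "<down addresses>"
# Rewrites the include file only when the rendered rules changed, then asks
# the running Squid to reload its configuration.
apply_failover() {
    file=$1
    new=$(render_outgoing "$2")
    old=$(cat "$file" 2>/dev/null || true)
    [ "$new" = "$old" ] && return 0
    printf '%s\n' "$new" > "$file.tmp" && mv "$file.tmp" "$file"
    squid -k reconfigure
}

# Typical use from cron or a gateway-monitor hook (path is a placeholder):
#   apply_failover /path/to/outgoing.conf "200.200.200.1"
```

Because the file is rewritten only on a change, running this every minute does not reload Squid unless a gateway actually changed state.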



  • you should check but perhaps it might be possible to catch the 200.200.200.1 | destination http | direction: out with floating rules. This would however result that all traffic going out from that ip to http will failover …

    perhaps another way might be to create some virtual IPs, use them as tcp_outgoing_address and then mangle up some floating rules to get them to go out the correct gateway_group

    this is all speculation, but i'm sure the developers or others with more brainpower/experience could help you figure out the details



  • Thank you for the answer.
    If it were possible for floating rules to send specific clients' requests to port 80 out through a determined GW group, and other clients through the other GW, my problem would already be solved. Until a more elegant solution is thought of, I will use this method of forcing tcp_outgoing_address. Too bad it does not understand the variable created in LoadBalance.

