Squid with upstream proxy on same LAN



  • Hello

    I have some questions regarding Squid with an upstream proxy.
    My configuration is the following: WAN -- pfSense -- LAN
    Since I have more CPU power, RAM and HDD space on my fileserver, I had the idea to install Squid on it.
    So the configuration would be the following: WAN -- pfSense (with transparent proxy) -- LAN (on the LAN, all other computers and the fileserver).

    I disabled the hard disk cache and set the memory cache to 0 on the pfSense box,
    and indicated the fileserver IP as upstream proxy.
    This seems to work, but I'm not sure on some points.

    So now I have the following questions:

    1. Does disabling the HDD cache and setting the memory cache to 0 disable all caching on the pfSense box?
    2. Since the fileserver is on the same switch as all other computers and the pfSense LAN interface, is my understanding here correct: if a request to a web server comes to the pfSense transparent proxy, the request is forwarded to the fileserver Squid; if it's in cache, the response is sent back to the pfSense proxy and from there to the requesting client; if not in cache, the fileserver fetches the data and sends it back to the pfSense box, which forwards it to the requesting client?
    3. Regarding question 2, doesn't that create some sort of endless loop? Because the Squid on the fileserver needs to request internet data through the transparent proxy again? If not, why not?
    4. Is this setup a good choice?
    5. I have a third network interface (LAN, WAN and OPT1) on the pfSense box. Is it possible to make the transparent proxy listen on the LAN interface and communicate with the fileserver over OPT1, to have less traffic on the LAN interface? Or does this make no sense?
    6. Could a direct connection make this setup better? I mean connecting a second LAN interface directly to OPT1 on the pfSense box, without going through a switch.

    Thanks in advance
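
    To reason about questions 2, 3 and 5 at the NAT layer, here is a small model of how a pf/pfSense `rdr` (port-forward) rule matches packets. This is an added example, not code from the thread or from pfSense: the addresses (192.168.1.0/24 for LAN, 192.168.1.20 as a proxy on the LAN, 192.168.2.253 as a proxy on OPT1), the interface names `lan`/`opt1`, and the per-rule source-IP exclusion list are all assumptions chosen for illustration. It applies the first matching rule, as pf does. The point it shows: a rule that intercepts "LAN subnet, dst port 80" also matches the proxy host's own outbound fetch when that host sits on the LAN, so the fetch is redirected again (a loop at the NAT layer) unless the proxy's IP is excluded from the rule; if the proxy sits on OPT1, its fetches enter pfSense on `opt1`, which a LAN-only rule never sees. The model stops at NAT; Squid separately detects forwarding loops via the `Via` header, which is why a loop tends to surface as a Squid warning rather than as endless traffic.

```python
"""Toy model of pf/pfSense 'rdr' (port-forward) matching, to reason about
questions 2, 3 and 5 above: when the proxy's own outbound fetch is itself
intercepted, and when it is not.

Added example, not from the thread. Addresses, interface names and the
source-IP exclusion list are assumptions for illustration. As in pf,
the first matching rdr rule is applied.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WEB = "203.0.113.10"   # some web server on the Internet (documentation range)


@dataclass(frozen=True)
class Packet:
    iface: str    # pfSense interface the packet arrives on
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class RdrRule:
    iface: str
    src_net: str                                 # e.g. "192.168.1.0/24" ("LAN subnet")
    dport: int
    target: tuple[str, int]                      # redirect IP and port
    src_exclude: frozenset[str] = frozenset()    # hosts this rule must not catch (assumed option)

    def matches(self, p: Packet) -> bool:
        return (p.iface == self.iface
                and p.dport == self.dport
                and ip_address(p.src) in ip_network(self.src_net)
                and p.src not in self.src_exclude)


def apply_rdr(rules: list[RdrRule], p: Packet) -> tuple[str, int]:
    """Destination after translation; unchanged when no rule matches (first match wins)."""
    for r in rules:
        if r.matches(p):
            return r.target
    return (p.dst, p.dport)


def proxy_fetch_intercepted(rules: list[RdrRule], proxy_ip: str, proxy_iface: str) -> bool:
    """Question 3: when Squid on the proxy host fetches WEB:80 on a client's
    behalf, is that fetch itself redirected again by the same rules?"""
    fetch = Packet(proxy_iface, proxy_ip, WEB, 80)
    return apply_rdr(rules, fetch) != (WEB, 80)


def scenarios() -> dict[str, bool]:
    """Three layouts from the thread; True means the proxy's own fetch loops back."""
    lan, proxy_on_lan, proxy_on_opt1 = "192.168.1.0/24", "192.168.1.20", "192.168.2.253"
    # Original poster: proxy on the LAN, pfSense intercepts the whole LAN subnet.
    same_lan = [RdrRule("lan", lan, 80, ("127.0.0.1", 3128))]
    # Same layout, but the proxy host is excluded from interception.
    same_lan_bypass = [RdrRule("lan", lan, 80, ("127.0.0.1", 3128), frozenset({proxy_on_lan}))]
    # Question 5: proxy on OPT1; its fetches enter pfSense on opt1, not on lan.
    opt1 = [RdrRule("lan", lan, 80, (proxy_on_opt1, 3128))]

    client = Packet("lan", "192.168.1.50", WEB, 80)
    # A normal client request is intercepted in every layout.
    for rules in (same_lan, same_lan_bypass, opt1):
        assert apply_rdr(rules, client)[1] == 3128

    return {
        "proxy on LAN, no bypass": proxy_fetch_intercepted(same_lan, proxy_on_lan, "lan"),
        "proxy on LAN, bypass proxy IP": proxy_fetch_intercepted(same_lan_bypass, proxy_on_lan, "lan"),
        "proxy on OPT1": proxy_fetch_intercepted(opt1, proxy_on_opt1, "opt1"),
    }


if __name__ == "__main__":
    for name, loops in scenarios().items():
        print(f"{name}: {'LOOP' if loops else 'ok'}")
```

Run it and the first layout reports a loop while the other two do not; in the real setup, the exclusion corresponds to whatever "bypass these source IPs" option the interception rule offers, and the OPT1 layout is the one the next reply suggests.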



  • tulpix,

    I think you can get an easier setup if:

    you configure a WPAD/PAC script file

    or

    make the redirect rule on firewall NAT, forwarding traffic to a Squid on a DMZ network.

    In both cases, you will not need Squid on pfSense.

    Regards,
    Marcello Coutinho



  • Thanks,

    I will look into that.



  • This approach (redirect) does not work for me.
    No traffic hits the proxy when redirecting.
    E.g.:
    pfSense LAN - 192.168.1.254
    pfSense OPT - 192.168.2.254
    Proxy - 192.168.2.253
    pfSense NAT rule:
    Int - LAN
    Protocol - TCP
    Source - LAN subnet (have also tried any)
    Dest - any
    Dest Port - 80
    Redirect IP - 192.168.2.253
    Redirect port - 3128

    I have auto-created the associated rule. My LAN allows any out anyway, as does my OPT interface.

    This stops all port 80 traffic and nothing hits my proxy.
    If I remove the NAT rule and point directly to the proxy (via the browser proxy settings), it works fine.
    I want to avoid this approach, however, as I'm opting for a transparent setup.

    Searching the forums I see many people with the same issue but no solution other than exactly what I have above, which for some reason doesn't work for me.

    My alternative is the upstream proxy approach. I have an embedded pfSense, therefore no cache space, hence the requirement for an external proxy.
    So if I cannot redirect, which ideally is my first choice and in theory should be the simplest, then I too would have to go the upstream approach.
    Any ideas?



  • Did you monitor the traffic using tcpdump on the console to be sure nothing was being redirected to the OPT proxy server?
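
    The check suggested above, worked through as an added example (not code from the thread): capture on the LAN interface with `tcpdump -ni <lan_if> 'tcp dst port 80'` and on the OPT interface with `tcpdump -ni <opt_if> 'tcp dst port 3128'`, then compare. pf translates after the inbound capture point, so the LAN capture shows the original web-server destination while the OPT capture should show the translated destination 192.168.2.253:3128. The capture lines below are constructed, not real traffic; the interface names are left as placeholders because they depend on the box, and the addresses are taken from the post above.

```python
"""Compare two tcpdump -n captures (LAN side and OPT side of pfSense) to tell
whether port-80 client traffic is actually being redirected to the proxy.

Added example, not from the thread. The capture lines are constructed for
illustration; the addresses follow the post above (LAN 192.168.1.0/24,
proxy 192.168.2.253:3128).
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Address part of a tcpdump -n IPv4 line, e.g.
# "12:00:01.000001 IP 192.168.1.50.51234 > 203.0.113.10.80: Flags [S], ..."
TCPDUMP_RE = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")


def parse_flows(lines):
    """Count packets per (src, sport, dst, dport); non-IPv4 lines (ARP etc.) are skipped."""
    flows = Counter()
    for line in lines:
        m = TCPDUMP_RE.search(line)
        if m:
            flows[(m[1], int(m[2]), m[3], int(m[4]))] += 1
    return flows


def redirect_status(lan_lines, opt_lines, client_net, proxy_ip, proxy_port=3128):
    """Compare what entered on LAN with what left towards the proxy on OPT.
    Returns (verdict, client_port80_packets_on_lan, packets_to_proxy_on_opt)."""
    net = ip_network(client_net)
    lan = parse_flows(lan_lines)
    opt = parse_flows(opt_lines)
    lan80 = sum(n for (src, _, _, dport), n in lan.items()
                if dport == 80 and ip_address(src) in net)
    to_proxy = sum(n for (src, _, dst, dport), n in opt.items()
                   if dst == proxy_ip and dport == proxy_port and ip_address(src) in net)
    if lan80 == 0:
        verdict = "no client port-80 traffic seen on LAN"
    elif to_proxy == 0:
        verdict = "port-80 traffic enters on LAN but nothing leaves for the proxy: rdr not applied"
    else:
        verdict = "redirect working: client flows reach the proxy"
    return verdict, lan80, to_proxy


# Constructed sample captures (tcpdump -n output), not real traffic.
# On the LAN interface pf has not translated the packet yet, so the original
# destination shows; on OPT the translated destination should show.
LAN_CAPTURE = [
    "12:00:01.000001 IP 192.168.1.50.51234 > 203.0.113.10.80: Flags [S], seq 1, win 65535, length 0",
    "12:00:01.500001 IP 192.168.1.51.51300 > 203.0.113.20.80: Flags [S], seq 1, win 65535, length 0",
    "12:00:02.000001 ARP, Request who-has 192.168.1.254 tell 192.168.1.50, length 28",
]
OPT_WORKING = [
    "12:00:01.000200 IP 192.168.1.50.51234 > 192.168.2.253.3128: Flags [S], seq 1, win 65535, length 0",
    "12:00:01.500200 IP 192.168.1.51.51300 > 192.168.2.253.3128: Flags [S], seq 1, win 65535, length 0",
]
OPT_BROKEN = [
    "12:00:03.000001 ARP, Request who-has 192.168.2.253 tell 192.168.2.254, length 28",
]

if __name__ == "__main__":
    for name, opt in (("working", OPT_WORKING), ("broken", OPT_BROKEN)):
        print(name, redirect_status(LAN_CAPTURE, opt, "192.168.1.0/24", "192.168.2.253"))
```

If the OPT capture shows the client's source address with destination 192.168.2.253:3128, the rule is doing its job and the problem is on the proxy side; if the LAN capture shows port-80 SYNs but nothing ever appears on OPT, the rule is not matching, which is the case the post above describes.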

