Squid with multi wan doesnt work as intended

athurdent · Mar 3, 2013, 5:18 PM

Have a look here, never tried it but it makes sense to me:
http://www.communig8.com/articles/64-open-source/137-pfsense-multi-wan-how-to-really-make-it-work

xbipin · Mar 4, 2013, 5:04 AM

thanks for the link but i have read those old configs before also but my setup is different, i dont want to use my multi wan as load balancer or fail over, i want to route specifically based on originating ip and if u see my rules, it works fine without squid but with squid, traffic goes out of the wrong interface

athurdent · Mar 4, 2013, 5:39 AM

Hmm, thought, that a combination of having Squid use 127.0.0.1 as outgoing address and a well crafted floating rule with gateway wan2 might work.

xbipin · Mar 4, 2013, 12:05 PM

in squid i typed this

tcp_outgoing_address 127.0.0.1;

on floating tab i created a rule

pass
quick disabled
interface wan1 and wan2
direction out
protocol tcp
source and destination any
source port any
destination port 80
gateway wan2

and i logged packet also and it seems it still goes out of wan1 instead of wan2

xbipin · Mar 4, 2013, 12:07 PM

here r some screenshots

athurdent · Mar 4, 2013, 12:22 PM

Does the rule get any hits, do you see log entries for it? Otherwise there might be interference with pfSense internal rules, I guess.

xbipin · Mar 4, 2013, 12:25 PM

yes the floating rule gets hits but interface is always shown as wan1 inspite of me routing out of wan2 using the rule so probably it has some bug i guess unless there is something else to be configured.

i use whatsmyip etc to check the ip and all say traffic is coming from wan1 instead of wan2

athurdent · Mar 4, 2013, 1:12 PM

Tried to replicate it, but I am getting the same results you get. Seems there's something more involved. When I use Quick for the rule, the traffic hits the ruleset twice and it dows not work at all. But I cannot debug this further now, sorry. I'm not at home and might lock myself out playing with the ruleset too much ;)
I remember there was something about negate rules, but I am not sure if that applies to this problem.

Edit: The "Squid-way" to solve this would simply be

tcp_outgoing_address <wan2 ip="" address="">;</wan2>

Don't know how complicated it would be to make the outgoing address an option in the Squid package, though.

xbipin · Mar 4, 2013, 1:18 PM

http://redmine.pfsense.org/issues/2854

xbipin · Mar 4, 2013, 2:17 PM

@athurdent:

Tried to replicate it, but I am getting the same results you get. Seems there's something more involved. When I use Quick for the rule, the traffic hits the ruleset twice and it dows not work at all. But I cannot debug this further now, sorry. I'm not at home and might lock myself out playing with the ruleset too much ;)
I remember there was something about negate rules, but I am not sure if that applies to this problem.

Edit: The "Squid-way" to solve this would simply be
tcp_outgoing_address <wan2 ip="" address="">;</wan2>
Don't know how complicated it would be to make the outgoing address an option in the Squid package, though.

provided the wan ip never changed

athurdent · Mar 4, 2013, 3:13 PM

Like I said, an option in the package would be needed for that.

marcelloc · Mar 19, 2013, 2:12 PM

@athurdent:

Like I said, an option in the package would be needed for that.

just put it(tcp_outgoing_address <wan2 ip="" address="">;) on custom_options.

You will need to update it every time you get a new wan address if you do not have a static wan.</wan2>

xbipin · Mar 19, 2013, 3:25 PM

thats the whole thing, i dont have a static ip so why not use some coding to feed in ip when it changes to it, mayb a drop down similar to gateway which can be selected and it changes with ip change