Dansguardian CARP Interface

  • Hi Guys,

    We have a very large network with 12 locations and on average 3,000 users per day, all running through Dansguardian and pfSense with no issues. However, we only have HTTP filtering since we're using NAT to redirect traffic to Dansguardian from port 80 to 8080. We would like to change this by using WPAD to configure the clients' browsers to use the proxy for HTTPS as well, so we can at least filter by hostname. The problem is that we have a primary/secondary pfSense pair using CARP, and as far as I can tell Dansguardian will not listen on a CARP IP address, which is what we need, since when the main box goes down the second box will not have the same IP attached.

    My thought has been to use the DNS Forwarder to override a domain name and use that for the address of our proxy, but we're using it for split DNS for our in-house servers and would not be able to use XMLRPC sync to keep the DNS Forwarders in sync on both boxes. So my next idea was to edit the config file manually, but won't it get overridden when any changes are made to Dansguardian?

    Does anyone have any ideas to make this sort of thing work?

    Thanks in advance!

  • I have this configuration on a few boxes.

    1. Squid needs to point to loopback
    2. Dansguardian needs to point to loopback
    3. You need a port forward from your CARP IP to your loopback

    Listen Squid/Dansguardian on loopback and create an rdr NAT rule to forward from the CARP address to the proxy daemon.

    user -> carp address -> dansguardian@ -> squid@ -> internet
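
    The three steps above written out as raw pf rules, as an added example that was not posted in this thread (on pfSense the rdr line is what a Firewall > NAT > Port Forward entry generates). Interface name, CARP VIP and ports are constructed placeholders.

    ```pf
    # Constructed example: loopback listeners plus a CARP-VIP-to-loopback redirect.
    #   em1            = LAN interface shared by both pfSense nodes
    #   192.0.2.10     = CARP virtual IP on that LAN (the address WPAD hands out)
    #   127.0.0.1:8080 = Dansguardian on loopback
    #                    (dansguardian.conf: filterip = 127.0.0.1, filterport = 8080,
    #                     proxyip = 127.0.0.1, proxyport = 3128)
    #   127.0.0.1:3128 = Squid behind it (squid.conf: http_port 127.0.0.1:3128)
    #
    # Clients talk to the CARP VIP. Whichever node currently owns the VIP rewrites
    # the destination to its own loopback, where the daemons really listen, so no
    # daemon ever has to bind the CARP address and failover needs no daemon change.
    rdr on em1 proto tcp from em1:network to 192.0.2.10 port 8080 -> 127.0.0.1 port 8080

    # Filter rules see the post-translation address. Restricting the source to the
    # LAN subnet keeps the proxy from being reachable from anywhere else.
    pass in quick on em1 proto tcp from em1:network to 127.0.0.1 port 8080 keep state
    ```

    Existing proxy connections are not carried across a CARP failover because their states point at the old node's loopback; browsers simply reconnect to the VIP, which now belongs to the surviving node.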

