PfSense Squid Proxy for Multi-WAN



  • 2.0.2-RELEASE (i386)
    built on Fri Dec 7 16:30:14 EST 2012
    FreeBSD 8.1-RELEASE-p13

    Install Squid Package
    1. squidGuard
    2. Lightsquid
    3. squid

    Setting Squid Proxy
    Custom Options : tcp_outgoing_address 127.0.0.1

    ![02. Squid Proxy Setting.png_thumb](/public/imported_attachments/1/02. Squid Proxy Setting.png_thumb)
    ![02. Squid Proxy Setting.png](/public/imported_attachments/1/02. Squid Proxy Setting.png)
    ![01. Package Manager.png_thumb](/public/imported_attachments/1/01. Package Manager.png_thumb)
    ![01. Package Manager.png](/public/imported_attachments/1/01. Package Manager.png)



  • Multi-WAN Routing
    All WANs in same tier to create Multi-WAN

    Firewall Floating rules
    Squid proxy use port 80 and use interface WAN, WAN it's default for squid proxy server
    Select Gateway: Multi-WAN

    Firewall NAT Outbound
    Allow to passage out.
    Select Manual Outbound NAT rule generation (AON - Advanced Outbound NAT), and save to generate default mapping rules

    ![03. Multi-WAN Routing.png](/public/imported_attachments/1/03. Multi-WAN Routing.png)
    ![03. Multi-WAN Routing.png_thumb](/public/imported_attachments/1/03. Multi-WAN Routing.png_thumb)
    ![04. Floating.png](/public/imported_attachments/1/04. Floating.png)
    ![04. Floating.png_thumb](/public/imported_attachments/1/04. Floating.png_thumb)
    ![05. NAT Outbound.png](/public/imported_attachments/1/05. NAT Outbound.png)
    ![05. NAT Outbound.png_thumb](/public/imported_attachments/1/05. NAT Outbound.png_thumb)



  • Hostname and Domain name
    Hostname and the Domain name is located

    DNS Forwarder
    Enable DNS Forwarder

    DHCP server
    In Additional BOOTP/DHCP: wpad.dat, wpad.da and proxy.pac

    Create wpad.dat, wpad.da and proxy.pac
    Use vi editor to create file wpad.dat, wpad.da and proxy.pac

    ![06. Hostname and Domain.png](/public/imported_attachments/1/06. Hostname and Domain.png)
    ![06. Hostname and Domain.png_thumb](/public/imported_attachments/1/06. Hostname and Domain.png_thumb)
    ![07. DNS Forwarder.png](/public/imported_attachments/1/07. DNS Forwarder.png)
    ![07. DNS Forwarder.png_thumb](/public/imported_attachments/1/07. DNS Forwarder.png_thumb)
    ![08. DHCP Server.png](/public/imported_attachments/1/08. DHCP Server.png)
    ![08. DHCP Server.png_thumb](/public/imported_attachments/1/08. DHCP Server.png_thumb)
    ![09. Editor WPAD.png](/public/imported_attachments/1/09. Editor WPAD.png)
    ![09. Editor WPAD.png_thumb](/public/imported_attachments/1/09. Editor WPAD.png_thumb)



  • Enable access log, is necessary to Lightsquid access log.
    Enable logging : Mark
    Log store directory : /var/squid/log

    ![10. Logging.png](/public/imported_attachments/1/10. Logging.png)
    ![10. Logging.png_thumb](/public/imported_attachments/1/10. Logging.png_thumb)



  • Redirect Mode
    Option if you want to use a redirect mode

    ![11. Redirect Mode.png](/public/imported_attachments/1/11. Redirect Mode.png)
    ![11. Redirect Mode.png_thumb](/public/imported_attachments/1/11. Redirect Mode.png_thumb)



  • Save Configuration
    Always use this command when completed configuration
    1. SquidGuard => Save
    2. SquidGuard => Apply
    3. Squid => Save



  • Will try this settings :)
    But what does these files?  wpad.dat, wpad.da and proxy.pac



  • @sawmill:

    Will try this settings :)
    But what does these files?  wpad.dat, wpad.da and proxy.pac

    wpad.dat, wpad.da and proxy.pac was not in pfsense directory, it must be created, can also use notepad then upload and transfer from /tmp/ to the folder /usr/local/www/ or use the vi editor.

    http://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid



  • what's the purpose of this thread? Is this for the loadbalance multiwan with squid?
    I'm a lil confused by the title of your every post.

    Will I still have a failover if I don't follow your 3rd post?

    I'll try your howto and post the results here.



  • Step Multi-WAN LoadBalancer with squid. I separate post in every step to simplify the configuration.
    I'm confused on step 3 you mean whether floating or routing. I am waiting for your decision.



  • Hi,

    thank you for the tutorial. Which IP address do I have to enter into "wpad" files when using different VLANs/interfaces?

    Thank you.



  • i mean this:

    DNS Forwarder
    Enable DNS Forwarder

    DHCP server
    In Additional BOOTP/DHCP: wpad.dat, wpad.da and proxy.pac

    Create wpad.dat, wpad.da and proxy.pac
    Use vi editor to create file wpad.dat, wpad.da and proxy.pac

    I have a DNS fowarder but without the wpad thing.



  • @Nachtfalke:

    Hi,

    thank you for the tutorial. Which IP address do I have to enter into "wpad" files when using different VLANs/interfaces?

    Thank you.

    IP Address option depends on the current selection in the squid proxy interface, refer to the first post of the second picture.



  • @jikjik101:

    i mean this:

    DNS Forwarder
    Enable DNS Forwarder

    DHCP server
    In Additional BOOTP/DHCP: wpad.dat, wpad.da and proxy.pac

    Create wpad.dat, wpad.da and proxy.pac
    Use vi editor to create file wpad.dat, wpad.da and proxy.pac

    I have a DNS fowarder but without the wpad thing.

    What results did you get, I've never tried it. If successful it is good news.



  • @hyrol:

    @Nachtfalke:

    Hi,

    thank you for the tutorial. Which IP address do I have to enter into "wpad" files when using different VLANs/interfaces?

    Thank you.

    IP Address option depends on the current selection in the squid proxy interface, refer to the first post of the second picture.

    Hi,

    thank you for your response. But the picture shows just one interface (LAN) which is a listening interface on squid. I do have 6 different (V)LAN interfaces which are listening interfaces of squid but as far as I can see I am only able to create one wpad file.

    So let's say I Have a host-A in VLAN-A which is not allowed to talk to VLAN-B (firewall rules) then how would it work if the IP of the wpad file is the interface IP of VLAN-B ?

    Thank you!



  • try this…

    function FindProxyForURL(url,host)
    {
    if (isInNet(host,"your.vlan.ip.address","your.vlan.subnet.mask"))
       (isInNet(host,"your.vlan.ip.address","your.vlan.subnet.mask"))
       (isInNet(host,"your.vlan.ip.address","your.vlan.subnet.mask"))
       (isInNet(host,"your.vlan.ip.address","your.vlan.subnet.mask"))
    return "DIRECT";
    else
    return "PROXY your.pfsense.ip.address:port";  DIRECT";
    }



  • @jikjik101:

    i mean this:

    DNS Forwarder
    Enable DNS Forwarder

    DHCP server
    In Additional BOOTP/DHCP: wpad.dat, wpad.da and proxy.pac

    Create wpad.dat, wpad.da and proxy.pac
    Use vi editor to create file wpad.dat, wpad.da and proxy.pac

    I have a DNS fowarder but without the wpad thing.

    What you say is true, I have tried to remove the step, it can work.

    Skip this
    DHCP server
    In Additional BOOTP/DHCP: wpad.dat, wpad.da and proxy.pac

    Create wpad.dat, wpad.da and proxy.pac
    Use vi editor to create file wpad.dat, wpad.da and proxy.pac

    ![08. DHCP Server.png](/public/imported_attachments/1/08. DHCP Server.png)
    ![08. DHCP Server.png_thumb](/public/imported_attachments/1/08. DHCP Server.png_thumb)
    ![09. Editor WPAD.png](/public/imported_attachments/1/09. Editor WPAD.png)
    ![09. Editor WPAD.png_thumb](/public/imported_attachments/1/09. Editor WPAD.png_thumb)



  • For some reason, this setup not working on pfsense 2.1 and squid 3.3.4, my box was working very well with 2.0.3, but now it´s not with 2.1, any ideas?



  • Nice way summing it up!  Thanks!



  • @hyrol:

    Firewall Floating rules
    Squid proxy use port 80 and use interface WAN, WAN it's default for squid proxy server
    Select Gateway: Multi-WAN

    Till Last week i was using Version 2.0.2 now upgraded to 2.0.3
    Thanks!!!
    The following tutorial helped me alot
    http://securite-ti.com/pfSense_Web_Proxy_with_multi-WAN_links.pdf

    I have some doubts [Confused]
    My Scenario:
    Configured my Gateway in Fail Over mode. [WAN1–-Tire1, WAN2---Tire2]
    I want to make my Tire2 connection as default Gateway for 15 LAN Users. Does the policy based routing will work since WAN1 is the default for squid proxy server.
    I have tested it but some times the Traffic goes through the Tire1 [Especially for DHCP Clients]

    Interfaces: Lan Protocol: ANY Source: LAN IP Destination ports: ANY Gateway: WAN2GW

    All configurations are same as shown in the PDF Tutorial. Do the same configurations will work on Version 2.0.3



  • has anyone tried this on 2.0.3 ?

    I have tried it earlier and I think i have messed up…... i have removed packages and revert to original settings, now my internet is working fine with load balancing, and failovers.



  • @fabianoheringer:

    For some reason, this setup not working on pfsense 2.1 and squid 3.3.4, my box was working very well with 2.0.3, but now it´s not with 2.1, any ideas?

    ON
    2.1-RC1 (amd64)
    built on Thu Aug 15 16:30:12 EDT 2013
    FreeBSD 8.3-RELEASE-p9

    I solved by activating "Allow default gateway switching" option in Advanced configs (failover only) and removing all floating and NAT rules..
    Hope this helps…



  • @vielfede:

    @fabianoheringer:

    For some reason, this setup not working on pfsense 2.1 and squid 3.3.4, my box was working very well with 2.0.3, but now it´s not with 2.1, any ideas?

    ON
    2.1-RC1 (amd64)
    built on Thu Aug 15 16:30:12 EDT 2013
    FreeBSD 8.3-RELEASE-p9

    I solved by activating "Allow default gateway switching" option in Advanced configs (failover only) and removing all floating and NAT rules..
    Hope this helps…

    that is not solved, it still has 2 problems that aren't an issue for your specific use.
    It doesn't help with loadbalancing or when someone has more than 2 WANs of which 1 WAN reallly should not do http traffic (because it is reserved for other use like VoIP, or because the ip can't be known publicly etcetera)

    It really is a stupid bug in 2.1. Worse is that 2.0.x had a bug that failover doesn't work for connections like VoIP/SIP so going back isn't an option either, at least for me… really nice



  • Finally, after a long time trying pfSense Squid Package + Multi Wan and I have managed to find its way in a deadlock.
    pfSense 2.1 Squid Package + Multi Wan, no longer using the Floating Rules, but using the Interface Groups.
    Good Luck Everyone.

    ![Interface Groups.jpg](/public/imported_attachments/1/Interface Groups.jpg)
    ![Interface Groups.jpg_thumb](/public/imported_attachments/1/Interface Groups.jpg_thumb)
    ![Proxy Server.jpg](/public/imported_attachments/1/Proxy Server.jpg)
    ![Proxy Server.jpg_thumb](/public/imported_attachments/1/Proxy Server.jpg_thumb)
    ![Internet Rules.jpg](/public/imported_attachments/1/Internet Rules.jpg)
    ![Internet Rules.jpg_thumb](/public/imported_attachments/1/Internet Rules.jpg_thumb)
    ![Floating Rules.jpg](/public/imported_attachments/1/Floating Rules.jpg)
    ![Floating Rules.jpg_thumb](/public/imported_attachments/1/Floating Rules.jpg_thumb)



  • Thanks, and congratulations!

    What version of squid and squidguard are you using?

    Please send a screenshot of your system->routing screen showing your default route.



  • Created the interface group, but how are you getting squid to use the group and not the default gateway?



  • Still configure the same as pfSense 2.0.3 Squid Package Multi Wan, only changes to the Floating Rules to Interface Group.

    ![Lan Rules.jpg_thumb](/public/imported_attachments/1/Lan Rules.jpg_thumb)
    ![Lan Rules.jpg](/public/imported_attachments/1/Lan Rules.jpg)





  • Thanks but I am not seeing where or how you have used the interface group.



  • Under Menu Interface




  • Hyrol,

    Many thanks, but where I use the new "Internet" interface created at "Interface Groups", I don't like to abuse of your time, but could you resume how will be the new configuration?



  • afrugone,

    What you mean, all configure same as pfSense 2.0.3 Squid Multi WANs, difference only Floating rules vs Interface Group. pfSense 2.1 not more using Floating rules for Squid Multi WANs.



  • OK I´ll try this,

    Thanks



  • @hyrol:

    afrugone,

    What you mean, all configure same as pfSense 2.0.3 Squid Multi WANs, difference only Floating rules vs Interface Group. pfSense 2.1 not more using Floating rules for Squid Multi WANs.

    I've done as you said exactly but not working at all



  • Actually this is not Load-Balance Round Robin, this is Load-Balance Bandwith Agreggation and you can see all the WANs its working.
    It is worth it from nothing.




  • Hi @hyrol,

    The last LAN rule screenshot you posted actually bypasses the squid altogether and sends the traffic directly to the loadbalancer gateway group. That's how you're getting bandwidth aggregation (but not squid caching).

    And the interface group "Internet" is not really playing any role anywhere.

    So, in summary, this does not seem to be a working solution for 2.1.x for squid plus load-balancing or failover.



  • NOTE:

    if you have problems with multi WAN (which may be the reason you look at this topic) you may find it senseless, because you browser can have problems with downloading images

    SO SEE THIS TOPIC NOT VIA ROUTER YOU PLAN TO CONFIGURE :)


Log in to reply