PfSense Squid Proxy for Multi-WAN

hyrol

2.0.2-RELEASE (i386)
built on Fri Dec 7 16:30:14 EST 2012
FreeBSD 8.1-RELEASE-p13

Install Squid Package
1. squidGuard
2. Lightsquid
3. squid

Setting Squid Proxy
Custom Options : tcp_outgoing_address 127.0.0.1


hyrol

Multi-WAN Routing
All WANs in same tier to create Multi-WAN

Firewall Floating rules
Squid proxy use port 80 and use interface WAN, WAN it's default for squid proxy server
Select Gateway: Multi-WAN

Firewall NAT Outbound
Allow to passage out.
Select Manual Outbound NAT rule generation (AON - Advanced Outbound NAT), and save to generate default mapping rules


hyrol

Hostname and Domain name
Hostname and the Domain name is located

DNS Forwarder
Enable DNS Forwarder

DHCP server
In Additional BOOTP/DHCP: wpad.dat, wpad.da and proxy.pac

Create wpad.dat, wpad.da and proxy.pac
Use vi editor to create file wpad.dat, wpad.da and proxy.pac


hyrol

Enable access log, is necessary to Lightsquid access log.
Enable logging : Mark
Log store directory : /var/squid/log


hyrol

Redirect Mode
Option if you want to use a redirect mode


hyrol

Save Configuration
Always use this command when completed configuration
1. SquidGuard => Save
2. SquidGuard => Apply
3. Squid => Save

sawmill

Will try this settings :)
But what does these files?  wpad.dat, wpad.da and proxy.pac

hyrol

@sawmill:

Will try this settings :)
But what does these files?  wpad.dat, wpad.da and proxy.pac

wpad.dat, wpad.da and proxy.pac was not in pfsense directory, it must be created, can also use notepad then upload and transfer from /tmp/ to the folder /usr/local/www/ or use the vi editor.

http://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

jikjik101

what's the purpose of this thread? Is this for the loadbalance multiwan with squid?
I'm a lil confused by the title of your every post.

Will I still have a failover if I don't follow your 3rd post?

I'll try your howto and post the results here.

hyrol

Step Multi-WAN LoadBalancer with squid. I separate post in every step to simplify the configuration.
I'm confused on step 3 you mean whether floating or routing. I am waiting for your decision.

Nachtfalke

Hi,

thank you for the tutorial. Which IP address do I have to enter into "wpad" files when using different VLANs/interfaces?

Thank you.

jikjik101

i mean this:

DNS Forwarder
Enable DNS Forwarder

DHCP server
In Additional BOOTP/DHCP: wpad.dat, wpad.da and proxy.pac

Create wpad.dat, wpad.da and proxy.pac
Use vi editor to create file wpad.dat, wpad.da and proxy.pac

I have a DNS fowarder but without the wpad thing.

hyrol

@Nachtfalke:

Hi,

thank you for the tutorial. Which IP address do I have to enter into "wpad" files when using different VLANs/interfaces?

Thank you.

IP Address option depends on the current selection in the squid proxy interface, refer to the first post of the second picture.

hyrol

@jikjik101:

i mean this:

DNS Forwarder
Enable DNS Forwarder

DHCP server
In Additional BOOTP/DHCP: wpad.dat, wpad.da and proxy.pac

Create wpad.dat, wpad.da and proxy.pac
Use vi editor to create file wpad.dat, wpad.da and proxy.pac

I have a DNS fowarder but without the wpad thing.

What results did you get, I've never tried it. If successful it is good news.

Nachtfalke

@hyrol:

@Nachtfalke:

Hi,

thank you for the tutorial. Which IP address do I have to enter into "wpad" files when using different VLANs/interfaces?

Thank you.

IP Address option depends on the current selection in the squid proxy interface, refer to the first post of the second picture.

Hi,

thank you for your response. But the picture shows just one interface (LAN) which is a listening interface on squid. I do have 6 different (V)LAN interfaces which are listening interfaces of squid but as far as I can see I am only able to create one wpad file.

So let's say I Have a host-A in VLAN-A which is not allowed to talk to VLAN-B (firewall rules) then how would it work if the IP of the wpad file is the interface IP of VLAN-B ?

Thank you!

hyrol

try this…

function FindProxyForURL(url,host)
{
if (isInNet(host,"your.vlan.ip.address","your.vlan.subnet.mask"))
   (isInNet(host,"your.vlan.ip.address","your.vlan.subnet.mask"))
   (isInNet(host,"your.vlan.ip.address","your.vlan.subnet.mask"))
   (isInNet(host,"your.vlan.ip.address","your.vlan.subnet.mask"))
return "DIRECT";
else
return "PROXY your.pfsense.ip.address:port";  DIRECT";
}

hyrol

@jikjik101:

i mean this:

DNS Forwarder
Enable DNS Forwarder

DHCP server
In Additional BOOTP/DHCP: wpad.dat, wpad.da and proxy.pac

Create wpad.dat, wpad.da and proxy.pac
Use vi editor to create file wpad.dat, wpad.da and proxy.pac

I have a DNS fowarder but without the wpad thing.

What you say is true, I have tried to remove the step, it can work.

Skip this
DHCP server
In Additional BOOTP/DHCP: wpad.dat, wpad.da and proxy.pac

Create wpad.dat, wpad.da and proxy.pac
Use vi editor to create file wpad.dat, wpad.da and proxy.pac


fabianoheringer

For some reason, this setup not working on pfsense 2.1 and squid 3.3.4, my box was working very well with 2.0.3, but now it´s not with 2.1, any ideas?

srk3461

Nice way summing it up!  Thanks!

binarymind

@hyrol:

Firewall Floating rules
Squid proxy use port 80 and use interface WAN, WAN it's default for squid proxy server
Select Gateway: Multi-WAN

Till Last week i was using Version 2.0.2 now upgraded to 2.0.3
Thanks!!!
The following tutorial helped me alot
http://securite-ti.com/pfSense_Web_Proxy_with_multi-WAN_links.pdf

I have some doubts [Confused]
My Scenario:
Configured my Gateway in Fail Over mode. [WAN1–-Tire1, WAN2---Tire2]
I want to make my Tire2 connection as default Gateway for 15 LAN Users. Does the policy based routing will work since WAN1 is the default for squid proxy server.
I have tested it but some times the Traffic goes through the Tire1 [Especially for DHCP Clients]

Interfaces: Lan Protocol: ANY Source: LAN IP Destination ports: ANY Gateway: WAN2GW

All configurations are same as shown in the PDF Tutorial. Do the same configurations will work on Version 2.0.3