Netgate Discussion Forum

    PfSense Squid Proxy for Multi-WAN

    Routing and Multi WAN
    36 Posts 15 Posters 31.2k Views

      hyrol

      2.0.2-RELEASE (i386)
      built on Fri Dec 7 16:30:14 EST 2012
      FreeBSD 8.1-RELEASE-p13

      Install Squid Package
      1. squidGuard
      2. Lightsquid
      3. squid

      Setting Squid Proxy
      Custom Options : tcp_outgoing_address 127.0.0.1

      ![02. Squid Proxy Setting.png](/public/imported_attachments/1/02. Squid Proxy Setting.png)
      ![01. Package Manager.png](/public/imported_attachments/1/01. Package Manager.png)

        hyrol

        Multi-WAN Routing
        All WANs in same tier to create Multi-WAN

        Firewall Floating rules
        Squid proxy uses port 80 and uses interface WAN; WAN is the default for the Squid proxy server
        Select Gateway: Multi-WAN

        Firewall NAT Outbound
        Allow traffic to pass out.
        Select Manual Outbound NAT rule generation (AON - Advanced Outbound NAT), and save to generate default mapping rules

        ![03. Multi-WAN Routing.png](/public/imported_attachments/1/03. Multi-WAN Routing.png)
        ![04. Floating.png](/public/imported_attachments/1/04. Floating.png)
        ![05. NAT Outbound.png](/public/imported_attachments/1/05. NAT Outbound.png)

          hyrol

          Hostname and Domain name
          Hostname and the Domain name is located

          DNS Forwarder
          Enable DNS Forwarder

          DHCP server
          In Additional BOOTP/DHCP: wpad.dat, wpad.da and proxy.pac

          Create wpad.dat, wpad.da and proxy.pac
          Use vi editor to create file wpad.dat, wpad.da and proxy.pac

          ![06. Hostname and Domain.png](/public/imported_attachments/1/06. Hostname and Domain.png)
          ![07. DNS Forwarder.png](/public/imported_attachments/1/07. DNS Forwarder.png)
          ![08. DHCP Server.png](/public/imported_attachments/1/08. DHCP Server.png)
          ![09. Editor WPAD.png](/public/imported_attachments/1/09. Editor WPAD.png)

            hyrol

            Enable the access log; it is necessary for the Lightsquid access log.
            Enable logging : Mark
            Log store directory : /var/squid/log

            ![10. Logging.png](/public/imported_attachments/1/10. Logging.png)

              hyrol

              Redirect Mode
              Optional, if you want to use a redirect mode

              ![11. Redirect Mode.png](/public/imported_attachments/1/11. Redirect Mode.png)

                hyrol

                Save Configuration
                Always use these commands when the configuration is completed
                1. SquidGuard => Save
                2. SquidGuard => Apply
                3. Squid => Save

                  sawmill

                  Will try these settings :)
                  But what do these files do? wpad.dat, wpad.da and proxy.pac

                    hyrol

                    @sawmill:

                    > Will try these settings :)
                    > But what do these files do? wpad.dat, wpad.da and proxy.pac

                    wpad.dat, wpad.da and proxy.pac were not in the pfSense directory; they must be created. You can also use Notepad, then upload and transfer them from /tmp/ to the folder /usr/local/www/, or use the vi editor.

                    http://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

                      jikjik101

                      What's the purpose of this thread? Is this for load-balanced multi-WAN with Squid?
                      I'm a little confused by the title of each of your posts.

                      Will I still have a failover if I don't follow your 3rd post?

                      I'll try your howto and post the results here.

                        hyrol

                        Steps for a Multi-WAN load balancer with Squid. I separated each step into its own post to simplify the configuration.
                        I'm confused about whether by step 3 you mean floating or routing. I am waiting for your decision.

                          Nachtfalke

                          Hi,

                          thank you for the tutorial. Which IP address do I have to enter into "wpad" files when using different VLANs/interfaces?

                          Thank you.

                            jikjik101

                            I mean this:

                            > DNS Forwarder
                            > Enable DNS Forwarder
                            >
                            > DHCP server
                            > In Additional BOOTP/DHCP: wpad.dat, wpad.da and proxy.pac
                            >
                            > Create wpad.dat, wpad.da and proxy.pac
                            > Use vi editor to create file wpad.dat, wpad.da and proxy.pac

                            I have a DNS forwarder but without the wpad thing.

                              hyrol

                              @Nachtfalke:

                              > Hi,
                              >
                              > thank you for the tutorial. Which IP address do I have to enter into "wpad" files when using different VLANs/interfaces?
                              >
                              > Thank you.

                              The IP address option depends on the current selection in the Squid proxy interface; refer to the first post of the second picture.

                                hyrol

                                @jikjik101:

                                > I mean this:
                                >
                                > > DNS Forwarder
                                > > Enable DNS Forwarder
                                > >
                                > > DHCP server
                                > > In Additional BOOTP/DHCP: wpad.dat, wpad.da and proxy.pac
                                > >
                                > > Create wpad.dat, wpad.da and proxy.pac
                                > > Use vi editor to create file wpad.dat, wpad.da and proxy.pac
                                >
                                > I have a DNS forwarder but without the wpad thing.

                                What results did you get? I've never tried it. If successful, it is good news.

                                  Nachtfalke

                                  @hyrol:

                                  > @Nachtfalke:
                                  >
                                  > > Hi,
                                  > >
                                  > > thank you for the tutorial. Which IP address do I have to enter into "wpad" files when using different VLANs/interfaces?
                                  > >
                                  > > Thank you.
                                  >
                                  > The IP address option depends on the current selection in the Squid proxy interface; refer to the first post of the second picture.

                                  Hi,

                                  thank you for your response. But the picture shows just one interface (LAN) which is a listening interface on squid. I do have 6 different (V)LAN interfaces which are listening interfaces of squid but as far as I can see I am only able to create one wpad file.

                                  So let's say I have a host-A in VLAN-A which is not allowed to talk to VLAN-B (firewall rules), then how would it work if the IP of the wpad file is the interface IP of VLAN-B?

                                  Thank you!

                                    hyrol

                                    try this…

                                    ```javascript
                                    function FindProxyForURL(url, host)
                                    {
                                        // Destinations inside any of the listed VLAN networks bypass the proxy
                                        if (isInNet(host, "your.vlan.ip.address", "your.vlan.subnet.mask") ||
                                            isInNet(host, "your.vlan.ip.address", "your.vlan.subnet.mask") ||
                                            isInNet(host, "your.vlan.ip.address", "your.vlan.subnet.mask") ||
                                            isInNet(host, "your.vlan.ip.address", "your.vlan.subnet.mask"))
                                            return "DIRECT";
                                        else
                                            // Everything else goes to Squid, with DIRECT as the fallback
                                            return "PROXY your.pfsense.ip.address:port; DIRECT";
                                    }
                                    ```

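Nachtfalke's multi-VLAN case can be served from a single wpad file by choosing the proxy from the client's own subnet instead of from the destination host. The following is an added example, not code from the thread or from the pfSense project; the VLAN subnets and listener addresses are constructed, port 3128 is assumed, and `matchVlan` and `proxyForClient` are hypothetical helper names.

```javascript
// Added example, not from the thread. Subnets and listener addresses are
// constructed placeholders; 3128 (Squid's default port) is an assumption.
var VLANS = [
  { net: "10.0.10.0", mask: "255.255.255.0", proxy: "10.0.10.1:3128" }, // VLAN-A
  { net: "10.0.20.0", mask: "255.255.255.0", proxy: "10.0.20.1:3128" }  // VLAN-B
];
// Client subnet not recognised: go direct and let the firewall rules decide.
var FALLBACK = "DIRECT";

// Browsers supply isInNet() and myIpAddress() to PAC scripts. This stand-in
// (dotted-quad input only, no DNS lookup) lets the same file run under Node.
function ipToInt(ip) {
  var parts = ip.split("."), n = 0;
  for (var i = 0; i < 4; i++) n = ((n << 8) | Number(parts[i])) >>> 0;
  return n;
}
if (typeof isInNet === "undefined") {
  globalThis.isInNet = function (ip, net, mask) {
    var m = ipToInt(mask);
    return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
  };
}

// Hypothetical helper: return the VLAN entry whose subnet contains `ip`, or null.
function matchVlan(ip) {
  for (var i = 0; i < VLANS.length; i++) {
    if (isInNet(ip, VLANS[i].net, VLANS[i].mask)) return VLANS[i];
  }
  return null;
}

// Hypothetical helper: pick the Squid listener on the client's own VLAN, so
// the proxy connection never has to cross an inter-VLAN firewall rule.
function proxyForClient(clientIp) {
  var vlan = matchVlan(clientIp);
  return vlan ? "PROXY " + vlan.proxy : FALLBACK;
}

function FindProxyForURL(url, host) {
  // A destination given as an IP inside a local VLAN bypasses the proxy.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) && matchVlan(host)) return "DIRECT";
  return proxyForClient(myIpAddress());
}
```

On multi-homed clients `myIpAddress()` may return an address outside every listed subnet, in which case the fallback applies. If proxy use is mandatory, the firewall rules rather than the PAC file have to enforce it.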
                                      hyrol

                                      @jikjik101:

                                      > I mean this:
                                      >
                                      > > DNS Forwarder
                                      > > Enable DNS Forwarder
                                      > >
                                      > > DHCP server
                                      > > In Additional BOOTP/DHCP: wpad.dat, wpad.da and proxy.pac
                                      > >
                                      > > Create wpad.dat, wpad.da and proxy.pac
                                      > > Use vi editor to create file wpad.dat, wpad.da and proxy.pac
                                      >
                                      > I have a DNS forwarder but without the wpad thing.

                                      What you say is true. I have tried removing the step, and it can work.

                                      Skip this
                                      DHCP server
                                      In Additional BOOTP/DHCP: wpad.dat, wpad.da and proxy.pac

                                      Create wpad.dat, wpad.da and proxy.pac
                                      Use vi editor to create file wpad.dat, wpad.da and proxy.pac

                                      ![08. DHCP Server.png](/public/imported_attachments/1/08. DHCP Server.png)
                                      ![09. Editor WPAD.png](/public/imported_attachments/1/09. Editor WPAD.png)

                                        fabianoheringer

                                        For some reason, this setup is not working on pfSense 2.1 and Squid 3.3.4. My box was working very well with 2.0.3, but now it's not with 2.1. Any ideas?

                                          srk3461

                                          Nice way of summing it up! Thanks!

                                            binarymind

                                            @hyrol:

                                            > Firewall Floating rules
                                            > Squid proxy uses port 80 and uses interface WAN; WAN is the default for the Squid proxy server
                                            > Select Gateway: Multi-WAN

                                            Till last week I was using version 2.0.2; now upgraded to 2.0.3.
                                            Thanks!!!
                                            The following tutorial helped me a lot:
                                            http://securite-ti.com/pfSense_Web_Proxy_with_multi-WAN_links.pdf

                                            I have some doubts [Confused]
                                            My scenario:
                                            Configured my gateway in failover mode. [WAN1 - Tier1, WAN2 - Tier2]
                                            I want to make my Tier2 connection the default gateway for 15 LAN users. Will policy-based routing work, since WAN1 is the default for the Squid proxy server?
                                            I have tested it, but sometimes the traffic goes through Tier1 [especially for DHCP clients].

                                            Interfaces: LAN Protocol: ANY Source: LAN IP Destination ports: ANY Gateway: WAN2GW

                                            All configurations are the same as shown in the PDF tutorial. Will the same configuration work on version 2.0.3?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.