PfSense 2.1 Floating rules for Multi Wan doesn't work.



  • I problem in the floating for multi wan, after I upgraded to version 2.1, it does not work.
    ![04. Floating.png](/public/imported_attachments/1/04. Floating.png)
    ![04. Floating.png_thumb](/public/imported_attachments/1/04. Floating.png_thumb)



  • I'm not entirely sure but that rule looks fundamentally wrong in the first place. You've created a floating rule with direction Out on a WAN interface. This means by the time the rule fires, NAT has already occured and a gateway has already been chosen.

    Just create a normal Internet access rule on the LAN interface and set the gateway there. There is generally no need for floating rules for multi-WAN conditional gateway selection.

    You rule is just for HTTP, so simply create a new Internet access rule on the LAN interface above the existing one and set the destination port to HTTP.



  • previously no problems during pfSense 2.0.3, you can refer to this link.

    http://forum.pfsense.org/index.php/topic,60977.0.html



  • It doesn't matter. The floating rule seems overly complex and unnecessary when a simpler solution achieves the same thing.



  • Need floating rules for squid multi wan, have any idea without floating rules.



  • Are both your gateways on the same WAN interface or do you have 2 WAN interfaces each with their own gateway?

    Your rule specifies "WAN" so it's only going to fire after traffic has already been translated to "WAN"'s public IP address. There is no question of "WAN2" ever being used. If it worked before, it sounds like it was thanks to a bug that has now been fixed.

    Unless you can somehow make the OS itself use the "LoadBalancer" gateway I don't see how it could work. You should probably install Squid on a separate box and use a conditional gateway rule on that interface for incoming traffic from Squid.



  • Try selecting both WAN and WAN2 in the floating rule. IMO it still shouldn't work since NAT has already taken place, but try your luck.



  • I don't see where that rule would have ever done anything since quick isn't checked, the default pass out rules will override it.



  • My knowledge, squid works only in WAN, that's why i need Floating rules for multi wan work in squid.



  • i have the same problem. In pfsense 2.03 i can use all my wan with squid. In pfsense 2.1 squid only use default wan.
    In 2.03 i use directive tcp_outgoing_address 127.0.0.1 in squid and add a floating rule with quick flag on that pass the traffic from the default gateway to a gateway Group.

    How can do the same in pfsense 2.1

    thanks.



  • some problem…i cant fix it...much people wait fix that...in my country...



  • maybe squid proxy not compatible for pfsense 2.1.


  • Banned

    Not sure what's the "me too" stuff about. If you are creating the broken rule without "quick" checkbox, it will not ever apply, as noted by cmb.



  • Hi doktornotor, hyrol

    I understand from the thread that the rule was working due to a "bug" prior to 2.1, however is there another way to get Squid to use a Multi WAN Loadbalancing gateway?
    The rule may have been a bug but it was a great help!!

    Kind Regards and thanks in advance

    P.S hyrol thank you for your Squid with Load balancing solution it has worked brilliantly for me prior to upgrading.


  • Banned

    Which part of "you must tick the quick checkbox" for the rule to have any effect is unclear?



  • That does not fix the problem of the load balancing. Does the same as if it wasn't checked…



  • scusa non capisco provo a postarti le cose che ho fatto

    alias : host(s) e poi sotto ho aggiunto www.speedtest.net
    ruels : Pass - LAN - IMCP - any - 192.168.0.15 - speedtest.net - GTWOPT1

    la regola l'ho messa anche in varie posizioni ma non va se vado su speedtest mi mostra l'ip della WAN e non della OPT1 e funziona se spendo la WAN mi va in failover e solo in quel caso va in OPT1

    ma la mia domanda era oltre a fare la regola su ruels devo fare qualcosa su out/nat ecc ecc?


  • Banned

    Uh, English please!



  • I have been using another method "Use sticky connections", but not Load Balacing i want, it is just temporary use.

    ![Use sticky connections.png](/public/imported_attachments/1/Use sticky connections.png)
    ![Use sticky connections.png_thumb](/public/imported_attachments/1/Use sticky connections.png_thumb)



  • i stuck that problem to 2.1

    squid - (wpad configured) - loadbalance not working.



  • Hi..

    I've done extensive tests on pfSense 2.1 with multiwan load balancing, squid and squidguard. I've followed the same configuration which was working on pfSense 2.0.3 (with floating rules, manual NAT, tcp_outgoing_traffic 127.0.0.1 custom option, etc.,).

    But now in 2.1 load balancing is not working with squid, it only uses the default gateway.
    Failover is working with squid.

    Load balancing and failover mutiwan works perfectly fine without squid.

    Is there any specific configuration required for making squid use the load balancing feature and in 2.1 version.

    Please help!!



  • I've got the same problem with squid and multiWAN since Upgrade to 2.1…
    Only WAN(1) default WAN is used by squid, not WAN2 + WAN3 into Gateway-Group on Same
    Tier1.



  • I didn't have a two-WAN setup prior to 2.1.
    Now I have two WAN and I tried to setup one using the pdf from Dimitri S.
    Like others already mentioned, only the default gateway is used.
    From the moment I define floating rules (the solution in 2.x), all hell brakes lose and connections time-out.
    Without floating rules, default gateway is used.

    WAN 1 = DHCP
    WAN 2 = local ip of ISP router as gateway with FULL NAT to pfSense

    Squid isn't transparant and listens to port 8080.

    I'm now even in a situation where my https filter got broken :(
    Blame me for not taking a snapshot prior to this change.

    This guy is having the same problems: http://forum.pfsense.org/index.php/topic,67215.0.html

    On top of this, I noticed that when running squid (2.7 and 3), the multi-wan environment seems to not work. Even after trying the well written guides on the forum. As an example, without squid, I can get speedtest results that reflect wan1 + wan2 + wan3. With squid enabled, I just get a speedtest result of wan1 (the default gateway). And if wan1 is switched off, internet access dies with it.

    Is there someone with a working loadbalance setup on 2.1?



  • I did a totally clean setup last Saturday when I left the office. When I came back on Monday, I saw +5GB traffic on the traffic summary of both interfaces. I opened the traffic graphs and saw traffic on both interfaces. Not sure why it suddenly worked. No floating rules, no custom options on squid, default allow –> gateway, sticky connections and switch gateway is on.



  • Hi klazoid,

    I think some other service/application/browser must have used the bandwidth without proxy..



  • i think i have a solution :
    instead of squid use squid3_dev .

    in custom options :
    "
    acl venticinque random 1/4
    acl settantacinquediv2 random 0.5

    tcp_outgoing_address 192.168.4.1 venticinque

    tcp_outgoing_address 192.168.3.1  settantacinquediv2

    tcp_outgoing_address 192.168.2.1

    "

    i have three wan with different speed so i try to balance the throughput with different weigth



  • Hi Ruggero,

    Can you write this in clear steps..

    Thanks in advance..



  • first install squid3-dev  from available packages.

    ++++++in this way you can use configuration directive acl random .
    from squid doc :
    changes in 3.2 acl : random

    New type random. Pseudo-randomly match requests based on a configured probability .

    now you can do all the configuration you need for multiwan in Custom options - Custom setting of proxy server.

    in my situation ( 3 wan ) :

    "
    acl venticinque random 1/4
    acl settantacinquediv2 random 0.5

    tcp_outgoing_address 192.168.4.254 venticinque

    tcp_outgoing_address 192.168.3.254  settantacinquediv2

    tcp_outgoing_address 192.168.2.254

    "

    192.168.4.254 = ipv4 address wan 1
    192.168.3.254 = ipv4 address wan 2
    192.168.2.254 = ipv4 address wan 3

    random 1/4 = 25 % = wan1 25% of traffic
    random 0.5 = (100-25)/2 = wan2 37,5 % of traffic
    else = wan3 37,5 % of traffic

    i do this because my 3 wan are not equal.

    in case of 2 wan :

    "
    acl cinquanta random 0.5

    tcp_outgoing_address 192.168.4.254 cinquanta

    tcp_outgoing_address 192.168.2.254

    "

    you do not need extra rule on firewall ( floating rule ) .
    Also it bypass gateway groups.



  • Squid3 not stable, i try install i check in services, always stop services, how about when i have PPPoE Multi-WAN dynamic IP. Can u screen capture in Custom options.



  • squid3 need lib update.
    check  squid 3.3.4 package for pfsense with ssl filtering



  • So i understand but some ppl using wan interface for bridge mode (pppoe)  .
    what they can do bridge (pppoe) users.
    and some ppl have dynamic wan ip adresses.

    @ruggero:

    first install squid3-dev  from available packages.

    ++++++in this way you can use configuration directive acl random .
    from squid doc :
    changes in 3.2 acl : random

    New type random. Pseudo-randomly match requests based on a configured probability .

    now you can do all the configuration you need for multiwan in Custom options - Custom setting of proxy server.

    in my situation ( 3 wan ) :

    "
    acl venticinque random 1/4
    acl settantacinquediv2 random 0.5

    tcp_outgoing_address 192.168.4.254 venticinque

    tcp_outgoing_address 192.168.3.254  settantacinquediv2

    tcp_outgoing_address 192.168.2.254

    "

    192.168.4.254 = ipv4 address wan 1
    192.168.3.254 = ipv4 address wan 2
    192.168.2.254 = ipv4 address wan 3

    random 1/4 = 25 % = wan1 25% of traffic
    random 0.5 = (100-25)/2 = wan2 37,5 % of traffic
    else = wan3 37,5 % of traffic

    i do this because my 3 wan are not equal.

    in case of 2 wan :

    "
    acl cinquanta random 0.5

    tcp_outgoing_address 192.168.4.254 cinquanta

    tcp_outgoing_address 192.168.2.254

    "

    you do not need extra rule on firewall ( floating rule ) .
    Also it bypass gateway groups.



  • hi, here it does not work the "acl random" always comes out with the wan1.
    I have version 2.1 and squid pfsense 3.3.8-dev pkg 2.2.

    here is my custom options

    acl fifty random 0.5 (I also tried 1/2 instead of 0.5)
    tcp_outgoing_address fifty 192.168.100.2 (no gateway ip, ip pfsense wan1)
    tcp_outgoing_address 192.168.2.3 (not ip gateway, ip pfsense WAN2)

    here continue to browse only the wan1 while if I disable the transparent proxy balancing works well.
    Works to you?
    how did you set the "outbound nat" in automatic or manual?
    thanks
    bye

    –-------------------------------------------------------------------------------------
    correction, with the "Automatic outbound NAT rule generation" everything works.

    Thank you, Regards



  • Hi,

    nice idea with the different tcp_outgoing addresses…
    I found yesterday also a site which show this option (before I found this thread ^^):
    http://linuxaria.com/pills/setup-squid-to-use-multiple-outgoing-ip-addresses

    This thread seems the only one (with "content") who mentioned that there is a bug in pfSense 2.1 with floating rules.
    Because of right topic I add my information here, too.

    Since update from 2.0.1 to 2.1.0 we have in remote office also the problem that only our default WAN interface is accessible from outside... :( Here my test from yesterday night; we are using there 1st WAN with PPPoE, 2nd WAN with local modem-router.

    Here each a test to http://ident.me :

    21:48:14.600710 IP 177.103.xxx.xxx.51527 > 176.58.123.25.32362: Flags [s], seq 1591963423, win 65228, options [mss 1452,nop,wscale 7,sackOK,TS val 1064842937 ecr 0], length 0
    21:48:17.599925 IP 192.168.0.2.4478 > 176.58.123.25.80: Flags [s], seq 1591963423, win 65228, options [mss 1452,nop,wscale 7,sackOK,TS val 1064845937 ecr 0], length 0
    21:48:20.799857 IP 192.168.0.2.4478 > 176.58.123.25.80: Flags [s], seq 1591963423, win 65228, options [mss 1452,nop,wscale 7,sackOK,TS val 1064849137 ecr 0], length 0
    21:48:23.999792 IP 192.168.0.2.4478 > 176.58.123.25.80: Flags [s], seq 1591963423, win 65228, options [mss 1452,sackOK,eol], length 0
    21:48:27.199723 IP 192.168.0.2.4478 > 176.58.123.25.80: Flags [s], seq 1591963423, win 65228, options [mss 1452,sackOK,eol], length 0
    21:48:30.399660 IP 192.168.0.2.4478 > 176.58.123.25.80: Flags [s], seq 1591963423, win 65228, options [mss 1452,sackOK,eol], length 0
    
    [code]21:51:46.841211 IP 192.168.0.2.1286 > 176.58.123.25.24577: Flags [s], seq 187921402, win 65228, options [mss 1452,nop,wscale 7,sackOK,TS val 1065055182 ecr 0], length 0
    21:51:49.840521 IP 177.103.xxx.xxx.23922 > 176.58.123.25.80: Flags [s], seq 187921402, win 65228, options [mss 1452,nop,wscale 7,sackOK,TS val 1065058182 ecr 0], length 0
    21:51:53.040452 IP 177.103.xxx.xxx.23922 > 176.58.123.25.80: Flags [s], seq 187921402, win 65228, options [mss 1452,nop,wscale 7,sackOK,TS val 1065061382 ecr 0], length 0
    21:51:56.240386 IP 177.103.xxx.xxx.23922 > 176.58.123.25.80: Flags [s], seq 187921402, win 65228, options [mss 1452,sackOK,eol], length 0
    21:51:59.440321 IP 177.103.xxx.xxx.23922 > 176.58.123.25.80: Flags [s], seq 187921402, win 65228, options [mss 1452,sackOK,eol], length 0
    
    Interesting part: the 1st line connects over backup WAN Interface with right IP but to wrong destination port... and every repeated initializing packet goes to right destination port but over wrong main WAN interface ?
    
    I was thinking about testing today if there is a difference between localhost and lan interface by accessing remote pbx but I forgot to deactivate floating rules so the employees had tested it before I had time for it ^^.
    
    Using normal rules works nice so it must be a floating rule bug... 
    => Is it perhaps possible easy to fix it with a "remote github" patch ?
    
    First I was not sure if it's really a floating rule bug because
    [list]
    [li] incoming connections to firewall on slave WAN interface are unusable since update, too.
    If you have same problems here the solution:
    => I fixed it with NATting:[list]
    [li]WAN1:22   => localhost:22,[/li]
    [li]WAN1:443 => localhost:443,[/li]
    [li]WAN2:22   => localhost:22 and[/li]
    [li]WAN2:443 => localhost:443.[/li]
    [/list][/li]
    [li]DynDNS service can't be updated anymore, too...
    But the service should be bound on 2nd WAN interface directly?[/li]
    [/list]
    
    Bests[/s][/s][/s][/s][/s][/code][/s][/s][/s][/s][/s][/s]
    


  • mmh… addititional strange behavior... I manually run / later re-checked on webgui.
    The registered dynamic name service is registered to use WAN2 ... but got IP from WAN1 and switched here to wrong IP

    Dec 3 14:55:58	php: rc.dyndns.update: phpDynDNS (xxx.no-ip.org): (Success) DNS hostname update successful.
    Dec 3 14:55:58	php: rc.dyndns.update: phpDynDNS: updating cache file /conf/dyndns_wannoip'xxx.no-ip.org'0.cache: 177.103.xxx.xxx
    Dec 3 14:55:57	php: rc.dyndns.update: DynDns (xxx.no-ip.org): 177.103.xxx.xxx extracted from checkip.dyndns.org
    Dec 3 14:55:57	php: rc.dyndns.update: DynDNS (xxx.no-ip.org): Current Service: noip
    Dec 3 14:55:57	php: rc.dyndns.update: DynDNS (xxx.no-ip.org): DynDns _checkStatus() starting.
    Dec 3 14:55:56	php: rc.dyndns.update: DynDNS (xxx.no-ip.org): DynDns _update() starting.
    Dec 3 14:55:56	php: rc.dyndns.update: DynDns (xxx.no-ip.org): DynDns: cacheIP != wan_ip. Updating. Cached IP: 201.83.xxx.xxx WAN IP: 177.103.xxx.xxx
    Dec 3 14:55:56	php: rc.dyndns.update: DynDns (xxx.no-ip.org): Current WAN IP: 177.103.xxx.xxx Cached IP: 201.83.xxx.xxx
    Dec 3 14:55:56	php: rc.dyndns.update: DynDns (xxx.no-ip.org): 177.103.xxx.xxx extracted from checkip.dyndns.org
    Dec 3 14:55:53	php: rc.dyndns.update: DynDNS (xxx.no-ip.org): running get_failover_interface for wan. found re0
    Dec 3 14:55:53	php: rc.dyndns.update: DynDns (xxx.no-ip.org): 177.103.xxx.xxx extracted from checkip.dyndns.org
    Dec 3 14:55:53	php: rc.dyndns.update: DynDns: updatedns() starting
    

    Perhaps better for a new thread:
    Why is checkip.dyndns.org used for other dyndns services ?
    Would be nice if checking service can be made selectable.

    I knew its is / was a nice service. But since yesterday I don't think so anymore…
    I used them for my SQuiD loadbalancing tests... and got 127.0.0.1 back :D

    Also DynDNS won't check IPv6 addresses because they say in their supportforum it would always stay same IP.
    Ok this should be normally the case (especially for firewalls) but it would be nice service to get them either in response for re-check settings.

    http://ident.me offer IPv6/IPv4 address and showed me yesterday 127.0.0.1 and the right local IP address in answer page.
    http://v4.ident.me only IPv4
    http://v6.ident.me only IPv6



  • Hi,

    on normal usage a very nice option ;)

    @ruggero:

    i think i have a solution :
    instead of squid use squid3_dev .

    in custom options :
    "
    acl venticinque random 1/4
    acl settantacinquediv2 random 0.5

    tcp_outgoing_address 192.168.4.1 venticinque
    tcp_outgoing_address 192.168.3.1  settantacinquediv2
    tcp_outgoing_address 192.168.2.1

    I justed tested it with this additional ACL RegEx (needs perhaps some improvements) so we can let Youtube videos through the good line and block it in the not so good backup line:

    acl_youtube urlpath_regex http://www.youtube.com/watch\?v=.*
    acl wan2 random 1/2
    
    tcp_outgoing_address <wan1 ip=""> youtube
    tcp_outgoing_address <wan2 ip=""> wan2
    tcp_outgoing_address <wan1 ip=""></wan1></wan2></wan1>
    

    Pitily there is a problem if one of the lines are down… then every x request is timing out... :(

    Is it perhaps possible to let SQuiD know by local files/checks what lines are up?

    Not very RAM friendly would be a solution to run for each WAN interface a SQuiD instance and in front of it the main SQuiD with these SQuiDs as parents... then he can auto-select/fallback as he is allowed to ask them by rule.



  • @Reiner030:

    acl_youtube urlpath_regex http://www.youtube.com/watch\?v=.*
    acl wan2 random 1/2
    
    tcp_outgoing_address <wan1 ip=""> youtube
    tcp_outgoing_address <wan2 ip=""> wan2
    tcp_outgoing_address <wan1 ip=""></wan1></wan2></wan1>
    

    ah, squid3-dev matches irregulary in transparent mode also urlpath_regex - correct is url_regex.
    And I added further sniffed URLs also for HTML5 blocking (perhaps too much, but better than too few ;)):

    acl Youtube_Streams url_regex (youtube.com|youtube.be|m.ytimg.com|s.ytimg.com|s2.ytimg.com|s3.ytimg.com|googlevideo.com)/(.*\.(flv|swf)|player204|stream_204|watchtime|generate_204|videoplayback)
    
    tcp_outgoing_address <wan2 ip=""> Youtube_Streams</wan2>
    

    Actual my testing "live" pfSense goes out only on WAN1 even I set tcp_outgoing_address onto WAN2 IP ???.
    So I can't test it correctly but I guess it can be made shorter like this with ReGex:

    acl Youtube_Streams url_regex (youtube.com|youtube.be|m.ytimg.com|s\d*.ytimg.com|i\d*.ytimg.com|googlevideo.com)/(.*\.(flv|swf)|(player|stream_|generate_)204|watchtime|videoplayback)
    


  • I downloaded the lib modules for squid 3.3.8 from the following link

    http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/

    please let me know that the acl random method solve the issue? and if the one Wan goes down what will happen then?
    it will send all the traffic to valid interface or it will still keep sending the packets to failed wan also?

    need clarification on this.

    Thanks



  • Hi,

    @Basit:

    I downloaded the lib modules for squid 3.3.8 from the following link

    http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/

    please let me know that the acl random method solve the issue? and if the one Wan goes down what will happen then?
    it will send all the traffic to valid interface or it will still keep sending the packets to failed wan also?

    need clarification on this.

    Thanks

    Its for us not an urgent task to use loadbalanced proxy and I had problems to getting SQuidGuard+SQuid3-dev both run.
    So I downgraded to stable SQuid and we use the fibre line as normal (with youtube bound to this wan ip).
    If the gateway failover then only non-youtube video content can be loaded.

    I used the i386 one on an Soekris appliance http://e-sac.siteseguro.ws/pfsense/8/All/ldd/ added like here described:
    http://forum.pfsense.org/index.php/topic,62256.msg373587.html#msg373587

    … ah just updated.... updates fetched... I must see If I had time for testing it out next weeks when less work is to do.

    Bests



  • Finally, after a long time trying pfSense Squid Package + Multi Wan and I have managed to find its way in a deadlock.
    pfSense 2.1 Squid Package + Multi Wan, no longer using the Floating Rules, but using the Interface Groups.
    Good Luck Everyone.

    ![Interface Groups.jpg](/public/imported_attachments/1/Interface Groups.jpg)
    ![Interface Groups.jpg_thumb](/public/imported_attachments/1/Interface Groups.jpg_thumb)
    ![Proxy Server.jpg](/public/imported_attachments/1/Proxy Server.jpg)
    ![Proxy Server.jpg_thumb](/public/imported_attachments/1/Proxy Server.jpg_thumb)
    ![Internet Rules.jpg](/public/imported_attachments/1/Internet Rules.jpg)
    ![Internet Rules.jpg_thumb](/public/imported_attachments/1/Internet Rules.jpg_thumb)
    ![Floating Rules.jpg](/public/imported_attachments/1/Floating Rules.jpg)
    ![Floating Rules.jpg_thumb](/public/imported_attachments/1/Floating Rules.jpg_thumb)



  • Thanks, and congratulations!

    What version of squid and squidguard are you using?

    Please send a screenshot of your system->routing screen showing your default route.


 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy