Multi-Wan with SQUID Theoretical Setup
-
Hi,
Having read the forums, it seems that Squid works best on a single-WAN setup. So, for multi-WAN (load-balanced), multi-LAN configurations that want to implement squid, maybe configuring two pfSense boxes will work?
The first (pfsense01) will accept the multi-WAN connection and the second (pfsense02) will have squid on a multi-LAN configuration, shown in the attached image.
The thing is, three (3) static public IP addresses will be needed.
Any thoughts on this please?
-
This way is a good idea, but how do people manage gateways (grouped LAN users?)
-
Hello,
As Necati Selim GÜNER said, if you want a group of IP addresses to go out via WAN1 on pfSense01 and another group to go out via WAN2 on pfSense01, I think this will not work.
As far as I remember, Squid on pfSense02 will use the loopback IP address 127.0.0.1 to process all incoming packets and therefore it will not be possible to distinguish between different groups of IP addresses when the packets go out of pfSense02, unless tcp_outgoing_address is used (I haven't tried it, so I cannot say anything).
I myself want to use content filtering with policy-based routing on a multi-WAN setup, but having read different threads on the forums, I am not sure it works properly.
Can anyone ascertain that this setup does work properly?
-
It does not work out of the box, but you can still distinguish IP groups using a dirty hack with outbound NAT port ranges:
- create another loopback interface:
ifconfig lo1 create 127.0.0.2
- set up acls in the squid 'custom options':
acl LAN1 src 192.168.1.0/24;
acl LAN2 src 192.168.2.0/24;
tcp_outgoing_address 127.0.0.1 LAN1;
tcp_outgoing_address 127.0.0.2 LAN2
- put Outbound NAT in manual mode and, assuming WAN1 is the default WAN, alter the 127.0.0.0 NAT rules as follows:
WAN1 127.0.0.1/32 * * * * 1024:33279 NO
WAN1 127.0.0.2/32 * * * * 33280:65535 NO
WAN2 127.0.0.0/8 * * * * 1024:65535 NO
so after SNAT processing the LAN1 outgoing port range will be 1024:33279 and LAN2's 33280:65535
- Now in the 'Floating' tab of firewall rules (see: http://forum.pfsense.org/index.php/topic,33895.0.html) you can choose a different gateway group for each outgoing port range (IP group):
TCP WAN1 address 1024 - 33279 * 80 (HTTP) WAN1FailsToWAN2 none
TCP WAN1 address 33280 - 65535 * 80 (HTTP) WAN2FailsToWAN1 none
Note: this is a working setup with squid in transparent mode on a single pfSense machine
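As an added example (my own code, not part of rubic's post or of pfSense), a small Python model of the chain described above: it traces a client address through the Squid acl, the loopback address, the outbound NAT source-port range and the floating rule to the gateway group it ends up on, and checks that the NAT port ranges are disjoint and each is covered by exactly one floating rule, which is the property the whole trick depends on. The subnets, port ranges and gateway-group names are taken from the post; the function names are assumptions of mine.

```python
import ipaddress

# Constructed model of the post's policy (subnets, port ranges and gateway-group
# names as given there; the function names are my own).
OUTGOING_ADDRESS = {            # Squid tcp_outgoing_address: source subnet -> loopback
    "192.168.1.0/24": "127.0.0.1",  # acl LAN1
    "192.168.2.0/24": "127.0.0.2",  # acl LAN2
}
OUTBOUND_NAT = {                # manual outbound NAT on WAN1: loopback -> source-port range
    "127.0.0.1": (1024, 33279),
    "127.0.0.2": (33280, 65535),
}
FLOATING_RULES = [              # floating rules on WAN1: source-port range -> gateway group
    ((1024, 33279), "WAN1FailsToWAN2"),
    ((33280, 65535), "WAN2FailsToWAN1"),
]


def gateway_for_client(client_ip, outgoing=OUTGOING_ADDRESS,
                       nat=OUTBOUND_NAT, rules=FLOATING_RULES):
    """Trace one client: acl -> loopback -> NAT port range -> gateway group.
    Returns None when no acl matches (Squid falls back to its default outgoing
    address) or when no single floating rule covers the whole NAT range."""
    addr = ipaddress.ip_address(client_ip)
    loopback = next((lo for net, lo in outgoing.items()
                     if addr in ipaddress.ip_network(net)), None)
    if loopback is None or loopback not in nat:
        return None
    lo, hi = nat[loopback]
    for (rlo, rhi), group in rules:
        if rlo <= lo and hi <= rhi:  # rule must cover the entire NAT range
            return group
    return None


def check_port_ranges(nat=OUTBOUND_NAT, rules=FLOATING_RULES):
    """List configuration problems that would make the policy routing ambiguous."""
    problems = []
    ordered = sorted(nat.items(), key=lambda kv: kv[1])
    for (a, (_, a_hi)), (b, (b_lo, _)) in zip(ordered, ordered[1:]):
        if b_lo <= a_hi:
            problems.append(f"NAT port ranges for {a} and {b} overlap")
    for addr, (lo, hi) in nat.items():
        hits = [g for (rlo, rhi), g in rules if rlo <= lo and hi <= rhi]
        if len(hits) != 1:
            problems.append(f"range {lo}:{hi} ({addr}) matched by {len(hits)} floating rules")
    return problems
```

A flow whose NAT range is not covered by exactly one floating rule falls through to the default gateway, so `check_port_ranges()` returning an empty list is the condition to verify after editing the port ranges.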
-
It would be better for us if you explained with screenshots.
And which Squid version does it work on?
And we need load-balanced multi-gateway too, not only failover.
-
I am using pfSense 2.0.3 RELEASE with squid 2.7.9 pkg v.4.3.3
LoadBalance breaks some sites' connectivity, so I do not use it, but there is no problem using a LoadBalance gateway group that bypasses the proxy for such sites
For screenshots of the initial multi-WAN squid setup you can look at the first post of this topic: http://forum.pfsense.org/index.php?topic=34810.0 (Russian is hard for Google to translate)
I will try to post screenshots of the actual IP-group squid policy routing tomorrow.
-
Here are screenshots
SQUID General settings and ACLs:
My actual ACLs are different from what I posted yesterday because I have only one LAN and two IP groups, stored in the w1w2.acl and w2w1.acl files. In fact the first file contains the odd IP numbers of my local subnet and the second the even ones. Don't pay attention to it if you have two or more LAN interfaces.
Outbound NAT settings:
Firewall Floating Rules:
Rule details:
-
We are stuck on the pfSense 2.1 squid3 version.
The 2.0.3 guide is not working.
-
Thank you for all the input. I didn't realize that there was a lot of interest in squid and multi-WAN :D
I was trying to simplify it as follows:
(Doing all this on paper for now as I do not have the luxury to tweak the existing setup or create a sandbox)
internet <---> modem <---> pfsense01 (multi wan, single lan) <----> pfsense02 (single wan, single lan).
pfsense02 has squid, cp, etc. and as far as pfsense01 is concerned, it has only one (1) client.
pfsense01
wan1: static public ip
wan2: dhcp public ip
wan3: dhcp public ip
lan: static public ip
pfsense02
wan : static public ip;
lan : your LAN network.
ALL Static Public IPs are on the same IP Block (subnet)
-
Hello rubic & TechnicaL,
I don't want to hijack turk182's thread; should I post a question on your setup in another thread?
@turk182: sorry for using your thread for my questions.
Thanks
-
Hi NetSysAdmin,
I have no issues with you posting the questions in another thread for as long as we can get this setup working properly :-)
Can you just please post a link to the thread?
Thanks!
-
Hi, turk182
This scenario will not work unless each of the 3 ISPs you are connected to has a static route to ip3 through pfSense01. Being ISP1, how could I know that ip3 given to you by ISP3 is behind WAN1 of pfSense01? Suppose I accept an incoming packet from you with source ip3; where should I send the answer? According to my routing table I will send it to ISP3, which will send it to your WAN3, where it will be dropped as a packet coming in on the wrong interface.
You do not need a public IP net between pfSense boxes. Using a private net with double NAT is much easier.
-
Thanks Rubic,
So if it were double NAT, pfsense01 would just have one client, which is pfsense02.