Multi-WAN + squid3 + ssl interception - sticky connections or policy based?



  • Hi,

    I am planning to upgrade to pfsense 2.1 and to use squid3-dev with SSL interception.
    At the moment I am using pfsense 2.0.3 and squid2, which only runs as a transparent proxy for HTTP.

    I have 8 VLANs on my LAN side.
    I have 3 ADSL connections in a gateway group with the same tier, which I am using in my firewall rules for HTTP traffic.
    For HTTPS traffic I created some extra gateway groups with a different tier for every GW and put these gateway groups in my firewall rules - doing "manual" load balancing. So I configured the HTTPS firewall rules for 2 VLANs on one gateway group and the other VLANs with an HTTPS rule for another gateway group.

    My question now is:
    When squid is running in transparent mode for port 80 (HTTP) and port 443 (HTTPS), the source IP address will always be the pfsense itself (127.0.0.1). So I do not have any possibility to load balance HTTPS traffic anymore.

    Any ideas how to make load balancing work with the best performance for HTTPS?

    Does sticky connection mean (A):
    always use the same gateway if the source IP and destination IP are the same, as long as a connection/state is established?

    or does it mean (B):
    always use the same gateway if the source IP is the same, no matter which destination IP is used, as long as a connection/state is established?

    Because the source IP will always be 127.0.0.1, load balancing with sticky connections will only work if (A) is how sticky connections work. If (B) is the case, then there is no way to load balance HTTPS traffic?

    I would really appreciate any suggestion, ideas or experience.

    Thank you very much!



  • I am in the same boat, would like to know more on this.



  • In the latest squid 3.3.4 post marcelloc gave me the hint to create different Source-ACLs and then use these with different "tcp_outgoing_address".
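
    The hint above (source ACLs plus per-ACL tcp_outgoing_address) written out as a squid.conf fragment. This is an added example for this thread, not configuration posted by marcelloc or shipped with the pfSense squid3 package; the VLAN subnets and the three WAN addresses are placeholders and must be replaced with your own. Note that acl src matches the client's address as squid sees it on the inbound side, so under transparent interception the per-VLAN match still works even though the outbound connection would otherwise leave with the firewall's own address.

    ```conf
    # Added example (not from the original thread). Squid 3.3 fragment that
    # spreads proxied HTTP/HTTPS traffic across three WAN links by client VLAN.
    #
    # Assumed placeholders:
    #   192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24  -> three LAN VLANs
    #   203.0.113.10, 198.51.100.10, 192.0.2.10            -> the address on each ADSL/WAN interface

    # One source ACL per VLAN (or group of VLANs). Squid matches the real client
    # address here, not 127.0.0.1, because the ACL is evaluated on the request.
    acl vlan10 src 192.168.10.0/24
    acl vlan20 src 192.168.20.0/24
    acl vlan30 src 192.168.30.0/24

    # Bind the outgoing server-side connection to the address of the WAN link
    # that should carry this VLAN's traffic. First matching line wins, so order
    # the lines from most specific to most general.
    tcp_outgoing_address 203.0.113.10 vlan10
    tcp_outgoing_address 198.51.100.10 vlan20
    tcp_outgoing_address 192.0.2.10 vlan30

    # Optional catch-all for clients that match none of the VLAN ACLs; without
    # it squid falls back to the OS default route's source address.
    tcp_outgoing_address 203.0.113.10
    ```

    A caveat worth checking before relying on this: tcp_outgoing_address only chooses the source address of the socket, it does not route the packet. The firewall's own routing must still send traffic sourced from 198.51.100.10 out of the second ADSL link rather than out of the default gateway, so verify with tcpdump on each WAN interface that connections from each VLAN actually leave on the link you expect. Also bear in mind that with this scheme the "balancing" is static per VLAN, not per connection, so a failed link is not detected by squid; gateway monitoring on the pfSense side has to handle that.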



  • @Nachtfalke:

    In the latest squid 3.3.4 post marcelloc gave me the hint to create different Source-ACLs and then use these with different "tcp_outgoing_address".

    We are stuck on 2.1 with squid3 and wpad configured for multi-WAN. Is there any solution for 2.1 multi-WAN with squid3?

