For people with issues getting squid to failover



  • In testing 2.1.1 today, I noticed this still wasn't resolved. I did a little experimenting and came up with a workaround for pure failover. Note that this won't do anything for it not load-balancing. This assumes you have your failover group set correctly, default gateway switching enabled, and squid using tcp_outgoing_address 127.0.0.1.

    Edit /etc/inc/gwlb.inc around line 93:

    Original:

    
    alarm default {
            command on "/usr/local/sbin/pfSctl -c 'service reload dyndns %T' -c 'service reload ipsecdns' -c 'service reload openvpn %T' -c 'filter reload' "
            command off "/usr/local/sbin/pfSctl -c 'service reload dyndns %T' -c 'service reload ipsecdns' -c 'service reload openvpn %T' -c 'filter reload' "
            combine 10s
    }
    
    

    Change to:

    
    alarm default {
            command on "/usr/local/sbin/pfSctl -c 'service reload dyndns %T' -c 'service reload ipsecdns' -c 'service reload openvpn %T' -c 'filter reload' -c '/usr/local/etc/rc.d/squid.sh restart' "
            command off "/usr/local/sbin/pfSctl -c 'service reload dyndns %T' -c 'service reload ipsecdns' -c 'service reload openvpn %T' -c 'filter reload' -c '/usr/local/etc/rc.d/squid.sh restart' "
            combine 10s
    }
    
    

    Then restart the apinger service.

    Do note that there will be a service interruption for as long as it takes to restart squid (when your group link goes down, not when you restart apinger), and do remember that this does not affect load balancing capabilities - if squid wasn't doing it before, it won't do it with this. This is only for people who have not been able to get squid to use failover groups correctly in 2.1.



  • @timthetortoise:

    In testing 2.1.1 today, I noticed this still wasn't resolved. I did a little experimenting and came up with a workaround for pure failover. Note that this won't do anything for it not load-balancing. This assumes you have your failover group set correctly, default gateway switching enabled, and squid using tcp_outgoing_address 127.0.0.1.

    Edit /etc/inc/gwlb.inc around line 93:

    Original:

    
    alarm default {
            command on "/usr/local/sbin/pfSctl -c 'service reload dyndns %T' -c 'service reload ipsecdns' -c 'service reload openvpn %T' -c 'filter reload' "
            command off "/usr/local/sbin/pfSctl -c 'service reload dyndns %T' -c 'service reload ipsecdns' -c 'service reload openvpn %T' -c 'filter reload' "
            combine 10s
    }
    
    

    Change to:

    
    alarm default {
            command on "/usr/local/sbin/pfSctl -c 'service reload dyndns %T' -c 'service reload ipsecdns' -c 'service reload openvpn %T' -c 'filter reload' -c '/usr/local/etc/rc.d/squid.sh restart' "
            command off "/usr/local/sbin/pfSctl -c 'service reload dyndns %T' -c 'service reload ipsecdns' -c 'service reload openvpn %T' -c 'filter reload' -c '/usr/local/etc/rc.d/squid.sh restart' "
            combine 10s
    }
    
    

    Then restart the apinger service.

    Do note that there will be a service interruption for as long as it takes to restart squid (when your group link goes down, not when you restart apinger), and do remember that this does not affect load balancing capabilities - if squid wasn't doing it before, it won't do it with this. This is only for people who have not been able to get squid to use failover groups correctly in 2.1.

    Hello,

    there is any possibility to use the PBR (Policy based routing) with this workaround?

    I seen that if i specify a "gateway" for a host (or subnet), squid ignores this (it uses only the default route).
    It seems that squid uses the secondary route only if the default goes down (and default gateway switching is enabled)
    I searched in the forum and i see that many users have this trouble, but i am not able to find a definitely solution.

    Is there any workaroung for this?
    Thanks,

    Edoardo



  • You may be able to use some ACLs within Squid to achieve that, but using the gateway rules in pfSense still does not work with squid.



  • @timthetortoise:

    You may be able to use some ACLs within Squid to achieve that, but using the gateway rules in pfSense still does not work with squid.

    Ok, i followed the instruction at http://www.squid-cache.org/Doc/config/tcp_outgoing_address/.
    In particular, to do some test, i have set in the custom options:

    tcp_outgoing_address x.y.z.k  –>  where x.y.z.k is the secondary wan's interface ip address.

    It seems that the directive is well read by squid (for error i've inserted a wrong ip address and i got a squid error on the client) but ignored (the traffic always goes through the default route).
    I have done the tests with the last version of pfsense 2.1.2 (either i386/amd64) with both the squid packages available (squid 3.1.20 pkg 2.0.6 and squid 2.7.9 pkg v.4.3.3), but the result doesn't change.

    Any suggestions about this?

    Edoardo



  • In 2.1.3 (and maybe in previous versions, too), I've observed that squid can continue without issue when default gateway is switched manually.

    Is the workaround you gave here still required if failover group isn't used for squid traffic?



  • Patch for GUI. Need package "System patches" -
    Valid for pfsence 2.1.4

    Path strip count - "0", Base directory "/"

    --- /etc/inc/gwlb.inc	2014-06-21 00:04:52.000000000 +0700
    +++ gwlb_new.inc	2014-08-17 17:17:03.000000000 +0700
    @@ -90,8 +90,8 @@
    
     ## These parameters can be overridden in a specific alarm configuration
     alarm default {
    -	command on "/usr/local/sbin/pfSctl -c 'service reload dyndns %T' -c 'service reload ipsecdns' -c 'service reload openvpn %T' -c 'filter reload' "
    -	command off "/usr/local/sbin/pfSctl -c 'service reload dyndns %T' -c 'service reload ipsecdns' -c 'service reload openvpn %T' -c 'filter reload' "
    +	command on "/usr/local/sbin/pfSctl -c 'service reload dyndns %T' -c 'service reload ipsecdns' -c 'service reload openvpn %T' -c 'filter reload' -c '/usr/local/etc/rc.d/squid.sh restart' "
    +	command off "/usr/local/sbin/pfSctl -c 'service reload dyndns %T' -c 'service reload ipsecdns' -c 'service reload openvpn %T' -c 'filter reload' -c '/usr/local/etc/rc.d/squid.sh restart' "
     	combine 10s
     }
    
    


  • or you guys could just check the box "Allow default gateway switching" @ System: Advanced: Miscellaneous

    this'll basically do what you want to do, except, without a patch ?



  • It was not working correctly on my machine, which is why I made this thread. If it had been, there wouldn't have been a point.