Squid Multi-WAN patch

    Firstly, thanks for the huge amount of work you guys have invested in this wonderful project!

    I would like to use squid ACLs to route different clients through different routes. The same sort of idea might work with load balancing, but I haven't tried it yet. I am pasting my short patch to filter.inc below, which basically adds a few source routes. After this, tcp_outgoing_address custom commands can be used in the squid package config in order to get different routes for different client source addresses (or any other ACL).

    --- filter.inc.orig     2008-01-25 18:33:41.000000000 +0100
    +++ filter.inc  2008-01-25 18:36:00.000000000 +0100
    @@ -2948,7 +2948,21 @@
            for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++)
                    $ifdescrs['opt' . $j] = "opt" . $j;
    -       /* go through primary and optional interfaces */
    +       /* SSH Hack */
    +        /* go through primary and optional interfaces */
    +        foreach ($ifdescrs as $ifdescr => $ifname) {   
    +                $return_gateway = $config['interfaces'][$ifname]['gateway'];
    +                if ($return_gateway) {
    +                        $int = filter_translate_type_to_real_interface($ifname);
    +                        update_filter_reload_status("Creating source routes...");
    +                        $ip = find_interface_ip($int);
    +                        $sn = $config['interfaces'][$ifname]['subnet'];
    +                        $sa = gen_subnet($ip, $sn);
    +                        $rule .= "pass out quick route-to ( {$int} {$return_gateway} ) from {$ip} to ! {$sa}/{$sn} keep state label \"Source route for squid\"\n";
    +                } 
    +        }
    +        /* End SSH Hack */
    +        /* go through primary and optional interfaces */
            foreach ($ifdescrs as $ifdescr => $ifname) {
                    $return_gateway = $config['interfaces'][$ifname]['gateway'];
                    $ints = array();
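Review bot: the `$rule .= "pass out quick route-to ..."` line is emitted as soon as `$return_gateway` is set, with no check that `find_interface_ip($int)` and `$config['interfaces'][$ifname]['subnet']` actually returned values; an interface that has a gateway configured but no address at reload time (a DHCP or PPPoE link that is currently down) produces `from  to ! /` and pfctl will refuse to load the whole ruleset, not just this rule. Compute `$ip` and `$sn` first and skip the interface when either is empty, e.g. `if (!$ip || !$sn) continue;`. Two smaller points in the same block: the loop is labelled `/* SSH Hack */` although the rule it generates is labelled "Source route for squid" and has nothing to do with SSH, and the comment "go through primary and optional interfaces" now appears three times; rename the block to say what it does and drop the duplicated comment. Finally, the rule is broader than its label suggests: `from {$ip}` matches every packet the firewall itself sends from that interface address, not only Squid's, so any other daemon bound to that address is policy-routed through that gateway as well; document that, or restrict the rule further if that is not intended.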

    My custom squid config then looks like this, for example:

    acl slow src;tcp_outgoing_address slow;tcp_outgoing_address

    This routes the slow subnet through one WAN link and everything else through the other (neither of which is the default WAN link).
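    The chain the post describes (Squid picks the source address per client ACL, pf picks the gateway per source address) modelled end to end, as an added example that is not part of the original post and not pfSense or Squid code. Interface names, the WAN addresses (RFC 5737 ranges), the gateways and the "slow" client subnet are all constructed; opt3 is included deliberately with no address to show the case the patch does not guard against. The pf matching below is a deliberately reduced model of `pass out quick` first-match evaluation, covering only source address and the negated destination subnet, which is all the generated rule uses.

```python
# Added model of the Squid -> pf policy-routing chain; not pfSense/Squid code.
from ipaddress import ip_address, ip_interface, ip_network

# Constructed WAN table: interface -> (address/prefix, gateway).
# opt3 has a gateway but no address yet (e.g. a DHCP link that is down).
WANS = {
    "wan":  ("203.0.113.10/24", "203.0.113.1"),
    "opt1": ("198.51.100.10/24", "198.51.100.1"),
    "opt2": ("192.0.2.10/24", "192.0.2.1"),
    "opt3": (None, "192.0.2.1"),
}

# Constructed Squid ACL table in evaluation order: (acl name, networks, outgoing
# address).  Squid uses the first tcp_outgoing_address line whose ACL matches.
SQUID_ACLS = [("slow", ["10.0.2.0/24"], "198.51.100.10")]
SQUID_DEFAULT = "192.0.2.10"   # bare tcp_outgoing_address line, matches everything

# A plain catch-all outbound rule, used to show why rule order matters under 'quick'.
PASS_OUT_ANY = {"iface": "any", "gateway": None, "src": None, "not_dst": None,
                "text": "pass out quick keep state"}


def pf_source_route_rules(wans):
    """One 'pass out quick route-to' rule per WAN, in the same shape as the patch's
    rule, but skipping interfaces with no address or gateway so that a down link
    never yields a malformed 'from  to ! /' rule."""
    rules = []
    for ifname, (addr, gw) in wans.items():
        if not addr or not gw:
            continue
        iface = ip_interface(addr)
        net = iface.network
        text = (f"pass out quick route-to ( {ifname} {gw} ) from {iface.ip} "
                f"to ! {net.with_prefixlen} keep state label \"Source route for squid\"")
        rules.append({"iface": ifname, "gateway": gw, "src": iface.ip,
                      "not_dst": net, "text": text})
    return rules


def squid_custom_options(acls, default):
    """Render the ';'-separated custom options string the pfSense squid package
    expects, one acl line plus one tcp_outgoing_address line per ACL."""
    parts = []
    for name, nets, addr in acls:
        parts.append(f"acl {name} src {' '.join(nets)}")
        parts.append(f"tcp_outgoing_address {addr} {name}")
    parts.append(f"tcp_outgoing_address {default}")
    return ";".join(parts)


def squid_outgoing_address(client_ip, acls, default):
    """Source address Squid binds for an upstream connection on behalf of client_ip."""
    ip = ip_address(client_ip)
    for _name, nets, addr in acls:
        if any(ip in ip_network(n) for n in nets):
            return addr
    return default


def pf_outbound_gateway(rules, src, dst):
    """First-match evaluation of 'pass out quick' rules: the first rule whose source
    matches and whose negated destination subnet does not contain dst decides.
    Returns the route-to gateway, or 'default' for the system routing table."""
    src, dst = ip_address(src), ip_address(dst)
    for r in rules:
        if r["src"] is not None and src != r["src"]:
            continue
        if r["not_dst"] is not None and dst in r["not_dst"]:
            continue
        return r["gateway"] or "default"
    return "default"


def route_for_client(client_ip, dst_ip, pf_rules):
    """(Squid source address, gateway used) for a client fetching dst_ip via the proxy."""
    src = squid_outgoing_address(client_ip, SQUID_ACLS, SQUID_DEFAULT)
    return src, pf_outbound_gateway(pf_rules, src, dst_ip)


if __name__ == "__main__":
    rules = pf_source_route_rules(WANS)
    for r in rules:
        print(r["text"])
    print(squid_custom_options(SQUID_ACLS, SQUID_DEFAULT))
    print(route_for_client("10.0.2.5", "93.184.216.34", rules))
    print(route_for_client("10.0.2.5", "93.184.216.34", [PASS_OUT_ANY] + rules))
```

The last two calls show the ordering point: with the route-to rules first, a "slow" client's traffic leaves via opt1's gateway; with a generic `pass out quick` rule ahead of them, `quick` ends evaluation at that rule and the traffic falls back to the default route even though Squid bound the opt1 address.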


  • On RELENG_1 you can create such rules from the GUI. So no need for the hack.

  • I doubt that you can create "pass out" rules. If you can, please tell me how. All rules created by pfSense in the frontend are "pass in" rules.

  • RELENG_1 is the branch that is to become pfSense 1.3.

  • Ah, OK, so the new version will support "pass out" rules; that's great then!


  • One thing that needs to be noted, though, is that these rules need to be added before other "firewallout" rules, otherwise it won't work. I am not sure whether that will be possible in 1.3…

  • Hi

    I hope this patch works with failover and the 1.2 release.
    I will test it soon!!
    I can't wait for 1.3, sorry.


