MULTIWAN SQUID SQUIDGUARD



  • Hi!

    First of all, I really want to thank all the developers contributing to pfSense. This is really a great project and it is working very well.

    I just would like to ask whether someone has successfully implemented a pfSense machine with squid and squidGuard running on multi-WAN on pfSense 2.2 64-bit?

    My current setup is two pfSense machines, one acting as the multi-WAN router and the other as the gateway for clients, with squid and squidGuard.

    I just wish I could eliminate the second server, run everything on one high-capacity server, and re-purpose the other server for other use.

    Thank you so much in advance for your response!



  • short answer: no

    -you can either get pure failover by using default gateway switching (System: Advanced: Miscellaneous)

    or

    -you can load balance WITHOUT failover using squid 3.3 "acl random"  (https://forum.pfsense.org/index.php?topic=66822.msg457770#msg457770)



  • Hello,

    I've been trying to make it work and I have the approach that I need, but there's no real multi-WAN in my setup (pfSense 2.2).

    My scenario:

    
    WAN1 (em0) -> 192.168.0.246
    LAN1 (em1) -> 192.168.100.1/24
    WAN2 (em2) -> 10.10.0.246
    LAN2 (em3) -> 192.168.200.1/24
    
    

    What I want is that all traffic from LAN1 goes through WAN1 and all traffic from LAN2 goes through WAN2. This is easy: in the LAN2 firewall rule, set the gateway to WAN2.

    If we add squid+squidGuard to the equation (it must be squid3; my setup uses squid 3.4.10_2 pkg 0.2.6 and squidGuard-squid3), you can see that all the traffic from LAN2 goes through the default gateway, which is WAN1.

    To make the traffic go as I wanted, I had to add the following configuration to squid3, in the "Custom ACLs (Before_Auth)" box in the pfSense web GUI:

    
    # Source networks; use the network address (.0/24), not the
    # interface address (.1/24), or squid warns that the netmask
    # masks away part of the specified IP
    acl LAN1 src 192.168.100.0/24
    acl LAN2 src 192.168.200.0/24
    
    # Bind squid's outgoing connections for each LAN to that LAN's
    # WAN interface address, so the traffic leaves (and returns) on that WAN
    tcp_outgoing_address 192.168.0.246 LAN1
    tcp_outgoing_address 10.10.0.246 LAN2
    
    

    After doing that, all the traffic from LAN1 and LAN2 goes through squid+squidGuard (where we can filter all we want) and after that, squid sends the traffic out through the WAN selected by its ACLs.

    I've been trying to get the same result using only firewall rules, but if I put "tcp_outgoing_address 127.0.0.1" in the squid config and then use floating rules, all the traffic goes through WAN1 and I cannot make it work as I wanted.

    I know that maybe this isn't what you need, but maybe it is useful for somebody.



  • http://www.communig8.com/articles/64-open-source/137-pfsense-multi-wan-how-to-really-make-it-work

    See HTTP Proxy (squid) section

    If it works, let me know, please.

    I don't need it myself and I don't have a scenario for testing it. But I'm interested to know about it. Thanks!



  • An idea would be to run one parent squid for each WAN, using that WAN's address as tcp_outgoing_address, and configure those as the parents of the "main" squid.

    Something like this (in a single box):

    http://wiki.mikrotik.com/wiki/Multi_squid_redirections

    Up to now I'm using two pfSense boxes. First box as firewall + squid, second box as outgoing balancer and policy routing.



  • I have a 2-WAN and 3-LAN setup, and I am looking for the answer.

    I'm using pfSense 2.2.2 and tried a simple solution, and it works for me like a charm.

    Since Squid is always hooked onto the default gateway, I tried the simple way: ticking Enable default gateway switching (System: Advanced: Miscellaneous), with State Killing on Gateway Failure left unchecked.

    Still in the testing phase though.



  • Hi!

    Any news on whether this is now possible in pfSense 2.2.4 64-bit?

    Thank you so much for sharing the light…



  • @irontec:

    
    # Source networks; use the network address (.0/24), not the
    # interface address (.1/24), or squid warns that the netmask
    # masks away part of the specified IP
    acl LAN1 src 192.168.100.0/24
    acl LAN2 src 192.168.200.0/24
    
    # Bind squid's outgoing connections for each LAN to that LAN's
    # WAN interface address, so the traffic leaves (and returns) on that WAN
    tcp_outgoing_address 192.168.0.246 LAN1
    tcp_outgoing_address 10.10.0.246 LAN2
    
    

    After doing that, all the traffic from LAN1 and LAN2 goes through squid+squidGuard (where we can filter all we want) and after that, squid sends the traffic out through the WAN selected by its ACLs.

    Although this configuration works (I don't know how to achieve this via firewall rules, as policy-based routing is not working with squid), the question is: in case of failure of one of the two gateways (in your case 192.168.0.246 or 10.10.0.246), squid will use the faulty link; how do you solve this?
    I thought of a script that removes the "tcp_outgoing_address" directive when the gateway goes down, but I would avoid using it in a production environment…

    Edoardo

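As an added example (not from any post in this thread, and not part of the pfSense squid package), here is the kind of script Edoardo's last question points at, combined with the per-LAN tcp_outgoing_address configuration from irontec's post: it probes each WAN, regenerates the acl/tcp_outgoing_address lines so that a LAN whose own WAN is down is bound to a surviving WAN instead, and asks squid to reload only when the generated file actually changed. Everything beyond the addresses in irontec's scenario is an assumption: the upstream gateways 192.168.0.1 and 10.10.0.1 used as probe targets, the include file path /usr/local/etc/squid/wan-outgoing.conf (which you would pull in from the "Custom ACLs (Before_Auth)" box with an `include` line), and running the script from cron with the argument `apply`.

```shell
#!/bin/sh
# Added example: regenerate squid's per-LAN tcp_outgoing_address lines
# from live WAN reachability. Not code from the thread or from pfSense.

# LAN network -> preferred WAN interface address (from irontec's scenario).
LAN_MAP="192.168.100.0/24 192.168.0.246
192.168.200.0/24 10.10.0.246"

# WAN interface address -> upstream gateway to probe (assumed addresses).
WAN_GW="192.168.0.246 192.168.0.1
10.10.0.246 10.10.0.1"

# Assumed path of a file included from squid's custom ACL box.
CONF=/usr/local/etc/squid/wan-outgoing.conf

# wan_up WANADDR GATEWAY: succeed if the gateway answers a ping sourced
# from that WAN address. "-S" is FreeBSD ping syntax (pfSense); Linux uses "-I".
wan_up() {
    ping -c 1 -W 1 -S "$1" "$2" >/dev/null 2>&1
}

# in_list ITEM "a b c": succeed if ITEM is one of the space-separated words.
in_list() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# probe_wans: print the space-separated list of WAN addresses that are up.
probe_wans() {
    up=""
    while read -r wan gw; do
        [ -n "$wan" ] || continue
        if wan_up "$wan" "$gw"; then up="$up${up:+ }$wan"; fi
    done <<EOF
$WAN_GW
EOF
    printf '%s\n' "$up"
}

# gen_outgoing "UP_WANS": print acl + tcp_outgoing_address lines.
# A LAN whose WAN is down is bound to the first surviving WAN; if no WAN
# is up, no tcp_outgoing_address is emitted and squid follows the
# default route (which default gateway switching may have moved).
gen_outgoing() {
    up="$1"
    fallback="${up%% *}"
    n=0
    while read -r net wan; do
        [ -n "$net" ] || continue
        n=$((n + 1))
        printf 'acl LAN%s src %s\n' "$n" "$net"
        if in_list "$wan" "$up"; then
            out="$wan"
        else
            out="$fallback"
        fi
        if [ -n "$out" ]; then
            printf 'tcp_outgoing_address %s LAN%s\n' "$out" "$n"
        fi
    done <<EOF
$LAN_MAP
EOF
}

# apply: rewrite the include file and reload squid only if it changed,
# so a healthy link does not trigger reconfigures every minute.
apply() {
    new=$(gen_outgoing "$(probe_wans)")
    if [ "$new" != "$(cat "$CONF" 2>/dev/null)" ]; then
        printf '%s\n' "$new" > "$CONF"
        squid -k reconfigure
    fi
}

# Cron entry (assumed): */1 * * * * /usr/local/bin/squid-wan-failover.sh apply
if [ "${1:-}" = "apply" ]; then
    apply
fi
```

Because the file is only rewritten when the set of live WANs changes, squid is reloaded once per failover or recovery rather than on every probe. Squid's own behaviour is not changed: with both WANs up the output is exactly the two tcp_outgoing_address lines from the post, so the script can be dropped in without altering a working configuration.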
