Netgate Discussion Forum

    MULTIWAN SQUID SQUIDGUARD

    Cache/Proxy
      edanpedragosa

      Hi!

      First of all, I really want to thank all the developers contributing to PFSENSE. This is really a great project and is working very well.

      I just would like to ask if someone has successfully implemented a pfsense machine with squid and squidguard running on multi-wan for PFSENSE 2.2 64-bit?

      My current setup is two PFSENSE machines, one acting as multiwan and the other as the gateway for clients with squid and squidguard.

      I just wish I could eliminate the other server and run it on just one high-capacity server and re-purpose the other server for other use.

      Thank you so much in advance for your response!

        heper

        short answer: no

        -you can either get pure Failover by using default-gateway-switching (System: Advanced: Miscellaneous)

        or

        -you can loadbalance WITHOUT failover using squid3.3 "acl random"  (https://forum.pfsense.org/index.php?topic=66822.msg457770#msg457770)

          irontec

          Hello,

          I've been trying to make it work and I have the approach that I need, but there's no real multiwan in my setup (pfsense 2.2)

          My scenario:

          
          WAN1 (em0) -> 192.168.0.246
          LAN1 (em1) -> 192.168.100.1/24
          WAN2 (em2) -> 10.10.0.246
          LAN2 (em3) -> 192.168.200.1/24
          
          

          What I want is that all traffic from LAN1 goes through WAN1 and all traffic from LAN2 goes through WAN2. This is easy by adding in the LAN2 rule its default gateway to be WAN2.

          If we add squid+squidguard to the equation (it must be squid3, my setup is with squid 3.4.10_2 pkg 0.2.6 and squidGuard-squid3), you can see that all the traffic from LAN2 goes through the default gateway, which is WAN1.

          To make the traffic go as I wanted, I must introduce the following configuration in squid3, in the "Custom ACLS (Before_Auth)" config box in the pfsense web:

          
          acl LAN1 src 192.168.100.1/24
          acl LAN2 src 192.168.200.1/24
          
          tcp_outgoing_address 192.168.0.246 LAN1
          tcp_outgoing_address 10.10.0.246 LAN2
          
          

          After doing that, all the traffic from LAN1 and LAN2 goes through squid+squidGuard (where we can filter all we want) and after that, squid sends the traffic through the WAN watching its ACLs.

          I've been trying to make the same configuration just using firewall rules, but if I put in the squid config "tcp_outgoing_address 127.0.0.1" and then use the "floating rules" all the traffic goes through WAN1 and I cannot make it work as I wanted.

          I know that maybe this isn't what you need, but maybe it is useful for somebody.
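
Added example (not part of the original post): a small Python model of how the block above is evaluated, useful for checking which WAN address a given client would be pinned to. It assumes only `src` ACLs and Squid's rule that the first fully matching `tcp_outgoing_address` line wins; the function names are hypothetical.

```python
import ipaddress

# The configuration from the post above, copied verbatim.
SQUID_SNIPPET = """
acl LAN1 src 192.168.100.1/24
acl LAN2 src 192.168.200.1/24

tcp_outgoing_address 192.168.0.246 LAN1
tcp_outgoing_address 10.10.0.246 LAN2
"""

def parse(snippet):
    """Return (acls, rules): ACL name -> networks, and ordered (address, ACL names)."""
    acls, rules = {}, []
    for line in snippet.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "src":
            # strict=False: the post writes a host address with /24
            # (192.168.100.1/24); the range covered is 192.168.100.0/24.
            nets = [ipaddress.ip_network(t, strict=False) for t in tok[3:]]
            acls.setdefault(tok[1], []).extend(nets)
        elif len(tok) >= 2 and tok[0] == "tcp_outgoing_address":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def outgoing_address(client, acls, rules):
    """Source address Squid would bind for this client, or None if no line matches."""
    ip = ipaddress.ip_address(client)
    for addr, names in rules:
        # All ACLs named on a line must match; a line without ACLs matches everyone.
        if all(any(ip in net for net in acls.get(n, [])) for n in names):
            return addr
    # No line matched: Squid pins no source address and the OS routing table
    # decides, which in the setup described above means the default gateway (WAN1).
    return None

if __name__ == "__main__":
    acls, rules = parse(SQUID_SNIPPET)
    for client in ("192.168.100.57", "192.168.200.9", "192.168.50.4"):
        print(client, "->", outgoing_address(client, acls, rules))
```
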

            bellera

            http://www.communig8.com/articles/64-open-source/137-pfsense-multi-wan-how-to-really-make-it-work

            See HTTP Proxy (squid) section

            If it works, let me know, please.

            I don't need it for myself and I don't have a scenario for testing it. But I'm interested to know about it. Thanks!

              bellera

              An idea would be to run one parent for each WAN, using the WAN as tcp_outgoing_address, and configure the parents for the "main" squid.

              Something like this (in a unique box):

              http://wiki.mikrotik.com/wiki/Multi_squid_redirections

              Up to now I'm using two pfSense boxes. First box as firewall + squid, second box as outgoing balancer and policy routing.

                reneboyz

                I have a 2 WAN and 3 LAN setup, and I am looking for the answer.

                I'm using pf version 2.2.2 and tried a simple solution, and it worked for me like a charm.

                Since Squid is always hooked up to the default gateway, I tried the simple way by ticking "Enable default gateway switching" (System: Advanced: Miscellaneous), and "State Killing on Gateway Failure" is unchecked.

                Still in the testing phase, though.

                  edanpedragosa

                  Hi!

                  Any news if this is now possible in PFSENSE 2.2.4 64-bit?

                  Thank you so much for sharing the light…

                    edosselio

                    @irontec:

                    
                    acl LAN1 src 192.168.100.1/24
                    acl LAN2 src 192.168.200.1/24
                    
                    tcp_outgoing_address 192.168.0.246 LAN1
                    tcp_outgoing_address 10.10.0.246 LAN2
                    
                    

                    After doing that, all the traffic from LAN1 and LAN2 goes through squid+squidGuard (where we can filter all we want) and after that, squid sends the traffic through the WAN watching its ACLs.

                    Although this configuration works (I don't know how to achieve this via firewall rules, as policy-based routing is not working with squid), the question is: in case of failure of one of the two gateways (in your case 192.168.0.246 or 0.10.0.246), squid will use the faulty link; how to solve this?
                    I thought of a script that removes the "tcp_outgoing_address" directive when the gateway goes down, but I would avoid using it in a production environment…

                    Edoardo
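
Added example (not from the thread): one way to write the script described in the post above, as a Python function that regenerates the custom ACL block from a gateway health map. The health map, the function name and the `failover` switch are assumptions; how the health state is obtained and how the result is loaded into Squid are left out.

```python
# Addresses and networks are the ones quoted in the thread; the table layout
# is constructed for this example.
LAN_TO_WAN = [  # (ACL name, source network, preferred WAN address)
    ("LAN1", "192.168.100.1/24", "192.168.0.246"),
    ("LAN2", "192.168.200.1/24", "10.10.0.246"),
]

def render_outgoing_rules(mapping, wan_up, failover=False):
    """Build the ACL block, never pinning a LAN to a WAN address reported down.

    wan_up: dict of WAN address -> bool (hypothetical gateway-monitor output;
            an address missing from the dict is treated as down).
    failover=False drops the directive for an affected LAN, as the post
            proposes, so Squid falls back to the OS default route.
    failover=True re-pins the LAN to the first healthy WAN instead. This gives
            up the per-LAN egress separation, so enable it only if traffic
            from that LAN is allowed to leave through the other link.
    """
    healthy = [wan for _, _, wan in mapping if wan_up.get(wan, False)]
    lines = [f"acl {name} src {net}" for name, net, _ in mapping]
    lines.append("")
    for name, _, preferred in mapping:
        if wan_up.get(preferred, False):
            lines.append(f"tcp_outgoing_address {preferred} {name}")
        elif failover and healthy:
            lines.append(f"tcp_outgoing_address {healthy[0]} {name}")
        # Otherwise emit nothing for this LAN: no source address is pinned.
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Constructed health state: WAN2 (10.10.0.246) is down.
    state = {"192.168.0.246": True, "10.10.0.246": False}
    print(render_outgoing_rules(LAN_TO_WAN, state, failover=True))
```
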
