Squid bypassing why Multi Wan Group

  • Starting out with pfSense and building up to what I need. I have one WAN and one LAN connection. I then connected to two openvpn servers (VPN1 and VPN2). I set up Multi Wan and have the correct ordering going with failover (ordered such that the group has VPN1, then VPN2, then WAN).

    This all works great and I have LAN rules to direct traffic to this gateway group. I can configure rules to allow specific machines to exit say only a group of VPN1 and VPN2 etc.

    My next aim was to install Squid and SquidGuard and have this working. This in itself works fine. However, I noticed that the exit from Squid is via the WAN interface. Is there a way to have ONLY squid traffic exit via the MultiWan failover group I defined? I can't see a way to specify this or work out a firewall rule (on the WAN interface?) to do this.

    Any pointers greatly appreciated.

  • Netgate Administrator

    It's tough to make this work. If you search the forum you'll find a number of threads with details to do it though I'm not sure any have been confirmed in 2.2. The traffic from Squid, because it originates on the firewall itself, always uses the system routing table which means using the default WAN whatever you have that set as. It never hits the LAN firewall rules so it never gets redirected to the gateway group.
    All the threads about this I have read involve using a floating rule on WAN with direction OUT to catch the traffic from Squid. I've never tried that though.

    For example: https://forum.pfsense.org/index.php?topic=52171.0


  • Nothing I googled seems to point to this. Then I came up with an idea - not sure if it's going to fly though.

    From looking at Squid and pfSense, Squid allows a tcp_outgoing_interface setting - and there was a thread where this was suggested though no replies or results. So not 100% sure this is supported or works.

    My thought is to create an alias ip on the LAN interface and set the tcp_outgoing_interface to that. For example assume that the LAN ip is (eth1). I create an eth1:1 with ip and try and set this for the outgoing squid interface. The LAN rules in the firewall should continue to work.

    Thoughts? Not possible? unlikely? caveats? pitfalls?

  • Netgate Administrator

    It might work, try it. Seems like someone else would have tried it already though.


  • Done the following:

    • Firewall -> Virtual IPs: Created a new virtual ip under the LAN subnet. i.e. for a, I added

    • Services -> Proxy Server / General: Under 'Custom ACLS (Before_Auth)' I added tcp_outgoing_address

    Restarted pfSense for good measure (and to reset an OpenVPN client state where it was connected but the service was marked as down).

    I set a browser to use the squid proxy as per normal - and the exit is still my wan even though I have a LAN rule for exiting via the OpenVPN connection. Confirmed by disabling proxy.

    Double checked that squid was exiting by running netstat -l | grep 253 and can see the squid connections to the websites I tested on.

    Any ideas why the LAN rule was bypassed when squid was exiting on address? When the proxy is off and testing on the client, the LAN rule to exit by OpenVPN works. The LAN rule is on Source 'LAN net'.

  • The only way you can catch the squid traffic is on WAN by using floating rules... this is still hackery and not really a stable setup. (But by all means, try and succeed or fail.)

    - You can either get pure failover by using default-gateway-switching (System: Advanced: Miscellaneous)

    - You can load balance WITHOUT failover using squid3 "acl random" (https://forum.pfsense.org/index.php?topic=66822.msg457770#msg457770)

    Or you put squid on a different device inside your LAN and everything will work fine.

  • I have read loads of threads suggesting that Squid is only on the WAN - but when I set the tcp_outgoing_interface in squid to a local lan address (an alias anyway on the LAN nic), the netstat output shows to be on the LAN address and not the WAN.

    Is this reported incorrectly by netstat? I was after some suggestions with respect to how I can prove or disprove that setting the squid tcp_outgoing_interface configuration and using normal LAN rules works or otherwise.

    I like to pursue this as I cannot find any other threads or information about this as a possible solution or a complete no-go. At least then there is a reference for anyone else attempting a similar scenario.

    NOTE: I am not using CARP (I think this is the feature where all traffic has to be routed via Squid). And this is not my use case as I like the ability to bypass squid also.
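    One way to check, from the firewall's own socket table, which local address Squid's outbound connections actually use. This is an added example, not from anyone in the thread; it parses a constructed BSD-style `netstat -an -p tcp` sample and assumes hypothetical addresses (LAN VIP 192.0.2.253 as the tcp_outgoing_address, WAN 198.51.100.10, proxy port 3128). Listening sockets are deliberately ignored, since they say nothing about the source address of outgoing connections.

```shell
#!/bin/sh
# Constructed sample of BSD `netstat -an -p tcp` output (the format pfSense uses).
# Assumed, hypothetical addresses: 192.0.2.253 = LAN virtual IP used as
# tcp_outgoing_address, 198.51.100.10 = WAN address, 192.0.2.50 = a LAN client.
SAMPLE='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.0.2.253.51230      93.184.216.34.443      ESTABLISHED
tcp4       0      0 198.51.100.10.51231    93.184.216.34.80       ESTABLISHED
tcp4       0      0 192.0.2.1.3128         192.0.2.50.49200       ESTABLISHED
tcp4       0      0 *.3128                 *.*                    LISTEN'

# Count ESTABLISHED connections whose LOCAL address is $1, excluding the
# proxy's own listening port so inbound client sessions are not counted.
# On a live box replace `printf ... "$SAMPLE"` with `netstat -an -p tcp`.
count_outbound_from() {
  printf '%s\n' "$SAMPLE" | awk -v addr="$1" -v proxyport="${2:-3128}" '
    $NF == "ESTABLISHED" {
      # BSD netstat joins address and port with a dot: split off the last field
      host = $4; sub(/\.[0-9]+$/, "", host)
      port = substr($4, length(host) + 2)
      if (host == addr && port != proxyport) c++
    }
    END { print c + 0 }'
}

# Report which address carries the outbound web traffic.
vip_count=$(count_outbound_from 192.0.2.253)
wan_count=$(count_outbound_from 198.51.100.10)
echo "outbound from LAN VIP: $vip_count, from WAN: $wan_count"
```

    If the count on the WAN address stays at zero while the VIP count rises, tcp_outgoing_address is being honoured; whether the LAN rule then routes those packets via the gateway group is a separate question that this check does not answer.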

  • @heper:

    -you can either get pure Failover by using default-gateway-switching (System: Advanced: Miscellaneous)

    After searching, reading and trying a lot of configuration, I had no success getting a 'simple failover' on i386 pfSense 2.2.2 with squid 2.7.9 pkg v 4.3.6.

    The default-gateway-switching didn't seem to work.

    All I've done only led to no internet connection (without a proxy configured in Firefox or Internet Explorer) and no ping etc. from the clients.

    The best result was an internet connection via proxy configuration of the client browser AND ping from pfSense to any website.

    So basically the 2nd WAN IS working if the 1st is offline, but I wasn't able to find the (probable) mistakes in configuring this.

    If you (or any other member) have any advice or hint, possibly a pointer to a document or anything else, it will be very appreciated.

    Thank you.

  • Virtual IPs don't seem to be affected by the LAN rules. However they do trigger floating rules. If you set a floating rule on the LAN interface from the Virtual IP to change the gateway, it may have a better chance of working since it's early in the chain. Floating rules on WAN don't work for changing the gateway.
