Multi-WAN, Squid, SquidGuard - Working, but one small problem ("blocked" page)
-
I'm testing a pfSense 2.2.2 system with Multi-WAN, Squid (transparent) and SquidGuard (+ Captive Portal, to make things more interesting), and so far everything is working fine.
I've designed a custom SquidGuard "blocked"-page which is stored on a separate Linux system. The custom error page showed up fine, until I've setup Multi-WAN and the "special Squid options" ("tcp_outgoing_address 127.0.0.1", floating rule for DNS). As soon as "tcp_outgoing_address 127.0.0.1" is in Squid's config, I receive a "(49) Can't assign requested address" error message from Squid when I'm trying to open a blocked site. The custom "blocked" page is not displayed. When I remove the "tcp_outgoing_address 127.0.0.1" directive, the custom "blocked" page works again, but traffic isn't balanced between the WANs. The internal "blocked" page is working fine, but I'd rather use my custom one because of the security warnings in the client browsers (I'm using https for the pfSense web interface). I'm aware there are ways of "patching" pfSense system files to show a custom "blocked" page and/or display this one page over http instead of https, but I'd rather not change any system files.
I've already tried setting IPs and hostnames for the "blocked" page, and setting some additional DNS entries. This didn't make the "blocked" page work, and I can't figure out what the problem is (very little info on the error message on the web, too). I suspect it's a routing thing. Could you guys help me with this problem?
EDIT: looks like I've solved it myself after all, by using these lines in Squids "Custom ACLS (Before_Auth)" field:
acl NetzIntern src 192.168.0.0/16 acl NetzIntern src 10.0.0.0/8 acl NetzIntern src 172.16.0.0/12 tcp_outgoing_address [pfsense IP] NetzIntern tcp_outgoing_address 127.0.0.1 -
How did you make squid3 multiwan load balance, if you can explain i will be glad .
Thank you .
-
maxteo asked in a PM how I managed Multi-WAN with Squid, so here's the basic steps from what I remember (the info is all in the forums and on the web, unfortunately there doesn't seem to be a comnplete, detailed, and up-to-date howto anywhere):
-
My system already had a working Squid in transparent mode (pfSense 2.2.2, packages always up-to-date) for a single WAN. Later, I added a second WAN interface
-
After adding the second WAN I setup Load Balancing/Failover: verified WAN1 and WAN2 interface settings, created a Gateway group with both WAN interfaces on Tier 1
-
Squid is bound only to LAN interfaces (in Squid General Settings and Transparent Proxy Settings), not to localhost as some old howtos suggest
-
Added tcp_outgoing_address 127.0.0.1 to Custom Settings/Custom ACLS (Before_Auth) (plus the acl settings from my previous post in this thread, but those are not needed for load balacing to work). I'm pretty sure that Squid was using only one WAN until I've added the tcp_outgoing_address 127.0.0.1 directive
-
Added a LAN firewall rule to send all non-RFC1918 traffic to the gateway group (again, this probably isn't important for Squid Load Balacing)
-
Added a Floating Rule to send DNS traffic (Port 53 TCP+UDP) to the Gateway Group (got this one from some howto on the web, not entirely sure if it's needed at all)
That's about it I think. For testing, I've installed Deluge on a machine on the LAN, set Squid as proxy server, and started a large Torrent with many seeders (in this case, a Ubuntu DVD ISO). According to the traffic monitors, both WANs are used up to their physical limits. During "normal" usage, WAN1 is utilized much more than WAN2, I'd say the ratio is about 3:1. So the result isn't an even distribution of traffic over all WANs like one would expect, but I guess that's a result of the connection-based Round Robin method used in pfSense. The system has been working like this for several weeks now, without any problems (besides some OpenVPN stuff which isn't important here).
-
-
Thank you SaschaITM,
I installed 2.1.5 amd64 pfSense version and squid3-dev with squidGuard-dev version. I have 4 WiiMax Modem and i created group of router with Tier 1 than i create one rule from Firewall Lan Rules Tab i selected that Gateway for all lan network. I add custom options as you mentioned tcp_outgoing_address 127.0.0.1 but it doesn't work :( I didn't understod Added a Floating Rule to send DNS traffic (Port 53 TCP+UDP) to the Gateway Group (got this one from some howto on the web, not entirely sure if it's needed at all) this part ? Can you explain detail please ?
And i tried as so many forum post member explain : acl loadbalance random 0.5 and than tcp_outgoing_address wan ip adress for four modem its working but not well. Because when i use this custom options it means for each modem use randomly 0.5 percentage of the speed ? That meaning its not loadbalance :) Or multiwan ?
Thank you ,
-
@firatnemis @SaschaITM Hi guys were you able to solve this issue?
with the new pfSense would be the same concept?