Multi-WAN with squid3 proxy server



  • I understand that squid3 listens at port 3128 but how does it work in the background when incorporated in pfsense?

    So a computer in the LAN connects to the proxy server at port 3128. Then the squid3 proxy service receives the request and does the packet follow the policy-based routing rules of pfsense to know which WAN interface it will go out to?

    I have two WANs that are load balanced in a gateway group. And then I have a rule for that gateway group that routes outbound traffic with any destination address port. So if a request from a computer in the LAN is initiated, which really comes first the pfsense policy-based routing rules or squid3?

    I'm looking for network diagrams in the Internet that explains this but I can't find anything.



  • Are there new methods for pfsense 2.2.5 to make this work? I'm trying to implement the techniques mentioned in some of the old guides here but they don't seem to work. Specifically, what I did was to put "tcp_outgoing_address 127.0.0.1" in the custom options of the squid settings and then created a floating rule that would use my multi-wan gateway group but squid seems to still use the default gateway.

    Please help. Thanks.



  • Anyone please?



  • We are doing load-balancing but I'm not at work right now.
    I will look tomorrow and tell you how we're doing it.
    As far as I remember with regard to the rules the sequence is NAT, then floating, then interface group, then interface.

    https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order

    I will get back to you in the morning.

    Our setup may be a little more complicated, or not. We have multiple WANs and also multiple pfSense boxes.



  • Sure, thanks. I'll wait for your reply.



  • Do we have anything on this?



  • BUMP!



  • From what I know, squid will always use the default gateway in a multi-WAN config no matter what you do.



  • @KOM:

    From what I know, squid will always use the default gateway in a multi-WAN config no matter what you do.

    By default, yes. But there were "fixes" for this in past versions of pfsense. These don't work on the latest version though, and I don't really understand how they work (which is why I decided to make my own thread).

    If you think about it though, localhost services should have a way to use the multi-WAN gateway. pfSense itself, when downloading a firmware update, only uses the default gateway by default.



  • Anybody please?



  • Please help? Anyone? Is this not a valid question?



  • If nobody has responded then it usually means that nobody knows.



  • Have you ever tried the floating rules? There you can target the firewall itself as the source. I haven't tried this yet, but soon I'll have to.



  • @reinaldo.gomes:

    Have you ever tried the floating rules? There you can target the firewall itself as the source. I haven't tried this yet, but soon I'll have to.

    Yes, I did. If you've read post #2 of this thread, the details of the rule I've made are there.

