Thursday, August 16, 2012

Setting Up pfSense 2.x with Multiple WAN Connections and Squid in Transparent Mode

Setting up pfSense with multiple WAN connections configured for failover is easy. Setting one up on a pfSense box that also runs the Squid proxy package is not obvious - in fact, there is a lot of conflicting information. Ultimately http://forum.pfsense.org/index.php/topic,38882.0.html provided the answers I was looking for.

Interesting Note 27-Aug-2012: This configuration broke the ability of the package manager to check the repository and install packages, resulting in unpredictable behavior at best. To work around it you must disable the Transparent Proxy, disable Allow Users on Interface, and disable the new floating rule that enables Squid to function.

Update 15-Oct-13: The proper floating firewall rule, plus adding your DNS servers to the Squid General configuration page, will fix the broken updates. The floating firewall rule you must create is: Pass, select your WAN and Opt1 (or whatever you called your public interfaces), direction: Out, protocol: TCP, Source: Any, Destination: Any, Destination Port Range: HTTP, then under Advanced, Gateway: select your failover group.
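To make the GUI rule above concrete, here is the pf.conf-style rule it boils down to. This is an added illustration, not the ruleset pfSense generates (pfSense writes /tmp/rules.debug itself from the GUI settings); the interface names, gateway addresses and the macro name are placeholders I chose, and the exact text pfSense emits for a gateway group differs in detail.

```pf
# Added illustration of the floating rule from the post, in pf.conf syntax.
# Placeholders: interface names, gateway addresses (TEST-NET ranges) and the
# macro name are assumptions, not values from a real pfSense install.
wan_if  = "em0"            # placeholder: WAN interface
opt1_if = "em1"            # placeholder: OPT1 interface
wan_gw  = "203.0.113.1"    # placeholder: WAN next-hop gateway
opt1_gw = "198.51.100.1"   # placeholder: OPT1 next-hop gateway

# A failover gateway group: only the highest-priority gateway that is
# currently up is used. pfSense regenerates the ruleset when a gateway
# changes state, so the route-to target below is swapped to $opt1_if/$opt1_gw
# when the WAN gateway is marked down.
GWFailover = "route-to ($wan_if $wan_gw)"

# Floating rule, direction Out, on both public interfaces:
# Pass / TCP / Source Any / Destination Any / Destination Port HTTP /
# Advanced > Gateway = failover group.
# "quick" is what makes a floating rule win over per-interface rules, and a
# packet that matches a quick rule is not evaluated against later rules, so
# Squid's outbound request does not loop: it is sent out via the selected
# gateway regardless of which interface the routing table would have chosen.
pass out quick on { $wan_if $opt1_if } $GWFailover inet proto tcp \
    from any to any port 80 flags S/SA keep state
```

The companion fix from the update, giving Squid its own DNS servers on the General page, corresponds to Squid's `dns_nameservers` directive in squid.conf (that the pfSense package writes that directive from the General page is my assumption). It matters here because Squid resolves the destination itself before the rule above ever sees the connection, so if resolution goes out a dead gateway the proxy fails even though the HTTP traffic would have failed over correctly.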


5 comments:

Cisco said...

Can you please post some screenshots?
That pfsense forum link is also useless without the screenshots. I have been trying to get this to work.

Justin said...

I don't have access to a firewall running this scenario, but let me expound on what was done (no screenshots required):

1. I did this years ago and this may not work in 2.2.
2. Create a transparent Squid Proxy and make certain to give it DNS entries to look up - according to the forums this makes DNS for Squid more reliable in multiway situations.
3. Here's the secret sauce: you're going to create a floating rule which captures all outbound HTTP traffic and forces it out of a certain gateway. In your case this will be your failover group. The rule will read (in order of property box): Pass, select BOTH your WAN and Opt1 (or whatever you called your public interfaces), direction: Out, protocol: TCP, Source: Any, Destination: Any, Destination Port Range: HTTP, then under Advanced, Gateway:

Your Squid proxy will listen on the LAN adapter, churn out a request, make the request out the WAN adapter (usually) then be captured by the floating rule which will then redirect it out of whichever adapter is the gateway at that time.

Anonymous said...

Hi,

have you tried the new method or is this just an educated guess?

Justin said...

Both - I succeeded in making this go years ago under 2.0.x. A few nights ago I reread all of the currently available documentation and forum posts regarding this setup in newer versions and I have listed the steps in light of the new information. This scenario looks as if it would loop the packets inside of the pfSense, but my understanding is that once a packet is matched to a rule it is sent on without having to go back through the rules again.

Also, after the phrase Advanced, Gateway: you should choose your MultiWan failover/balancing group.

You may take this back to http://forums.pfsense.org and open a new thread or perhaps hit up the pfSense group on LinkedIn - they're a very motivated and helpful bunch.