Discussion:
[pfSense] Transparent Squid with Multiwan on 2.1.3?
Yannis Milios
2014-08-01 11:23:00 UTC
Hello,

I have pfSense 2.1.3 with 2 Wan links + 1 Lan.
I have squid+squidguard packages installed.
Squid is working in transparent mode.
Is there a way to make Squid redirect http connections on Wan2 in case Wan1
is down?
I am mainly interested in failover and not so much in load balancing http
connections.

Thank you
Yannis
compdoc
2014-08-01 14:30:54 UTC
Post by Yannis Milios
Is there a way to make Squid redirect http connections on Wan2 in case Wan1 is down?
I'm setting up my first dual-wan firewall for a customer. No load balancing because one wan is a lot faster than the other, so just fall-over with a gateway group.

It looks to me as though squid listens on the lan port, and doesn’t care which wan is operating. I'll know more when I put this server into operation in a few days...
Nishant Sharma
2014-08-01 14:48:56 UTC
Post by Yannis Milios
Is there a way to make Squid redirect http connections on Wan2 in
case Wan1 is down?
It is simple. Squid sends traffic through the default gateway without any specific configuration.

Just enable 'Default Gateway Switching' in System -> Advanced Settings and you are good to go.

Regards,
Nishant
Yannis Milios
2014-08-01 16:41:31 UTC
Tried that option but it does not seem to work.
When I disconnect wan1 I get the following error on the client's browser:

"Connection to Failed
The system returned:

(49) Can't assign requested address"

With Squid disabled, fail over works as expected.
Maybe Squid is using a different mechanism to handle gateways?

I read different kinds of posts on the forum about this issue.
There are people suggesting creating "Floating rules", inserting
"tcp_outgoing_address 127.0.0.1" in the Squid configuration, but none of them
seem to work.

Yannis Milios
compdoc
2014-08-02 19:46:05 UTC
Post by Yannis Milios
With Squid disabled, fail over works as expected.
In the lab I created to test this machine, I have squid with havp set to transparent. Also have snort. I don’t use squidguard.

If I disconnect wan #1, most browsers will time out. But I can often just refresh to get them going again. Squid never complains.

There are a couple of remote clients and programs that have to be closed and then opened again after the gateway fails. (maybe because they cache something?)

I'm pretty happy with it.
Post by Yannis Milios
(49) Can't assign requested address
What is your client connecting to? Is it some sort of secure remote session? A disconnect cannot be avoided with any type of secure connection. You're changing external ip addresses when it falls over, after all.

Are you able to recover normal connections to google or youtube, etc.? Close the browser and try again after waiting for the switch to happen.

There are settings for how long it takes pfSense to decide a gateway is down, and how it determines it's down. I use just 'packet loss'.
Yannis Milios
2014-08-03 10:20:18 UTC
OK, I've managed to get it working.
The problem was that, apart from the 2 gateways, I had also defined 2 additional
gateways (not for internet) and associated static routes to them.
Deleting and putting them below wan1 and wan2 did the trick.

Thank you for your help!
Yannis
