igmic
« Reply #30 on: March 15, 2011, 12:24:59 pm »
Didn't work for me either.
|
3dinfluence
« Reply #31 on: March 15, 2011, 02:44:45 pm »
> I just put a patch that will include localhost (127.0.0/8) on the default NAT rules so AON will not be needed anymore in the configuration. Should be easier now by just creating a floating rule and selecting the gateway group on it.

Is this patch now in the public RC1 builds? I have the build from Tue Mar 15 08:53:58 EDT 2011, and when I go into the NAT rules and AON I'm not seeing any default rules for 127.0.0/8.
|
dave99
« Reply #32 on: March 15, 2011, 06:04:55 pm »
Is there anyone trying to do this with multiple VLANs as well? I had it working per the various posts in this thread, but it broke my ability to get to HTTP sites on other VLANs. I think having squid use 127.0.0.1 is what breaks it.
|
onkeldave83
« Reply #33 on: March 16, 2011, 10:19:07 am »
And what if I also use HAVP as a parent to squid? In this case:

    tcp_outgoing_address 127.0.0.1
    never_direct allow all
    cache_peer 127.0.0.1 parent 4444 0 name=havp no-query no-digest no-netdb-exchange default
    redirect_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf
    redirector_bypass on
    redirect_children 3

What about the cache peer to loopback?
|
nassman
« Reply #34 on: March 18, 2011, 07:19:28 am »
Still doesn't work. What is the solution?
|
rubic
« Reply #35 on: March 18, 2011, 07:55:27 am »
Heper, thanks for your guide! What advanced option is used in the "matching rule, to stop balance twice" floating rule? I used TCP flags: out of: SYN. It works!
|
heper
« Reply #36 on: March 21, 2011, 03:24:17 am »
rubic: it's possible to 'mark' packets when they hit one of your rules. Afterwards you can "search" for those packets using other rules, sort of. So basically I use a floating rule to push all HTTP traffic through the gateway group; at the same time I 'mark' them. I put another floating rule IN FRONT of my load-balance rule and added the option 'quick'; there I push packets out without going through the gateway group, and there I specify to 'match' the packets I 'marked' in my secondary rule. See this
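An added illustration, not from this thread and not pfSense's generated ruleset, of the two floating rules heper describes written in plain pf.conf syntax using pf's tag/tagged mechanism. The interface names, gateway addresses, tag name and round-robin pool are assumptions; pfSense builds its own rules from the GUI and its customized pf(4) may behave differently on the second pass.

```pf
# Added example, not from the thread: heper's two floating rules as plain
# pf.conf. Interface names, gateways, the tag name and the round-robin pool
# are assumptions (a failover tier would be a single route-to target).
wan_if    = "em0"
optwan_if = "em1"
wan_gw    = "198.51.100.1"
optwan_gw = "203.0.113.1"

# Rule 1 ("in front", with 'quick'): a packet that already carries the tag
# was policy-routed once; pass it out on whichever WAN it now leaves on
# without applying the gateway group a second time.
pass out quick on { $wan_if $optwan_if } proto tcp to any port 80 \
    tagged SQUID_LB keep state

# Rule 2 (the load-balance rule): squid's outgoing HTTP, bound to loopback,
# is pushed through the gateway group and tagged so that rule 1 recognises
# it when pf re-evaluates the packet on the chosen WAN interface.
pass out on { $wan_if $optwan_if } \
    route-to { ($wan_if $wan_gw), ($optwan_if $optwan_gw) } round-robin \
    proto tcp from 127.0.0.1 to any port 80 tag SQUID_LB keep state
```

Rule order matters: the tagged 'quick' rule must be evaluated before the route-to rule, otherwise the re-evaluated packet would be policy-routed again, which is the double-balancing rubic observed.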
|
rubic
« Reply #37 on: March 21, 2011, 03:38:29 am »
Hm... will think about it... However, looking at the pf packet flow diagram, I wonder if the floating load-balance rule can fire twice. By the way, in my case your solution works even without binding squid to loopback.
|
rubic
« Reply #38 on: March 22, 2011, 12:22:35 am »
heper, you were right! When the default WAN is down, an outgoing packet hits the rule twice (both on the WAN and the OPT-WAN interface). If you don't mind, I would like to translate your how-to for the Russian pfSense community. Thanks!
|
ermal
« Reply #39 on: March 22, 2011, 03:19:11 am »
It hits it twice but really it does not execute the policy routing the second time. Only the nat rules are executed.
|
rubic
« Reply #40 on: March 22, 2011, 08:02:29 am »
> Only the nat rules are executed.

There is one moment with NAT that is unclear to me. According to the pf packet flow diagram (http://homepage.mac.com/quension/pf/flow.png), filtering happens after SNAT. That's why in the rule log we see: if:WAN src:WAN IP -> dst:remote host IP. But when a packet rerouted by the policy routing rule reaches the OPT-WAN outgoing chain (assuming WAN is down), its source address appears magically restored to 127.0.0.1. Which block on the diagram does that?
|
heper
« Reply #41 on: March 22, 2011, 03:00:09 pm »
My "how-to" can be translated into any language ... its only purpose was to return the info I got from ermal to the community.
|
ermal
« Reply #42 on: March 22, 2011, 03:23:10 pm »
rubic, it's pfSense's customized pf(4), by me. This functionality cannot be done with standard pf(4), at least the version that is used on FreeBSD, without too much tinkering.
|
rubic
« Reply #43 on: March 23, 2011, 03:20:52 am »
> rubic, it's pfSense's customized pf(4), by me. This functionality cannot be done with standard pf(4), at least the version that is used on FreeBSD, without too much tinkering.

Ok, now I see. Thank you for your work! Translated: http://forum.pfsense.org/index.php/topic,34810.0.html
|
lnaimi
« Reply #44 on: March 24, 2011, 09:26:11 am »
Ok, the guide works with FailOver, but what about LoadBalance? Thanks