
Author Topic: [Solved] Router Transparent Forward Proxy Squid EXTREMELY slow  (Read 323 times)


Offline justsomeguy

  • Newbie
  • *
  • Posts: 7
  • Karma: +0/-0
[Solved] Router Transparent Forward Proxy Squid EXTREMELY slow
« on: December 19, 2017, 08:18:07 am »
Let me start by saying I'm new to nearly all of this.

I'm trying to do a proof of concept in a host with 2 VMs and 2 NICs before buying hardware, see the attached diagram. The goal is to use this in a lab setup where stuff of various OSs and configurations come and go without having to manually adjust settings or get on/off the larger corporate network.

Our corporate network requires traffic be routed through a (manually configured in each client) proxy for any HTTP and HTTPS requests. For HTTPS, the corporate proxy just forwards it; it doesn't intercept.

What I'm trying to do is set up pfSense as a router that transparently forwards all HTTP and HTTPS requests to the upstream proxy server from any connected clients.

I'm ignoring the HTTPS part for the moment because that's a can of worms I'm not ready for yet.

I set up the DHCP and DNS and that all seems to work. I installed Squid and believe I have it set up correctly. The weird part is that it seems to be working, just EXTREMELY slowly for external websites, like wget was showing 500 B/s for http://www.cnn.com. Corporate LAN websites load quickly without issue and they are not bypassing the proxy.

I checked the CPU load in pfSense and it's not more than like 25% ever. I set the cache to null since I don't want to cache, only forward. I tried various combinations of the via and x-forward settings without any change in results.

I'm running pfSense 2.4.2, which I downloaded and installed yesterday.

Open to any help I can get.
Thanks.
« Last Edit: December 21, 2017, 11:51:17 am by justsomeguy »

Offline sichent

  • Jr. Member
  • **
  • Posts: 56
  • Karma: +9/-0
Re: Router Transparent Forward Proxy Squid EXTREMELY slow
« Reply #1 on: December 19, 2017, 01:19:52 pm »
Slow Squid is usually a sign of DNS misconfiguration these days :(

Offline justsomeguy

Re: Router Transparent Forward Proxy Squid EXTREMELY slow
« Reply #2 on: December 19, 2017, 01:34:48 pm »
I have DNS resolver and forwarder disabled on the pfSense. The pfSense DHCP passes the same DNS that is used on the corporate LAN. Using nslookup in the client seems to work just fine for internal and external addresses. Thoughts?

Offline KOM

  • Hero Member
  • *****
  • Posts: 5508
  • Karma: +681/-23
Re: Router Transparent Forward Proxy Squid EXTREMELY slow
« Reply #3 on: December 19, 2017, 03:06:55 pm »
Shell in and run:

Quote
squidclient -h LAN_IP_ADDRESS -p 3128 mgr:info

and look at the Median Service Times.  See if anything looks out of order.
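One way to read the Median Service Times block that Reply #3 asks for, as an added example that is not part of the original post: it separates slow DNS lookups from slow cache misses (upstream proxy or origin). The thresholds, function names and sample figures are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: triage the "Median Service Times" block of Squid's mgr:info.
# Thresholds below are illustrative assumptions, not Squid defaults.
DNS_MAX=${DNS_MAX:-0.5}     # seconds; above this, suspect the resolver
MISS_MAX=${MISS_MAX:-2.0}   # seconds; above this, suspect upstream proxy/origin

# Reads mgr:info text on stdin and prints one verdict:
# dns-slow, upstream-slow, ok, or no-data.
triage_service_times() {
    awk -v dns_max="$DNS_MAX" -v miss_max="$MISS_MAX" '
        /Median Service Times/ { in_block = 1; next }
        # The block ends at the first line that is not an indented
        # "name: five_min sixty_min" row.
        in_block && !/^[ \t]+[^:]+:[ \t]+[0-9.]+[ \t]+[0-9.]+/ { in_block = 0 }
        in_block {
            n = split($0, parts, ":")
            name = parts[1]; gsub(/^[ \t]+/, "", name)
            split(parts[n], v, " ")       # v[1] = 5 min median, v[2] = 60 min
            five[name] = v[1] + 0
            seen = 1
        }
        END {
            if (!seen) { print "no-data"; exit }
            if (five["DNS Lookups"] + 0 > dns_max + 0) print "dns-slow"
            else if (five["Cache Misses"] + 0 > miss_max + 0) print "upstream-slow"
            else print "ok"
        }'
}

# Constructed sample: fast DNS, very slow misses.
sample_info() {
    cat <<'EOF'
Median Service Times (seconds)  5 min    60 min:
    HTTP Requests (All):  12.50000  9.80000
    Cache Misses:         12.50000  9.80000
    Cache Hits:            0.00000  0.00000
    DNS Lookups:           0.02000  0.03000
Resource usage for squid:
EOF
}

# Live use on the firewall:
#   squidclient -h LAN_IP_ADDRESS -p 3128 mgr:info | triage_service_times
sample_info | triage_service_times
```
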

Offline justsomeguy

Re: Router Transparent Forward Proxy Squid EXTREMELY slow
« Reply #4 on: December 19, 2017, 03:36:05 pm »
Looks like I'm going to have a noob response to your question, it says access denied....

(see attachment)

Offline justsomeguy

Re: Router Transparent Forward Proxy Squid EXTREMELY slow
« Reply #5 on: December 19, 2017, 03:53:47 pm »
I'm also confused to report that, without any changes, wget and apt-get work in the terminal with good speed, but websites in the browser either spin or get the Squid timeout page, like www.cnn.com and neverssl.com respectively.

Offline KOM

Re: Router Transparent Forward Proxy Squid EXTREMELY slow
« Reply #6 on: December 19, 2017, 03:58:02 pm »
Services - Squid - Local Cache - External Cache Managers.  Make sure that 127.0.0.1 and your PC's LAN IP address are in the list separated by a semicolon and try again.  I can't answer your questions since I know nothing about your configuration.

Offline justsomeguy

Re: Router Transparent Forward Proxy Squid EXTREMELY slow
« Reply #7 on: December 19, 2017, 04:13:21 pm »
Adding the IP where you suggested fixed that access denied issue. Attached is the section with the median response times.

I've installed Chromium on the client and potentially learned 2 new things. CNN, even though not encrypted, still has some SSL resources which I think are slowing the page down when loading in the browser, but not wget. neverssl seems to load fine in Chromium, which I suspect means that Firefox and Chromium are doing different things with the headers??

Is there a way to disable the in-memory cache just to get things set up?

Thanks a lot for the help btw.

Offline justsomeguy

Re: Router Transparent Forward Proxy Squid EXTREMELY slow
« Reply #8 on: December 19, 2017, 04:17:52 pm »
I take part of my last post back, there's some intermittency for sure. neverssl won't load in Chromium now and wget now returns 503.

Offline KOM

Re: Router Transparent Forward Proxy Squid EXTREMELY slow
« Reply #9 on: December 20, 2017, 07:54:58 am »
It's not a DNS issue, which it often is.  Probably something else in your config.  I only use squid as a platform for squidguard.  I don't do any caching.

You can't totally disable memory caching.

Offline justsomeguy

Re: Router Transparent Forward Proxy Squid EXTREMELY slow
« Reply #10 on: December 21, 2017, 11:50:59 am »
Thanks. Today the issue returned and, being suspicious, I checked on another computer bypassing my whole pfSense setup (directly on corporate LAN) and the same issue exists. I'm confident it is an issue with the upstream proxy.

I'm going to mark this thread as solved, but I'm sure I'll be back in a day or 2 with a new issue as I try and bring this thing up. Thanks for the help, seems like a strong community.  :)