Netgate m1n1wall

Author Topic: SQUID and Load Balancing doesn't work!!!! I tried for a week but nothing :'(  (Read 13930 times)

0 Members and 1 Guest are viewing this topic.

Offline vito

  • Full Member
  • ***
  • Posts: 180
  • Karma: +0/-0
    • View Profile

Does anyone have this working with Squid and HAVP?
thanks

Offline nassman

  • Jr. Member
  • **
  • Posts: 78
  • Karma: +0/-0
    • View Profile
Please i need the arrange steps, how to setup squid with load balance

Offline heper

  • Hero Member
  • *****
  • Posts: 673
  • Karma: +0/-0
    • View Profile
Please i need the arrange steps, how to setup squid with load balance

i'm having the same problem .... once i figure it out with ermal's help i'll write a simple how-to.

for now all i can accomplish is failover with custom scripting.
with the latest snapshot its possible to use the tcp_outgoing_adress directive in squids config in combination with a floating rule to get it working. changing the outgoing adress from WAN1 ip to WAN2 ip when either of them goes offline should be possible with fairly easy scripting.

i haven't been able to get any loadbalancing to work tho ... but its very well possible i just don't have enough braincells

Offline nassman

  • Jr. Member
  • **
  • Posts: 78
  • Karma: +0/-0
    • View Profile
I try apply the above setting, but i fail, the load balance and squid not work.
why not there any standard documents?

Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 14976
  • Karma: +4/-0
    • View Profile
I try apply the above setting, but i fail, the load balance and squid not work.
why not there any standard documents?


Because nobody that has made it work has taken the time to write out any. :-)

It's a new feature of 2.0 and only recently has it been proven to work at all for some people... Once the config is documented it'll be on the doc wiki, but until someone in a position to (a) make it work and (b) write it out in a way people can follow, some patience is needed.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Offline nassman

  • Jr. Member
  • **
  • Posts: 78
  • Karma: +0/-0
    • View Profile
thanks

Offline heper

  • Hero Member
  • *****
  • Posts: 673
  • Karma: +0/-0
    • View Profile
I try apply the above setting, but i fail, the load balance and squid not work.
why not there any standard documents?


Because nobody that has made it work has taken the time to write out any. :-)

It's a new feature of 2.0 and only recently has it been proven to work at all for some people... Once the config is documented it'll be on the doc wiki, but until someone in a position to (a) make it work and (b) write it out in a way people can follow, some patience is needed.


Would you happen to know who those people are who got it to work, and how to get in touch with them ?

Offline OyyoDams

  • Jr. Member
  • **
  • Posts: 36
  • Karma: +0/-0
    • View Profile

I'll try to write a howto later, but I haven't tested failover. In fact, my WAN interface goes directly to my ISP, and my OPT1 is an openvpn connexion to an alternative ISP.
Default gateway is WAN, but when the VPN connexion is established, the default gateway becomes OPT1.
So my goal was to route some addresses to WAN instead of OPT1 from the pfsense itself, because I use squid as transparent proxy, so http traffic is generated by pfsense, and so standard firewall rules (from LAN) can't be applied.

In my case here is how I got it to work:
1) add a floating rule with specific address as destination, and WAN gateway to force traffic on this gateway instead of OPT1
2) add a virtual IP alias on WAN interface, in WAN network range
3) add an outbound NAT rule, interface OPT1, source any, destination "the same specific address", NAT address "the virtual IP"

This last point is important, because if you only set the floating rule, traffic is sent from WAN interface, but with OPT1 address as source.

My english is not very good, so here is an example.
Imagine you want to reach http://my-i-p.com/ from WAN instead of VPN (OPT1) interface:
my-i-p.com ip address is 74.86.20.234
1) See step1 picture for floating rule
2) My WAN ip address is 192.168.0.1, let's add a virtual IP (for example 192.168.0.30) on this interface: see step2 picture
3) See step3 for NAT rule

Hope that helps you :)

This works on 30th november build. But it doesn't work with latest build (16th january).
It's very strange:
- I didn't change anything in my configuration
- I can't ping any address through WAN (i.e. 74.86.20.234)
- When I launch tcpdump, I see ping and echo reply, so the packet is sent and received back, but ping command doesn't see it
- When I revert back to 30th november it works again

Any idea ?

Offline ermal

  • Administrator
  • Hero Member
  • *****
  • Posts: 3361
  • Karma: +0/-0
    • View Profile
Anybody please upgrade to a snapshot of Feb 9 and after and just create a floating rule with direction out and a gateway pool and activate AON with source put to any.