Set-up pfSense transparent Web Proxy with failover on multi-WAN links.
Author: Dimitri Souleliac, CISSP (dimitri.souleliac [at] gmail.com)
Date: November, 2012
pfSense Ver.: 2.0-RC1 (built on Sat Feb 26 15:30:26 EST 2011)
NETWORK DIAGRAM
PREREQUISITES / DNS CONFIGURATION
Since I wrote the first "pfSense Squid Web Proxy with multi-WAN links" in May 2011, I have noticed an issue with DNS.
When my default gateway failed, the following problems appeared:
- the SQUID proxy no longer works
- the pfSense configuration interface becomes very slow
- DNS resolution does not work (or is very slow): https://PFSENSE_IP/diag_dns.php
1/ Configure two open DNS servers (Google DNS: 8.8.8.8 and L3 DNS: 4.2.2.2), with no gateway.
2/ Force these DNS servers in the Proxy Server config (may not be required, but it might help).
3/ Create a new floating rule so that DNS resolution fails over correctly (**most important thing**).
Testing
Unplug the WAN1 or WAN2 router and test it:
https://PFSENSE_IP/diag_dns.php
STEP-BY-STEP HOWTO
1°) Configure your WAN1 and WAN2 interfaces (static IP or DHCP) and Gateways correctly.
WAN1 example:
WAN2 example:
Test your gateway (ping the router).
2°) Configure your DNS servers in the “General Setup” tab
Example:
Some explanations:
- The WAN1 provider uses 2 DNS servers. I configure the correct gateway to reach these DNS servers.
- The WAN2 provider uses the gateway itself as DNS server (!). In this case, I did not configure a gateway to reach the DNS server.
3°) Configure a “Gateway group” in “Routing” tab
Check the existing gateways (you may already have one marked as “Default Gateway”). As monitor IP, I use the DNS servers of the providers.
Click on “Groups” and add one:
- choose Tier 1 and Tier 2 to prioritize one gateway (failover),
- or choose the same priority for both (load-balancing).
In my opinion, “Packet Loss” is a good trigger.
Result:
4°) Set up firewall rules
Set up a “Floating” rule with the following parameters (for the HTTP proxy):
Explanations:
- Floating rules apply to multiple interfaces,
- Choose your WAN1 and WAN2 interfaces, and direction “out”,
- Choose “HTTP” as destination port,
- Specify the gateway as “MULTIWAN” (the most important thing!).
Result:
Set up a “Floating” rule with the following parameters (for DNS resolution):
5°) Set up manual Outbound NAT (AON option)
In the “NAT” tab, check “Manual Outbound NAT rule generation”.
Then, add 2 mappings, one for the WAN1 and one for the WAN2 interface:
- Protocol = any
- Source = any
- Destination = any
- Translation = Interface address
6°) Configure Squid Web Proxy correctly (the tricky part!)
I assume that you have installed the Squid package. In my case, I also installed SquidGuard (filtering) and LightSquid (reports). In the “Proxy server” tab / General settings, add the loopback interface:
I also use a “transparent proxy”. If you choose to activate this option, you must change the port of the pfSense Web GUI (HTTPS instead of HTTP) in the “Advanced” tab. Then, add a Custom Option at the bottom of the page:
tcp_outgoing_address 127.0.0.1;
Don’t forget to end with a semicolon.
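As an added example (not part of the original howto), this is what the relevant part of the generated squid.conf looks like once the settings above are applied; the LAN subnet 192.168.1.0/24, the pfSense LAN address 192.168.1.1 and the proxy port 3128 are assumed values.

```squid
# Added example, not from the original howto. Assumed values: LAN is
# 192.168.1.0/24, the pfSense LAN address is 192.168.1.1, proxy port is 3128.

# Listen on the LAN interface in transparent (intercepting) mode and on
# the loopback interface added under "Proxy server" / General settings.
http_port 192.168.1.1:3128 transparent
http_port 127.0.0.1:3128

# Prerequisite step 2: make Squid query the two open resolvers directly
# instead of relying on the system resolver.
dns_nameservers 8.8.8.8 4.2.2.2

# The "Custom Options" line from step 6 (pfSense turns the trailing ";"
# into a line break here). Outgoing connections are sourced from
# 127.0.0.1, so they match the floating "out" rules on WAN1/WAN2 and are
# policy-routed through the MULTIWAN gateway group; the manual outbound
# NAT mappings from step 5 then translate 127.0.0.1 to the active WAN
# interface address.
tcp_outgoing_address 127.0.0.1

# Only proxy for the LAN; refuse everything else.
acl localnet src 192.168.1.0/24
http_access allow localnet
http_access deny all
```

If a WAN outage still leaves Squid hanging, check the dns_nameservers line first: without it, Squid inherits the system resolver order, which is exactly what the floating DNS rule is meant to keep working.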
7°) Test it!
- Open your favorite web browser (Firefox) and go to “http://myip.dk”.
- Unplug the “Tier 1” router and reload the page. Your IP address may change in case of failover.