PfSense Web Proxy With Multi-WAN Links

This document provides steps to set up a transparent web proxy with failover on multiple WAN links using pfSense. It involves: 1) Configuring the WAN interfaces and gateways for each link and testing connectivity. 2) Configuring a gateway group in the routing table for failover between the links. 3) Setting up firewall rules to direct HTTP and DNS traffic through the gateway group. 4) Configuring Squid proxy and enabling the transparent proxy option.

Copyright
© Attribution Non-Commercial (BY-NC)

Set up pfSense transparent Web Proxy with failover on multi-WAN links.

Author: Dimitri Souleliac, CISSP (dimitri.souleliac [at] gmail.com)
Date: November, 2012
pfSense Ver.: 2.0-RC1 (built on Sat Feb 26 15:30:26 EST 2011)

NETWORK DIAGRAM

PREREQUISITES / DNS CONFIGURATION

Since I wrote the first "pfSense Squid Web Proxy with multi-WAN links" in May, 2011, I noticed some issues with DNS. When my default gateway failed, the following problems appeared:
- the Squid proxy stopped working
- the pfSense configuration interface became very slow
- DNS resolution did not work (or was very slow): https://PFSENSE_IP/diag_dns.php

1/ Configure two open DNS servers (Google DNS: 8.8.8.8 and L3 DNS: 4.2.2.2), with no gateway.

2/ Force these DNS servers in the Proxy Server config (may not be required, but it might help).

3/ Create a new floating rule so that DNS resolution fails over correctly (**most important thing**).

Testing
Unplug the WAN1 or WAN2 router and test it: https://PFSENSE_IP/diag_dns.php

STEP-BY-STEP HOWTO
1) Configure your WAN1 and WAN2 interfaces (static IP or DHCP) and gateways correctly. WAN1 example:

WAN2 example:

Test your gateway (ping the router).

2) Configure your DNS servers in the General Setup tab. Example:

Some explanations:
- The provider for WAN1 uses 2 DNS servers. I configure the correct gateway to reach these DNS servers.
- The provider for WAN2 uses the gateway itself as DNS server (!). In this case, I did not configure a gateway to reach the DNS server.

3) Configure a gateway group in the Routing tab

Check the existing gateways (you may have one as Default Gateway). As monitor IP, I use the DNS servers of the providers.

Click on Groups and add one:
- Choose Tier 1 and Tier 2 to prioritize a gateway (failover)
- or, choose the same priority (load-balancing)
In my opinion, Packet Loss is a good trigger.

Result:
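As an added example (not part of the original document), the following POSIX shell script models the decision a gateway group makes when Packet Loss is the trigger: it turns ping summary lines into a loss percentage and picks the lowest-tier gateway whose loss stays under a threshold. The gateway names WAN1_GW and WAN2_GW, the 20% threshold and the ping summary lines are assumptions constructed for illustration; pfSense's own gateway monitor is not reproduced here. Run it with --live to ping the monitor IPs instead of using the constructed samples.

```shell
#!/bin/sh
# Added example: gateway-group failover decision driven by packet loss.
# Assumptions (not from the document): gateway names WAN1_GW/WAN2_GW, a 20%
# loss threshold, and constructed ping summary lines standing in for the
# output of pfSense's gateway monitor.

# Extract the integer packet-loss percentage from a ping summary line
# (handles FreeBSD "40.0% packet loss" and Linux "40% packet loss" formats).
loss_pct() {
  printf '%s\n' "$1" | sed -n 's/.*, \([0-9.]*\)% packet loss.*/\1/p' | cut -d. -f1
}

# Pick the active gateway: the lowest tier whose loss is below the threshold.
# Usage: pick_gateway THRESHOLD name:tier:loss [name:tier:loss ...]
# Prints the gateway name, or "none" when every gateway exceeds the threshold.
pick_gateway() {
  threshold=$1; shift
  best=none; best_tier=99
  for entry in "$@"; do
    name=${entry%%:*}
    rest=${entry#*:}
    tier=${rest%%:*}
    loss=${rest#*:}
    if [ "$loss" -lt "$threshold" ] && [ "$tier" -lt "$best_tier" ]; then
      best=$name
      best_tier=$tier
    fi
  done
  printf '%s\n' "$best"
}

# Live mode: ping a monitor IP (the providers' DNS servers, as in the document)
# with 5 probes and reduce the output to the loss percentage. A host that never
# answers yields no summary line, which is treated as 100% loss.
live_loss() {
  summary=$(ping -c 5 "$1" 2>/dev/null | grep 'packet loss' || true)
  loss_pct "${summary:-5 packets transmitted, 0 received, 100% packet loss}"
}

if [ "${1:-}" = "--live" ]; then
  # 8.8.8.8 and 4.2.2.2 are the open resolvers named in the document; replace
  # them with your providers' DNS servers to mirror the gateway monitor IPs.
  pick_gateway 20 "WAN1_GW:1:$(live_loss 8.8.8.8)" "WAN2_GW:2:$(live_loss 4.2.2.2)"
else
  # Constructed samples: Tier 1 link lossy (40%), Tier 2 link healthy (0%).
  tier1_line="5 packets transmitted, 3 packets received, 40.0% packet loss"
  tier2_line="5 packets transmitted, 5 packets received, 0.0% packet loss"
  pick_gateway 20 "WAN1_GW:1:$(loss_pct "$tier1_line")" "WAN2_GW:2:$(loss_pct "$tier2_line")"
fi
```

With the constructed samples the script prints WAN2_GW, which is the failover outcome the group produces when the Tier 1 link exceeds the loss threshold; with both links healthy it returns to WAN1_GW, and with both over the threshold it reports none, the situation where neither link is usable.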

4) Set up firewall rules. Set up a floating rule with the following parameters (for the HTTP proxy):

Explanations:
- Floating rules apply on multiple interfaces.
- Choose your WAN1 and WAN2 interfaces, and direction out.
- Choose HTTP as destination port.
- Specify the gateway as MULTIWAN (the most important thing!).
Result:

Set up a floating rule with the following parameters (for DNS resolution):

5) Set up manual outbound NAT (AON option). In the NAT tab, you have to check Manual Outbound NAT rule generation.

Then, add 2 mappings with the WAN1 and WAN2 interfaces:
- Protocol = any
- Source = any
- Destination = any
- Translation = Interface address

6) Configure Squid Web Proxy correctly (the tricky thing!). I assume that you have installed the Squid package. In my case, I also installed SquidGuard (filter) and LightSquid (reports). In the Proxy server tab / General settings, add the loopback interface:

I also use a transparent proxy. If you choose to activate this option, you must change the port for the pfSense Web GUI (HTTPS instead of HTTP) in the Advanced tab. Then, you have to add a Custom Option at the bottom of the page:

tcp_outgoing_address 127.0.0.1;
Don't forget to end with a semicolon.

7) Test it!
- Open your favorite web browser (Firefox) and go to http://myip.dk.
- Unplug the Tier 1 router and reload the page. Your IP address may change in case of failover.
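As an added example (not part of the original document), this POSIX shell script gathers the checks a practitioner would want before and after step 6: it splits the semicolon-separated Squid Custom Options into squid.conf directives (the semicolon separator is an assumption drawn from the author's trailing semicolon), it looks for any daemon other than Squid still listening on TCP port 80, which is the conflict the Web GUI port change avoids, and it offers a per-server DNS test equivalent to diag_dns.php. The sockstat column layout is FreeBSD's; the sample sockstat lines, the lighttpd process and the 3128 port are constructed for illustration. Run it with --live to inspect the running system instead of the sample.

```shell
#!/bin/sh
# Added example: pre-flight checks for the transparent-proxy set-up.
# Assumptions (not from the document): FreeBSD `sockstat -4 -l` column layout,
# Squid listening on 127.0.0.1:3128, and the constructed sample lines below.

# 1) Split pfSense Squid "Custom Options" (assumed semicolon-separated, as the
#    author's trailing ';' suggests) into one squid.conf directive per line.
custom_options_to_conf() {
  printf '%s' "$1" | tr ';' '\n' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# 2) Given `sockstat -4 -l` output on stdin, print every command other than
#    squid that listens on TCP port 80. Anything printed means the Web GUI (or
#    another daemon) still holds the port the transparent proxy redirect targets.
port80_conflicts() {
  awk 'NR > 1 && $5 ~ /^tcp/ && $6 ~ /:80$/ && $2 != "squid" { print $2 }'
}

# Constructed sockstat sample: Web GUI still on HTTP (port 80) as well as
# HTTPS, Squid on 3128. Not captured from a real firewall.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     lighttpd   1234  4  tcp4   *:443                 *:*
squid    squid      2345  11 tcp4   127.0.0.1:3128        *:*
root     lighttpd   1234  5  tcp4   *:80                  *:*'

# Wrapper: report port-80 conflicts for the sample, or with --live for the
# running system.
check_port80() {
  if [ "${1:-}" = "--live" ]; then
    sockstat -4 -l | port80_conflicts
  else
    printf '%s\n' "$SAMPLE_SOCKSTAT" | port80_conflicts
  fi
}

# 3) Live DNS test, the command-line counterpart of diag_dns.php: resolve one
#    name through each server separately so a dead link shows up as a FAIL for
#    that server rather than as a hang. Uses drill (FreeBSD) or dig elsewhere.
dns_check() {
  name=$1; shift
  for server in "$@"; do
    if command -v drill >/dev/null 2>&1; then
      drill "$name" @"$server" >/dev/null 2>&1 && echo "$server OK" || echo "$server FAIL"
    else
      dig +time=2 +tries=1 @"$server" "$name" >/dev/null 2>&1 && echo "$server OK" || echo "$server FAIL"
    fi
  done
}

custom_options_to_conf 'tcp_outgoing_address 127.0.0.1; dns_nameservers 8.8.8.8 4.2.2.2;'
check_port80 "${1:-}"
if [ "${1:-}" = "--live" ]; then
  # 8.8.8.8 and 4.2.2.2 are the open resolvers from the document's step 1.
  dns_check www.example.com 8.8.8.8 4.2.2.2
fi
```

The sample run prints the two squid.conf directives followed by lighttpd, the constructed Web GUI process that still owns port 80; an empty conflict list is the state you want after moving the GUI to HTTPS. In --live mode the DNS check against each configured server reproduces the "unplug one router and resolve" test from the Testing section without the Web GUI.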
