pfsense web proxy with multi-wan links


Upload: alicia-smith

Post on 20-Oct-2015


Set-up pfSense transparent Web Proxy with failover on multi-WAN links.

Author : Dimitri Souleliac, CISSP (dimitri.souleliac [at] gmail.com)
Date : November, 2012
pfSense Ver. : 2.0-RC1 (built on Sat Feb 26 15:30:26 EST 2011)

NETWORK DIAGRAM

PREREQUISITES / DNS CONFIGURATION

Since I wrote the first "pfSense Squid Web Proxy with multi-WAN links" in May, 2011, I noticed some issues with DNS.

When my default gateway failed, the following problems appeared:

- the Squid proxy stopped working
- the pfSense configuration interface became very slow
- DNS resolution stopped working (or became very slow): https://PFSENSE_IP/diag_dns.php

1/ Configure two open DNS servers (Google DNS : 8.8.8.8 and L3 DNS : 4.2.2.2), with no gateway.

2/ Force these DNS servers in the Proxy Server config (may not be required, but it might help).

3/ Create a new floating rule to correctly fail over DNS resolution (**most important thing**).

Testing

Unplug the WAN1 or WAN2 router and test it:

    https://PFSENSE_IP/diag_dns.php

STEP-BY-STEP HOWTO

1) Configure your WAN1 and WAN2 interfaces (static IP or DHCP) and Gateways correctly.

    WAN1 example:

    WAN2 example:

    Test your gateway (ping the router).

2) Configure your DNS servers in the General Setup tab

Example:

Some explanations:
- The provider for WAN1 uses 2 DNS servers. I configure the correct gateway to reach these DNS servers.
- The provider for WAN2 uses the gateway as DNS server (!). In this case, I didn't configure a gateway to reach the DNS server.

3) Configure a Gateway group in the Routing tab

Check the existing gateways (you may have one as Default Gateway). As a monitor IP, I use the DNS servers of the providers.

Click on Groups and add one:
- Choose Tier 1 and Tier 2 to prioritize a gateway (failover)
- or, choose the same priority (load-balancing)

In my opinion, Packet Loss is a good trigger.

Result:

4) Set-up firewall rules

Set-up a Floating rule with the following parameters (for HTTP proxy):

Explanations:
- The floating rules apply on multiple interfaces,
- Choose your WAN1 and WAN2 interfaces, and direction out
- Choose HTTP as destination port
- Specify the gateway with MULTIWAN (the most important thing!)

    Result:

Set-up a Floating rule with the following parameters (for DNS resolving):

5) Set-up manual Outbound NAT (AON option)

In the NAT tab, you have to check Manual Outbound NAT rule generation.

Then, add 2 mappings with WAN1 and WAN2 interfaces:
- Protocol = any
- Source = any
- Destination = any
- Translation = Interface address

6) Configure Squid Web Proxy correctly (the tricky thing!)

I assume that you have installed the Squid package. In my case, I also installed SquidGuard (filter) and LightSquid (reports). In the Proxy server tab / General settings, add the loopback interface:

I also use a transparent proxy. If you choose to activate this option, you must change the port for the pfSense Web GUI (HTTPS instead of HTTP) in the Advanced tab. Then, you have to add a Custom Option at the bottom of the page:

tcp_outgoing_address 127.0.0.1;

Don't forget to end with a semicolon.

6) Test it!
- Open your favorite Web Browser (Firefox) and go to http://myip.dk.
- Unplug the Tier 1 router and reload the page. Your IP address may change in case of failover.
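As an added example (not part of the original document), a small Python monitor for the manual tests above: run from a LAN client behind the transparent proxy, it polls an IP-checker page and a DNS lookup at intervals while you unplug a router, then turns the sequence of observed egress addresses into outage, failover and failback events. The two WAN addresses are constructed placeholders, and the checker page is assumed to print the client's address somewhere in its body.

```python
import socket
import time
import urllib.request
from typing import Dict, List, Optional

# Constructed placeholder addresses: replace with the public IPs of your two links.
WAN_LINKS: Dict[str, str] = {"203.0.113.10": "WAN1 (Tier 1)", "198.51.100.20": "WAN2 (Tier 2)"}

def probe_egress_ip(url: str = "http://myip.dk", timeout: float = 5.0) -> Optional[str]:
    """Return the public IP the checker page reports, or None when the request fails.
    Plain HTTP from a LAN client is intercepted by the transparent proxy, so no proxy setting is needed."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except OSError:
        return None
    # Keep the first token that looks like a dotted-quad IPv4 address.
    for token in body.replace("<", " ").replace(">", " ").split():
        parts = token.split(".")
        if len(parts) == 4 and all(p.isdigit() and int(p) < 256 for p in parts):
            return token
    return None

def probe_dns(name: str = "www.pfsense.org") -> bool:
    """True if the name resolves; a failing or hanging lookup is the symptom described after a gateway loss."""
    try:
        socket.getaddrinfo(name, 80)
        return True
    except socket.gaierror:
        return False

def detect_events(samples: List[Optional[str]]) -> List[str]:
    """Turn a sequence of observed egress IPs (None = no connectivity) into human-readable events."""
    events, previous = [], None
    for i, ip in enumerate(samples):
        if ip == previous:
            continue
        before = WAN_LINKS.get(previous, previous) if previous else "none"
        after = WAN_LINKS.get(ip, ip) if ip else "none"
        if ip is None:
            events.append(f"sample {i}: outage, no egress (was {before})")
        elif previous is None and i > 0:
            events.append(f"sample {i}: recovered via {after}")
        elif previous is not None:
            kind = "failback" if "Tier 1" in after else "failover"
            events.append(f"sample {i}: {kind} {before} -> {after}")
        previous = ip
    return events

def watch(interval: float = 5.0, count: int = 12) -> List[str]:
    """Sample egress IP and DNS every `interval` seconds; unplug the Tier 1 router meanwhile."""
    samples: List[Optional[str]] = []
    for _ in range(count):
        samples.append(probe_egress_ip())
        print(f"egress={samples[-1] or 'none'} dns_ok={probe_dns()}")
        time.sleep(interval)
    return detect_events(samples)

if __name__ == "__main__":
    for event in watch():
        print(event)
```

A run that stays on WAN1 throughout produces no events; a clean failover shows up as one "failover WAN1 (Tier 1) -> WAN2 (Tier 2)" line, while an intervening "outage" line means the floating rule or outbound NAT did not catch the traffic during the switch.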