
Set-up pfSense transparent Web Proxy with failover on multi-WAN links.
Author : Dimitri Souleliac, CISSP (dimitri.souleliac [at] gmail.com)
Date : November, 2012
pfSense Ver. : 2.0-RC1 (built on Sat Feb 26 15:30:26 EST 2011)

NETWORK DIAGRAM

PREREQUISITES / DNS CONFIGURATION
Since I wrote the first "pfSense Squid Web Proxy with multi-WAN links" in May, 2011, I noticed some issues with DNS.
When my default gateway failed, the following problems appeared:
- SQUID proxy won't work anymore
- pfSense configuration interface is very slow
- DNS resolution is not working (or working very slowly): https://PFSENSE_IP/diag_dns.php

1/ Configure two public DNS servers (Google DNS: 8.8.8.8 and L3 DNS: 4.2.2.2), with no gateway.

2/ Force these DNS servers in the Proxy Server config (may not be required, but it might help).

3/ Create a new floating rule to correctly fail over DNS resolution (**most important thing**).

Testing: unplug the WAN1 or WAN2 router and test it: https://PFSENSE_IP/diag_dns.php

STEP-BY-STEP HOWTO

1°) Correctly configure your WAN1 and WAN2 interfaces (static IP or DHCP) and gateways.
WAN1 example:
WAN2 example:
Test your gateway (ping the router).

2°) Configure your DNS servers in the “General Setup” tab.
Example:
Some explanations:
. In this case, I use the DNS servers of the providers.
. Provider for WAN1 uses 2 DNS servers. I configure the correct gateway to reach these DNS servers.
. Provider for WAN2 uses the gateway as DNS server (!). I didn’t configure a gateway to reach this DNS server.

3°) Configure a “Gateway group” in the “Routing” tab.
Check the existing gateways (you may have one as “Default Gateway”).
As a monitor IP.
Click on “Groups” and add one:
. Choose the same priority (load-balancing), or choose Tier 1 and Tier 2 to prioritize a gateway (failover).
. In my opinion, “Packet Loss” is a good trigger.

Result:

4°) Set-up firewall rules
Set-up a “Floating” rule with the following parameters (for HTTP proxy):

. Protocol = any
. Source = any
. Destination = any
Explanations:
. The floating rules apply on multiple interfaces. Choose your WAN1 and WAN2 interfaces, and direction “out”.
. Choose “HTTP” as destination port.
. Specify the gateway with “MULTIWAN” (the most important thing!)
Result:
Set-up a “Floating” rule with the following parameters (for DNS resolving).

5°) Set-up manual Outbound NAT (AON option)
In the “NAT” tab, you have to check “Manual Outbound NAT rule generation”. Then, add 2 mappings with the WAN1 and WAN2 interfaces:
. Translation = Interface address

6°) Correctly configure Squid Web Proxy (the tricky thing!)
I assume that you have installed the Squid package. In my case, I also installed SquidGuard (filter) and LightSquid (reports).
In the “Proxy server” tab / General settings, you have to add a Custom Option at the bottom of the page: tcp_outgoing_address 127.0.0.1; Don’t forget to end with a semicolon.
I also use a “transparent proxy”. If you choose to activate this option, you must change the port for the pfSense Web GUI (HTTPS instead of HTTP) in the “Advanced” tab.
Then, add the loopback interface:

7°) Test it!
Open your favorite Web Browser (Firefox) and go to “http://myip.dk”. Unplug the “Tier 1 router” and reload the page. Your IP address may change in case of failover.
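As an added example (not part of the original howto), the following Python script audits a constructed pfSense config.xml fragment for the settings from prerequisite 1/ and steps 3°) to 6°): DNS servers with no pinned gateway, floating “out” rules on both WANs using the MULTIWAN gateway group, manual outbound NAT with one mapping per WAN, and the Squid custom option terminated with a semicolon. The element names (dnsNgw, floating, direction, nat/outbound/mode, installedpackages/squid/config/custom_options) and the interface names wan/opt1 are assumptions about the config.xml layout, not taken from the page.

```python
import xml.etree.ElementTree as ET

# Constructed config.xml fragment (not a real export) that breaks four of the howto's rules.
SAMPLE_CONFIG = """<pfsense>
  <system><dnsserver>8.8.8.8</dnsserver><dnsserver>4.2.2.2</dnsserver>
    <dns1gw>none</dns1gw><dns2gw>WAN1GW</dns2gw></system>
  <filter>
    <rule><floating>yes</floating><interface>wan,opt1</interface><direction>out</direction>
      <gateway>MULTIWAN</gateway><destination><port>80</port></destination></rule>
    <rule><floating>yes</floating><interface>wan,opt1</interface><direction>out</direction>
      <destination><port>53</port></destination></rule>
  </filter>
  <nat><outbound><mode>advanced</mode><rule><interface>wan</interface></rule></outbound></nat>
  <installedpackages><squid><config><custom_options>tcp_outgoing_address 127.0.0.1</custom_options>
  </config></squid></installedpackages>
</pfsense>"""

WAN_IFACES = {"wan", "opt1"}   # assumed: WAN1 is "wan", WAN2 is "opt1"
GROUP = "MULTIWAN"             # gateway group name used in the howto

def audit(xml_text):
    root = ET.fromstring(xml_text)
    findings = []
    # Prerequisite 1/: the public DNS servers are configured with no gateway.
    for el in root.find("system"):
        if el.tag.startswith("dns") and el.tag.endswith("gw") and el.text not in (None, "", "none"):
            findings.append(f"{el.tag}: DNS server pinned to gateway {el.text}")
    # Steps 3/ and 4/: floating "out" rules on both WANs must use the gateway group.
    for rule in root.findall("filter/rule"):
        if rule.findtext("floating") != "yes" or rule.findtext("direction") != "out":
            continue
        port = rule.findtext("destination/port")
        if not WAN_IFACES <= set((rule.findtext("interface") or "").split(",")):
            findings.append(f"floating rule port {port}: not applied to both WANs")
        if rule.findtext("gateway") != GROUP:
            findings.append(f"floating rule port {port}: gateway is not {GROUP}")
    # Step 5/: manual outbound NAT (AON) with one mapping per WAN interface.
    outbound = root.find("nat/outbound")
    if outbound.findtext("mode") != "advanced":
        findings.append("outbound NAT: manual rule generation (AON) not enabled")
    mapped = {r.findtext("interface") for r in outbound.findall("rule")}
    findings += [f"outbound NAT: no mapping for {i}" for i in sorted(WAN_IFACES - mapped)]
    # Step 6/: Squid custom option present and terminated with a semicolon.
    opts = (root.findtext("installedpackages/squid/config/custom_options") or "").strip()
    if "tcp_outgoing_address 127.0.0.1" not in opts:
        findings.append("squid: tcp_outgoing_address 127.0.0.1 missing")
    elif not opts.endswith(";"):
        findings.append("squid: custom option does not end with a semicolon")
    return findings
```

Run `audit()` over the `<pfsense>` root of a real backup export once the element names have been checked against it; the constructed sample yields four findings.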