
Set-up pfSense transparent Web Proxy with failover on multi-WAN links.


Author : Dimitri Souleliac, CISSP (dimitri.souleliac [at] gmail.com)
Date : November, 2012
pfSense Ver. : 2.0-RC1 (built on Sat Feb 26 15:30:26 EST 2011)

NETWORK DIAGRAM

PREREQUISITES / DNS CONFIGURATION


Since I wrote the first "pfSense Squid Web Proxy with multi-WAN links" in May, 2011, I noticed some issues with DNS.
When my default gateway failed, the following problems appeared:
- the Squid proxy stopped working
- the pfSense web configurator became very slow
- DNS resolution failed, or was very slow: https://PFSENSE_IP/diag_dns.php

1/ Configure two public DNS servers (Google DNS: 8.8.8.8 and Level 3 DNS: 4.2.2.2), with no gateway assigned to them.
2/ Force these DNS servers in the Proxy Server configuration (possibly not required, but it may help).

3/ Create a new floating rule so that DNS resolution fails over correctly (**most important thing**)

Testing
Unplug the WAN1 or WAN2 router and test it:
https://PFSENSE_IP/diag_dns.php
STEP-BY-STEP HOWTO

1) Configure your WAN1 and WAN2 interfaces (static IP or DHCP) and their gateways correctly.

WAN1 example:

WAN2 example:

Test each gateway (ping the router).


2) Configure your DNS servers in the General Setup tab

Example:

Some explanations:
- The provider for WAN1 supplies 2 DNS servers. I set the WAN1 gateway on these entries so that they are reached through it.
- The provider for WAN2 uses the gateway itself as DNS server (!). In this case, I did not set a gateway to reach the DNS server.

3) Configure a gateway group in the Routing tab


Check the existing gateways (you may have one marked as Default Gateway).
As monitor IP, I use the providers' DNS servers.

Click on Groups and add one:


- Choose Tier 1 and Tier 2 to prioritize one gateway (failover)
- or choose the same tier for both gateways (load balancing)

In my opinion, Packet Loss is a good trigger.


Result:

4) Set up firewall rules

Set up a floating rule with the following parameters (for the HTTP proxy traffic)
Explanations:
- Floating rules apply to multiple interfaces,
- Choose your WAN1 and WAN2 interfaces, and direction out
- Choose HTTP (TCP port 80) as destination port
- Set the gateway to MULTIWAN, the gateway group (the most important thing!)

Only traffic matched by this rule is policy-routed through the group; anything else leaving the firewall itself still follows the routing table and its default gateway, which is why the DNS rule below is needed too.

Result:

Set up a floating rule with the following parameters (for DNS resolution)

5) Set up manual outbound NAT (AON option)

In the NAT tab (Outbound), check Manual Outbound NAT rule generation (AON - Advanced Outbound NAT). From then on, pfSense no longer generates the mappings for you.

Then add 2 mappings, one on the WAN1 interface and one on the WAN2 interface:


- Protocol = any
- Source = any
- Destination = any
- Translation = Interface address

6) Configure Squid Web Proxy correctly (the tricky thing!)

I assume that you have installed the Squid package. In my case, I also installed SquidGuard (filtering) and LightSquid (reports).

In the Proxy server tab / General settings, add the loopback interface to the proxy interfaces:

I also use a transparent proxy. If you choose to activate this option, you must switch the pfSense web GUI to HTTPS instead of HTTP
in the Advanced tab, otherwise the transparent redirection of port 80 clashes with a GUI served over plain HTTP (serving the GUI over HTTPS is the better choice anyway).

Then, add the following Custom Option at the bottom of the page:

tcp_outgoing_address 127.0.0.1;

Don't forget to end with a semicolon (the package uses ";" as separator between custom options). This makes Squid source its outgoing connections from 127.0.0.1 instead of a WAN address, so they are caught by the floating rule and rewritten by the outbound NAT mapping of whichever WAN they actually leave on.

7) Test it!
- Open your favorite web browser (Firefox) and go to http://myip.dk.
- Unplug the Tier 1 router and reload the page.

Your public IP address should change once the failover has occurred.
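As an added example (not part of the original how-to), the script below verifies steps 4 to 6 from the pfSense shell instead of trusting the GUI: it reads the ruleset pf actually loaded (pfctl) and the generated squid.conf, and fails on the usual mistakes, a floating rule saved with gateway "default" instead of MULTIWAN (no route-to clause in pf), a missing outbound NAT mapping on one WAN, or Squid not sourcing its connections from 127.0.0.1. The interface names em1/em2, the tier 1 gateway 203.0.113.1, the squid.conf path and the sample pfctl output lines are assumptions and constructed approximations; the DNS floating rule is assumed to be UDP port 53, since the page does not show its parameters.

```shell
#!/bin/sh
# Added example, not from the original how-to. Run from the pfSense shell
# (console option 8) after applying the rules. Interface names, gateway,
# squid.conf path and all sample outputs below are assumptions.

WAN1_IF="${WAN1_IF:-em1}"
WAN2_IF="${WAN2_IF:-em2}"
SQUID_CONF="${SQUID_CONF:-/usr/local/etc/squid/squid.conf}"

# Constructed sample of `pfctl -sr` output for the HTTP and DNS floating
# rules saved with MULTIWAN as gateway: pfSense emits one rule per selected
# interface and the gateway shows up as a route-to clause (tier 1 = em1).
SAMPLE_RULES='pass out quick on em1 route-to (em1 203.0.113.1) inet proto tcp from any to any port = http flags S/SA keep state label "USER_RULE"
pass out quick on em2 route-to (em1 203.0.113.1) inet proto tcp from any to any port = http flags S/SA keep state label "USER_RULE"
pass out quick on em1 route-to (em1 203.0.113.1) inet proto udp from any to any port = domain keep state label "USER_RULE"
pass out quick on em2 route-to (em1 203.0.113.1) inet proto udp from any to any port = domain keep state label "USER_RULE"
pass in quick on em0 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE"'

# Constructed sample of the same HTTP rule saved with gateway "default":
# no route-to, so nothing is policy-routed and the proxy dies with WAN1.
SAMPLE_RULES_BAD='pass out quick on em1 inet proto tcp from any to any port = http flags S/SA keep state label "USER_RULE"
pass out quick on em2 inet proto tcp from any to any port = http flags S/SA keep state label "USER_RULE"'

# Constructed sample of `pfctl -sn` output for the two manual mappings.
SAMPLE_NAT='nat on em1 inet from any to any -> (em1) port 1024:65535
nat on em2 inet from any to any -> (em2) port 1024:65535'

# Constructed tail of squid.conf once the custom option has been applied.
SAMPLE_SQUID='dns_nameservers 8.8.8.8 4.2.2.2
tcp_outgoing_address 127.0.0.1'

# rule_has_route_to RULESET PROTO PORT
# Succeeds when every loaded outbound rule for PROTO/PORT carries a
# route-to clause (i.e. the MULTIWAN gateway); prints the offenders otherwise.
rule_has_route_to() {
    ruleset=$1; proto=$2; port=$3
    matches=$(printf '%s\n' "$ruleset" | grep 'pass out' \
              | grep "proto $proto " | grep "port = $port " || true)
    if [ -z "$matches" ]; then
        echo "no outbound $proto/$port rule loaded"
        return 1
    fi
    bad=$(printf '%s\n' "$matches" | grep -v 'route-to' || true)
    if [ -n "$bad" ]; then
        echo "outbound $proto/$port rule without gateway (saved as default?):"
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# nat_covers_wans NATRULES IF...
# With manual outbound NAT nothing is generated for you: each WAN needs its
# own "nat on <if> ... -> (<if>)" mapping, or packets routed out of that WAN
# keep 127.0.0.1 as source address.
nat_covers_wans() {
    natrules=$1; shift
    for ifn in "$@"; do
        if ! printf '%s\n' "$natrules" | grep -q "^nat on $ifn .*-> ($ifn)"; then
            echo "no outbound NAT mapping to interface address on $ifn"
            return 1
        fi
    done
    return 0
}

# squid_binds_loopback SQUIDCONF
# The custom option must reach squid.conf as a plain directive: the GUI
# field is ';'-separated and the semicolon itself must not end up in the file.
squid_binds_loopback() {
    printf '%s\n' "$1" | grep -q '^tcp_outgoing_address 127\.0\.0\.1[[:space:]]*$'
}

# run_checks [--live]
# --live inspects the running firewall; otherwise the samples are checked.
run_checks() {
    if [ "$1" = "--live" ]; then
        rules=$(pfctl -sr); nat=$(pfctl -sn); conf=$(cat "$SQUID_CONF")
    else
        rules=$SAMPLE_RULES; nat=$SAMPLE_NAT; conf=$SAMPLE_SQUID
    fi
    rc=0
    rule_has_route_to "$rules" tcp http || rc=1
    rule_has_route_to "$rules" udp domain || rc=1   # DNS rule assumed UDP/53
    nat_covers_wans "$nat" "$WAN1_IF" "$WAN2_IF" || rc=1
    squid_binds_loopback "$conf" || { echo "tcp_outgoing_address 127.0.0.1 missing from $SQUID_CONF"; rc=1; }
    [ "$rc" -eq 0 ] && echo "all checks passed"
    return "$rc"
}

run_checks "$@"
```

Run it with `--live` on the firewall right after applying the rules, then again after unplugging the Tier 1 router: pfSense regenerates the ruleset when a member of the gateway group goes down, so the route-to clause should then name the Tier 2 gateway. A rule that is missing route-to altogether is the first thing to look for when the proxy stops working at the same time as the default gateway, which is exactly the failure described in the DNS prerequisites above.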
