
Set-up pfSense Web Proxy with multi-WAN links (this configuration works!)
Author: Dimitri Souleliac, CISSP (dimitri.souleliac [at] gmail.com)
Date: May, 2011
Version: 2.0-RC1 (built on Sat Feb 26 15:30:26 EST 2011)

NETWORK DIAGRAM

STEP-BY-STEP HOWTO
1) Configure your WAN1 and WAN2 interfaces (static IP or DHCP) and their gateways correctly. WAN1 example:

WAN2 example:

Test your gateway (ping the router).

2) Configure your DNS servers in the General Setup tab. Example:

Some explanations:
- The provider for WAN1 uses 2 DNS servers. I configure the correct gateway to reach these DNS servers.
- The provider for WAN2 uses the gateway itself as DNS server (!). In this case, I didn't configure a gateway to reach the DNS.

2) Configure a Gateway group in the Routing tab. Check the existing gateways (you may have one as Default Gateway).

As a monitor IP, I use the DNS servers of the providers.

Click on Groups and add one:
- Choose Tier 1 and Tier 2 to prioritize a gateway (failover)
- or, choose the same priority (load-balancing)
In my opinion, Packet Loss is a good trigger.

Result:

3) Set-up firewall rules. Set up a Floating rule with the following parameters:

Explanations:
- The floating rules apply on multiple interfaces,
- Choose your WAN1 and WAN2 interfaces, and direction out
- Choose HTTP as destination port
- Specify the gateway with MULTIWAN (the most important thing!)

Result:

You can also create another rule (optional) to use MULTIWAN for other flows. Example on the LAN interface:

3) Set-up manual Outbound NAT (AON option). In the NAT tab, you have to check Manual Outbound NAT rule generation.

Then, add 2 mappings with the WAN1 and WAN2 interfaces:
- Protocol = any
- Source = any
- Destination = any
- Translation = Interface address

4) Configure Squid Web Proxy correctly (the tricky thing!). I assume that you have installed the Squid package. In my case, I also installed SquidGuard (filter) and LightSquid (reports).

In Proxy server tab / General settings, add the loopback interface:

I also use a transparent proxy. If you choose to activate this option, you must change the port for the pfSense Web GUI (HTTPS instead of HTTP) in the Advanced tab. Then, you have to add a Custom Option at the bottom of the page: tcp_outgoing_address 127.0.0.1; Don't forget to end with a semicolon.

5) Test it! Open your favorite web browser (Firefox) and go to http://myip.dk. Unplug the Tier 1 router and reload the page.

Your IP address may change in case of failover.
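The failover and load-balancing behaviour exercised by this test, modelled as an added Python example that is not part of the original document or of pfSense itself: the tier, Packet Loss trigger and round-robin selection are a simplification I assume for illustration (pfSense implements the real thing inside pf with route-to pools).

```python
from dataclasses import dataclass

@dataclass
class Gateway:
    name: str
    tier: int                 # 1 = preferred, 2 = used only when Tier 1 is out
    packet_loss: float = 0.0  # percent loss to the monitor IP (100 = unplugged)

class GatewayGroup:
    """Simplified model of a gateway group with a Packet Loss trigger: the best
    healthy tier is used; members sharing that tier are round-robin balanced.
    pfSense does this inside pf (route-to); this only shows the selection rule."""
    def __init__(self, members, loss_trigger=20.0):
        self.members = list(members)
        self.loss_trigger = loss_trigger  # trigger level in percent (assumed)
        self._next = 0                    # round-robin cursor

    def healthy(self):
        return [g for g in self.members if g.packet_loss < self.loss_trigger]

    def candidates(self):
        """All healthy members of the lowest-numbered healthy tier."""
        ok = self.healthy()
        if not ok:
            return []
        best = min(g.tier for g in ok)
        return [g for g in ok if g.tier == best]

    def pick(self):
        """Gateway name for the next new connection, or None if all are out."""
        cands = self.candidates()
        if not cands: return None
        g = cands[self._next % len(cands)]
        self._next += 1
        return g.name

def failover_demo():
    """Tier 1 / Tier 2 group: WAN1 is used until its monitor sees packet loss."""
    wan1, wan2 = Gateway("WAN1", tier=1), Gateway("WAN2", tier=2)
    grp = GatewayGroup([wan1, wan2])
    before = grp.pick()      # WAN1
    wan1.packet_loss = 35.0  # above the 20% trigger: WAN1 is excluded
    during = grp.pick()      # WAN2, so the public IP changes as in step 5
    wan1.packet_loss = 0.0   # link recovers
    return before, during, grp.pick()

def load_balance_demo():
    """Both gateways in Tier 1: new connections alternate between the WANs."""
    grp = GatewayGroup([Gateway("WAN1", tier=1), Gateway("WAN2", tier=1)])
    return [grp.pick() for _ in range(4)]
```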

Comments on this document are welcome. Thanks to all!
