I use squid + dansguardian for my clients and was able to successfully
configure it with Dual WAN support. The key to accomplishing this in my
network is policy based routing (PBR) on Juniper NetScreen devices. Here are
the basics. You can of course do similar setups with Cisco or SonicWall
routers if you understand the basics.

1. Configure squid and dansguardian server.
Dansguardian is listening on port 8080 and redirecting to squid port 3129.
iptables is redirecting port 80 to port 8080 for easy config of workstations
and the Juniper router.
The server has 2 NICs, so instead of using transparent mode I configure the 2
NICs with different IPs so that they can be on different LANs, as I will
explain later.

2. Configure router.
I use policy based routing, which allows me to define source IP/port,
destination IP/port and transport protocol to define several rules such as
the ones below.

If source IP is from the workstation pool, redirect all port 80 traffic to the
squid server port 8080.
If source IP is from the local server pool, do not redirect any port 80
traffic (allows servers to skip the proxy).
If destination IP is an intranet webserver or company webserver, do not
redirect traffic through the proxy and allow direct communication.

3. Configure dual WAN for fail-over and selective redirection.
On Juniper routers you can have more than one virtual router. This allows me
to have two active default gateways on the same device. So this is what I do.

Virtual router 1 contains the default LAN and the default WAN interface and
gateway. Virtual router 2 contains the backup WAN interface and gateway and
the secondary LAN.

The trick to setting up both connections is route statements. On VR1
(virtual router 1) I have the following.

0.0.0.0/0 -> GW-ip ->GW-interface metric=0
0.0.0.0/0 -> virtual router 2 metric=10
lan2-ip -> virtual router 2

Virtual router 2 has the following.
0.0.0.0/0 -> GW-ip -> GW-interface metric=0
0.0.0.0/0 -> virtual router 1 metric=10
lan1-ip -> virtual router 1

I know this is a very stripped down routing table, but this is basically what
happens. Since there are 2 routes for 0.0.0.0/0 in each VR, the metric
determines which one is active and which is not. Higher metric = lower
priority, so metric 10 routes are inactive if the metric 0 route is active.

When ISP 1 or 2 goes down, the first default route fails and the 2nd default
route with metric 10 now becomes active, redirecting all traffic to the other
virtual router where it can make its way to the internet.

To force certain local workstations to use either ISP1 or 2, I would use the
fact that I have the squid server with 2 NICs, one in LAN1 and the other
NIC in LAN2.
By default all traffic in LAN1 goes to the squid server NIC1 and then back to
LAN1 to go out to the internet. To force some computer to use the slow
internet, all I need to do is use a source-based route:

source ip/subnet mask -> virtual router 2

This means traffic from this IP is pushed to VR2, where policy based routing
checks it against its rules and determines whether to send it to the internet
on the slow connection, or whether to send it through the proxy on LAN2 and
then to the internet on the slow connection.

Lastly, when one internet connection goes down all traffic is redirected to
the other virtual router, where the squid rules still apply, and failover is
almost instantaneous :)


On Fri, Jul 22, 2011 at 8:31 AM, Peter C. Ndikuwera <[email protected]> wrote:

> Hi,
>
> Anyone have experience with using squid with multiple outgoing connections?
>
> Some conditions:
> - squid cannot be in transparent mode
> - some IPs must be set to use conn #1 (the faster one)
> - if either conn #1 or #2 go down, squid should always use the active
> connection.
>
> Ideas?
>
> Peter
>
> --
> Evolution (n): A hypothetical process whereby infinitely improbable events
> occur with alarming frequency, order arises from chaos, and no one is given
> credit.
>
>
> _______________________________________________
> The Uganda Linux User Group: http://linux.or.ug
>
> Send messages to this mailing list by addressing e-mails to:
> [email protected]
> Mailing list archives: http://www.mail-archive.com/[email protected]/
> Mailing list settings: http://kym.net/mailman/listinfo/lug
> To unsubscribe: http://kym.net/mailman/options/lug
>
> The Uganda LUG mailing list is generously hosted by INFOCOM:
> http://www.infocom.co.ug/
>
> The above comments and data are owned by whoever posted them (including
> attachments if any). The mailing list host is not responsible for them in
> any way.
>



-- 
Sanga M. Collins
Network Engineering
~~~~~~~~~~~~~~~~~~~~~~~
Google Voice: (954) 324-1365
E-fax: (435) 578 7411
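Below is an added example, not code from the post or from Juniper or squid: a small Python model of the three steps above (the PBR proxy rule, the two virtual routers with metric 0/10 mutual fallback, and the source-based route into VR2). It also shows one caveat of the mutual fallback that the post does not spell out: with both ISPs down, the two default routes point at each other, so a packet bounces between the VRs until its TTL expires. All pools, addresses and the squid NIC labels are constructed placeholders.

```python
# Added example, not from the post: a model of the setup described above,
# two virtual routers whose default routes fall back to each other, a
# source-based route pushing chosen hosts to VR2, and the PBR rule that sends
# workstation port-80 traffic through the proxy. Pools/addresses are constructed.
from ipaddress import ip_address, ip_network

WORKSTATIONS = ip_network("10.1.0.0/24")   # constructed: LAN1 workstation pool
SERVERS = ip_network("10.1.1.0/24")        # constructed: local server pool
INTRANET = ip_network("10.9.0.0/16")       # constructed: intranet/company web
SLOW_HOSTS = ip_network("10.1.0.64/26")    # constructed: hosts forced to ISP2
PROXY = {"vr1": "squid-nic1:8080", "vr2": "squid-nic2:8080"}  # one NIC per LAN

# Per-VR routes as (prefix, next hop, metric); lowest usable metric wins.
# LAN/connected routes are omitted to keep the model short.
ROUTES = {
    "vr1": [("0.0.0.0/0", "isp1", 0), ("0.0.0.0/0", "vr2", 10)],
    "vr2": [("0.0.0.0/0", "isp2", 0), ("0.0.0.0/0", "vr1", 10)],
}

def needs_proxy(src, dst, dport):
    """Step 2 policy: only workstation-pool port-80 flows go via the proxy;
    servers and intranet destinations are exempt."""
    if dport != 80 or ip_address(dst) in INTRANET:
        return False
    if ip_address(src) in SERVERS:
        return False
    return ip_address(src) in WORKSTATIONS

def egress(src, dst, dport, isp_up):
    """Return (exit link, proxy or None). isp_up maps 'isp1'/'isp2' to state."""
    origin = "vr2" if ip_address(src) in SLOW_HOSTS else "vr1"  # source route
    proxy = PROXY[origin] if needs_proxy(src, dst, dport) else None
    vr = origin
    for _ in range(4):  # bound the walk: mutual fallback loops if both ISPs die
        chosen = None
        for prefix, nh, _metric in sorted(ROUTES[vr], key=lambda r: r[2]):
            if ip_address(dst) not in ip_network(prefix):
                continue
            if nh.startswith("isp") and not isp_up[nh]:
                continue  # link down: route withdrawn, next metric takes over
            chosen = nh
            break
        if chosen is None:
            return ("unreachable", proxy)
        if chosen.startswith("isp"):
            return (chosen, proxy)
        vr = chosen  # handed across to the other virtual router
    return ("loop", proxy)  # both links down: packets bounce VR1<->VR2 until TTL expires
```

The proxy is chosen by the originating VR, so a LAN1 workstation that fails over to ISP2 still passes through squid NIC1, matching the "squid rules still apply" behaviour in the post.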