
I have pfSense 2.3.2 and I want to make it work as a traffic controller through the limiter and also be a web cache, but there is a bug: the limiter does not work where NAT is applied.

So if I have a machine with pfSense installed acting as a limiter, and a second machine between the LAN interface and the LAN acting as a web cache, it will work.

The first machine will control traffic while the second machine will cache without being affected by the first machine's traffic control.

What I want from the second machine is to be a bridge and a web cache.

A web cache that doesn't change the source IP, so the first machine can control the traffic based on LAN IPs (clients).

internet ------ first machine ------ second machine ------- clients

  • Perhaps you're looking for Squid reverse proxy? However, this does not require a chain of devices like you describe. It can all be done on the same pfsense host / cluster. – Spooler Oct 17 '16 at 13:59
  • No, a reverse proxy is NAT, changing the source IP. – nizzard0094 Oct 17 '16 at 14:46

1 Answer

This is achievable with squid as a transparent proxy on a "second machine", which will intercept all the traffic and optionally cache it. However, there's little sense in that: the modern Web is growing towards HTTPS; furthermore HTTP/2, the newly introduced standard, is based on HTTPS. At the time of this writing, all of the modern browsers have stated that they only support HTTP/2 over TLS. And when clients use HTTPS you cannot cache anything. So you have two alternatives: either your HIT ratio will decay over time, or you need to implement sslBumping techniques on your transparent proxy. The latter are tricky; plus, once again, the modern Web is developing a large set of methods to prevent any man-in-the-middle attacks, which sslBump is by its nature - for instance HTTP Key Pinning.

drookie
  • I know the web is moving toward HTTPS, but bandwidth is still very limited in our country, and squid acts as NAT, changing the source IP when communicating with the WAN side. – nizzard0094 Oct 17 '16 at 14:44
  • When your clients are behind NAT it doesn't matter. A caching service needs to establish a connection from some IP anyway. If you insist that you need a tool for transparent caching on one hand, and not tampering with IPs in any way on the other, then you need to write it yourself, because I'm afraid there's no such one. Even Cisco WCCP cache engines use squid and tamper with IP addressing. – drookie Oct 17 '16 at 14:56
  • Squid from the client side is transparent, but from the WAN side, i.e. from the first machine's side, it is not; the first machine can't see the clients' IPs. – nizzard0094 Oct 17 '16 at 14:56
  • So how do I make a traffic control that does not throttle web cache bandwidth? – nizzard0094 Oct 17 '16 at 15:00
  • You can use *delay_pools* on squid to limit the speed to a specific IP, and use pfSense to limit all the other traffic. I don't see a way for cached traffic to be totally unlimited. – drookie Oct 17 '16 at 15:02
  • But with my diagram you can see it, if only there is a web cache with this feature. – nizzard0094 Oct 17 '16 at 15:05
  • You can switch the order: place the caching server closer to the WAN, and implement shaping between it and the clients. – drookie Oct 17 '16 at 15:21
  • That would be good if my data were limited, but it is not; what is limited is my bandwidth. – nizzard0094 Oct 17 '16 at 15:22
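The setup drookie describes in the answer and the comments (squid intercepting HTTP on the second machine, with delay_pools throttling per client IP, while pfSense on the first machine shapes everything else) looks like the following squid.conf. This is an added example, not configuration from the question, the answer, or the squid project; the LAN prefix 192.168.1.0/24, the cache path, the cache size and the rate figures are assumed values to be replaced with your own.

```conf
# --- Constructed example squid.conf for the "second machine" (added example, not from the page) ---

# Assumed LAN prefix of the clients sitting behind the bridge
acl localnet src 192.168.1.0/24

# Intercept mode: clients are redirected here by the firewall, they do not
# configure a proxy. Only plain HTTP can be intercepted and cached this way;
# HTTPS crosses the bridge untouched and is shaped by the first machine's limiter.
http_port 3128 intercept

# Assumed on-disk cache: 10 GB, ufs store, default directory layout
cache_dir ufs /var/squid/cache 10000 16 256
cache_mem 256 MB
maximum_object_size 64 MB

# Only the local clients may use the proxy
http_access allow localnet
http_access deny all

# One delay pool of class 2: an aggregate bucket plus one bucket per client IP.
# Units are bytes per second / burst size in bytes.
delay_pools 1
delay_class 1 2
# aggregate: unlimited (-1/-1); per client: 256 kB/s sustained, 512 kB burst (assumed values)
delay_parameters 1 -1/-1 256000/512000
delay_access 1 allow localnet
delay_access 1 deny all

# Keep the client address visible to the upstream in the HTTP layer only
forwarded_for on
```

The `http_port ... intercept` line only works if the firewall on the second machine redirects LAN port 80 traffic to 3128 (on a pf-based host that is an `rdr` rule on the LAN-side bridge member). Note what this does and does not solve: delay_pools limit each client's HTTP through the cache (including cache hits), so the per-client limit has to be chosen deliberately rather than left at the limiter's values, and because the proxy still opens its own upstream connections, the first machine sees the proxy's IP for HTTP, exactly as the comments say; its limiter should therefore be scoped to the non-HTTP traffic that passes the bridge unintercepted.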