Bug #2591

closed

Squid3 can't listen on a CARP VIP

Added by Adam Thompson almost 13 years ago. Updated about 9 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Squid
Target version: -
Start date: 08/14/2012
% Done: 0%

Description

The squid3 package allows syncing between HA peers, but .../squid.xml only allows selection of physical interfaces, and does not permit listening on a CARP VIP. So what's the point in having the XMLRPC sync capability, then?

Running "2.1-BETA0 (amd64) built on Tue Aug 14 12:18:46 EDT 2012 FreeBSD 8.3-RELEASE-p4" with squid3 pkg version "3.1.20 pkg 2.0.5_3".

Actions #1

Updated by Chris Buechler almost 13 years ago

  • Target version deleted (2.1)
  • Affected Version deleted (2.1)

Actions #2

Updated by Chris Buechler almost 13 years ago

Probably better off posting this to the packages board on the forum, the maintainers tend to not look here.

Actions #3

Updated by Kill Bill almost 10 years ago

Please, read this post (and the entire thread there): https://forum.pfsense.org/index.php?topic=46067.msg256634#msg256634

Listening on CARP VIP just doesn't make sense, there's nothing to fail over here with Squid.

Close this bug, please.

Actions #4

Updated by Chris Buechler almost 10 years ago

  • Status changed from New to Closed

Actions #5

Updated by Adam Thompson almost 10 years ago

That's nice, but nothing in that thread addresses the problem; JimP completely missed the point. And I believe you're dead wrong - there is something to fail over here with Squid.

Browsers are configured to talk to a proxy at a known IP address. Browsers do not have the capability (except through a WPAD script) to fail over to another configured proxy IP address. Therefore, if I have a pfSense HA pair running Squid, the only LAN-side IP address that fails over from system A to system B is the CARP VIP.
The aim is to not have to reconfigure every single browser when an HA failover takes place. I don't care about state, I only care about Squid still being reachable at that single configured address.

And, my original question remains - and is also not addressed by JimP's response in that thread - what's the point of config sync on a package that can't usefully fail over?

Actions #6

Updated by Kill Bill almost 10 years ago

The XMLRPC sync is there to synchronize configuration. You will NOT get any failover with Squid, as already explained on the thread... Use WPAD or whatever.

Actions #7

Updated by Jeroen van Gelderen about 9 years ago

For those getting bit by the missing CARP interfaces, a viable workaround is to

  • Bind Squid to Loopback (127.0.0.1) interface.
  • Create a port forward from <CARP IP>:3128 to 127.0.0.1:3128.
  • Have your users hit <CARP IP>:3128.

You will obviously not get any kind of graceful/stateful failover (i.e. all in-transit HTTP transfers will be aborted) but when your end-users retry their HTTP request (or when their webapp retries it in the background) they will succeed and not call you to complain at 03:00.
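Added example, not part of the original comment or of the squid3 package: a small audit that can be run on each HA peer to confirm the loopback-plus-port-forward workaround above is wired up the same way on both. The sample `squid.conf` and pf `rdr` lines are constructed; `192.0.2.10` stands in for `<CARP IP>`, `em1` is an assumed LAN interface, and the function names are hypothetical.

```python
import re

# Constructed sample config, not from the original page.
# 192.0.2.10 is a placeholder for <CARP IP>; em1 is an assumed LAN interface.
SQUID_CONF = """\
# squid.conf: step 1, listen on loopback only
http_port 127.0.0.1:3128
acl localnet src 192.0.2.0/24
http_access allow localnet
http_access deny all
"""
PF_RULES = """\
# pf.conf-style rule: step 2, forward <CARP IP>:3128 to the loopback listener
rdr on em1 inet proto tcp from any to 192.0.2.10 port 3128 -> 127.0.0.1 port 3128
"""

HTTP_PORT = re.compile(r"^\s*http_port\s+(?:(\S+):)?(\d+)\b", re.M)
RDR = re.compile(
    r"^\s*rdr\b.*\bto\s+(\S+)\s+port\s+(\d+)\s+->\s+(\S+)(?:\s+port\s+(\d+))?", re.M)

def squid_listeners(conf):
    """(address, port) per http_port line; address is None for a wildcard bind."""
    return [(addr or None, int(port)) for addr, port in HTTP_PORT.findall(conf)]

def rdr_targets(rules):
    """((dst, dport), (to, to_port)) per rdr rule; pf keeps dport if no target port."""
    return [((d, int(dp)), (t, int(tp or dp))) for d, dp, t, tp in RDR.findall(rules)]

def audit(conf, rules, vip, port=3128):
    """Return a list of findings; empty means the workaround is set up as described."""
    findings = []
    listeners = squid_listeners(conf)
    if ("127.0.0.1", port) not in listeners:
        findings.append(f"Squid is not listening on 127.0.0.1:{port}")
    for addr, p in listeners:
        if addr != "127.0.0.1":
            # A wildcard or physical-interface bind exposes Squid beyond the forward.
            findings.append(f"listener {addr or '*'}:{p} is outside loopback")
    if ((vip, port), ("127.0.0.1", port)) not in rdr_targets(rules):
        findings.append(f"no rdr from {vip}:{port} to 127.0.0.1:{port}")
    return findings

if __name__ == "__main__":
    print(audit(SQUID_CONF, PF_RULES, "192.0.2.10") or "workaround config is consistent")
```

Because an `rdr` rule rewrites only the destination, Squid still sees the real client source address, so source-based ACLs such as the constructed `localnet` one keep working behind the forward.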
