How many times are the same files downloaded over and over again, perhaps from different machines? Not to mention the common web sites accessed every day. One way to reduce network bandwidth usage and improve response times is to cache content in a temporary location. This article covers the main steps to install and run a pfSense SQUID configuration in a VMware homelab.
There are many benefits to doing so, not least the ability to cache redundant data such as Windows Updates recurring on a number of machines. Certainly, purpose-built update managers like Windows Server Update Services (WSUS) offer far more specific features. As a more agnostic and flexible approach for a heterogeneous environment like a homelab, however, the pfSense SQUID configuration is probably one of the most cost-effective options in terms of resources.
pfSense SQUID setup
The first step in the pfSense SQUID configuration is to download and install the package directly from pfSense System > Package Manager > Available Packages.
Next, search for “SQUID”. The first package to install is the one with the same name (version 0.4.44_9 at the time of installing the package). Lightsquid and squidGuard will be covered in a different article. Once ready, press Install.
An additional screen will appear to confirm the package install. Upon confirmation, the selected package is downloaded and automatically installed. Before closing the window, it is a good idea to copy the information on the package installation screen into a notepad or similar, as it contains useful extra details including documentation.
Now that the pfSense SQUID package is installed, the next step is the first configuration. It is recommended to set up all the desired options, save, and only then check the box to enable the Squid proxy service with the latest config. The Proxy interface(s) field selects the individual networks or VLANs where the Web Proxy is enabled; multiple networks can be selected. By default the Squid port is 3128, which can be changed if desired. In general, the default settings work for the majority of installs.
In addition, it is also possible to specify for which network pfSense SQUID works as a Transparent Web Proxy.
The next step is to move to the Local Cache tab. This is where finer details such as the Cache Replacement Policy and its associated algorithms are defined. In particular, there are the following options:
- Heap LFUDA
Keeps popular objects in cache regardless of their size and thus optimizes byte hit rate at the expense of hit rate.
- Heap GDSF
Optimizes object-hit rate by keeping smaller, popular objects in cache.
- Heap LRU
Works like LRU, but uses a heap instead.
- LRU
Keeps recently referenced objects (i.e., replaces the object that has not been accessed for the longest time).
Further down the screen it is possible to define the Hard Disk Cache Size. This was already part of the initial considerations when deploying pfSense to VMware. Depending on the size of the environment, it might be a good idea to place the cache on a separate disk. Even though this is the first install, it is always a good idea to Clear Disk Cache NOW to start from a clean state. The other values can be left at their defaults.
The next item to review and configure is the Squid Memory Cache Settings. Here it is possible to specify the Memory Cache Size in MB and the maximum size of an object to keep in the cache; the latter value is in KB.
To optimise downloads from Windows Update and make them smoother, it is possible to enable a sort of dynamic cache with specific instructions. It is a matter of enabling the Squid refresh patterns. A sample is included below:
refresh_pattern -i windowsupdate\.com/.*\.(cab|exe|ms[iufp]|[ap]sf|wm[va]|dat|zip|psf) 43200 80% 129600 reload-into-ims
refresh_pattern -i microsoft\.com/.*\.(cab|exe|ms[iufp]|[ap]sf|wm[va]|dat|zip|psf) 43200 80% 129600 reload-into-ims
refresh_pattern -i windows\.com/.*\.(cab|exe|ms[iufp]|[ap]sf|wm[va]|dat|zip|psf) 43200 80% 129600 reload-into-ims
refresh_pattern -i microsoft\.com\.akadns\.net/.*\.(cab|exe|ms[iufp]|[ap]sf|wm[va]|dat|zip|psf) 43200 80% 129600 reload-into-ims
refresh_pattern -i deploy\.akamaitechnologies\.com/.*\.(cab|exe|ms[iufp]|[ap]sf|wm[va]|dat|zip|psf) 43200 80% 129600 reload-into-ims
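To see what the numbers in these lines mean, the following Python sketch (an added example, not part of the original article and not Squid's own code) parses two of the patterns, picks the first rule that matches a URL, and applies a simplified form of the freshness rule summarised in Squid's configuration documentation. The helper names and sample URLs are constructed for this example; explicit Expires/Cache-Control headers and the effect of `reload-into-ims` are deliberately left out.

```python
import re
from dataclasses import dataclass

# Constructed sample: the first two patterns from the article, with the
# character classes written as [iufp] / [va] and the host dots escaped.
EXT = r"\.(cab|exe|ms[iufp]|[ap]sf|wm[va]|dat|zip|psf)"
CONFIG = [
    rf"refresh_pattern -i windowsupdate\.com/.*{EXT} 43200 80% 129600 reload-into-ims",
    rf"refresh_pattern -i microsoft\.com/.*{EXT} 43200 80% 129600 reload-into-ims",
]

@dataclass
class Rule:
    regex: re.Pattern
    min_s: int    # squid.conf states min and max in minutes; stored as seconds
    pct: float
    max_s: int
    options: tuple

def parse_refresh_pattern(line):
    """Parse 'refresh_pattern [-i] regex min percent% max [options...]'."""
    tok = line.split()
    if len(tok) < 5 or tok[0] != "refresh_pattern":
        raise ValueError(f"not a refresh_pattern line: {line!r}")
    flags = re.IGNORECASE if tok[1] == "-i" else 0
    regex, mn, pct, mx, *opts = tok[2:] if flags else tok[1:]
    return Rule(re.compile(regex, flags), int(mn) * 60,
                float(pct.rstrip("%")) / 100, int(mx) * 60, tuple(opts))

def first_match(rules, url):
    """Squid applies the first refresh_pattern whose regex matches the URL."""
    return next((r for r in rules if r.regex.search(url)), None)

def is_fresh(rule, age_s, lastmod_delta_s=None):
    """Simplified freshness check for an object with no explicit expiry.

    age_s: seconds since the object was fetched.
    lastmod_delta_s: fetch time minus Last-Modified, or None if unknown.
    """
    if age_s > rule.max_s:                       # older than max: stale
        return False
    if lastmod_delta_s and lastmod_delta_s > 0:  # LM-factor rule
        return age_s / lastmod_delta_s < rule.pct
    return age_s < rule.min_s                    # otherwise the min rule

RULES = [parse_refresh_pattern(l) for l in CONFIG]
DAY = 86400

if __name__ == "__main__":
    url = "http://download.windowsupdate.com/c/constructed/sample-kb.cab"
    rule = first_match(RULES, url)
    print(rule.min_s // DAY, rule.max_s // DAY)
    print(is_fresh(rule, 10 * DAY, 100 * DAY), is_fresh(rule, 100 * DAY))
```

The min and max values of 43200 and 129600 are minutes, i.e. 30 and 90 days. The patterns have no end anchor, so a URL such as `.../a.zip.html` on a matching host is also covered by the rule.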
After all changes, a final Save applies the configuration.
One last thing to check is the Squid Proxy Server Service status and, if necessary, start the service from the pfSense > Status > Services panel.
Hello Michele,
I am looking for a free and simple solution to isolate my network on my ESXi, this seems to be fine. If I understand correctly, above your ESXi, just a basic unmanageable switch and the router of your internet service provider?
Thanks for this tutorial for installing pfSense on a VMware homelab! I can’t wait to read the rest, keep on reading.
Jérémy
Hi Jeremy,
Yes, you are right! This is all you need and also what I use in my homelab. pfSense has loads of different configurations and use cases. To keep this simple, I would recommend to have one pfSense network card talking to your ISP router. All the rest can be on dedicated VLANs on a separate network card. Let’s say, this way if you need to reboot the router, at least everything will use default settings. Of course there are FW rules you can put in place to allow specific connections/protocols/ports etc. I hope to cover this in the next pfSense articles hopefully next weekend. Simple FW configuration to get started. Would be great to hear/share from the Community! 🙂
Thanks for your comment and happy reading!
Kind Regards,
Michele