Sorry for being so stupid but I just cannot get this working.

ifconfig vio0 rdomain 1
ifconfig vio0 192.168.10.1/24
route -T1 add default 192.168.10.250
route -T1 add 127/8 127.0.0.1
ifconfig lo1 inet 127.0.0.1/8 rdomain 1

ifconfig vio1 rdomain 2
ifconfig vio1 192.168.10.2/24
route -T2 add default 192.168.10.251
route -T2 add 127/8 127.0.0.1
ifconfig lo2 inet 127.0.0.1/8 rdomain 2

ifconfig vio2 rdomain 3
ifconfig vio2 192.168.10.3/24
route -T3 add default 192.168.10.252
route -T3 add 127/8 127.0.0.1
ifconfig lo3 inet 127.0.0.1/8 rdomain 3

If executing the traceroute with certain routing tables the traffic goes out on the correct GW, that is ok. However executing the ping with different routing tables T1/T2/T3 the ping always goes out from the base route on T0. When I run the squid on T3 for example the port becomes open on 0.0.0.0:3129 if I list it with netstat -T3 but from that point it's not reachable from the lan.

I have now added 3 virtual interfaces. I doubt they are really needed.

Any ideas?

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, June 28, 2019 9:47 AM, slackwaree <slackwa...@protonmail.com> wrote:

> Hello,
>
> That worked however it was not the root cause of the requests hanging and did not get rid of these warnings:
>
> 2019/06/28 09:37:02| Created PID file (/var/run/squid.pid)
> 2019/06/28 09:37:02 kid1| WARNING: (B) '127.0.0.1' is a subnetwork of (A) '127.0.0.1'
> 2019/06/28 09:37:02 kid1| WARNING: because of this '127.0.0.1' is ignored to keep splay tree searching predictable
> 2019/06/28 09:37:02 kid1| WARNING: You should probably remove '127.0.0.1' from the ACL named 'localhost'
> 2019/06/28 09:37:02 kid1| WARNING: (B) '127.0.0.1' is a subnetwork of (A) '127.0.0.1'
> 2019/06/28 09:37:02 kid1| WARNING: because of this '127.0.0.1' is ignored to keep splay tree searching predictable
> 2019/06/28 09:37:02 kid1| WARNING: You should probably remove '127.0.0.1' from the ACL named 'localhost'
> 2019/06/28 09:37:02 kid1| WARNING: (B) '::1' is a subnetwork of (A) '::1'
> 2019/06/28 09:37:02 kid1| WARNING: because of this '::1' is ignored to keep splay tree searching predictable
> 2019/06/28 09:37:02 kid1| WARNING: You should probably remove '::1' from the ACL named 'localhost'
> 2019/06/28 09:37:02 kid1| WARNING: (B) '::1' is a subnetwork of (A) '::1'
> 2019/06/28 09:37:02 kid1| WARNING: because of this '::1' is ignored to keep splay tree searching predictable
> 2019/06/28 09:37:02 kid1| WARNING: You should probably remove '::1' from the ACL named 'localhost'
> 2019/06/28 09:37:02 kid1| WARNING: (B) '127.0.0.0/8' is a subnetwork of (A) '127.0.0.0/8'
> 2019/06/28 09:37:02 kid1| WARNING: because of this '127.0.0.0/8' is ignored to keep splay tree searching predictable
> 2019/06/28 09:37:02 kid1| WARNING: You should probably remove '127.0.0.0/8' from the ACL named 'to_localhost'
> 2019/06/28 09:37:02 kid1| WARNING: (B) '0.0.0.0' is a subnetwork of (A) '0.0.0.0'
> 2019/06/28 09:37:02 kid1| WARNING: because of this '0.0.0.0' is ignored to keep splay tree searching predictable
> 2019/06/28 09:37:02 kid1| WARNING: You should probably remove '0.0.0.0' from the ACL named 'to_localhost'
> 2019/06/28 09:37:02 kid1| WARNING: (B) '0.0.0.0' is a subnetwork of (A) '0.0.0.0'
> 2019/06/28 09:37:02 kid1| WARNING: because of this '0.0.0.0' is ignored to keep splay tree searching predictable
> 2019/06/28 09:37:02 kid1| WARNING: You should probably remove '0.0.0.0' from the ACL named 'to_localhost'
> 2019/06/28 09:37:02 kid1| WARNING: (B) '::1' is a subnetwork of (A) '::1'
> 2019/06/28 09:37:02 kid1| WARNING: because of this '::1' is ignored to keep splay tree searching predictable
> 2019/06/28 09:37:02 kid1| WARNING: You should probably remove '::1' from the ACL named 'to_localhost'
> 2019/06/28 09:37:02 kid1| WARNING: (B) '::1' is a subnetwork of (A) '::1'
> 2019/06/28 09:37:02 kid1| WARNING: because of this '::1' is ignored to keep splay tree searching predictable
> 2019/06/28 09:37:02 kid1| WARNING: You should probably remove '::1' from the ACL named 'to_localhost'
> 2019/06/28 09:37:02 kid1| ERROR: Directive 'url_rewrite_concurrency' is obsolete.
> 2019/06/28 09:37:02 kid1| WARNING: url_rewrite_concurrency upgrade overriding url_rewrite_children settings.
> WARNING: Cannot write log file: syslog:daemon.info
> syslog:daemon.info: Permission denied
> messages will be sent to 'stderr'.
> 2019/06/28 09:37:02 kid1| Set Current Directory to /var/spool/squid
> 2019/06/28 09:37:03 kid1| Starting Squid Cache version 4.6 for x86_64-unknown-openbsd6.5...
> 2019/06/28 09:37:03 kid1| Service Name: squid
> 2019/06/28 09:37:03 kid1| Process ID 51791
> 2019/06/28 09:37:03 kid1| Process Roles: worker
> 2019/06/28 09:37:03 kid1| With 1024 file descriptors available
> 2019/06/28 09:37:03 kid1| Initializing IP Cache...
> 2019/06/28 09:37:03 kid1| DNS Socket created at [::], FD 6
> 2019/06/28 09:37:03 kid1| DNS Socket created at 0.0.0.0, FD 7
> 2019/06/28 09:37:03 kid1| Adding nameserver 4.2.2.1 from /etc/resolv.conf
> 2019/06/28 09:37:03 kid1| helperOpenServers: Starting 0/1 'squidGuard' processes
> 2019/06/28 09:37:03 kid1| helperOpenServers: No 'squidGuard' processes needed.
> 2019/06/28 09:37:03 kid1| Logfile: opening log syslog:daemon.info
> 2019/06/28 09:37:03 kid1| Store logging disabled
> 2019/06/28 09:37:03 kid1| Swap maxSize 0 + 65536 KB, estimated 5041 objects
> 2019/06/28 09:37:03 kid1| Target number of buckets: 252
> 2019/06/28 09:37:03 kid1| Using 8192 Store buckets
> 2019/06/28 09:37:03 kid1| Max Mem size: 65536 KB
> 2019/06/28 09:37:03 kid1| Max Swap size: 0 KB
> 2019/06/28 09:37:03 kid1| Using Least Load store dir selection
> 2019/06/28 09:37:03 kid1| Set Current Directory to /var/spool/squid
> 2019/06/28 09:37:03 kid1| Finished loading MIME types and icons.
> 2019/06/28 09:37:03 kid1| HTCP Disabled.
> 2019/06/28 09:37:03 kid1| Adaptation support is off.
> 2019/06/28 09:37:03 kid1| Accepting HTTP Socket connections at local=0.0.0.0:3129 remote=[::] FD 8 flags=9
> 2019/06/28 09:37:03 kid1| Accepting HTTP Socket connections at local=0.0.0.0:3129 remote=[::] FD 9 flags=9
> 2019/06/28 09:37:04 kid1| storeLateRelease: released 0 objects
> 2019/06/28 09:37:32 kid1| Starting new redirector helpers...
> 2019/06/28 09:37:32 kid1| helperOpenServers: Starting 1/1 'squidGuard' processes
>
> The issue was that the nameserver was taken from the local 192.168.10 network which was not present in T3 so the requests were hanging forever but after replacing it with 4.2.2.1 it worked because the defgw is set.
>
> Now I also start to understand why did you say that I will need 3 ips because if squid opens the port on 3129 that is only open and reachable in T3 I don't even see it in netstat so I can only do:
>
> curl -x http://127.0.0.1:3129/ -L https://www.myip.com/
>
> instead of
>
> curl -x http://192.168.10.1:3129/ -L https://www.myip.com/
>
> and therefore the squid is unreachable right now from the .10. network for other machines as well. Since this is a VM multiple solutions would be possible. First I could just add 2 more virtual interfaces being bridged into the same 192.168.10.x network.
>
> Would this be possible by just having 1 virtual interface vio0 and using ip aliases for the other ips?
>
> Thanks.
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Thursday, June 27, 2019 10:29 PM, Sebastian Benoit benoit-li...@fb12.de wrote:
>
> > slackwaree(slackwa...@protonmail.com) on 2019.06.26 13:11:19 +0000:
> >
> > > Hello,
> > > Well this is not so simple as it looks but I have made success with traceroute.
> > > route -T1 exec '/usr/sbin/traceroute' -n
> > > route -T2 exec '/usr/sbin/traceroute' -n
> > > route -T3 exec '/usr/sbin/traceroute' -n
> > > Goes out on proper gateways so it works.
> > > For Squid things get a little bit more complicated.
> > > For example I use squidguard which is spawned by squid so I don't know if the alternative routing table applied to this as well.
> > > |-+= 03951 root /usr/local/sbin/squid
> > > | \--- 06369 _squid (squid-1) --kid squid-1 (squid)
> > > When I start squid I get:
> > > route -T3 exec '/usr/local/sbin/squid'
> > > 2019/06/26 14:50:35| WARNING: (B) '127.0.0.1' is a subnetwork of (A) '127.0.0.1'
> > > 2019/06/26 14:50:35| WARNING: because of this '127.0.0.1' is ignored to keep splay tree searching predictable
> > > 2019/06/26 14:50:35| WARNING: You should probably remove '127.0.0.1' from the ACL named 'localhost'
> > > 2019/06/26 14:50:35| WARNING: (B) '127.0.0.1' is a subnetwork of (A) '127.0.0.1'
> > > 2019/06/26 14:50:35| WARNING: because of this '127.0.0.1' is ignored to keep splay tree searching predictable
> > > 2019/06/26 14:50:35| WARNING: You should probably remove '127.0.0.1' from the ACL named 'localhost'
> > > 2019/06/26 14:50:35| WARNING: (B) '::1' is a subnetwork of (A) '::1'
> > > 2019/06/26 14:50:35| WARNING: because of this '::1' is ignored to keep splay tree searching predictable
> > > 2019/06/26 14:50:35| WARNING: You should probably remove '::1' from the ACL named 'localhost'
> > > 2019/06/26 14:50:35| WARNING: (B) '::1' is a subnetwork of (A) '::1'
> > > 2019/06/26 14:50:35| WARNING: because of this '::1' is ignored to keep splay tree searching predictable
> > > 2019/06/26 14:50:35| WARNING: You should probably remove '::1' from the ACL named 'localhost'
> > > 2019/06/26 14:50:35| WARNING: (B) '127.0.0.0/8' is a subnetwork of (A) '127.0.0.0/8'
> > > 2019/06/26 14:50:35| WARNING: because of this '127.0.0.0/8' is ignored to keep splay tree searching predictable
> > > 2019/06/26 14:50:35| WARNING: You should probably remove '127.0.0.0/8' from the ACL named 'to_localhost'
> > > 2019/06/26 14:50:35| WARNING: (B) '0.0.0.0' is a subnetwork of (A) '0.0.0.0'
> > > 2019/06/26 14:50:35| WARNING: because of this '0.0.0.0' is ignored to keep splay tree searching predictable
> > > 2019/06/26 14:50:35| WARNING: You should probably remove '0.0.0.0' from the ACL named 'to_localhost'
> > > 2019/06/26 14:50:35| WARNING: (B) '0.0.0.0' is a subnetwork of (A) '0.0.0.0'
> > > 2019/06/26 14:50:35| WARNING: because of this '0.0.0.0' is ignored to keep splay tree searching predictable
> > > 2019/06/26 14:50:35| WARNING: You should probably remove '0.0.0.0' from the ACL named 'to_localhost'
> > > 2019/06/26 14:50:35| WARNING: (B) '::1' is a subnetwork of (A) '::1'
> > > 2019/06/26 14:50:35| WARNING: because of this '::1' is ignored to keep splay tree searching predictable
> > > 2019/06/26 14:50:35| WARNING: You should probably remove '::1' from the ACL named 'to_localhost'
> > > 2019/06/26 14:50:35| WARNING: (B) '::1' is a subnetwork of (A) '::1'
> > > 2019/06/26 14:50:35| WARNING: because of this '::1' is ignored to keep splay tree searching predictable
> > > 2019/06/26 14:50:35| WARNING: You should probably remove '::1' from the ACL named 'to_localhost'
> > > 2019/06/26 14:50:35| ERROR: Directive 'url_rewrite_concurrency' is obsolete.
> > > 2019/06/26 14:50:35| WARNING: url_rewrite_concurrency upgrade overriding url_rewrite_children settings.
> > > I see that this might be an issue of the loopback not being present on that table so I have added:
> > > route -T3 add -net 127.0.0.0/8 127.0.0.1
> > > route -T3 add -host localhost localhost
> >
> > just run
> > ifconfig lo3 inet 127.0.0.1/8 rdomain 3
> > route -T3 add 127/8 127.0.0.1
> > and you will get
> > route -T3 -n show
> > ==================
> > Routing tables
> > Internet:
> > Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
> > 127/8              127.0.0.1          UGS        0        0 32768     8 lo3
> > 127.0.0.1          127.0.0.1          UHhl       1        2 32768     1 lo3
> > Internet6:
> > Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
> > ::1                ::1                UHl        0        0 32768     1 lo3
> > fe80::1%lo3        fe80::1%lo3        UHl        0        0 32768     1 lo3
> > ff01::%lo3/32      fe80::1%lo3        Um         0        1 32768     4 lo3
> > ff02::%lo3/32      fe80::1%lo3        Um         0        1 32768     4 lo3
> >
> > > route -T3 show
> > > Routing tables
> > > Internet:
> > > Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
> > > default            192.168.10.252     UGS        0        5     -     8 vio0
> > > 127/8              localhost          UGS        0        1 32768     8 lo0
> > > localhost          localhost          UGHS       0        0 32768     8 lo0
> > > IPV4 I don't need.
> > > Maybe I did not add the localhost correctly?! since if I compare this with the main routing table I see different flags:
> > > 127/8              localhost          UGRS       0        0 32768     8 lo0
> > > localhost          localhost          UHhl       3       98 32768     1 lo0
> > > Anyway Squid starts with the mentioned warnings but any request I try to make through it hangs.
> > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > > On Monday, June 24, 2019 11:07 AM, Claudio Jeker cje...@diehard.n-r-g.com wrote:
> > >
> > > > On Mon, Jun 24, 2019 at 08:47:38AM +0000, slackwaree wrote:
> > > >
> > > > > Hello,
> > > > > Could you maybe provide a full case study for this as it is fairly uncommon task?
> > > > > Do you mean that I will also need +2 ip aliases next to the boxes main ip?
> > > >
> > > > No. You can use either option. The question is how are the proxy users talking to those 3 different proxies? If you want to use port 8080 for all of them you want 3 different IPs.
> > > >
> > > > > Eg instead of
> > > > > 192.168.10.1: 3128 3129 3130
> > > > > 192.168.10.1:3128 using gateway 192.168.10.250
> > > > > 192.168.10.2:3128 using gateway 192.168.10.251
> > > > > 192.168.10.3:3128 using gateway 192.168.10.252
> > > >
> > > > Try it out yourself. Create an extra table and run a proxy in it.
> > > > Use tools like tcpdump, nc, etc to check if it works.
> > > > Start with:
> > > > route -T1 add default 192.168.10.250
> > > > route -T1 exec "squid command to run ideal with debugging on"
> > > > :wq Claudio
> > > >
> > > > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > > > > On Friday, June 21, 2019 8:27 PM, Brian Brombacher brian.brombac...@planetunix.net wrote:
> > > > >
> > > > > > You'll also need PF rules to allow incoming traffic from your squid clients to go to the routing table where your squid process is running.
> > > > > >
> > > > > > > On Jun 21, 2019, at 10:28 AM, Claudio Jeker cje...@diehard.n-r-g.com wrote:
> > > > > > >
> > > > > > > > On Fri, Jun 21, 2019 at 02:11:53PM +0000, slackwaree wrote:
> > > > > > > > Hello,
> > > > > > > > I wonder if the following scenario can be solved with OpenBSD on 1 single machine or with VMM:
> > > > > > > > I got 3 OpenBSD vms, all of them are exactly the same running squid except they use different default routers to route their traffic out.
> > > > > > > > I would like to merge these to one VM if it is possible somehow to tell OpenBSD to use different gateway depending on the squid process.
> > > > > > > > If not would the same thing be possible with VMMs? All the gateways are in the same IP range.
> > > > > > >
> > > > > > > A simple way to solve this is with multiple routing tables.
> > > > > > > Create multiple routing tables with:
> > > > > > > route -T1 add default <gw1>
> > > > > > > route -T2 add default <gw2>
> > > > > > > route -T3 add default <gw3>
> > > > > > > And start the 3 squid processes with route -T1 exec, route -T2 exec.
> > > > > > > You can also use the *_rtable variable in rc.d(8) to do that automatically.
> > > > > > > This requires that the 3 squids listen on different IPs or ports.
> > > > > > > :wq Claudio
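
Added example, not part of any message in this thread: a small checker for the "route -T<n> -n show" output discussed above. It reports loopback routes that sit on an interface other than the one expected for that table, and a missing IPv4 default route. The function names and the idea of passing the expected loopback interface as an argument are assumptions made here; the two sample tables reuse the values posted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: audit `route -T<n> -n show` output.
# On OpenBSD:  route -T3 -n show | check_rtable lo3
# Prints one finding per line; no output means both checks passed.
check_rtable() {
    awk -v lo="$1" '
        /^Internet6:/ { fam = "inet6"; next }
        /^Internet:/  { fam = "inet";  next }
        # Route rows have 8 columns; skip headers and everything else.
        fam == "" || NF != 8 || $1 == "Destination" { next }
        fam == "inet" && $1 == "default" { have_default = 1 }
        # Loopback destinations, numeric (-n) or resolved ("localhost").
        $1 ~ "^127[./]" || $1 == "::1" || $1 == "localhost" {
            if ($8 != lo)
                printf "loopback route %s is on %s, expected %s\n", $1, $8, lo
        }
        END { if (!have_default) print "no IPv4 default route" }
    '
}

# Table 3 as first posted in the thread (loopback routes added by hand).
sample_first_attempt() {
    cat <<'EOF'
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            192.168.10.252     UGS        0        5     -     8 vio0
127/8              localhost          UGS        0        1 32768     8 lo0
localhost          localhost          UGHS       0        0 32768     8 lo0
EOF
}

# Table 3 as shown in the reply, after lo3 was placed in rdomain 3.
sample_after_lo3() {
    cat <<'EOF'
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
127/8              127.0.0.1          UGS        0        0 32768     8 lo3
127.0.0.1          127.0.0.1          UHhl       1        2 32768     1 lo3

Internet6:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
::1                ::1                UHl        0        0 32768     1 lo3
EOF
}

sample_first_attempt | check_rtable lo3
sample_after_lo3 | check_rtable lo3
```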