[squid-users] Re: [dansguardian] Re: DG without Squid

2009-05-23 Thread RSCL Mumbai
> My recommendation is to get your routing issue (different source IPs to 
> different ISPs) working first, and only then implement some kind of 
> filtering. It's nice to "plan ahead" to try to ensure the solution to one 
> problem doesn't "interfere" with the solution to the other problem. But don't 
> fall into the trap of thinking there must be just one solution to the two 
> separate problems (or even that the two solutions have anything to do with 
> each other, which they may not).


Hi,

Without DG & Squid, IPRoute2 rules work great in routing requests via
specific gateways based on SRC IP (client PC IP).

The moment Squid is implemented, the rules stop working. When I say
"the rules stop working", what I mean is that all requests are routed
via the default g/w. On analysing, it was found that the SRC IP of the
packets was always 127.0.0.1.

In this given context, do you think there is any tweak to get
client PC (SRC IP) based routing via multiple ISPs?

Thanks for your inputs.

Best regards,
Vai
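
The following is an added example, not part of the thread and not code from Squid or DansGuardian. It ties together the 127.0.0.1 observation above and the tcp_outgoing_address attempts further down the page. Two points the thread never spells out: the `myip` ACL used in the posted squid.conf matches the proxy's own listening address, not the client, so `src` is the ACL type that keys on the client; and with DansGuardian in front, Squid sees every request arriving from 127.0.0.1, so the real client is only known if DG adds an X-Forwarded-For header (dansguardian.conf `forwardedfor = on`, assumed here) and Squid is told to trust that header from localhost alone, which stops a client from choosing its own ISP by forging the header. The script emits the squid.conf fragment and the iproute2 commands for one hypothetical mapping of my choosing (gateways 192.168.1.1/.2/.3, proxy 192.168.1.4 with aliases .5/.6 on eth0, clients 192.168.1.100-106, table IDs and ACL names invented), and prints the commands instead of running them unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the thread: per-client-group policy routing for a
# DansGuardian -> Squid chain on one box with one NIC.  Addresses, table
# numbers and ACL names are a hypothetical reading of the thread:
#   gateways 192.168.1.1/.2/.3, proxy 192.168.1.4 plus aliases .5/.6 on eth0,
#   clients 192.168.1.100-106.  Prints the commands unless DRY_RUN=0.
DRY_RUN="${DRY_RUN:-1}"
IFACE="${IFACE:-eth0}"
LAN="${LAN:-192.168.1.0/24}"

# table  source-alias  gateway      squid-acl  clients...
ISP_MAP='
10 192.168.1.4 192.168.1.1 grp_isp1 192.168.1.100 192.168.1.101
20 192.168.1.5 192.168.1.2 grp_isp2 192.168.1.102 192.168.1.103 192.168.1.104
30 192.168.1.6 192.168.1.3 grp_isp3 192.168.1.105 192.168.1.106
'

run() { if [ "$DRY_RUN" = 0 ]; then "$@"; else echo "$*"; fi; }

# Kernel side.  Squid terminates the intercepted TCP session, so an iptables
# mark on the client's packet never reaches the new connection Squid opens.
# What does survive is the SOURCE address Squid binds with
# (tcp_outgoing_address), so each rule selects a table by "from" address.
# Every table also needs the LAN route: the "from" rule catches every packet
# sourced from that alias, including replies to clients on the LAN.
routing_cmds() {
    echo "$ISP_MAP" | while read -r tbl alias gw acl clients; do
        [ -z "$tbl" ] && continue
        run ip addr add "$alias/24" dev "$IFACE"      # errors harmlessly if present
        run ip route add "$LAN" dev "$IFACE" table "$tbl"
        run ip route add default via "$gw" dev "$IFACE" table "$tbl"
        run ip rule add from "$alias" table "$tbl" priority "$tbl"
    done
    run ip route flush cache
}

# Squid side.  DansGuardian connects from 127.0.0.1, so the client is only
# known from X-Forwarded-For (dansguardian.conf: forwardedfor = on, assumed).
# Trust that header from localhost ONLY; otherwise a client can forge it and
# pick its own ISP.  "myip" would match the proxy's listening address, not
# the client, which is why the ACLs below use "src".
squid_conf() {
    cat <<'EOF'
acl localhost src 127.0.0.1/32
follow_x_forwarded_for allow localhost
follow_x_forwarded_for deny all
acl_uses_indirect_client on
# A pooled server connection bound to one alias must not be reused for a
# client in another group.
server_persistent_connections off
EOF
    echo "$ISP_MAP" | while read -r tbl alias gw acl clients; do
        [ -z "$tbl" ] && continue
        echo "acl $acl src $clients"
    done
    echo "$ISP_MAP" | while read -r tbl alias gw acl clients; do
        [ -z "$tbl" ] && continue
        echo "tcp_outgoing_address $alias $acl"
    done
}

routing_cmds
echo "# ---- squid.conf fragment ----"
squid_conf
```

Run it as root with `DRY_RUN=0` once the printed commands look right for your addressing. Clients whose address matches no `src` ACL get no tcp_outgoing_address and leave via the main table, i.e. the default gateway, which is the behaviour the thread started from. The tcp_outgoing_tos route Amos mentions is the alternative if you would rather keep working with marks: Squid sets a TOS on its own outbound socket, an iptables mangle OUTPUT rule turns that TOS into a fwmark, and `ip rule add fwmark N table N` selects the table; that works for Squid's packets because the kernel re-routes locally generated packets after the mangle OUTPUT chain, which is exactly what the intercepted client packets never get.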


Re: [squid-users] 3 ISPs: Routing problem

2009-05-20 Thread RSCL Mumbai
On Wed, May 20, 2009 at 3:06 AM, Chris Robertson wrote:
> RSCL Mumbai wrote:
>>
>> On Sun, May 17, 2009 at 11:37 AM, Amos Jeffries wrote:
>>
>>>
>>> RSCL Mumbai wrote:
>>>>
>>>> I tried "tcp_outgoing_address" by adding the following to squid.conf
>>>>
>>>> acl ip1 myip 10.0.0.120
>>>> acl ip2 myip 10.0.0.121
>>>> acl ip3 myip 10.0.0.122
>>>> tcp_outgoing_address 10.0.0.120 ip1
>>>> tcp_outgoing_address 10.0.0.121 ip2
>>>> tcp_outgoing_address 10.0.0.122 ip3
>>>>
>>>> Restarted squid, but no help.
>>>>
>>>> Pls help how I can get the route rules to work.
>>>>
>>>> Simple requirement:
>>>> If packets come from src=10.0.0.120, forward them via ISP-1
>>>> If packets come from src=10.0.0.121, forward them via ISP-2
>>>> If packets come from src=10.0.0.122, forward them via ISP-3
>>>> And so forth.
>>>>
>>>> Thx in advance.
>>>> Vai
>>>>
>>>
>>> To prevent the first (default) one being used  you may need to do:
>>>
>>>  tcp_outgoing_address 10.0.0.120 ip1 !ip2 !ip3
>>>  tcp_outgoing_address 10.0.0.121 ip2 !ip1 !ip3
>>>  tcp_outgoing_address 10.0.0.122 ip3 !ip1 !ip2
>>>
>>
>>
>> I do not have 5 real interfaces for 5 ISPs.
>> And I believe virtual interfaces will not work in this scenario.
>>
>
> Works for me (Squid 2.7, Linux kernel 2.6.9+, one physical interface, two
> IPs)  Be sure to set "server_persistent_connections off" in your squid.conf.

I have them off. My squid.conf as below
~~
client_persistent_connections off
server_persistent_connections off
~~

Chris, if possible, can you pls share your acl rules for "tcp_outgoing_address".
Just want to make sure my rules are correct.
I tried with 2 nics and it did not work.

Also, I have to manage 5 ISPs.
I do not have the possibility of adding 5 lan cards in my server.

I read on the net that IPTables and route2 do not support virtual interfaces.

Looks like I have limited / no options here.

Thx.

Vai


Re: [squid-users] 3 ISPs: Routing problem

2009-05-18 Thread RSCL Mumbai
On Sun, May 17, 2009 at 11:37 AM, Amos Jeffries wrote:
> RSCL Mumbai wrote:
>>
>> On Fri, May 15, 2009 at 10:38 AM, Amos Jeffries wrote:
>>>
>>> RSCL Mumbai wrote:
>>>>
>>>> On Thu, May 14, 2009 at 4:33 PM, Jeff Pang wrote:
>>>>>
>>>>> RSCL Mumbai:
>>>>>
>>>>>> What I would like to configure is "specific G/ws for specific
>>>>>> clients".
>>>>>>
>>>>>> 192.168.1.100 to use G/w 192.168.1.1
>>>>>> 192.168.1.101 to use G/w 192.168.1.1
>>>>>> 192.168.1.102 to use G/w 192.168.1.2
>>>>>> 192.168.1.103 to use G/w 192.168.1.2
>>>>>> 192.168.1.104 to use G/w 192.168.1.2
>>>>>> 192.168.1.105 to use G/w 192.168.1.3
>>>>>> 192.168.1.106 to use G/w 192.168.1.3
>>>>>>
>>>>
>>>>
>>>> I just found out that squid is removing the marking on the packet:
>>>> This is what I am doing:
>>>>
>>>> (1) I marked packets coming from 10.0.0.120 to port 80, with "mark1"
>>>> (mark1 corresponds to isp1)
>>>> (2) I added a route rule which says that all packets having mark 1
>>>> will be routed through ISP 1
>>>>
>>>> But the packets are not routing via ISP1
>>>>
>>>> When I disable the squid redirection rule in IPTables (port 80 redirection
>>>> to 3128 squid), the markings are maintained and packets route via
>>>> ISP1.
>>>>
>>>> Now the big question is why is squid removing the marking ??
>>>
>>> Because the packets STOP at their destination software.
>>> Normally the destination is a web server. When you NAT (redirect) a
>>> packet
>>> to Squid it STOPS there and gets read by Squid instead of passing on to
>>> the
>>> web server.
>>>
>>> IF Squid needs to fetch the HTTP object requested from the network a
>>> brand
>>> new TCP connection will be created only from Squid to the web server.
>>>
>>>> And how can this be prevented ??
>>>
>>> By not intercepting packets. As you already noticed.
>>>
>>>
>>> Squid offers alternatives, tcp_outgoing_address has already been
>>> mentioned.
>>> tcp_outgoing_tos is an alternative that allows you to mark packets
>>> leaving
>>> Squid.
>>
>> I tried "tcp_outgoing_address" by adding the following to squid.conf
>>
>> acl ip1 myip 10.0.0.120
>> acl ip2 myip 10.0.0.121
>> acl ip3 myip 10.0.0.122
>> tcp_outgoing_address 10.0.0.120 ip1
>> tcp_outgoing_address 10.0.0.121 ip2
>> tcp_outgoing_address 10.0.0.122 ip3
>>
>> Restarted squid, but no help.
>>
>> Pls help how I can get the route rules to work.
>>
>> Simple requirement:
>> If packets come from src=10.0.0.120, forward them via ISP-1
>> If packets come from src=10.0.0.121, forward them via ISP-2
>> If packets come from src=10.0.0.122, forward them via ISP-3
>> And so forth.
>>
>> Thx in advance.
>> Vai
>
> To prevent the first (default) one being used  you may need to do:
>
>  tcp_outgoing_address 10.0.0.120 ip1 !ip2 !ip3
>  tcp_outgoing_address 10.0.0.121 ip2 !ip1 !ip3
>  tcp_outgoing_address 10.0.0.122 ip3 !ip1 !ip2


I do not have 5 real interfaces for 5 ISPs.
And I believe virtual interfaces will not work in this scenario.

Any other option pls ??

Thx & regards,
Vai


Re: [squid-users] 3 ISPs: Routing problem

2009-05-15 Thread RSCL Mumbai
On Sat, May 16, 2009 at 10:58 AM, Jeff Pang wrote:
> RSCL Mumbai:
>>
>> On Sat, May 16, 2009 at 9:50 AM, Jeff Pang wrote:
>>>
>>> RSCL Mumbai:
>>>
>>>> I tried "tcp_outgoing_address" by adding the following to squid.conf
>>>>
>>>> acl ip1 myip 10.0.0.120
>>>> acl ip2 myip 10.0.0.121
>>>> acl ip3 myip 10.0.0.122
>>>> tcp_outgoing_address 10.0.0.120 ip1
>>>> tcp_outgoing_address 10.0.0.121 ip2
>>>> tcp_outgoing_address 10.0.0.122 ip3
>>>>
>>>> Restarted squid, but no help.
>>>>
>>> It might be:
>>>
>>> tcp_outgoing_address ISP1_IP_ADDRESS ip1
>>> tcp_outgoing_address ISP2_IP_ADDRESS ip2
>>> tcp_outgoing_address ISP3_IP_ADDRESS ip3
>>>
>>> replace ISP{x}_IP_ADDRESS with real IPs.
>>
>>
>>
>>
>> On a different note, can I set up an iproute2 rule using the X-Forwarded-For
>> IP address?
>> I believe this can solve my problem.
>>
>
> I don't think so.
> b/c x-forwarded-for is a http header element.


Hmm... Any other option to route packets via a specific internet g/w
based on the client IP?


Thx
Vai


Re: [squid-users] 3 ISPs: Routing problem

2009-05-15 Thread RSCL Mumbai
On Sat, May 16, 2009 at 9:50 AM, Jeff Pang wrote:
> RSCL Mumbai:
>
>>
>> I tried "tcp_outgoing_address" by adding the following to squid.conf
>>
>> acl ip1 myip 10.0.0.120
>> acl ip2 myip 10.0.0.121
>> acl ip3 myip 10.0.0.122
>> tcp_outgoing_address 10.0.0.120 ip1
>> tcp_outgoing_address 10.0.0.121 ip2
>> tcp_outgoing_address 10.0.0.122 ip3
>>
>> Restarted squid, but no help.
>>
>
> It might be:
>
> tcp_outgoing_address ISP1_IP_ADDRESS ip1
> tcp_outgoing_address ISP2_IP_ADDRESS ip2
> tcp_outgoing_address ISP3_IP_ADDRESS ip3
>
> replace ISP{x}_IP_ADDRESS with real IPs.




On a different note, can I set up an iproute2 rule using the X-Forwarded-For IP address?
I believe this can solve my problem.

Thx
Vai


Re: [squid-users] 3 ISPs: Routing problem

2009-05-15 Thread RSCL Mumbai
On Fri, May 15, 2009 at 10:38 AM, Amos Jeffries wrote:
> RSCL Mumbai wrote:
>>
>> On Thu, May 14, 2009 at 4:33 PM, Jeff Pang wrote:
>>>
>>> RSCL Mumbai:
>>>
>>>> What I would like to configure is "specific G/ws for specific
>>>> clients".
>>>>
>>>> 192.168.1.100 to use G/w 192.168.1.1
>>>> 192.168.1.101 to use G/w 192.168.1.1
>>>> 192.168.1.102 to use G/w 192.168.1.2
>>>> 192.168.1.103 to use G/w 192.168.1.2
>>>> 192.168.1.104 to use G/w 192.168.1.2
>>>> 192.168.1.105 to use G/w 192.168.1.3
>>>> 192.168.1.106 to use G/w 192.168.1.3
>>>>
>>
>>
>>
>> I just found out that squid is removing the marking on the packet:
>> This is what I am doing:
>>
>> (1) I marked packets coming from 10.0.0.120 to port 80, with "mark1"
>> (mark1 corresponds to isp1)
>> (2) I added a route rule which says that all packets having mark 1
>> will be routed through ISP 1
>>
>> But the packets are not routing via ISP1
>>
>> When I disable the squid redirection rule in IPTables (port 80 redirection
>> to 3128 squid), the markings are maintained and packets route via
>> ISP1.
>>
>> Now the big question is why is squid removing the marking ??
>
> Because the packets STOP at their destination software.
> Normally the destination is a web server. When you NAT (redirect) a packet
> to Squid it STOPS there and gets read by Squid instead of passing on to the
> web server.
>
> IF Squid needs to fetch the HTTP object requested from the network a brand
> new TCP connection will be created only from Squid to the web server.
>
>> And how can this be prevented ??
>
> By not intercepting packets. As you already noticed.
>
>
> Squid offers alternatives, tcp_outgoing_address has already been mentioned.
> tcp_outgoing_tos is an alternative that allows you to mark packets leaving
> Squid.

I tried "tcp_outgoing_address" by adding the following to squid.conf

acl ip1 myip 10.0.0.120
acl ip2 myip 10.0.0.121
acl ip3 myip 10.0.0.122
tcp_outgoing_address 10.0.0.120 ip1
tcp_outgoing_address 10.0.0.121 ip2
tcp_outgoing_address 10.0.0.122 ip3

Restarted squid, but no help.

Pls help how I can get the route rules to work.

Simple requirement:
If packets come from src=10.0.0.120, forward them via ISP-1
If packets come from src=10.0.0.121, forward them via ISP-2
If packets come from src=10.0.0.122, forward them via ISP-3
And so forth.

Thx in advance.
Vai


[squid-users] tcp_outgoing_address Not working

2009-05-15 Thread RSCL Mumbai
Hi,

I have setup "tcp_outgoing_address" as follows:

---
acl ip1 myip 10.0.0.120
acl ip2 myip 10.0.0.121
acl ip3 myip 10.0.0.122
tcp_outgoing_address 10.0.0.120 ip1
tcp_outgoing_address 10.0.0.121 ip2
tcp_outgoing_address 10.0.0.122 ip3
--

I have route2 rules which will change the g/w IP for the packets based
on the above rules.
Example: if SRC=10.0.0.120 then G/w=10.0.0.1, etc.


tcp_outgoing_address does not seem to be working; how can I verify whether
the SOURCE_IP is maintained?

ELSE:
Where else should I check to learn why the SRC IP is not maintained.

Please help.

Thx
Vai
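
The question of how to verify that the source IP is kept can be answered on the proxy itself. The snippet below is an added example (mine, not from the thread and not a Squid tool): it reads `netstat -tnp` output and counts Squid's established connections to ports 80/443 by local address. The netstat lines it runs on are constructed sample output using hypothetical proxy aliases 192.168.1.4/.5/.6, not anything captured from the poster's server. If tcp_outgoing_address is being honoured, one local address per client group shows up; if every outbound line carries the primary address, the ACLs are not matching (for instance because they key on `myip`, which is the proxy's own address, rather than the client's `src`).

```shell
#!/bin/sh
# Added example (not from the thread): check which local address Squid's
# outbound connections are bound to.  If tcp_outgoing_address is honoured
# you should see one local IP per client group; if every line shows the
# primary address, the ACLs never matched.

# "netstat -tnp" lines as printed on Linux.  Constructed sample data with
# hypothetical addresses, not captured from the poster's server.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.5:45812       93.184.216.34:80        ESTABLISHED 2104/squid
tcp        0      0 127.0.0.1:3128          127.0.0.1:51022         ESTABLISHED 2104/squid
tcp        0      0 192.168.1.4:45813       93.184.216.34:80        ESTABLISHED 2104/squid
tcp        0      0 192.168.1.6:45814       198.51.100.10:443       ESTABLISHED 2104/squid
tcp        0      0 192.168.1.5:45815       198.51.100.10:80        ESTABLISHED 2104/squid
tcp        0      0 127.0.0.1:51022         127.0.0.1:3128          ESTABLISHED 1987/dansguardian
tcp        0      0 192.168.1.4:45816       93.184.216.34:80        TIME_WAIT   -'

# outbound_sources [process-name]: read "netstat -tnp" output on stdin, keep
# the ESTABLISHED connections owned by that process whose peer port is 80 or
# 443, and print "local-ip count" sorted by IP.  IPv4 only (one colon per
# address); the DG->Squid loopback sessions are excluded by the port test.
outbound_sources() {
    proc="${1:-squid}"
    awk -v proc="$proc" '
        $1 == "tcp" && $6 == "ESTABLISHED" && $7 ~ ("/" proc "$") {
            split($4, l, ":"); split($5, f, ":")
            if (f[2] == "80" || f[2] == "443") n[l[1]]++
        }
        END { for (ip in n) print ip, n[ip] }' | sort
}

# With the sample above this prints one line per alias in use.
echo "$SAMPLE" | outbound_sources squid

# Live use on the proxy:  netstat -tnp | outbound_sources squid
```

For the kernel side, `ip route get 93.184.216.34 from 192.168.1.5` prints the gateway and table a packet sourced from that alias would take without sending anything, so you can confirm the `ip rule`/table pair for each alias before touching Squid. `tcpdump -eni eth0 src host 192.168.1.5 and tcp dst port 80` then shows the destination MAC of the real packets, which should be the MAC of that alias's ISP gateway rather than the default one.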


Re: [squid-users] 3 ISPs: Routing problem

2009-05-14 Thread RSCL Mumbai
On Thu, May 14, 2009 at 4:33 PM, Jeff Pang wrote:
> RSCL Mumbai:
>
>>
>> What I would like to configure is "specific G/ws for specific
>> clients".
>>
>> 192.168.1.100 to use G/w 192.168.1.1
>> 192.168.1.101 to use G/w 192.168.1.1
>> 192.168.1.102 to use G/w 192.168.1.2
>> 192.168.1.103 to use G/w 192.168.1.2
>> 192.168.1.104 to use G/w 192.168.1.2
>> 192.168.1.105 to use G/w 192.168.1.3
>> 192.168.1.106 to use G/w 192.168.1.3
>>



I just found out that squid is removing the marking on the packet:
This is what I am doing:

(1) I marked packets coming from 10.0.0.120 to port 80, with "mark1"
(mark1 corresponds to isp1)
(2) I added a route rule which says that all packets having mark 1
will be routed through ISP 1

But the packets are not routing via ISP1

When I disable the squid redirection rule in IPTables (port 80 redirection
to 3128 squid), the markings are maintained and packets route via
ISP1.

Now the big question is why is squid removing the marking ??
And how can this be prevented ??


Thx
Vai


[squid-users] 3 ISPs: Routing problem

2009-05-14 Thread RSCL Mumbai
Hi,

I have 3 ISPs:
192.168.1.1 (this is our default G/w)
192.168.1.2 (Backup ISP-1)
192.168.1.3 (Backup ISP-2)

FC9 Server is 192.168.1.4 (Squid + DG)

Clients are 192.168.1.100, 101, 102... 120

Squid + DG are working fine as content filter and cache.
All requests from clients are processed by SQUID+DG and sent out via
the default g/w 192.168.1.1.

What I would like to configure is "specific G/ws for specific clients".

192.168.1.100 to use G/w 192.168.1.1
192.168.1.101 to use G/w 192.168.1.1
192.168.1.102 to use G/w 192.168.1.2
192.168.1.103 to use G/w 192.168.1.2
192.168.1.104 to use G/w 192.168.1.2
192.168.1.105 to use G/w 192.168.1.3
192.168.1.106 to use G/w 192.168.1.3

But proxy requests sent via squid only go out via the default g/w.

I have tried IPRoute2. iproute2 works if SQUID is disabled.
The packets do not follow IPROUTE2 rules post-squid processing.

Pls help.
All suggestions & pointers are warmly welcome.

Thx
Vai