Re: [squid-users] Even/Odd SRC ACL

2014-06-27 Thread Nishant Sharma
Hi Francesco,

On Friday 27 June 2014 01:35 PM, Kinkie wrote:
> Hi Sharma,
> would using a "random" ACL for outgoing IP selection be good enough?
> 
> Francesco

"random" ACL with sticky outgoing IP per client to take care of HTTPS
and badly designed HTTP portals which log a user off if his/her source
IP changes.

Thanks & regards,
Nishant


Re: [squid-users] Even/Odd SRC ACL

2014-06-27 Thread Kinkie
Hi Sharma,
   would using a "random" ACL for outgoing IP selection be good enough?

Francesco

On Fri, Jun 27, 2014 at 9:18 AM, Nishant Sharma wrote:
>
> On Friday 27 June 2014 12:34 PM, Amos Jeffries wrote:
>> Ah, Squid-3 is using CIDR masking. Sorry should have remembered earlier
>> how strict this is.
>>
>> The two /25 subnets (or groups of /26 etc) is the way to go.
>
> Thanks for the clarification. So, would it be possible in future?
>
> I don't know how complicated it would be to implement.
>
> Thanks again.
>
> Regards,
> Nishant



-- 
Francesco


Re: [squid-users] Even/Odd SRC ACL

2014-06-27 Thread Nishant Sharma

On Friday 27 June 2014 12:34 PM, Amos Jeffries wrote:
> Ah, Squid-3 is using CIDR masking. Sorry should have remembered earlier
> how strict this is.
> 
> The two /25 subnets (or groups of /26 etc) is the way to go.

Thanks for the clarification. So, would it be possible in future?

I don't know how complicated it would be to implement.

Thanks again.

Regards,
Nishant


Re: [squid-users] Even/Odd SRC ACL

2014-06-27 Thread Amos Jeffries
On 27/06/2014 6:43 p.m., Nishant Sharma wrote:
> On Friday 27 June 2014 11:58 AM, Nishant Sharma wrote:
>>
>> On Friday 27 June 2014 10:05 AM, Amos Jeffries wrote:
>>>> acl even src 0.0.0.0/0.0.0.1
>>>> tcp_outgoing_address wan1 even
>>>> tcp_outgoing_address wan2 !even
>>>>
>> wan1 & wan2 in the config are the actual WAN IP Addresses (IPv4) and NAT
>> rules are properly set-up for both the WANs. If I divide the LAN into
>> two /25 subnets it works fine. But not with masked bits.
>>
>> Is there any debug option that I could enable to see how these ACLs are
>> being matched or by-passed? "debug_options ALL,9" can be an overkill for
>> this?
> 
> Here are the debug logs. I see that it is trying to compare SRC-IP:Port
> pair against the ACL and result is always "0".
> 
> Any pointers?

Ah, Squid-3 is using CIDR masking. Sorry should have remembered earlier
how strict this is.

The two /25 subnets (or groups of /26 etc) is the way to go.

Amos
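
Added example, not part of the original thread: a Python sketch showing why the mask 0.0.0.1 has no CIDR prefix-length equivalent, and generating squid.conf lines for the two-/25 split described above. The LAN 192.168.2.0/24 is an assumption inferred from the client address in the debug log; the WAN addresses and the ACL names lan_low/lan_high are placeholders.

```python
import ipaddress


def mask_prefix_len(mask):
    """Return the CIDR prefix length of a dotted netmask, or None when its
    one-bits are not contiguous from the top (no /N form exists)."""
    m = int(ipaddress.IPv4Address(mask))
    inverted = ~m & 0xFFFFFFFF
    # A contiguous netmask inverts to 2**k - 1, so inverted & (inverted + 1) == 0.
    if inverted & (inverted + 1):
        return None
    return 32 - inverted.bit_length()


def wanted_even(client):
    """The intent of 'src 0.0.0.0/0.0.0.1': test only the lowest address bit."""
    return int(ipaddress.IPv4Address(client)) & 1 == 0


def split_config(lan, wan1, wan2):
    """squid.conf lines for the workaround: halve the LAN, one WAN per half."""
    low, high = ipaddress.ip_network(lan).subnets(prefixlen_diff=1)
    return [
        f"acl lan_low src {low}",
        f"acl lan_high src {high}",
        f"tcp_outgoing_address {wan1} lan_low",
        f"tcp_outgoing_address {wan2} lan_high",
    ]


if __name__ == "__main__":
    # Constructed inputs: LAN assumed from the log, WAN IPs are documentation ranges.
    for mask in ("0.0.0.1", "255.255.255.128"):
        print(mask, "->", mask_prefix_len(mask))
    print("192.168.2.121 even?", wanted_even("192.168.2.121"))
    print("\n".join(split_config("192.168.2.0/24", "203.0.113.10", "198.51.100.10")))
```

The split is by lower and upper half of the LAN, not by even and odd host number, so clients have to be addressed across both halves for the load to spread.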



Re: [squid-users] Even/Odd SRC ACL

2014-06-26 Thread Nishant Sharma
On Friday 27 June 2014 11:58 AM, Nishant Sharma wrote:
> 
> On Friday 27 June 2014 10:05 AM, Amos Jeffries wrote:
>>> acl even src 0.0.0.0/0.0.0.1
>>> tcp_outgoing_address wan1 even
>>> tcp_outgoing_address wan2 !even
>>>
> wan1 & wan2 in the config are the actual WAN IP Addresses (IPv4) and NAT
> rules are properly set-up for both the WANs. If I divide the LAN into
> two /25 subnets it works fine. But not with masked bits.
> 
> Is there any debug option that I could enable to see how these ACLs are
> being matched or by-passed? "debug_options ALL,9" can be an overkill for
> this?

Here are the debug logs. I see that it is trying to compare SRC-IP:Port
pair against the ACL and result is always "0".

Any pointers?

2014/06/27 12:02:37.882| ACLList::matches: checking !EVEN
2014/06/27 12:02:37.883| ACL::checklistMatches: checking 'EVEN'
2014/06/27 12:02:37.883| aclIpAddrNetworkCompare: compare:
192.168.2.121:49287/[:::::::]
(192.168.2.121:49287)  vs
0.0.0.0-[::]/[:::::::]
2014/06/27 12:02:37.883| aclIpMatchIp: '192.168.2.121:49287' NOT found
2014/06/27 12:02:37.883| ACL::ChecklistMatches: result for 'EVEN' is 0
2014/06/27 12:02:37.883| ACLList::matches: result is true
2014/06/27 12:02:37.883| aclmatchAclList: 0xbfbfe290 returning true (AND
list satisfied)
2014/06/27 12:02:37.883| ACLChecklist::markFinished: 0xbfbfe290
checklist processing finished
2014/06/27 12:02:37.883| FilledChecklist.cc(168) ~ACLFilledChecklist:
ACLFilledChecklist destroyed 0xbfbfe290
2014/06/27 12:02:37.883| ACLChecklist::~ACLChecklist: destroyed 0xbfbfe290
2014/06/27 12:02:37.883| FilledChecklist.cc(168) ~ACLFilledChecklist:
ACLFilledChecklist destroyed 0xbfbfe2b0
2014/06/27 12:02:37.883| ACLChecklist::~ACLChecklist: destroyed 0xbfbfe2b0
2014/06/27 12:02:37.883| fwdConnectStart: got outgoing addr
2xx.1xx.3x.xx, tos 0

Thanks & regards,
Nishant


Re: [squid-users] Even/Odd SRC ACL

2014-06-26 Thread Amos Jeffries
On 27/06/2014 4:07 p.m., Nishant Sharma wrote:
> Hi,
> 
> I have 2 WANs and would like to loadbalance the traffic by configuring
> tcp_outgoing_address based on source IPs. Squid version is 3.1.20
> running on FreeBSD 8.3-release-p11 (pfSense 2.1-RELEASE).
> 
> I have tried this:
> 
> acl even src 0.0.0.0/0.0.0.1
> tcp_outgoing_address wan1 even
> tcp_outgoing_address wan2 !even
> 
> But this doesn't seem to work. All the traffic is going to WAN2. Default
> route is on WAN1.
> 
> Am I missing something?

You have not described any of the load balancing part of the
configuration. All the Squid settings do is set the Squid outgoing IP.
The operating system still has to take that and do things based on it.

You will benefit from an upgrade to squid-3.3 or later where the
tcp_outgoing_address is compatible with HTTP persistent connections.

Also, if "wan1" and "wan2" are in your config as that exactly they need
to be DNS resolvable host names with exactly 1 IP address.

Amos



[squid-users] Even/Odd SRC ACL

2014-06-26 Thread Nishant Sharma
Hi,

I have 2 WANs and would like to loadbalance the traffic by configuring
tcp_outgoing_address based on source IPs. Squid version is 3.1.20
running on FreeBSD 8.3-release-p11 (pfSense 2.1-RELEASE).

I have tried this:

acl even src 0.0.0.0/0.0.0.1
tcp_outgoing_address wan1 even
tcp_outgoing_address wan2 !even

But this doesn't seem to work. All the traffic is going to WAN2. Default
route is on WAN1.

Am I missing something?

Thanks in advance.
Regards,
Nishant