Re: [squid-users] Even/Odd SRC ACL
Hi Francesco,

On Friday 27 June 2014 01:35 PM, Kinkie wrote:
> Hi Sharma,
> would using a "random" ACL for outgoing IP selection be good enough?
>
> Francesco

"random" ACL with sticky outgoing IP per client to take care of HTTPS
and badly designed HTTP portals which log a user off if his/her source
IP changes.

Thanks & regards,
Nishant
Re: [squid-users] Even/Odd SRC ACL
Hi Sharma,
would using a "random" ACL for outgoing IP selection be good enough?

Francesco

On Fri, Jun 27, 2014 at 9:18 AM, Nishant Sharma wrote:
>
> On Friday 27 June 2014 12:34 PM, Amos Jeffries wrote:
>> Ah, Squid-3 is using CIDR masking. Sorry should have remembered earlier
>> how strict this is.
>>
>> The two /25 subnets (or groups of /26 etc) is the way to go.
>
> Thanks for the clarification. So, would it be possible in future?
>
> I don't know how complicated it would be to implement.
>
> Thanks again.
>
> Regards,
> Nishant

-- 
Francesco
Re: [squid-users] Even/Odd SRC ACL
On Friday 27 June 2014 12:34 PM, Amos Jeffries wrote:
> Ah, Squid-3 is using CIDR masking. Sorry should have remembered earlier
> how strict this is.
>
> The two /25 subnets (or groups of /26 etc) is the way to go.

Thanks for the clarification. So, would it be possible in future?

I don't know how complicated it would be to implement.

Thanks again.

Regards,
Nishant
Re: [squid-users] Even/Odd SRC ACL
On 27/06/2014 6:43 p.m., Nishant Sharma wrote:
> On Friday 27 June 2014 11:58 AM, Nishant Sharma wrote:
>>
>> On Friday 27 June 2014 10:05 AM, Amos Jeffries wrote:
>>>> acl even src 0.0.0.0/0.0.0.1
>>>> tcp_outgoing_address wan1 even
>>>> tcp_outgoing_address wan2 !even
>>
>> wan1 & wan2 in the config are the actual WAN IP Addresses (IPv4) and NAT
>> rules are properly set-up for both the WANs. If I divide the LAN into
>> two /25 subnets it works fine. But not with masked bits.
>>
>> Is there any debug option that I could enable to see how these ACLs are
>> being matched or by-passed? "debug_options ALL,9" can be an overkill for
>> this?
>
> Here are the debug logs. I see that it is trying to compare SRC-IP:Port
> pair against the ACL and result is always "0".
>
> Any pointers?

Ah, Squid-3 is using CIDR masking. Sorry should have remembered earlier
how strict this is.

The two /25 subnets (or groups of /26 etc) is the way to go.

Amos
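Added example, not part of the thread and not Squid code: a short Python script that shows why 0.0.0.1 is not a CIDR mask and generates the "two /25 subnets (or groups of /26 etc)" as squid.conf lines. The LAN prefix 192.168.2.0/24, the two uplink addresses and the ACL names lan_groupN are assumptions made for the example.

```python
import ipaddress

# Constructed values: the LAN prefix is assumed from the client address in the
# thread's debug log; the uplink addresses are documentation placeholders.
LAN = "192.168.2.0/24"
WAN1, WAN2 = "203.0.113.10", "198.51.100.10"

def is_cidr_mask(mask):
    """True if the dotted mask is a run of 1-bits followed only by 0-bits."""
    host_bits = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
    return (host_bits & (host_bits + 1)) == 0   # host bits must equal 2**k - 1

def split_lan(lan, new_prefix, uplinks):
    """Deal the LAN's /new_prefix subnets round-robin to the uplink addresses."""
    groups = {u: [] for u in uplinks}
    subnets = ipaddress.ip_network(lan).subnets(new_prefix=new_prefix)
    for i, subnet in enumerate(subnets):
        groups[uplinks[i % len(uplinks)]].append(str(subnet))
    return groups

def squid_lines(groups):
    """Render the groups as acl/tcp_outgoing_address lines (ACL names are made up)."""
    acls = [f"acl lan_group{n} src {' '.join(nets)}"
            for n, nets in enumerate(groups.values(), start=1)]
    outs = [f"tcp_outgoing_address {addr} lan_group{n}"
            for n, addr in enumerate(groups, start=1)]
    return acls + outs

def outgoing_for(client, groups):
    """Return the uplink address whose CIDR group contains the client, else None."""
    ip = ipaddress.ip_address(client)
    for addr, nets in groups.items():
        if any(ip in ipaddress.ip_network(net) for net in nets):
            return addr
    return None

if __name__ == "__main__":
    print("0.0.0.1 is a CIDR mask:", is_cidr_mask("0.0.0.1"))
    for prefix in (25, 26):
        groups = split_lan(LAN, prefix, [WAN1, WAN2])
        print(f"\n# /{prefix} groups")
        print("\n".join(squid_lines(groups)))
        print("# 192.168.2.121 ->", outgoing_for("192.168.2.121", groups))
```

Smaller groups interleave the address space more finely, but every client keeps one fixed outgoing address, which is the stickiness asked for later in the thread.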
Re: [squid-users] Even/Odd SRC ACL
On Friday 27 June 2014 11:58 AM, Nishant Sharma wrote:
>
> On Friday 27 June 2014 10:05 AM, Amos Jeffries wrote:
>>> acl even src 0.0.0.0/0.0.0.1
>>> tcp_outgoing_address wan1 even
>>> tcp_outgoing_address wan2 !even
>>>
> wan1 & wan2 in the config are the actual WAN IP Addresses (IPv4) and NAT
> rules are properly set-up for both the WANs. If I divide the LAN into
> two /25 subnets it works fine. But not with masked bits.
>
> Is there any debug option that I could enable to see how these ACLs are
> being matched or by-passed? "debug_options ALL,9" can be an overkill for
> this?

Here are the debug logs. I see that it is trying to compare SRC-IP:Port
pair against the ACL and result is always "0".

Any pointers?

2014/06/27 12:02:37.882| ACLList::matches: checking !EVEN
2014/06/27 12:02:37.883| ACL::checklistMatches: checking 'EVEN'
2014/06/27 12:02:37.883| aclIpAddrNetworkCompare: compare: 192.168.2.121:49287/[:::::::] (192.168.2.121:49287) vs 0.0.0.0-[::]/[:::::::]
2014/06/27 12:02:37.883| aclIpMatchIp: '192.168.2.121:49287' NOT found
2014/06/27 12:02:37.883| ACL::ChecklistMatches: result for 'EVEN' is 0
2014/06/27 12:02:37.883| ACLList::matches: result is true
2014/06/27 12:02:37.883| aclmatchAclList: 0xbfbfe290 returning true (AND list satisfied)
2014/06/27 12:02:37.883| ACLChecklist::markFinished: 0xbfbfe290 checklist processing finished
2014/06/27 12:02:37.883| FilledChecklist.cc(168) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbfbfe290
2014/06/27 12:02:37.883| ACLChecklist::~ACLChecklist: destroyed 0xbfbfe290
2014/06/27 12:02:37.883| FilledChecklist.cc(168) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbfbfe2b0
2014/06/27 12:02:37.883| ACLChecklist::~ACLChecklist: destroyed 0xbfbfe2b0
2014/06/27 12:02:37.883| fwdConnectStart: got outgoing addr 2xx.1xx.3x.xx, tos 0

Thanks & regards,
Nishant
Re: [squid-users] Even/Odd SRC ACL
On 27/06/2014 4:07 p.m., Nishant Sharma wrote:
> Hi,
>
> I have 2 WANs and would like to loadbalance the traffic by configuring
> tcp_outgoing_address based on source IPs. Squid version is 3.1.20
> running on FreeBSD 8.3-release-p11 (pfSense 2.1-RELEASE).
>
> I have tried this:
>
> acl even src 0.0.0.0/0.0.0.1
> tcp_outgoing_address wan1 even
> tcp_outgoing_address wan2 !even
>
> But this doesn't seem to work. All the traffic is going to WAN2. Default
> route is on WAN1.
>
> Am I missing something?

You have not described any of the load balancing part of the
configuration. All the Squid settings do is set the Squid outgoing IP.
The operating system still has to take that and do things based on it.

You will benefit from an upgrade to squid-3.3 or later where the
tcp_outgoing_address is compatible with HTTP persistent connections.

Also, if "wan1" and "wan2" are in your config as that exactly they need
to be DNS resolvable host names with exactly 1 IP address.

Amos
[squid-users] Even/Odd SRC ACL
Hi,

I have 2 WANs and would like to loadbalance the traffic by configuring
tcp_outgoing_address based on source IPs. Squid version is 3.1.20
running on FreeBSD 8.3-release-p11 (pfSense 2.1-RELEASE).

I have tried this:

acl even src 0.0.0.0/0.0.0.1
tcp_outgoing_address wan1 even
tcp_outgoing_address wan2 !even

But this doesn't seem to work. All the traffic is going to WAN2. Default
route is on WAN1.

Am I missing something?

Thanks in advance.

Regards,
Nishant