Re: [squid-users] transparent proxy not working!! any advice?

2009-01-08 Thread R_O_L_A_N_D

Nicholas

ports are open now, however I'm still not seeing traffic on the tunnel
(tcpdump -i gre0). Also I'm not certain if the ip_gre module is enough. I'm
seeing many configurations using ip_wccp, but I do not have that one on my
CentOS.
What is the proper way to verify that the tunnel is working properly? I tried to
create 2 VMs and set up a GRE tunnel between them, and it worked.



RE: [squid-users] transparent proxy not working!! any advice?

2009-01-08 Thread Ritter, Nicholas

ip_gre is enough...the IP_WCCP module was used prior to gre support in the
kernel. CentOS 5 is new enough that it uses a kernel that is gre capable.

I have found that there are routing problems with some IOS versions because the
squid cache may be sitting on an IP subnet that is not directly connected to the
ip subnet the squid box is on.
 
The way to check on this is to see if the Router Identifier in the sh ip 
wccp output on the router shows an IP address that is on the same IP subnet as 
the squid box.
 
The solution is to make sure they are the same IP subnet, or update your IOS. I 
know the problem was fixed at or around IOS version 12.4(15)T3. I happen to be 
running (C2800NM-ADVSECURITYK9-M), Version 12.4(15)T3 and the problem is no 
longer there. But initially I was having the problem with an earlier 12.4 
version of SPServices IOS.
 
Nick



Re: [squid-users] transparent proxy not working!! any advice?

2009-01-06 Thread Roland Roland

Hello,

after adding the ACL below.
I've got the following result.
if I'm not mistaken, it has something to do with the dynamic issue? should
I set it as standard 0
or ?!

*Jan  6 20:21:39.294: WCCP-PKT:D90: Sending I_See_You packet to 192.168.0.183 w/ rcv_id 0019
*Jan  6 20:21:39.298: WCCP-PKT:D80: Sending I_See_You packet to 192.168.0.183 w/ rcv_id 0019
*Jan  6 20:21:57.290: WCCP-EVNT:D90: Here_I_Am packet from 192.168.0.183 w/bad rcv_id
*Jan  6 20:21:57.290: WCCP-PKT:D90: Sending I_See_You packet to 192.168.0.183 w/ rcv_id 001A
*Jan  6 20:21:57.290: WCCP-EVNT:D80: Here_I_Am packet from 192.168.0.183 w/bad rcv_id
*Jan  6 20:21:57.290: WCCP-PKT:D80: Sending I_See_You packet to 192.168.0.183 w/ rcv_id 001A
*Jan  6 20:22:04.294: WCCP-PKT:D90: Sending Removal_Query packet to 192.168.0.183w/ rcv_id 001B
*Jan  6 20:22:04.298: WCCP-PKT:D80: Sending Removal_Query packet to 192.168.0.183w/ rcv_id 001B
*Jan  6 20:22:09.294: %WCCP-1-SERVICELOST: Service 90 lost on WCCP client 192.168.0.183
*Jan  6 20:22:09.298: %WCCP-1-SERVICELOST: Service 80 lost on WCCP client 192.168.0.183
*Jan  6 20:22:15.298: WCCP-PKT:D90: Sending I_See_You packet to 192.168.0.183 w/ rcv_id 001C
*Jan  6 20:22:15.298: WCCP-PKT:D80: Sending I_See_You packet to 192.168.0.183 w/ rcv_id 001C
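
Added example, not part of the original thread: a small parser for the router debug lines posted in this thread that groups events per WCCP service ID and separates the two failure modes reported, "service not active" (4 January) and "bad rcv_id" followed by SERVICELOST (6 January). The verdict names are labels chosen for this example; the sample lines are the thread's own output with the mail line-wraps joined.

```python
import re
from collections import defaultdict

# Router debug lines taken from the thread (mail line-wraps joined).
JAN4 = """\
*Jan  4 23:16:43.205: WCCP-EVNT:D90: Here_I_Am packet from 192.168.0.183: service not active
*Jan  4 23:16:43.205: WCCP-EVNT:D80: Here_I_Am packet from 192.168.0.183: service not active
""".splitlines()

JAN6 = """\
*Jan  6 20:21:39.294: WCCP-PKT:D90: Sending I_See_You packet to 192.168.0.183 w/ rcv_id 0019
*Jan  6 20:21:39.298: WCCP-PKT:D80: Sending I_See_You packet to 192.168.0.183 w/ rcv_id 0019
*Jan  6 20:21:57.290: WCCP-EVNT:D90: Here_I_Am packet from 192.168.0.183 w/bad rcv_id
*Jan  6 20:21:57.290: WCCP-PKT:D90: Sending I_See_You packet to 192.168.0.183 w/ rcv_id 001A
*Jan  6 20:21:57.290: WCCP-EVNT:D80: Here_I_Am packet from 192.168.0.183 w/bad rcv_id
*Jan  6 20:21:57.290: WCCP-PKT:D80: Sending I_See_You packet to 192.168.0.183 w/ rcv_id 001A
*Jan  6 20:22:04.294: WCCP-PKT:D90: Sending Removal_Query packet to 192.168.0.183w/ rcv_id 001B
*Jan  6 20:22:04.298: WCCP-PKT:D80: Sending Removal_Query packet to 192.168.0.183w/ rcv_id 001B
*Jan  6 20:22:09.294: %WCCP-1-SERVICELOST: Service 90 lost on WCCP client 192.168.0.183
*Jan  6 20:22:09.298: %WCCP-1-SERVICELOST: Service 80 lost on WCCP client 192.168.0.183
*Jan  6 20:22:15.298: WCCP-PKT:D90: Sending I_See_You packet to 192.168.0.183 w/ rcv_id 001C
*Jan  6 20:22:15.298: WCCP-PKT:D80: Sending I_See_You packet to 192.168.0.183 w/ rcv_id 001C
""".splitlines()

LINE = re.compile(
    r"^\*\w{3}\s+\d+ (\d\d):(\d\d):(\d\d)\.(\d{3}): "   # timestamp
    r"%?WCCP-[\w-]+?(?::D(\d+))?: (.*)$"                 # facility, optional :D<service>
)
LOST = re.compile(r"Service (\d+) lost on WCCP client")


def classify(text):
    """Map the free-text part of a debug line to an event name."""
    if "service not active" in text:
        return "not_active"
    if "w/bad rcv_id" in text:
        return "bad_rcv_id"
    if "Sending I_See_You" in text:
        return "i_see_you"
    if "Sending Removal_Query" in text:
        return "removal_query"
    if LOST.search(text):
        return "lost"
    return None


def verdict(group):
    events = group["events"]
    if "not_active" in events:
        return "group-not-active"      # router is not servicing this group ID
    if "lost" in events:
        return "flapping" if group["rejoined"] else "lost"
    if "bad_rcv_id" in events:
        return "handshake-failing"
    return "ok"


def analyse(lines):
    """Summarise the events per service ID (timestamps compared within one day)."""
    groups = defaultdict(lambda: {"events": [], "first_bad_ms": None,
                                  "lost_after_ms": None, "rejoined": False})
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        hh, mm, ss, ms, svc, text = m.groups()
        event = classify(text)
        if event is None:
            continue
        if event == "lost":            # SERVICELOST names the service in its text
            svc = LOST.search(text).group(1)
        if svc is None:
            continue
        now = ((int(hh) * 60 + int(mm)) * 60 + int(ss)) * 1000 + int(ms)
        g = groups[svc]
        g["events"].append(event)
        if event == "bad_rcv_id" and g["first_bad_ms"] is None:
            g["first_bad_ms"] = now
        elif event == "lost" and g["first_bad_ms"] is not None:
            g["lost_after_ms"] = now - g["first_bad_ms"]
        elif event == "i_see_you" and "lost" in g["events"]:
            g["rejoined"] = True       # router greets the cache again after the loss
    return {svc: dict(g, verdict=verdict(g)) for svc, g in groups.items()}


if __name__ == "__main__":
    for name, sample in (("4 January", JAN4), ("6 January", JAN6)):
        for svc, summary in sorted(analyse(sample).items()):
            print(name, "service", svc, summary["verdict"], summary["lost_after_ms"])
```
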


RE: [squid-users] transparent proxy not working!! any advice?

2009-01-06 Thread Ritter, Nicholas

Ok...so the squid server and the router are seeing each other initially...then
it fails. On the squid box you need to make sure the firewall is allowing UDP
port 2048 from the router and that the GRE tunnel is functioning properly,
and is set up in iptables properly.

The other thing that may be needed is that access-list (access-list 180,
from my last email) should have the ip of the squid box in it as a deny entry.
The reason for this is that you want to avoid traffic being 'looped' from the
router to the squid box.

You can set up WCCP where you are using no service groups and just the web-cache
and web-cache redirect, etc. The two things that can break doing that are:
multiple squid servers in a WCCP setup, and support for apps/ports other than
port 80.
 
Nick



Re: [squid-users] transparent proxy not working!! any advice?

2009-01-05 Thread R_O_L_A_N_D

Hello,
actually I have both of them set on the LAN interface (am I mistaken to set the
redirect out on the LAN interface? should I be setting it on the interface
facing the internet?)

ip wccp 80 redirect in
ip wccp 90 redirect out

as for the wiki provided, I fail to see what's missing!
obviously there is something, but I'm not detecting it!



--
From: Regardt van de Vyver sq...@vdvyver.net
Sent: Monday, January 05, 2009 12:46 AM
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] transparent proxy not working!! any advice?


Roland Roland wrote:

Hello,
the output of the debugging is as such:



*Jan  4 23:16:43.205: WCCP-EVNT:D90: Here_I_Am packet from 192.168.0.183: service not active
*Jan  4 23:16:43.205: WCCP-EVNT:D80: Here_I_Am packet from 192.168.0.183: service not active


what service is that?!



--
From: Regardt van de Vyver sq...@vdvyver.net
Sent: Sunday, January 04, 2009 9:33 PM
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] transparent proxy not working!! any advice?


Roland Roland wrote:

i've just created a new box with the following options:
but wccp with router is still not working!
any advice?


using centos 5.2
and squid 2.6
firewall enabled
SElinux permissive
---
done the following:

yum update yum

yum install squid

squid -z
---
gedit /etc/rc.d/init.d/rc.local

#added:
modprobe ip_gre
ifconfig gre0 192.168.0.183 netmask 255.255.255.0 up
#this is the same ip as my eth0


gedit /etc/sysconfig/iptables

#added:
-A INPUT -i gre0 -j ACCEPT
-A INPUT -i gre0 -j ACCEPT
-A INPUT -p gre -j ACCEPT
#my routers lan interface 192.168.0.1
-A RH-Firewall-1-INPUT -s 192.168.0.1/24 -p udp -m udp --dport 2048 -j ACCEPT
---
service iptables condrestart

gedit /etc/squid/squid.conf

#edited/added the following:
http_port 80 transparent
http_access allow all
wccp2_router 192.168.0.1
wccp_version 4
wccp2_rebuild_wait on
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method 1
wccp2_service dynamic 80
wccp2_service dynamic 90
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
--
Cisco router 2811 side:

conf t
ip wccp version 2
ip wccp web-cache

int f0/1 (Lan interface)
ip wccp 80 redirect in
ip wccp 90 redirect out
--
service squid restart

then sh ip wccp on router gave me all hits as 0 no hits from squid to
router!!
--

service iptables status

[r...@localhost ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target               prot opt source          destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0       0.0.0.0/0
2    ACCEPT               all  --  0.0.0.0/0       0.0.0.0/0
3    ACCEPT               all  --  0.0.0.0/0       0.0.0.0/0
4    ACCEPT               47   --  0.0.0.0/0       0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target               prot opt source          destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0       0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target               prot opt source          destination

Chain RH-Firewall-1-INPUT (2 references)
num  target               prot opt source          destination
1    ACCEPT               all  --  0.0.0.0/0       0.0.0.0/0
2    ACCEPT               icmp --  0.0.0.0/0       0.0.0.0/0     icmp type 255
3    ACCEPT               esp  --  0.0.0.0/0       0.0.0.0/0
4    ACCEPT               ah   --  0.0.0.0/0       0.0.0.0/0
5    ACCEPT               udp  --  0.0.0.0/0       224.0.0.251   udp dpt:5353
6    ACCEPT               udp  --  0.0.0.0/0       0.0.0.0/0     udp dpt:631
7    ACCEPT               tcp  --  0.0.0.0/0       0.0.0.0/0     tcp dpt:631
8    ACCEPT               all  --  0.0.0.0/0       0.0.0.0/0     state RELATED,ESTABLISHED
9    ACCEPT               tcp  --  0.0.0.0/0       0.0.0.0/0     state NEW tcp dpt:22
10   ACCEPT               tcp  --  0.0.0.0/0       0.0.0.0/0     state NEW tcp dpt:80
11   ACCEPT               tcp  --  0.0.0.0/0       0.0.0.0/0     state NEW tcp dpt:5900
12   ACCEPT               udp  --  192.168.0.0/24  0.0.0.0/0     udp dpt:2048
13   REJECT               all  --  0.0.0.0/0       0.0.0.0/0     reject-with icmp-host-prohibited


---



lsmod:

Module                   Size  Used by
ip_conntrack_netbios_ns  6977  0
xt_state                 6209  4
ip_conntrack            53025  2 ip_conntrack_netbios_ns,xt_state
nfnetlink               10713  1
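
Added example, not part of the original thread: a first-match walk through the ruleset in the `service iptables status` listing above, showing which rule decides the fate of the router's WCCP control packets (UDP 2048) and of its GRE-encapsulated redirects. It assumes that rule 1 of RH-Firewall-1-INPUT is the stock CentOS loopback accept (the listing does not show interfaces), that INPUT rules 2-3 are the `-i gre0` accepts from the rules file, and that a GRE packet from the router arrives in conntrack state NEW; `reordered_rules()` and the LAN host 192.168.0.50 are constructed for illustration.

```python
import ipaddress

ROUTER = "192.168.0.1"          # router LAN address, from the thread


def rule(target, **match):
    return (match, target)


def posted_rules():
    """Chains mirroring the posted listing (constructed; see assumptions above)."""
    fw = [
        rule("ACCEPT", iface="lo"),                      # assumption: -i lo
        rule("ACCEPT", proto="icmp"),
        rule("ACCEPT", proto="esp"),
        rule("ACCEPT", proto="ah"),
        rule("ACCEPT", proto="udp", dst="224.0.0.251", dport=5353),
        rule("ACCEPT", proto="udp", dport=631),
        rule("ACCEPT", proto="tcp", dport=631),
        rule("ACCEPT", state=("RELATED", "ESTABLISHED")),
        rule("ACCEPT", proto="tcp", state=("NEW",), dport=22),
        rule("ACCEPT", proto="tcp", state=("NEW",), dport=80),
        rule("ACCEPT", proto="tcp", state=("NEW",), dport=5900),
        rule("ACCEPT", proto="udp", src="192.168.0.0/24", dport=2048),
        rule("REJECT"),                                  # matches everything left
    ]
    inp = [
        rule("RH-Firewall-1-INPUT"),                     # jump comes first
        rule("ACCEPT", iface="gre0"),
        rule("ACCEPT", iface="gre0"),
        rule("ACCEPT", proto="gre"),
    ]
    return {"INPUT": inp, "RH-Firewall-1-INPUT": fw}


def reordered_rules():
    """Same chains, with router-only accepts placed before the final REJECT."""
    chains = posted_rules()
    fw = chains["RH-Firewall-1-INPUT"]
    fw[11] = rule("ACCEPT", proto="udp", src=ROUTER + "/32", dport=2048)
    fw.insert(12, rule("ACCEPT", proto="gre", src=ROUTER + "/32"))
    return chains


def matches(match, pkt):
    for key, want in match.items():
        have = pkt.get(key)
        if key == "src":
            if ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                return False
        elif key == "state":
            if have not in want:
                return False
        elif have != want:
            return False
    return True


def traverse(chains, name, pkt):
    """First-match walk; returns (target, 'chain rule N') or None on fall-through."""
    for num, (match, target) in enumerate(chains[name], start=1):
        if not matches(match, pkt):
            continue
        if target in chains:                 # jump to a user-defined chain
            result = traverse(chains, target, pkt)
            if result is not None:
                return result
            continue                         # chain fell through: resume here
        return target, f"{name} rule {num}"
    return None


def decide(chains, pkt, policy="ACCEPT"):
    return traverse(chains, "INPUT", pkt) or (policy, "INPUT policy")


# Constructed packets. The control packet is modelled as NEW so that rule 12
# itself is exercised rather than the RELATED,ESTABLISHED rule.
WCCP_CONTROL = dict(iface="eth0", proto="udp", src=ROUTER, dport=2048, state="NEW")
GRE_FROM_ROUTER = dict(iface="eth0", proto="gre", src=ROUTER, state="NEW")
WCCP_FROM_LAN_HOST = dict(iface="eth0", proto="udp", src="192.168.0.50",
                          dport=2048, state="NEW")

if __name__ == "__main__":
    for label, chains in (("posted", posted_rules()), ("reordered", reordered_rules())):
        for name, pkt in (("WCCP control", WCCP_CONTROL),
                          ("GRE from router", GRE_FROM_ROUTER),
                          ("UDP 2048 from LAN host", WCCP_FROM_LAN_HOST)):
            print(label, name, *decide(chains, pkt))
```

With the posted ordering the `-p gre` and `-i gre0` accepts in INPUT are never reached for the outer GRE packet, because the jump to RH-Firewall-1-INPUT comes first and that chain ends in a REJECT that matches everything.
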

RE: [squid-users] transparent proxy not working!! any advice?

2009-01-05 Thread Ritter, Nicholas

The error on the Cisco router is stating that the squid box is trying to tell 
the router that it is able to service the wccp group 80 and 90, but for some 
reason the router does not see those groups as ones it is servicing.
 
This is odd. Try doing the following in the router:
 
access-list 180 permit ip any any
ip wccp web-cache redirect-list 180
ip wccp 80 redirect-list 180
ip wccp 90 redirect-list 180
 
Is the squid box on the same router interface as the rest of the clients? If it
is, you may need to add lines to the access-list 180, or put the squid box on
the secondary interface of the router and do an ip wccp redirect exclude in
statement on that interface.
 
Which IOS feature set and version is this? 
 
WCCP is buggy in some IOS releases.
 
 



Re: [squid-users] transparent proxy not working!! any advice?

2009-01-05 Thread Roland Roland


Hello,
thanks for the advice, I'll proceed and add the new ACL.
in the meantime, to answer your question:
yes, Squid is on the same interface as all the other clients. what sort of
entries should I add to that access list?


PS: my IOS is Version 12.4(17b), RELEASE SOFTWARE (fc2) Cisco 2811 (revision
53.51)



Re: [squid-users] transparent proxy not working!! any advice?

2009-01-04 Thread Regardt van de Vyver

Roland Roland wrote:

i've just created a new box with the following options:
but wccp with router is still not working!
any advice?


using centos 5.2
and squid 2.6
firewall enabled
SElinux permissive
---
done the following:

yum update yum

yum install squid

squid -z
---
gedit /etc/rc.d/init.d/rc.local

#added:
modprobe ip_gre
ifconfig gre0 192.168.0.183 netmask 255.255.255.0 up
#this is the same ip as my eth0


gedit /etc/sysconfig/iptables

#added:
-A INPUT -i gre0 -j ACCEPT
-A INPUT -i gre0 -j ACCEPT
-A INPUT -p gre -j ACCEPT
#my routers lan interface 192.168.0.1
-A RH-Firewall-1-INPUT -s 192.168.0.1/24 -p udp -m udp --dport 2048 -j ACCEPT
---
service iptables condrestart

gedit /etc/squid/squid.conf

#edited/added the following:
http_port 80 transparent
http_access allow all
wccp2_router 192.168.0.1
wccp_version 4
wccp2_rebuild_wait on
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method 1
wccp2_service dynamic 80
wccp2_service dynamic 90
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
--
Cisco router 2811 side:

conf t
ip wccp version 2
ip wccp web-cache

int f0/1 (Lan interface)
ip wccp 80 redirect in
ip wccp 90 redirect out
--
service squid restart

then sh ip wccp on router gave me all hits as 0 no hits from squid to
router!!
--

service iptables status

[r...@localhost ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target               prot opt source          destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0       0.0.0.0/0
2    ACCEPT               all  --  0.0.0.0/0       0.0.0.0/0
3    ACCEPT               all  --  0.0.0.0/0       0.0.0.0/0
4    ACCEPT               47   --  0.0.0.0/0       0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target               prot opt source          destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0       0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target               prot opt source          destination

Chain RH-Firewall-1-INPUT (2 references)
num  target               prot opt source          destination
1    ACCEPT               all  --  0.0.0.0/0       0.0.0.0/0
2    ACCEPT               icmp --  0.0.0.0/0       0.0.0.0/0    icmp type 255
3    ACCEPT               esp  --  0.0.0.0/0       0.0.0.0/0
4    ACCEPT               ah   --  0.0.0.0/0       0.0.0.0/0
5    ACCEPT               udp  --  0.0.0.0/0       224.0.0.251  udp dpt:5353
6    ACCEPT               udp  --  0.0.0.0/0       0.0.0.0/0    udp dpt:631
7    ACCEPT               tcp  --  0.0.0.0/0       0.0.0.0/0    tcp dpt:631
8    ACCEPT               all  --  0.0.0.0/0       0.0.0.0/0    state RELATED,ESTABLISHED
9    ACCEPT               tcp  --  0.0.0.0/0       0.0.0.0/0    state NEW tcp dpt:22
10   ACCEPT               tcp  --  0.0.0.0/0       0.0.0.0/0    state NEW tcp dpt:80
11   ACCEPT               tcp  --  0.0.0.0/0       0.0.0.0/0    state NEW tcp dpt:5900
12   ACCEPT               udp  --  192.168.0.0/24  0.0.0.0/0    udp dpt:2048
13   REJECT               all  --  0.0.0.0/0       0.0.0.0/0    reject-with icmp-host-prohibited


--- 



lsmod:

Module                   Size    Used by
ip_conntrack_netbios_ns  6977    0
xt_state                 6209    4
ip_conntrack             53025   2 ip_conntrack_netbios_ns,xt_state
nfnetlink                10713   1 ip_conntrack
iptable_filter           7105    1
ip_tables                17029   1 iptable_filter
ip6table_filter          6849    1
ip6_tables               18053   1 ip6table_filter
nls_utf8                 6208    1
ip_gre                   16737   0
autofs4                  24517   2
hidp                     23105   2
rfcomm                   42457   0
l2cap                    29505   10 hidp,rfcomm
bluetooth                53797   5 hidp,rfcomm,l2cap
sunrpc                   144893  1
ipt_REJECT               9537    1
ip6t_REJECT              9409    1
xt_tcpudp                7105    15
x_tables                 17349   6 xt_state,ip_tables,ip6_tables,ipt_REJECT,ip6t_REJECT,xt_tcpudp
dm_multipath             22089   0
video                    21193   0
sbs                      18533   0
backlight                10049   1 video
i2c_ec                   9025    1 sbs
button                   10705   0
battery                  13637   0
asus_acpi                19289   0
ac                       9157    0
ipv6                     258273  17 ip6t_REJECT
xfrm_nalgo               13765   1 ipv6
crypto_api               11969   1 xfrm_nalgo
lp                       15849   0
floppy

Re: [squid-users] transparent proxy not working!! any advice?

2009-01-04 Thread Roland Roland

Hello,
the output of the debugging is as such:



*Jan  4 23:16:43.205: WCCP-EVNT:D90: Here_I_Am packet from 192.168.0.183: service not active
*Jan  4 23:16:43.205: WCCP-EVNT:D80: Here_I_Am packet from 192.168.0.183: service not active


what service is that?!



--
From: Regardt van de Vyver sq...@vdvyver.net
Sent: Sunday, January 04, 2009 9:33 PM
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] transparent proxy not working!! any advice?


Roland Roland wrote:

I've just created a new box with the following options:
but wccp with router is still not working!
any advice?


using centos 5.2
and squid 2.6
firewall enabled
SElinux permissive
---
done the following:

yum update yum

yum install squid

squid -z
---
gedit /etc/rc.d/init.d/rc.local

#added:
modprobe ip_gre
ifconfig gre0 192.168.0.183 netmask 255.255.255.0 up
#this is the same ip as my eth0


gedit /etc/sysconfig/iptables

#added:
-A INPUT -i gre0 -j ACCEPT
-A INPUT -i gre0 -j ACCEPT
-A INPUT -p gre -j ACCEPT
#my routers lan interface 192.168.0.1
-A RH-Firewall-1-INPUT -s 192.168.0.1/24 -p udp -m udp --dport 2048 -j ACCEPT
---
service iptables condrestart

gedit /etc/squid/squid.conf

#edited/added the following:
http_port 80 transparent
http_access allow all
wccp2_router 192.168.0.1
wccp_version 4
wccp2_rebuild_wait on
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method 1
wccp2_service dynamic 80
wccp2_service dynamic 90
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
--
Cisco router 2811 side:

conf t
ip wccp version 2
ip wccp web-cache

int f0/1 (Lan interface)
ip wccp 80 redirect in
ip wccp 90 redirect out
--
service squid restart

then sh ip wccp on router gave me all hits as 0 no hits from squid to
router!!
--

service iptables status

[r...@localhost ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target               prot opt source          destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0       0.0.0.0/0
2    ACCEPT               all  --  0.0.0.0/0       0.0.0.0/0
3    ACCEPT               all  --  0.0.0.0/0       0.0.0.0/0
4    ACCEPT               47   --  0.0.0.0/0       0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target               prot opt source          destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0       0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target               prot opt source          destination

Chain RH-Firewall-1-INPUT (2 references)
num  target               prot opt source          destination
1    ACCEPT               all  --  0.0.0.0/0       0.0.0.0/0
2    ACCEPT               icmp --  0.0.0.0/0       0.0.0.0/0    icmp type 255
3    ACCEPT               esp  --  0.0.0.0/0       0.0.0.0/0
4    ACCEPT               ah   --  0.0.0.0/0       0.0.0.0/0
5    ACCEPT               udp  --  0.0.0.0/0       224.0.0.251  udp dpt:5353
6    ACCEPT               udp  --  0.0.0.0/0       0.0.0.0/0    udp dpt:631
7    ACCEPT               tcp  --  0.0.0.0/0       0.0.0.0/0    tcp dpt:631
8    ACCEPT               all  --  0.0.0.0/0       0.0.0.0/0    state RELATED,ESTABLISHED
9    ACCEPT               tcp  --  0.0.0.0/0       0.0.0.0/0    state NEW tcp dpt:22
10   ACCEPT               tcp  --  0.0.0.0/0       0.0.0.0/0    state NEW tcp dpt:80
11   ACCEPT               tcp  --  0.0.0.0/0       0.0.0.0/0    state NEW tcp dpt:5900
12   ACCEPT               udp  --  192.168.0.0/24  0.0.0.0/0    udp dpt:2048
13   REJECT               all  --  0.0.0.0/0       0.0.0.0/0    reject-with icmp-host-prohibited


---


lsmod:

Module                   Size    Used by
ip_conntrack_netbios_ns  6977    0
xt_state                 6209    4
ip_conntrack             53025   2 ip_conntrack_netbios_ns,xt_state
nfnetlink                10713   1 ip_conntrack
iptable_filter           7105    1
ip_tables                17029   1 iptable_filter
ip6table_filter          6849    1
ip6_tables               18053   1 ip6table_filter
nls_utf8                 6208    1
ip_gre                   16737   0
autofs4                  24517   2
hidp                     23105   2
rfcomm                   42457   0
l2cap                    29505   10 hidp,rfcomm
bluetooth                53797   5 hidp,rfcomm,l2cap
sunrpc                   144893  1
ipt_REJECT               9537    1
ip6t_REJECT              9409    1
xt_tcpudp                7105    15
x_tables                 17349   6 xt_state,ip_tables
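
An added example, not part of the thread and not Squid or Cisco code: a cross-check of the Squid and router settings quoted in the message above, comparing the WCCP service groups Squid announces with the ones the router has enabled. It assumes the router logs `service not active` when a Here_I_Am names a service group that has no global `ip wccp <id>` line; the function names and the inline config strings (including the spelled-out interface name) are constructed for illustration.

```python
import re

# Constructed from the configuration quoted in the thread.
SQUID_CONF = """\
wccp2_router 192.168.0.1
wccp2_service dynamic 80
wccp2_service dynamic 90
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
"""
ROUTER_CONF = """\
ip wccp version 2
ip wccp web-cache
interface FastEthernet0/1
 ip wccp 80 redirect in
 ip wccp 90 redirect out
"""

def squid_services(conf):
    """Service groups Squid announces: 'web-cache' (standard) or a dynamic id."""
    found = set()
    for m in re.finditer(r"^\s*wccp2_service\s+(standard|dynamic)\s+(\d+)", conf, re.M):
        found.add("web-cache" if m.group(1) == "standard" else m.group(2))
    return found

def router_services(conf):
    """Return (groups enabled globally, groups named by interface redirects)."""
    enabled, redirected = set(), set()
    for line in conf.splitlines():
        m = re.match(r"^(\s*)ip wccp (web-cache|\d+)\b(.*)$", line)
        if not m:
            continue  # also skips 'ip wccp version 2'
        indent, svc, rest = m.groups()
        if re.search(r"\bredirect (in|out)\b", rest):
            redirected.add(svc)   # interface-level redirect statement
        elif not indent:
            enabled.add(svc)      # global line, with or without options
    return enabled, redirected

def audit(squid_conf, router_conf):
    """Report service-group mismatches between the cache and the router."""
    announced = squid_services(squid_conf)
    enabled, redirected = router_services(router_conf)
    return {
        "not_active_on_router": sorted(announced - enabled),
        "enabled_but_unannounced": sorted(enabled - announced),
        "redirect_without_global": sorted(redirected - enabled),
    }

if __name__ == "__main__":
    for finding, groups in audit(SQUID_CONF, ROUTER_CONF).items():
        print(f"{finding}: {', '.join(groups) or 'none'}")
```
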

Re: [squid-users] transparent proxy not working!! any advice?

2009-01-04 Thread Regardt van de Vyver

Roland Roland wrote:

Hello,
the output of the debugging is as such:



*Jan  4 23:16:43.205: WCCP-EVNT:D90: Here_I_Am packet from 192.168.0.183: service not active
*Jan  4 23:16:43.205: WCCP-EVNT:D80: Here_I_Am packet from 192.168.0.183: service not active


what service is that?!



--
From: Regardt van de Vyver sq...@vdvyver.net
Sent: Sunday, January 04, 2009 9:33 PM
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] transparent proxy not working!! any advice?


Roland Roland wrote:

I've just created a new box with the following options:
but wccp with router is still not working!
any advice?


using centos 5.2
and squid 2.6
firewall enabled
SElinux permissive
---
done the following:

yum update yum

yum install squid

squid -z
---
gedit /etc/rc.d/init.d/rc.local

#added:
modprobe ip_gre
ifconfig gre0 192.168.0.183 netmask 255.255.255.0 up
#this is the same ip as my eth0


gedit /etc/sysconfig/iptables

#added:
-A INPUT -i gre0 -j ACCEPT
-A INPUT -i gre0 -j ACCEPT
-A INPUT -p gre -j ACCEPT
#my routers lan interface 192.168.0.1
-A RH-Firewall-1-INPUT -s 192.168.0.1/24 -p udp -m udp --dport 2048 -j ACCEPT
---
service iptables condrestart

gedit /etc/squid/squid.conf

#edited/added the following:
http_port 80 transparent
http_access allow all
wccp2_router 192.168.0.1
wccp_version 4
wccp2_rebuild_wait on
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method 1
wccp2_service dynamic 80
wccp2_service dynamic 90
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
--
Cisco router 2811 side:

conf t
ip wccp version 2
ip wccp web-cache

int f0/1 (Lan interface)
ip wccp 80 redirect in
ip wccp 90 redirect out
--
service squid restart

then sh ip wccp on router gave me all hits as 0 no hits from squid to
router!!
--

service iptables status

[r...@localhost ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target               prot opt source          destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0       0.0.0.0/0
2    ACCEPT               all  --  0.0.0.0/0       0.0.0.0/0
3    ACCEPT               all  --  0.0.0.0/0       0.0.0.0/0
4    ACCEPT               47   --  0.0.0.0/0       0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target               prot opt source          destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0       0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target               prot opt source          destination

Chain RH-Firewall-1-INPUT (2 references)
num  target               prot opt source          destination
1    ACCEPT               all  --  0.0.0.0/0       0.0.0.0/0
2    ACCEPT               icmp --  0.0.0.0/0       0.0.0.0/0    icmp type 255
3    ACCEPT               esp  --  0.0.0.0/0       0.0.0.0/0
4    ACCEPT               ah   --  0.0.0.0/0       0.0.0.0/0
5    ACCEPT               udp  --  0.0.0.0/0       224.0.0.251  udp dpt:5353
6    ACCEPT               udp  --  0.0.0.0/0       0.0.0.0/0    udp dpt:631
7    ACCEPT               tcp  --  0.0.0.0/0       0.0.0.0/0    tcp dpt:631
8    ACCEPT               all  --  0.0.0.0/0       0.0.0.0/0    state RELATED,ESTABLISHED
9    ACCEPT               tcp  --  0.0.0.0/0       0.0.0.0/0    state NEW tcp dpt:22
10   ACCEPT               tcp  --  0.0.0.0/0       0.0.0.0/0    state NEW tcp dpt:80
11   ACCEPT               tcp  --  0.0.0.0/0       0.0.0.0/0    state NEW tcp dpt:5900
12   ACCEPT               udp  --  192.168.0.0/24  0.0.0.0/0    udp dpt:2048
13   REJECT               all  --  0.0.0.0/0       0.0.0.0/0    reject-with icmp-host-prohibited


--- 




lsmod:

Module                   Size    Used by
ip_conntrack_netbios_ns  6977    0
xt_state                 6209    4
ip_conntrack             53025   2 ip_conntrack_netbios_ns,xt_state
nfnetlink                10713   1 ip_conntrack
iptable_filter           7105    1
ip_tables                17029   1 iptable_filter
ip6table_filter          6849    1
ip6_tables               18053   1 ip6table_filter
nls_utf8                 6208    1
ip_gre                   16737   0
autofs4                  24517   2
hidp                     23105   2
rfcomm                   42457   0
l2cap                    29505   10 hidp,rfcomm
bluetooth                53797   5 hidp,rfcomm,l2cap
sunrpc                   144893  1
ipt_REJECT               9537    1
ip6t_REJECT              9409    1
xt_tcpudp                7105    15
x_tables                 17349