Re: [squid-users] Squid not accelerating properly

2014-03-08 Thread Eliezer Croitoru

Feel free to share it.

It will help a lot.

Eliezer

On 08/03/2014 13:20, Oluseyi Akinboboye wrote:

Is it possible I attach my network diagram & send it to you? It will make
explaining a lot easier. Or is there anywhere I can put it up for a few minutes?
--


Oluseyi Akinboboye
Netsnap Ltd

1st Floor,
28 Randle Road,
Apapa – Lagos
234-803-301-4769
e-mail:seyi.akinbob...@netsnap.com.ng




Re: [squid-users] Squid not accelerating properly

2014-03-08 Thread Eliezer Croitoru

Hey there,

Can you isolate the issue to one client in forward-proxy mode only?
Forward is not intercept, and the squid.conf is also relevant for this case.

My testing environment shows that Core i3 and Intel Atom CPUs are
different by nature, and one might not take the same load the way the other does.


Eliezer

On 08/03/2014 13:00, Oluseyi Akinboboye wrote:

I do apologize for that oversight in terminology!
My proxy server is not working well, as I said earlier!
I would appreciate it if you could help me out here.




Re: Re: [squid-users] Squid not accelerating properly

2014-03-08 Thread Oluseyi Akinboboye
Is it possible I attach my network diagram & send it to you? It will make
explaining a lot easier. Or is there anywhere I can put it up for a few minutes?
>I do apologize for that oversight in terminology!
>My proxy server is not working well, as I said earlier!
>I would appreciate it if you could help me out here.
>
>
>On Sat, Mar 8, 2014 at 6:05 AM, Amos Jeffries  wrote:
>
>> Let's start with the title...
>>
>> Your Squid is being used as an interception proxy. Not an accelerator /
>> reverse-proxy. Getting the terms right will greatly improve your ability
>> to search for relevant information.
>>
>>
>> On 8/03/2014 6:59 a.m., Oluseyi Akinboboye wrote:
>> > I have been long searching for a solution and finally this morning I got
>> it to work. My setup is as follows:
>> >
>> > Wan>>16port Dlink switch>>Clearos>>mikrotik>>netequalizer>>24 port Dlink
>> switch
>> >
>> >
>> > I have added a squid with its input from the Wan directly and then I
>> have put the squid directly to the mikrotik.
>> >
>>
>> So to translate your diagram and description:
>>
>>  WAN -> Squid -> Router -> LAN
>>
>> is that correct?
>>
>> I am assuming from the description that Squid is running on the ClearOS
>> machine.
>>
>>
>> > I did the following configurations:
>> >
>> >
>> > Wan:
>> >
>> > Wan -> mikrotik 172.16.10.1/24
>> > Wan -> squid 172.16.11.1/24
>> >
>>
>> Huh?
>>  if I'm reading that right you have two distinct routes that packets
>> from the WAN -> LAN may take. Only one of which goes through Squid.
>>   Be very VERY careful with the packet flows when doing this.
>>
>>
>> >
>> > Mikrotik
>> >
>> >
>> > Ether1
>> > 172.16.10.2/24 Via setup CLI
>> >
>> >
>> > Ether2 (Hotspot)
>> > 10.5.50.1/24
>> >
>> >
>> > Ether3 to squid
>> > 192.168.50.2 Via setup CLI
>> >
>> >
>> > Squid
>> >
>> >
>> > Ether1 from Wan
>> > 172.16.11.2
>> >
>> >
>> > Ether2 from mikrotik
>> > 192.168.50.1:3128
>> >
>>
>> I don't understand how that relates to the actual packet flows sorry. Too
>> many undefined details like:
>>  - how all the "EtherN" are plugged together
>>  - what the terminal command line interface (CLI) has to do with routing,
>>  - which part(s) of your network each of those IP ranges identifies
>>
>> >
>> > The squid is configured transparently.
>> >
>>
>> How? There are 8 transparent interception configurations for Squid. And
>> a great many more ways to mis-configure it.
>>
>>
>>
>> > The CLI commands used are as follows:
>>
>> Are these on the Mikrotik or ClearOS?
>>
>> >
>> >
>> > #Mark All HTTP Port 80 Traffic, so that you can use these Marked Packets
>> in Route section.
>> >
>> > /ip firewall nat
>> > add action=accept chain=srcnat disabled=no dst-port=80 protocol=tcp
>> >
>> > /ip firewall mangle
>> > add action=mark-routing chain=prerouting disabled=no dst-port=80
>> new-routing-mark=http passthrough=yes protocol=tcp
>> >
>> > /ip route
>> > add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=(192.168.50.1)
>> routing-mark=http scope=30 target-scope=10
>> >
>> > add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=(172.16.10.1)
>> scope=30 target-scope=10
>> >
>> >
>> > /ip firewall mangle add chain=postrouting tos=48 action=mark-packet
>> new-packet-mark=proxy-hit passthrough=no
>> >
>> >
>> > /ip firewall mangle add chain=postrouting action=mark-packet
>> new-packet-mark=proxy-hit passthrough=no
>> >
>> > /queue tree add name="pmark" parent=global-out packet-mark=proxy-hit \
>> limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0
>> burst-threshold=0 burst-time=0s
>> >
>> >
>> >
>> > /ip firewall filter
>> >
>> > add action=add-src-to-address-list address-list=Syn_Flooder
>> address-list-timeout=30m chain=input \
>> > comment="Add Syn Flood IP to the list" connection-limit=30,32
>> disabled=no protocol=tcp tcp-flags=syn
>> > add action=drop c

Re: [squid-users] Squid not accelerating properly

2014-03-08 Thread Amos Jeffries
On 8/03/2014 11:34 p.m., Oluseyi Akinboboye wrote:
> I do apologize for that oversight in terminology!
> My proxy server is not working well, as I said earlier!
> I would appreciate it if you could help me out here.
> 

Did you see the other comments in-line?

Amos


Re: Re: [squid-users] Squid not accelerating properly

2014-03-08 Thread Oluseyi Akinboboye
I do apologize for that oversight in terminology!
My proxy server is not working well, as I said earlier!
I would appreciate it if you could help me out here.

>Let's start with the title...
>
>Your Squid is being used as an interception proxy. Not an accelerator /
>reverse-proxy. Getting the terms right will greatly improve your ability
>to search for relevant information.
>
>
>On 8/03/2014 6:59 a.m., Oluseyi Akinboboye wrote:
>> I have been long searching for a solution and finally this morning I got it 
>> to work. My setup is as follows:
>> 
>> Wan>>16port Dlink switch>>Clearos>>mikrotik>>netequalizer>>24 port Dlink 
>> switch
>> 
>> 
>> I have added a squid with its input from the Wan directly and then I have 
>> put the squid directly to the mikrotik. 
>> 
>
>So to translate your diagram and description:
>
> WAN -> Squid -> Router -> LAN
>
>is that correct?
>
>I am assuming from the description that Squid is running on the ClearOS
>machine.
>
>
>> I did the following configurations:
>> 
>> 
>> Wan:
>> 
>> Wan -> mikrotik 172.16.10.1/24
>> Wan -> squid 172.16.11.1/24
>> 
>
>Huh?
> if I'm reading that right you have two distinct routes that packets
>from the WAN -> LAN may take. Only one of which goes through Squid.
>  Be very VERY careful with the packet flows when doing this.
>
>
>> 
>> Mikrotik
>> 
>> 
>> Ether1
>> 172.16.10.2/24 Via setup CLI
>> 
>> 
>> Ether2 (Hotspot)
>> 10.5.50.1/24
>> 
>> 
>> Ether3 to squid
>> 192.168.50.2 Via setup CLI
>> 
>> 
>> Squid
>> 
>> 
>> Ether1 from Wan
>> 172.16.11.2
>> 
>> 
>> Ether2 from mikrotik
>> 192.168.50.1:3128
>> 
>
>I don't understand how that relates to the actual packet flows sorry. Too
>many undefined details like:
> - how all the "EtherN" are plugged together
> - what the terminal command line interface (CLI) has to do with routing,
> - which part(s) of your network each of those IP ranges identifies
>
>> 
>> The squid is configured transparently.
>> 
>
>How? There are 8 transparent interception configurations for Squid. And
>a great many more ways to mis-configure it.
>
>
>
>> The CLI commands used are as follows:
>
>Are these on the Mikrotik or ClearOS?
>
>> 
>> 
>> #Mark All HTTP Port 80 Traffic, so that you can use these Marked Packets in 
>> Route section.
>> 
>> /ip firewall nat
>> add action=accept chain=srcnat disabled=no dst-port=80 protocol=tcp
>> 
>> /ip firewall mangle
>> add action=mark-routing chain=prerouting disabled=no dst-port=80 
>> new-routing-mark=http passthrough=yes protocol=tcp
>> 
>> /ip route
>> add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=(192.168.50.1) 
>> routing-mark=http scope=30 target-scope=10
>> 
>> add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=(172.16.10.1) 
>> scope=30 target-scope=10
>> 
>> 
>> /ip firewall mangle add chain=postrouting tos=48 action=mark-packet 
>> new-packet-mark=proxy-hit passthrough=no
>> 
>> 
>> /ip firewall mangle add chain=postrouting action=mark-packet 
>> new-packet-mark=proxy-hit passthrough=no
>> 
>> /queue tree add name="pmark" parent=global-out packet-mark=proxy-hit \ 
>> limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 
>> burst-threshold=0 burst-time=0s
>> 
>> 
>> 
>> /ip firewall filter
>> 
>> add action=add-src-to-address-list address-list=Syn_Flooder 
>> address-list-timeout=30m chain=input \
>> comment="Add Syn Flood IP to the list" connection-limit=30,32 disabled=no 
>> protocol=tcp tcp-flags=syn
>> add action=drop chain=input comment="Drop to syn flood list" disabled=no 
>> src-address-list=Syn_Flooder
>> add action=add-src-to-address-list address-list=Port_Scanner 
>> address-list-timeout=1w chain=input comment="Port Scanner Detect"\
>> disabled=no protocol=tcp psd=21,3s,3,1
>> add action=drop chain=input comment="Drop to port scan list" disabled=no 
>> src-address-list=Port_Scanner
>
>You might want to ensure Squid cannot be caught and listed as a SYN-flooder.
> Squid will potentially open many hundreds of connections per second if
>lots of clients are using it. Without the proxy that would be spread
>over many client IPs and not hit flooding limits.
>
>
>> add action=jump chain=input comment="Jump for icmp input flow" disabled=no 
>> jump-target=ICMP protocol=icmp
>> add action=drop chain=input\
>> comment="Block all access to the winbox - except to support list
>> add action=jump chain=forward comment="Jump for icmp forward flow" 
>> disabled=no jump-target=ICMP protocol=icmp
>> add action=drop chain=forward comment="Drop to bogon list" disabled=no 
>> dst-address-list=bogons
>> add action=add-src-to-address-list address-list=spammers 
>> address-list-timeout=3h chain=forward comment="Add Spammers to the list for 
>> 3 hours"\
>> connection-limit=30,32 disabled=no dst-port=25,587 limit=30/1m,0 protocol=tcp
>> add action=drop chain=forward comment="Avoid spammers action" disabled=no 
>> dst-port=25,587 protocol=tcp src-address-list=spammers
>> add action=accept chain=input comment="Accept DNS - UDP" disabled=no port=53 
>> protocol=udp
>> add

Re: [squid-users] Squid not accelerating properly

2014-03-07 Thread Amos Jeffries
Let's start with the title...

Your Squid is being used as an interception proxy. Not an accelerator /
reverse-proxy. Getting the terms right will greatly improve your ability
to search for relevant information.


On 8/03/2014 6:59 a.m., Oluseyi Akinboboye wrote:
> I have been long searching for a solution and finally this morning I got it 
> to work. My setup is as follows:
> 
> Wan>>16port Dlink switch>>Clearos>>mikrotik>>netequalizer>>24 port Dlink 
> switch
> 
> 
> I have added a squid with its input from the Wan directly and then I have put 
> the squid directly to the mikrotik. 
> 

So to translate your diagram and description:

 WAN -> Squid -> Router -> LAN

is that correct?

I am assuming from the description that Squid is running on the ClearOS
machine.


> I did the following configurations:
> 
> 
> Wan:
> 
> Wan -> mikrotik 172.16.10.1/24
> Wan -> squid 172.16.11.1/24
> 

Huh?
 if I'm reading that right you have two distinct routes that packets
from the WAN -> LAN may take. Only one of which goes through Squid.
  Be very VERY careful with the packet flows when doing this.


> 
> Mikrotik
> 
> 
> Ether1
> 172.16.10.2/24 Via setup CLI
> 
> 
> Ether2 (Hotspot)
> 10.5.50.1/24
> 
> 
> Ether3 to squid
> 192.168.50.2 Via setup CLI
> 
> 
> Squid
> 
> 
> Ether1 from Wan
> 172.16.11.2
> 
> 
> Ether2 from mikrotik
> 192.168.50.1:3128
> 

I don't understand how that relates to the actual packet flows sorry. Too
many undefined details like:
 - how all the "EtherN" are plugged together
 - what the terminal command line interface (CLI) has to do with routing,
 - which part(s) of your network each of those IP ranges identifies

> 
> The squid is configured transparently.
> 

How? There are 8 transparent interception configurations for Squid. And
a great many more ways to mis-configure it.



> The CLI commands used are as follows:

Are these on the Mikrotik or ClearOS?

> 
> 
> #Mark All HTTP Port 80 Traffic, so that you can use these Marked Packets in 
> Route section.
> 
> /ip firewall nat
> add action=accept chain=srcnat disabled=no dst-port=80 protocol=tcp
> 
> /ip firewall mangle
> add action=mark-routing chain=prerouting disabled=no dst-port=80 
> new-routing-mark=http passthrough=yes protocol=tcp
> 
> /ip route
> add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=(192.168.50.1) 
> routing-mark=http scope=30 target-scope=10
> 
> add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=(172.16.10.1) 
> scope=30 target-scope=10
> 
> 
> /ip firewall mangle add chain=postrouting tos=48 action=mark-packet 
> new-packet-mark=proxy-hit passthrough=no
> 
> 
> /ip firewall mangle add chain=postrouting action=mark-packet 
> new-packet-mark=proxy-hit passthrough=no
> 
> /queue tree add name="pmark" parent=global-out packet-mark=proxy-hit \ 
> limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 
> burst-threshold=0 burst-time=0s
> 
> 
> 
> /ip firewall filter
> 
> add action=add-src-to-address-list address-list=Syn_Flooder 
> address-list-timeout=30m chain=input \
> comment="Add Syn Flood IP to the list" connection-limit=30,32 disabled=no 
> protocol=tcp tcp-flags=syn
> add action=drop chain=input comment="Drop to syn flood list" disabled=no 
> src-address-list=Syn_Flooder
> add action=add-src-to-address-list address-list=Port_Scanner 
> address-list-timeout=1w chain=input comment="Port Scanner Detect"\
> disabled=no protocol=tcp psd=21,3s,3,1
> add action=drop chain=input comment="Drop to port scan list" disabled=no 
> src-address-list=Port_Scanner

You might want to ensure Squid cannot be caught and listed as a SYN-flooder.
 Squid will potentially open many hundreds of connections per second if
lots of clients are using it. Without the proxy that would be spread
over many client IPs and not hit flooding limits.


> add action=jump chain=input comment="Jump for icmp input flow" disabled=no 
> jump-target=ICMP protocol=icmp
> add action=drop chain=input\
> comment="Block all access to the winbox - except to support list
> add action=jump chain=forward comment="Jump for icmp forward flow" 
> disabled=no jump-target=ICMP protocol=icmp
> add action=drop chain=forward comment="Drop to bogon list" disabled=no 
> dst-address-list=bogons
> add action=add-src-to-address-list address-list=spammers 
> address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 
> hours"\
> connection-limit=30,32 disabled=no dst-port=25,587 limit=30/1m,0 protocol=tcp
> add action=drop chain=forward comment="Avoid spammers action" disabled=no 
> dst-port=25,587 protocol=tcp src-address-list=spammers
> add action=accept chain=input comment="Accept DNS - UDP" disabled=no port=53 
> protocol=udp
> add action=accept chain=input comment="Accept DNS - TCP" disabled=no port=53 
> protocol=tcp
> add action=accept chain=input comment="Accept to established connections" 
> connection-state=established\
> disabled=no
> add action=accept chain=input comment="Accept to related connections" 
> connection-state=related disabled
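The rules quoted in this thread can be checked on paper before anything is changed on the router. What follows is an added example, not code from the thread, from Squid or from MikroTik: a small Python model of the posted mangle, route and filter rules that answers two of the questions Amos raises. First, which flows are actually steered to the 192.168.50.1 gateway: only TCP to port 80, while everything else, HTTPS included, takes the 172.16.10.1 default route, which is the second WAN path he warns about. Second, what the connection-limit=30,32 rule does once forty clients' connections all arrive from the proxy's single address instead of forty client addresses. It also makes visible that the second postrouting mangle rule, having no matcher at all, marks every packet proxy-hit. The assumptions are mine: first-match evaluation with passthrough=no ending the walk, the connection-limit boundary treated as "at or above", the sample addresses, ports and connection counts, and the `exempt` parameter, which stands for a match that excludes the proxy address and is not part of the posted config.

```python
"""Model of the RouterOS rules quoted in this thread (added example, not from the
thread). Addresses and sample flows are constructed; rule semantics are assumed
as described in the lead-in."""
from collections import Counter
from dataclasses import dataclass

SQUID_GW = "192.168.50.1"   # gateway of the routing-mark=http route (from the thread)
WAN_GW = "172.16.10.1"      # main-table default route (from the thread)
LAN = "10.5.50."            # hotspot subnet on ether2 (from the thread)

# /ip firewall mangle chain=postrouting, in the order posted. Rule 2 has no
# matcher at all, so whatever rule 1 did not catch is marked as well.
POSTROUTING_MANGLE = [
    {"tos": 48, "mark": "proxy-hit", "passthrough": False},
    {"mark": "proxy-hit", "passthrough": False},
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    tos: int = 0


def routing_mark(pkt: Packet):
    """/ip firewall mangle chain=prerouting: tcp dst-port=80 -> routing-mark=http."""
    if pkt.proto == "tcp" and pkt.dport == 80:
        return "http"
    return None


def next_hop(pkt: Packet) -> str:
    """/ip route: the 'http' table sends to Squid; anything else takes the
    main default route straight to the WAN gateway, bypassing Squid."""
    return SQUID_GW if routing_mark(pkt) == "http" else WAN_GW


def packet_mark(pkt: Packet):
    """First-match walk of the postrouting mangle chain. passthrough=no stops
    the walk after a match (assumed RouterOS semantics)."""
    mark = None
    for rule in POSTROUTING_MANGLE:
        if "tos" in rule and pkt.tos != rule["tos"]:
            continue
        mark = rule["mark"]
        if not rule["passthrough"]:
            break
    return mark


def flows_via_squid(packets):
    """The (proto, dport) pairs that are actually steered to Squid."""
    return sorted({(p.proto, p.dport) for p in packets if next_hop(p) == SQUID_GW})


def syn_flood_listed(concurrent_by_src, limit=30, exempt=()):
    """connection-limit=30,32 + add-src-to-address-list: a /32 source is listed
    once it holds `limit` or more concurrent connections (boundary assumed).
    `exempt` is the proposed fix, not part of the posted config: leave out
    addresses that aggregate many users, such as the proxy."""
    return sorted(src for src, n in concurrent_by_src.items()
                  if src not in exempt and n >= limit)


def through_proxy(connections, proxy_ip):
    """Same connections after the proxy: all of them now come from one source."""
    return Counter({proxy_ip: sum(connections.values())})


def demo():
    # Constructed sample traffic from three hotspot clients.
    pkts = [Packet(LAN + "10", "93.184.216.34", "tcp", 80),
            Packet(LAN + "10", "93.184.216.34", "tcp", 443),
            Packet(LAN + "11", "8.8.8.8", "udp", 53),
            Packet(LAN + "12", "203.0.113.7", "tcp", 8080)]
    # Forty clients with one connection each: direct, then funnelled through Squid.
    direct = Counter({LAN + str(i): 1 for i in range(40)})
    proxied = through_proxy(direct, SQUID_GW)
    return {
        "via_squid": flows_via_squid(pkts),
        "marks": sorted({packet_mark(p) for p in pkts}),
        "listed_direct": syn_flood_listed(direct),
        "listed_proxied": syn_flood_listed(proxied),
        "listed_proxied_exempt": syn_flood_listed(proxied, exempt={SQUID_GW}),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows `via_squid` containing only `('tcp', 80)`, `marks` collapsing to a single `proxy-hit` for every sample packet, no client listed when the forty connections are spread over forty addresses, the proxy address listed once the same forty connections share it, and nothing listed once the proxy is exempted. Note that the posted SYN-flood rule sits in chain=input, so as written it counts connections made to the router itself; the model applies the same matcher to whichever chain ends up seeing the proxy's connections.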