[Shorewall-users] Tproxy + Squid + IPv6

Fri, 30 Jun 2017 19:53:30 -0700 

Hi again.
Spent the last week getting my home network(s) online with IPv6. I think I'm on the finishing stretch. One last issue has popped up that I am not sure how to fix. 


I'm running squid in transparent proxy mode via tproxy. Had it like that 
for years on ipv4.



I've pretty much just followed the guide at the bottom here: 
http://shorewall.org/Shorewall_Squid_Usage.html


I've attached a shorewall6 dump for good measure


Before I enabled the tproxy rules over ipv6 (and thus not using squid), 
all tests on this site passed: http://test-ipv6.com/


Once I got the tproxy rules enabled, one test started failing.


That was the "Test IPv6 large packet" test. Your browser basically 
fetches a url with 1600 characters in it. I shortened it and added it 
here: http://preview.tinyurl.com/y9vy2j3u



I can fetch that url fine without squid and tproxy. But once it is 
enabled, I can't. Looking at tcpdump, I see the request made goes out of 
my wan nic, what comes back is an icmp "packet too big" response. That 
icmp packet then flows back out (through shorewall) to the computer on 
the lan that made the request. I'm thinking since squid intercepted the 
HTTP request, that the icmp response should be going to squid. So I 
don't know if this is just an issue of iptable rules or something else 
at play here. Any thoughts? Googling for squid + mtu+ ipv6 + tproxy 
doesn't give me too many results other than someone with the same issue 
here (which never responds back with what the fix was): 
http://squid-web-proxy-cache.1019090.n4.nabble.com/TPROXY-Timeouts-on-Select-Websites-td4657073.html




I've not found any websites that are proxied that don't work. Only issue 
seems to be with the ipv6 test website. So perhaps I can ignore this...



Regards,
Samuel Smith




Attachment:
dump.txt.gz

Description: application/gzip


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users






















					Reply via email to