Hey,

There is also another option.
You can open a tunnel (IPIP, GRE, OTHER) between the proxy and the router to 
make it possible to directly route traffic to the proxy.

If you need some help with it let me know.

Eliezer 

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


-----Original Message-----
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Hoggins!
Sent: Tuesday, January 3, 2017 12:54 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Intercept mode failing

Hello,

(answering both Amos and Antony here, you asked the same question ;) )

On 03/01/2017 at 11:45, Amos Jeffries wrote:
> On 2017-01-03 23:13, Hoggins! wrote:
>> Okay, I get that.
>>
>> On 03/01/2017 at 10:33, Antony Stone wrote:
>>> No - you must do the NAT (or REDIRECT) rule *on the Squid server*.
>>
>> Well, my Squid server is not on the same network as my clients, so I 
>> need something other than just a REDIRECT on the Squid itself.
>
> That does not matter when the DNAT or REDIRECT is done on the Squid 
> machine.

OK, I'll have a deeper look into that; indeed I'm not familiar with what 
REDIRECT *exactly* does.

>
>>
>>>
>>> If you need to use policy routing to get the packets to the Squid 
>>> machine in the first place, that's okay, but this *must* be packet 
>>> routing, not address translation
>>
>> Policy routing was my first choice, but there is one important detail 
>> in my setup : between my gateway (192.168.22.10) and my Squid 
>> (192.168.55.3), there's an IPSec tunnel. My gateway does not have a 
>> link-local route to 192.168.55.3 so I can't add the default route to 
>> it inside a routing table (I get "Network is unreachable", which is 
>> expected).
>>
>> So I guess I'm stuck.
>
>
> So how did the packets get to the Squid machine after your DNAT ?
>
> The route does not have to be link-local. Any type of route will do so 
> long as all the routers handling the packets know which way to pass 
> them, and the dst-IP address is not changed.

Well, xfrm routing is a lot different from "classic" routing, I learnt it the 
hard way. DNAT *will* work whereas policy routing won't if I don't explicitly 
declare all my subnets in my IPSec tunnel configuration. I had a big discussion 
about that on StrongSwan's mailing list, and I believe this sums it up pretty 
nicely:
http://xkr47.outerspace.dyndns.org/netfilter/packet_flow/packet_flow9.png

Anyway, yes, if I try to add a route by:
    ip route add default via <IP ADDRESS> table 123

<IP ADDRESS> *has* to be directly reachable. Or it has to be in the routing 
table somehow. But the routing table handling the tunnelled packets is not 
managed by iproute2.

So as I can't do otherwise, I'm going to experiment a bit more with the 
REDIRECT + DNAT between the gateway and the Squid server.

Thanks for your help!

>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
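The following is an added example, not code from the thread or from the Squid project. It puts Eliezer's GRE-tunnel suggestion together with the "route, do not translate" rule Antony and Amos describe: the gateway policy-routes client port-80 flows into a GRE tunnel with the destination address left untouched, and the REDIRECT to Squid's intercept port happens on the Squid host itself, where Squid can look the original destination up in the local NAT table (a DNAT on the gateway would overwrite that destination before Squid ever sees the packet). The gateway address 192.168.22.10 and the Squid address 192.168.55.3 come from Hoggins' message; the tunnel subnet 10.99.0.0/30, table id 100, fwmark 0x1, client subnet 192.168.22.0/24, interface eth1 and intercept port 3129 are assumptions for illustration. In a setup like Hoggins', the GRE packets (IP protocol 47) between the two endpoint addresses themselves ride the existing IPsec SA, so its traffic selectors must permit them; the script prints the commands by default and only executes them when asked to.

```shell
#!/bin/sh
# Added example (not from the thread or the Squid project): emit the iproute2
# and iptables commands for a GRE tunnel between gateway and Squid host, with
# policy routing on the gateway and REDIRECT on the Squid host.
# Addresses 192.168.22.10 and 192.168.55.3 come from the thread; every other
# value below is an assumed value chosen for illustration.

GW_IP=192.168.22.10       # gateway (from the thread)
SQUID_IP=192.168.55.3     # Squid host (from the thread)
GRE_GW=10.99.0.1          # assumed: tunnel address, gateway side
GRE_SQUID=10.99.0.2       # assumed: tunnel address, Squid side
LAN=192.168.22.0/24       # assumed: client subnet behind the gateway
LAN_IF=eth1               # assumed: gateway interface facing the clients
TABLE=100                 # assumed: policy-routing table id
MARK=0x1                  # assumed: fwmark for flows sent to the proxy
INTERCEPT_PORT=3129       # assumed: port of "http_port 3129 intercept"

# Gateway side: GRE endpoint plus policy routing. The mangle rule marks only
# LAN traffic that is not already addressed to the Squid host, so Squid's own
# traffic never loops back into the tunnel. Deliberately no nat-table rule:
# the destination IP must survive the trip so Squid can read it.
gateway_commands() {
  cat <<EOF
ip tunnel add gre0 mode gre local $GW_IP remote $SQUID_IP ttl 64
ip addr add $GRE_GW/30 dev gre0
ip link set gre0 up
iptables -t mangle -A PREROUTING -i $LAN_IF -s $LAN ! -d $SQUID_IP -p tcp --dport 80 -j MARK --set-mark $MARK
ip rule add fwmark $MARK lookup $TABLE
ip route add default via $GRE_SQUID dev gre0 table $TABLE
EOF
}

# Squid side: the other GRE endpoint, a return route for the client subnet so
# replies (and rp_filter) work, and the REDIRECT that the intercept port relies
# on. REDIRECT changes only the port, on this box, so the original destination
# address is still available to Squid through the local NAT table.
squid_commands() {
  cat <<EOF
ip tunnel add gre0 mode gre local $SQUID_IP remote $GW_IP ttl 64
ip addr add $GRE_SQUID/30 dev gre0
ip link set gre0 up
ip route add $LAN via $GRE_GW dev gre0
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i gre0 -s $LAN -p tcp --dport 80 -j REDIRECT --to-ports $INTERCEPT_PORT
iptables -A INPUT -i gre0 -p tcp --dport $INTERCEPT_PORT -j ACCEPT
EOF
}

# Matching squid.conf lines: the intercept port is kept separate from the
# normal forward-proxy port.
squid_conf_lines() {
  cat <<EOF
http_port 3128
http_port $INTERCEPT_PORT intercept
EOF
}

# Dry run by default; the apply-* modes pipe the commands into sh as root.
case "${1:-}" in
  gateway)       gateway_commands ;;
  squid)         squid_commands ;;
  squid-conf)    squid_conf_lines ;;
  apply-gateway) gateway_commands | sh -e ;;
  apply-squid)   squid_commands | sh -e ;;
  *) echo "usage: $0 gateway|squid|squid-conf|apply-gateway|apply-squid" ;;
esac
```

Check the output with `sh tunnel.sh gateway` and `sh tunnel.sh squid` before running the apply modes. Because the GRE tunnel is carried inside ESP, lower the MTU on gre0 (`ip link set gre0 mtu ...`) to leave room for both encapsulation headers, and confirm on the Squid host that packets from the LAN are only reachable via gre0, otherwise rp_filter will drop them.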
