Hey Vieri,

I am missing a couple of pieces to understand and maybe reproduce the issue.
What Linux and Squid version are you using?

A tproxy setup is using the OS network stack for selecting the proper source 
and destination addresses.
I have not implemented such a setup for a very long time but it's possible that 
you will need a simple REDIRECT iptables/nftables rule
for specific LAN traffic.

I'm not sure how you would apply the policies, but what I understand is that you 
are in a TPROXY mess.
A TPROXY setup should have static routing rules and usually cannot use 
multiple ISPs on the Squid box
(assuming each of the ISPs provides a different IPv4 address).
I can see the point in such a setup, but to make sure it works I will need more 
information.

It's probably possible to use 2 ISPs if you have some kind of routing and 
iptables rules in place.

I am missing too many technical details to tell you how to implement such 
a setup.

Eliezer

----
Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1...@gmail.com
Web: https://ngtech.co.il/
My-Tube: https://tube.ngtech.co.il/

-----Original Message-----
From: squid-users <squid-users-boun...@lists.squid-cache.org> On Behalf Of Vieri
Sent: Tuesday, 16 August 2022 10:52
To: squid-users@lists.squid-cache.org
Subject: [squid-users] forwarding TPROXY squid and multi-ISP

Hi,

I'm using squid as a forward transparent proxy with something like this:

https_port 3130 tproxy ssl-bump [etc.]

The Squid service is running on a Linux FW which is the LAN's default gateway.
The host uses TPROXY such as:

25873 5262K TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            TPROXY redirect 0.0.0.0:3130 mark 0x200/0x200

This router has multiple physical and logical interfaces with a default route 
via 172.16.0.2. The latter IP address is assigned to another Linux host acting 
as gateway to Internet.

Now, the Squid firewalling router also has a network interface connected to a 
different Internet provider (say, ISP2). Some LAN hosts are required to use 
that provider instead of the Internet gateway I mentioned before (via 
172.16.0.2).
If I do NOT apply TPROXY to these hosts (i.e. if they bypass Squid) then they 
can access the alternate WAN provider after I apply some simple routing rules 
(e.g. "from HOST_IP_ADDR lookup ISP2").
The rest of the hosts with TPROXIED traffic through Squid can also correctly 
access the Internet via 172.16.0.2.

The only scenario that's failing is if I want to force LAN traffic through 
Squid for those hosts that need to access the Internet via ISP2.
I'm guessing that it may be because the Squid process is fetching data via 
172.16.0.2 *always*.

How can I fix this? What are my options?
Is it possible to properly configure the same Squid system for this, or is it 
necessary to set up another Squid system via ISP2?

Regards,
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
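The following is an added example, not code from either poster or from the Squid project. It sketches what "some kind of routing and iptables rules" plus a matching Squid configuration could look like for the two-ISP case in this thread: the hosts that must use ISP2 go into a Squid ACL, Squid sets a socket mark on the connections it opens for those clients with the `tcp_outgoing_mark` directive, and an `ip rule fwmark` entry steers marked packets into the ISP2 table alongside the existing "from HOST lookup ISP2" rules for bypassing hosts. The interface name, gateway address, host addresses and the 0x100 mark value are constructed placeholders; the ISP2 table name and the 0x200 TPROXY mark are taken from the post. Without APPLY=1 the privileged commands are only printed.

```shell
#!/bin/sh
# Added example (not from the thread): policy routing plus a Squid ACL/mark
# pairing for a TPROXY box with a second ISP.  Interface, gateway, host
# addresses and ISP2_MARK are constructed placeholders.
# Without APPLY=1 every privileged command is printed instead of executed.

TPROXY_MARK=0x200                 # mark already used by the TPROXY rule in the post
ISP2_MARK=0x100                   # assumed mark for Squid's ISP2-bound sockets
ISP2_TABLE=ISP2                   # table name from the post (must exist in rt_tables)
ISP2_IF=eth2                      # assumed interface towards ISP2
ISP2_GW=203.0.113.1               # assumed ISP2 gateway (documentation address)
ISP2_HOSTS="192.168.1.10 192.168.1.11"   # constructed LAN hosts that must use ISP2

run() {
    # Dry-run wrapper: print the command unless APPLY=1.
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

marks_disjoint() {
    # The outgoing mark must not share bits with the TPROXY mark, otherwise a
    # fwmark rule for the TPROXY table would also catch Squid's own connections.
    if [ $(( ISP2_MARK & TPROXY_MARK )) -eq 0 ]; then echo ok; return 0; fi
    echo collision; return 1
}

routing_rules() {
    # Default route inside the ISP2 table, then two selectors into it:
    # - forwarded packets from the listed hosts (the bypass case from the post),
    # - packets carrying ISP2_MARK, i.e. Squid sockets marked by tcp_outgoing_mark.
    run ip route replace default via "$ISP2_GW" dev "$ISP2_IF" table "$ISP2_TABLE"
    for h in $ISP2_HOSTS; do
        run ip rule add from "$h" lookup "$ISP2_TABLE"
    done
    run ip rule add fwmark "$ISP2_MARK/$ISP2_MARK" lookup "$ISP2_TABLE"
}

squid_conf() {
    # squid.conf fragment: the same host list as an ACL, and the mark applied
    # to the outgoing connections Squid opens on behalf of those clients.
    echo "acl isp2_hosts src $ISP2_HOSTS"
    echo "tcp_outgoing_mark $ISP2_MARK isp2_hosts"
}

marks_disjoint >/dev/null || { echo "mark collision" >&2; exit 1; }
routing_rules
echo "# squid.conf fragment"
squid_conf
```

Setting a socket mark needs CAP_NET_ADMIN, which a Squid that already binds transparently for TPROXY has. The bit check matters because the usual TPROXY setup routes on `fwmark 0x200/0x200`; an outgoing mark that overlaps that bit would send Squid's upstream connections back through the local-delivery table instead of out via ISP2.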
