On Mon, Jan 26, 2004 at 01:42:30PM +1030, Adam Smith said:
> On Sun, Jan 25, 2004 at 11:46:34PM +0200, Roman Synyuk said:
> > Hello.
> >
> > You need to configure forwarding incoming packets from GRE interface
> > to squid process:
> >
> > # ipfw add fwd 127.0.0.1,3128 ip from any to any via gre0 in
> > # ipfw add permit ip from any to any
>
> I tried this, however I'm still not seeing it work, and now I have more
> questions!
>
> IPFW:
>
> I am now counting any packets on my GRE rule:

Sorry, "now" should read "not".

> 01300 0 0 fwd 127.0.0.1,3128 ip from any to any via gre0 in
>
> I'm also not entirely sure at which level of my firewall rules I should be
> inserting this rule. I've tried just before "allow ip from me to any" and
> I've tried right at the very start but still, no packets are counted.
>
> CISCO 837:
>
> Which interface am I actually supposed to be running the WCCP redirect on?
> I'm starting to think it should be on my Ethernet0 interface, as this is
> where the GRE tunnel ends. It sorta makes better sense. Adding the
> wccp-redirect lines to it doesn't make any difference though -- users can
> still get out without anything going back to the proxy.
>
> If users are getting through, does this mean the wccp redirect is failing
> at the router end?
>
> Thanks for any pointers.
>
> > > Hello!
> > >
> > > I'm trying to set up a transparent proxy, but I'm running into some
> > > difficulty. Here is my setup:
> > >
> > > * Cisco 837 running Cisco IOS 12.3
> > > * FreeBSD 5.1
> > > * squid-2.5.4_6 with WCCP compiled in
> > > * (also running apache-2.0.48_1, running on port 80)
> > >
> > > I have so far taken the following steps:
> > >
> > > In squid.conf:
> > > --------------
> > >
> > > ## WCCP Redirection (Transparent Proxy)
> > > ## ------------------------------------
> > > httpd_accel_host virtual
> > > httpd_accel_port 3128
> > > httpd_accel_with_proxy on
> > > httpd_accel_uses_host_header on
> > > wccp_router 10.0.0.254
> > > wccp_version 3
> > >
> > > On the Cisco 837:
> > > -----------------
> > >
> > > ip wccp version 1
> > > ip wccp web-cache redirect-list 2
> > > !
> > > interface BVI1
> > >  description --- Bridging Interface ---
> > >  ip address 150.101.x.x 255.255.255.248
> > >  ip wccp web-cache redirect in
> > >  ip nat outside
> > > end
> > > !
> > > access-list 2 permit 10.0.0.0 0.0.0.255
> > >
> > > On FreeBSD 5.1:
> > > ---------------
> > >
> > > <compiled 'device gre' into kernel>
> > >
> > > configured device with:
> > >
> > > # ifconfig gre0 create
> > > # ifconfig gre0 10.0.0.3 10.0.0.254 netmask 255.255.255.255 up
> > > # ifconfig gre0 tunnel 10.0.0.3 10.0.0.254
> > > # route delete 10.0.0.254
> > >
> > > ifconfig:
> > >
> > > gre0: flags=9051<UP,POINTOPOINT,RUNNING,LINK0,MULTICAST> mtu 1476
> > >         tunnel inet 10.0.0.3 --> 10.0.0.254
> > >         inet6 fe80::240:5ff:fe03:3fb1%gre0 prefixlen 64 scopeid 0x5
> > >         inet 10.0.0.3 --> 255.255.255.0 netmask 0xff000000
> > >
> > > Once all this is done and Squid starts I get the following messages on my
> > > 837:
> > >
> > > router#deb ip wccp event
> > > router#deb ip wccp packet
> > > *Mar 1 19:57:04.715: WCCP-PKT: Sending I_See_You packet to 10.0.0.3 w/ rcvd_id
> > > 000000C2
> > > *Mar 1 19:57:14.739: WCCP-EVNT: Built I_See_You msg body w/1 usable web caches,
> > > change # 0000000B
> > > *Mar 1 19:57:14.739: %WCCP-5-CACHEFOUND: Web Cache 10.0.0.3 acquired
> > > *Mar 1 19:57:14.739: WCCP-PKT: Received valid Here_I_Am packet from 10.0.0.3
> > > w/rcvd_id 000000C2
> > > *Mar 1 19:57:14.739: WCCP-PKT: Sending I_See_You packet to 10.0.0.3 w/ rcvd_id
> > > 000000C3
> > > *Mar 1 19:57:25.759: WCCP-PKT: Received valid Here_I_Am packet from 10.0.0.3
> > > w/rcvd_id 000000C3
> > > *Mar 1 19:57:25.759: WCCP-PKT: Sending I_See_You packet to 10.0.0.3 w/ rcvd_id
> > > 000000C4
> > >
> > > So they're talking WCCP, however users can still browse the web and it
> > > seems to me as though the router isn't forwarding the traffic:
> > >
> > > router#sh ip wccp web-cache detail
> > > WCCP Cache-Engine information:
> > > Web Cache ID: 0.0.0.0
> > > Protocol Version: 0.3
> > > State: Usable
> > > Initial Hash Info: 00000000000000000000000000000000
> > >                    00000000000000000000000000000000
> > > Assigned Hash Info: 00000000000000000000000000000000
> > >                     00000000000000000000000000000000
> > > Hash Allotment: 0 (0.00%)
> > > Packets Redirected: 0
> > > Connect Time: 00:03:35
> > >
> > > I am not sure if interface BVI1 is supposed to be redirect in or redirect
> > > out, but so far having either has shown the same results.
> > >
> > > Squid logs are not showing anything.
> > >
> > > Is my understanding correct if I say that my 837 intercepts traffic on port
> > > 80 and then, using the GRE tunnel, redirects it to my FreeBSD box still on
> > > port 80, where squid handles it like a normal request? If this is the
> > > case, am I supposed to set up some kind of firewall rule that captures
> > > traffic in port 80 and remaps it to port 3128? If I do this, how can I
> > > have apache and squid running together?
> > >
> > > This is sort of what I have worked out after reading the setup steps for
> > > all sorts of linux/freebsd configurations, but I'm not so sure it's what I
> > > need to do. To test this I changed the listening port of squid to 80, and
> > > still saw no entries in my access.log tending me to believe that the
> > > wccp-redirect just ain't workin'.
> > >
> > > Can anyone shed any light?
> > >
> > >
> > > Cheers,
> > >
> > > --
> > > Adam Smith : [EMAIL PROTECTED]
> > > Internode : http://www.internode.on.net
> > > Phone : (08) 8228 2999
> > >
>
> --
> Adam Smith : [EMAIL PROTECTED]
> Internode : http://www.internode.on.net
> Phone : (08) 8228 2999

--
Adam Smith : [EMAIL PROTECTED]
Internode : http://www.internode.on.net
Phone : (08) 8228 2999