Sławomir Kozłowski wrote:
Hi,
I have one little problem with squid. I use squid now as configured
manually, but can't force it to work in transparent mode.

So first Q: __what version of squid__ ???

Debian has somewhere between 9 and a few hundred Squid versions currently in-use depending on how recently you upgraded and which Debian release you have.

"squid -v" should give some indication what version it is.


My whole config is:
1. network

{internet} -> router cisco 2821 (with 2 vlans) -> switch -> client is
on vlan 201, squid is on vlan 2

2. cisco config: FastEthernet0/0 is external interface with direct
connection to the Internet, with external IP address (77.77.77.12 is
fake), FastEthernet0/1.201 is vlan interface with all clients,
FastEthernet0/1.2 is vlan interface with squid machine in it

ip wccp web-cache
ip cef

interface FastEthernet0/0
 ip address 77.77.77.12 255.255.255.224
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto

interface FastEthernet0/1.2
 encapsulation dot1Q 201
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip mroute-cache
 no snmp trap link-status

interface FastEthernet0/1.201
 encapsulation dot1Q 201
 ip address 192.168.201.1 255.255.255.0
 ip wccp web-cache redirect out
 ip wccp web-cache redirect in
 ip nat inside
 ip virtual-reassembly
 no ip mroute-cache
 no snmp trap link-status

3. network config on machine with squid

iface eth0 inet static
        address 192.168.2.243
        netmask 255.255.255.0
        network 192.168.2.0
        broadcast 192.168.2.255
        gateway 192.168.2.1

4. squid config

wccp2_router 77.77.77.12
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0
access_log /var/log/squid3/access.log
http_port 3128 transparent
acl blocksites url_regex "/etc/squid3/blocked-sites.acl"
http_access deny blocksites

Your life will be easier, and your log emptier, if you place the "transparent" option on a different port to the one on which you get normal proxy requests. I recommend 3129 or such. Then firewall that port from any direct contact with devices other than the router. (But do the firewall bit later, once you have WCCP working, to be sure.)


5. iptables config

$iptables -F
$iptables -X
$iptables -F -t nat
$iptables -F -t mangle
$iptables -t nat -A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j REDIRECT --$

You may also need a POSTROUTING -j MASQUERADE rule to unwind the reply packets Squid->Client.


6. tunnel config

/sbin/ip tunnel add wccp0 mode gre remote 77.77.77.12 local 192.168.2.243 dev eth0;
/sbin/ifconfig wccp0 192.168.2.243 netmask 255.255.255.255 up
/sbin/sysctl -w net.ipv4.conf.wccp0.rp_filter=0 ;
/sbin/sysctl -w net.ipv4.conf.eth0.rp_filter=0 ;

Now, the problem. If I configure the proxy manually on the client, all is
working fine. When I remove the proxy configuration from the browser,
then I cannot access any webpage.
I did some debugging, and when I run tcpdump on the wccp0 interface and try
to access some webpage on the client (squid in transparent mode), I
see some packets on the wccp0 interface, but no page is loading.
Also on the cisco router, when I run: sh ip wccp web-cache I get:

Global WCCP information:
    Router information:
        Router Identifier:                   192.168.201.1
        Protocol Version:                    2.0

    Service Identifier: web-cache
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            2089
        Process:                             116
        Fast:                                0
        CEF:                                 1973
        Redirect access-list:                -none-
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            139
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

and when I run: sh ip wccp web-cache detail I get:
WCCP Cache-Engine information:
        Web Cache ID:          192.168.2.243
        Protocol Version:      2.0
        State:                 Usable
        Initial Hash Info:     00000000000000000000000000000000
                               00000000000000000000000000000000
        Assigned Hash Info:    FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                               FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
        Hash Allotment:        256 (100.00%)
        Packets Redirected:    5
        Connect Time:          05:42:44
        Bypassed Packets
          Process:             0
          Fast:                0
          CEF:                 0

So, please help me set this up as transparent proxy.
Thanks in advance,
Slawek

In 4. squid config you specify:

> wccp2_router 77.77.77.12

In 6. tunnel config you specify:
  gre remote 77.77.77.12

yet WCCP indicates:
  Router Identifier: 192.168.201.1

I think your gre tunnel is probably going to the wrong IP.
To check, try adding a gre tunnel from the Squid box to all of the router IPs and seeing which one gets traffic.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
  Current Beta Squid 3.1.0.13
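The changes Amos's reply asks for, gathered into one script as an added example (not from the thread or from the Squid project): the GRE tunnel pointed at the Router Identifier that "sh ip wccp web-cache" reported, a REDIRECT into a dedicated transparent port that only tunnel traffic may reach, the MASQUERADE rule for the return path, and the matching squid.conf port lines. It assumes 192.168.201.1 is the address the router really encapsulates from and that port 3129 is unused; the script only prints the commands so they can be reviewed before being piped to a root shell.

```shell
#!/bin/sh
# Added example, not from the thread: print the tunnel, firewall and squid.conf
# changes Amos's reply calls for, so they can be reviewed and then applied with
# "sh wccp-intercept.sh | sudo sh" (assumed file name). ROUTER_ID is assumed to
# be the Router Identifier that "sh ip wccp web-cache" printed (192.168.201.1).
SQUID_IP=192.168.2.243
ROUTER_ID=192.168.201.1
LAN_IF=eth0
GRE_IF=wccp0
PROXY_PORT=3128
INTERCEPT_PORT=3129   # dedicated transparent port, assumed unused

# GRE tunnel to the WCCP router identifier, not the router's WAN address.
wccp_tunnel_cmds() {
  cat <<EOF
ip tunnel add $GRE_IF mode gre remote $ROUTER_ID local $SQUID_IP dev $LAN_IF
ip addr add $SQUID_IP/32 dev $GRE_IF
ip link set $GRE_IF up
sysctl -w net.ipv4.conf.$GRE_IF.rp_filter=0
sysctl -w net.ipv4.conf.$LAN_IF.rp_filter=0
EOF
}

# Redirect only traffic that arrived through the tunnel, masquerade the return
# path, and refuse anything reaching the intercept port from elsewhere.
firewall_cmds() {
  cat <<EOF
iptables -t nat -A PREROUTING -i $GRE_IF -p tcp --dport 80 -j REDIRECT --to-ports $INTERCEPT_PORT
iptables -t nat -A POSTROUTING -o $LAN_IF -j MASQUERADE
iptables -A INPUT -i $GRE_IF -p tcp --dport $INTERCEPT_PORT -j ACCEPT
iptables -A INPUT -p tcp --dport $INTERCEPT_PORT -j DROP
EOF
}

# squid.conf: the plain proxy port stays as is, "transparent" moves to the
# dedicated port (Squid 2.7/3.0 keyword, as used in the thread).
squid_port_lines() {
  printf 'http_port %s\nhttp_port %s transparent\n' "$PROXY_PORT" "$INTERCEPT_PORT"
}

# Which router address really sends the GRE? Its source IP is what "remote"
# above must match; a shortcut for Amos's try-every-router-IP probe.
gre_probe_cmd() {
  echo "tcpdump -ni $LAN_IF -c 5 proto gre"
}
wccp_tunnel_cmds
firewall_cmds
squid_port_lines | sed 's/^/# squid.conf: /'
gre_probe_cmd | sed 's/^/# verify router IP with: /'
```

Run the tcpdump line first: if the GRE packets come from an address other than 192.168.201.1, change ROUTER_ID before applying the rest.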
