On 7/13/2012 2:33 PM, Wayne Lee wrote:
Hello List

My first post here but have been using squid for a while.

Trying to implement a transparent proxy for some of our DSL users.
I've setup a test LNS on a Cisco 2821, the connections come in via the
standard PPPoA and are sent via L2TP from the provider. Standard stuff
which works.  WCCPv2 is setup and working OK, I can see the packets
arriving on the box. The trouble I'm having is that the packets are
arriving on the squid box but don't seem to be diverted into squid
daemon.

Details

LNS = Cisco 2821, (C2800NM-SPSERVICESK9-M), Version 12.4(3b). LNS is
acting as a router on a stick (1 active interface)

(IP's changed to protect the guilty. NAT is not used in this network)

LNS IP = 172.16.254.253 /30
LNS GW = 172.16.254.254 /30
DSL user IP = 10.10.254.254 /32

SNIP>

If you could be more accurate about the cable setup and logic, and not just the IPs, it would help in understanding things.

Packet traces

traffic from dsl connection directed via wccp to squid

root@squid:~# !tcpdump
tcpdump -niwccp0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wccp0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
12:19:54.287278 IP 10.10.254.254.46360 > 80.239.148.170.80: Flags [S],
seq 975284290, win 13600, options [mss 1360,sackOK,TS val 2009935 ecr
0,nop,wscale 4], length 0
12:19:54.445694 IP 10.10.254.254.46361 > 80.239.148.170.80: Flags [S],
seq 1791319806, win 13600, options [mss 1360,sackOK,TS val 2009975 ecr
0,nop,wscale 4], length 0
12:19:55.285531 IP 10.10.254.254.46360 > 80.239.148.170.80: Flags [S],
seq 975284290, win 13600, options [mss 1360,sackOK,TS val 2010185 ecr
0,nop,wscale 4], length 0
12:19:55.445826 IP 10.10.254.254.46361 > 80.239.148.170.80: Flags [S],
seq 1791319806, win 13600, options [mss 1360,sackOK,TS val 2010225 ecr
0,nop,wscale 4], length 0

The problem is that the traffic that comes from the internet is supposed to get into the proxy machine, but it's going to the client, which is not listening on the same socket.
WCCP + TPROXY don't play well together!!!
If you run tcpdump on the client machine you will see packets of sessions that started on the squid box arriving at it.
You don't need to be at this for 3 days.
Just buy a 1Gbit Ethernet card and put a small bridge between the Cisco and the next hop.



I have followed several guides on the wiki, tried different distros,
DNAT without Tproxy and now with Tproxy. Any pointers on where I'm
going wrong will be helpful as I've been at this for 3 days now. If I
set this up in a "normal" network with LAN, WAN and squid being the
gateway device it works in non-transparent and transparent modes. This
feels like an issue with the DSL connections being rejected by squid or
iptables but I'm at a loss to explain where or how.

When tested using the DNAT method the packets were routed via the
squid box although still bypassed the squid daemon, the packets would
return from the webserver but were then dropped. Using the Tproxy
method shows the packets never getting to squid and not leaving the
box to the webserver.

Do I require multiple interfaces on the squid box and maybe use
ebtables, or is what I'm trying to achieve possible on 1 interface?

It depends.
You can always do something with VLANs and stuff to make one interface act like two. With TPROXY the traffic that comes from the proxy is the same as the one that comes from the client:
10.10.254.254 comes in and 10.10.254.254 comes out.
So the only options you have are:
use some routing technique such as a route map with next hop.
You can set up the Cisco to send traffic to the squid box using one IP that squid will use as the GW for the clients' network,
and a second IP to access the net and be reached from the net.
This way squid will be a "router" on the way.
Another option is the bridge thing with two network cards.
You can play with VLANs and bridge two VLANs, but it's pretty nasty to do so.

Regards,
Eliezer


Thanks for reading


Wayne



--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
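The wccp0 trace quoted above shows each client SYN sent twice with the same sequence number and no SYN-ACK ever coming back, which is the symptom of the return path going to the client instead of the proxy. As an added example (not from this thread or from Squid), the script below parses tcpdump lines and lists flows whose SYNs were never answered; the sample capture is the one quoted in the thread, rejoined onto single lines, plus one constructed healthy flow for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: the four SYNs from the quoted wccp0 capture, each tcpdump
# record rejoined onto one line (tcpdump wraps long records when printing).
SAMPLE_CAPTURE = """\
12:19:54.287278 IP 10.10.254.254.46360 > 80.239.148.170.80: Flags [S], seq 975284290, win 13600, options [mss 1360,sackOK,TS val 2009935 ecr 0,nop,wscale 4], length 0
12:19:54.445694 IP 10.10.254.254.46361 > 80.239.148.170.80: Flags [S], seq 1791319806, win 13600, options [mss 1360,sackOK,TS val 2009975 ecr 0,nop,wscale 4], length 0
12:19:55.285531 IP 10.10.254.254.46360 > 80.239.148.170.80: Flags [S], seq 975284290, win 13600, options [mss 1360,sackOK,TS val 2010185 ecr 0,nop,wscale 4], length 0
12:19:55.445826 IP 10.10.254.254.46361 > 80.239.148.170.80: Flags [S], seq 1791319806, win 13600, options [mss 1360,sackOK,TS val 2010225 ecr 0,nop,wscale 4], length 0
"""

# Constructed healthy flow (not in the thread): a SYN that does get its SYN-ACK.
HEALTHY_CAPTURE = """\
12:20:01.000000 IP 10.10.254.254.46362 > 80.239.148.170.80: Flags [S], seq 100, win 13600, length 0
12:20:01.010000 IP 80.239.148.170.80 > 10.10.254.254.46362: Flags [S.], seq 500, ack 101, win 14600, length 0
"""

# Matches the start of a tcpdump -n TCP record: timestamp, endpoints, flags, seq.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+))?"
)


def parse_tcpdump(text):
    """Yield one dict per TCP record; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_unanswered_syns(text):
    """Return {(src, sport, dst, dport): syn_count} for client flows whose SYN
    was sent (possibly retransmitted) but never answered by a SYN-ACK."""
    syns = defaultdict(int)
    answered = set()
    for p in parse_tcpdump(text):
        flow = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["flags"] == "S":
            syns[flow] += 1
        elif p["flags"] == "S.":
            # A SYN-ACK travels server -> client; record the reversed tuple.
            answered.add((p["dst"], p["dport"], p["src"], p["sport"]))
    return {f: n for f, n in syns.items() if f not in answered}


if __name__ == "__main__":
    for flow, count in find_unanswered_syns(SAMPLE_CAPTURE).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}: {count} SYNs, no SYN-ACK")
```

A flow that shows up here with a count above 1 is the client retrying a handshake whose reply never reached the capture point; run the same capture on the client side, as suggested above, to confirm the SYN-ACKs are landing there instead.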

