I do apologize for that oversight in terminology!
My proxy server is not working well, as I said earlier!
I would appreciate it if you could help me out here.

>Let's start with the title...
>
>Your Squid is being used as an interception proxy. Not an accelerator /
>reverse-proxy. Getting the terms right will greatly improve your ability
>to search for relevant information.
>
>
>On 8/03/2014 6:59 a.m., Oluseyi Akinboboye wrote:
>> I have been long searching for a solution and finally this morning I got it 
>> to work. My setup is as follows:
>> 
>> WAN >> 16-port D-Link switch >> ClearOS >> MikroTik >> NetEqualizer >> 24-port D-Link 
>> switch
>> 
>> 
>> I have added a squid with its input from the Wan directly and then I have 
>> put the squid directly to the mikrotik. 
>> 
>
>So to translate your diagram and description:
>
> WAN -> Squid -> Router -> LAN
>
>is that correct?
>
>I am assuming from the description that Squid is running on the ClearOS
>machine.
>
>
>> I did the following configurations:
>> 
>> 
>> Wan:
>> 
>> Wan -> mikrotik 172.16.10.1/24
>> Wan -> squid 172.16.11.1/24
>> 
>
>Huh?
> If I'm reading that right you have two distinct routes that packets
>from the WAN -> LAN may take. Only one of which goes through Squid.
>  Be very VERY careful with the packet flows when doing this.
>
>
>> 
>> Mikrotik
>> 
>> 
>> Ether1
>> 172.16.10.2/24 Via setup CLI
>> 
>> 
>> Ether2 (Hotspot)
>> 10.5.50.1/24
>> 
>> 
>> Ether3 to squid
>> 192.168.50.2 Via setup CLI
>> 
>> 
>> Squid
>> 
>> 
>> Ether1 from Wan
>> 172.16.11.2
>> 
>> 
>> Ether2 from mikrotik
>> 192.168.50.1:3128
>> 
>
>I don't understand how that relates to the actual packet flows, sorry. Too
>many undefined details like:
> - how all the "EtherN" are plugged together
> - what the terminal command line interface (CLI) has to do with routing,
> - which part(s) of your network each of those IP ranges identifies
>
>> 
>> The squid is configured transparently.
>> 
>
>How? there are 8 transparent interception configurations for Squid. And
>a great many more ways to mis-configure it.
>
>
>
>> The CLI commands used are as follows:
>
>Are these on the Mikrotik or ClearOS?
>
>> 
>> 
>> #Mark All HTTP Port 80 Traffic, so that you can use these Marked Packets in 
>> Route section.
>> 
>> /ip firewall nat
>> add action=accept chain=srcnat disabled=no dst-port=80 protocol=tcp
>> 
>> /ip firewall mangle
>> add action=mark-routing chain=prerouting disabled=no dst-port=80 
>> new-routing-mark=http passthrough=yes protocol=tcp
>> 
>> /ip route
>> add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.50.1 
>> routing-mark=http scope=30 target-scope=10
>> 
>> add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.16.10.1 
>> scope=30 target-scope=10
>> 
>> 
>> /ip firewall mangle add chain=postrouting tos=48 action=mark-packet 
>> new-packet-mark=proxy-hit passthrough=no
>> 
>> 
>> /ip firewall mangle add chain=postrouting action=mark-packet 
>> new-packet-mark=proxy-hit passthrough=no
>> 
>> /queue tree add name="pmark" parent=global-out packet-mark=proxy-hit \ 
>> limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 
>> burst-threshold=0 burst-time=0s
>> 
>> 
>> 
>> /ip firewall filter
>> 
>> add action=add-src-to-address-list address-list=Syn_Flooder 
>> address-list-timeout=30m chain=input \
>> comment="Add Syn Flood IP to the list" connection-limit=30,32 disabled=no 
>> protocol=tcp tcp-flags=syn
>> add action=drop chain=input comment="Drop to syn flood list" disabled=no 
>> src-address-list=Syn_Flooder
>> add action=add-src-to-address-list address-list=Port_Scanner 
>> address-list-timeout=1w chain=input comment="Port Scanner Detect"\
>> disabled=no protocol=tcp psd=21,3s,3,1
>> add action=drop chain=input comment="Drop to port scan list" disabled=no 
>> src-address-list=Port_Scanner
>
>You might want to ensure Squid cannot be caught and listed as a SYN-flooder.
> Squid will potentially open many hundreds of connections per second if
>lots of clients are using it. Without the proxy that would be spread
>over many client IPs and not hit flooding limits.
>
>
>> add action=jump chain=input comment="Jump for icmp input flow" disabled=no 
>> jump-target=ICMP protocol=icmp
>> add action=drop chain=input \
>> comment="Block all access to the winbox - except to support list"
>> add action=jump chain=forward comment="Jump for icmp forward flow" 
>> disabled=no jump-target=ICMP protocol=icmp
>> add action=drop chain=forward comment="Drop to bogon list" disabled=no 
>> dst-address-list=bogons
>> add action=add-src-to-address-list address-list=spammers 
>> address-list-timeout=3h chain=forward comment="Add Spammers to the list for 
>> 3 hours"\
>> connection-limit=30,32 disabled=no dst-port=25,587 limit=30/1m,0 protocol=tcp
>> add action=drop chain=forward comment="Avoid spammers action" disabled=no 
>> dst-port=25,587 protocol=tcp src-address-list=spammers
>> add action=accept chain=input comment="Accept DNS - UDP" disabled=no port=53 
>> protocol=udp
>> add action=accept chain=input comment="Accept DNS - TCP" disabled=no port=53 
>> protocol=tcp
>> add action=accept chain=input comment="Accept to established connections" 
>> connection-state=established\
>> disabled=no
>> add action=accept chain=input comment="Accept to related connections" 
>> connection-state=related disabled=no
>> add action=accept chain=input comment="Full access to SUPPORT address list" 
>> disabled=no src-address-list=support
>> add action=drop chain=input comment="Drop anything else!"
>> add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" 
>> disabled=no icmp-options=8:0 limit=1,5 protocol=icmp
>> add action=accept chain=ICMP comment="Echo reply" disabled=no 
>> icmp-options=0:0 protocol=icmp
>> add action=accept chain=ICMP comment="Time Exceeded" disabled=no 
>> icmp-options=11:0 protocol=icmp
>> add action=accept chain=ICMP comment="Destination unreachable" disabled=no 
>> icmp-options=3:0-1 protocol=icmp
>> add action=accept chain=ICMP comment=PMTUD disabled=no icmp-options=3:4 
>> protocol=icmp
>> add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=no 
>> protocol=icmp
>
>ICMP is not optional. There are very specific message types like *echo*
>that can cause annoying effects in IPv4. But having a default drop
>action for other message types is a bad idea.
>
>Also, it is a good idea to put the ICMP control *after* the control
>allowing established connections and related packets through. Since the
>most desirable ICMP messages are usually the ones related to some
>established connection.
>
>
>> add action=jump chain=output comment="Jump for icmp output" disabled=no 
>> jump-target=ICMP protocol=icmp
>> 
>> 
>> 
>> 
>> ip firewall nat add action=dst-nat chain=dstnat disabled=no dst-port=80 
>> protocol=tcp to-addresses=10.5.50.5 to-ports=8080 
>> 
>> 
>> ip firewall nat add action=dst-nat dst-port=80 protocol=tcp 
>> src-address=10.5.50.0/24 to-addresses=10.5.50.5 to-ports=8080 chain=dstnat
>
> -> this rule seems useless. The top chain=dstnat rule already changed
>*all* the TCP port 80 packets.
>
>> 
>> ip firewall nat add chain=dstnat src-address=10.5.50.0/24 
>> in-interface=ether1 dst-port=80 protocol=tcp action=dst-nat 
>> to-address=10.5.50.5 to-port=8080
>> 
>
> -> this rule seems useless. The top chain=dstnat rule already changed
>*all* the TCP port 80 packets.
>
>
>> ip firewall nat add chain=dstnat src-address=10.5.50.5 dst-port=80 
>> protocol=tcp action=accept
>> 
>
> -> this rule seems useless. The top chain=dstnat rule already changed
>*all* the TCP port 80 packets into port 8080 packets.
>
>
>> ip firewall nat add chain=dstnat src-address=10.5.50.0/24 dst-port=80 
>> protocol=tcp action=dst-nat to-address=10.5.50.5 to-port=8080
>
> -> this rule seems useless. The top chain=dstnat rule already changed
>*all* the TCP port 80 packets.
>
>
>
>> 
>> When i run the tail command in the squid i get a lot of activity within the 
>> cache; for example
>> 
>> 1394214401.152    103 192.168.50.2 TCP_MISS_ABORTED/000 0 GET 
>> http://facedakar.com/ - HIER_DIRECT/178.33.239.95 -
>> 1394214401.216      0 192.168.50.2 TCP_IMS_HIT/304 285 GET 
>> http://www.fifa.com/imgml/worldcup/dots_03.png - HIER_NONE/- image/png
>> 1394214401.255     96 192.168.50.2 TCP_MISS_ABORTED/000 0 GET 
>> http://facedakar.com/ - HIER_DIRECT/178.33.239.95 -
>> 1394214401.363    101 192.168.50.2 TCP_MISS_ABORTED/000 0 GET 
>> http://facedakar.com/ - HIER_DIRECT/178.33.239.95 -
>> 1394214401.473    102 192.168.50.2 TCP_MISS_ABORTED/000 0 GET 
>> http://facedakar.com/ - HIER_DIRECT/178.33.239.95 -
>> 1394214401.502    982 192.168.50.2 TCP_MISS_ABORTED/000 0 POST 
>> http://dlarray-europ-secsrv021.gdatasecurity.de/query - 
>> HIER_DIRECT/92.51.171.68 -
>> 
>> Also when i run a NetStat grep the result i get seems okay:
>> 
>> squid:/home/netsnap # netstat -a | grep 443 -h
>> tcp        1      0 squid.squidoz:44358     a92-122-210-13:www-http 
>> CLOSE_WAIT  
>> tcp        0      1 squid.squidoz:35443     ns236400.ovh.n:www-http SYN_SENT 
>>    
>> tcp        1      0 squidoz:ndl-aas         192.168.50.2:34439      
>> CLOSE_WAIT  
>> tcp        1      0 squidoz:ndl-aas         192.168.50.2:34443      
>> CLOSE_WAIT  
>> tcp        1      0 squidoz:ndl-aas         192.168.50.2:34436      
>> CLOSE_WAIT  
>> tcp        1      0 squid.squidoz:44350     a92-122-210-13:www-http 
>> CLOSE_WAIT  
>> tcp        1      0 squidoz:ndl-aas         192.168.50.2:34438      
>> CLOSE_WAIT 
>> 
>> 
>> Now the browsing is not really faster; just that pages like yahoo.com, 
>> gmail.com and such that you have to sign in to open pretty fast, but other 
>> pages crawl, to say the least, and if at all they open it just shows text and 
>> links without pictures, especially for sites like bbc.co.uk etc., and most 
>> times it brings this error message out:
>> 
>> ERROR
>> 
>> The requested URL could not be retrieved
>> 
>> The following error was encountered while trying to retrieve the URL: 
>> http://www.speedtest.net/user-settings.php
>> 
>> Connection to 93.184.219.82 failed
>> 
>> The system returned: (110) Connection timed out
>
> ===>>  "Connection timed out"
>
>Squid hitting problems at the TCP data transfer stage.
>The DNS lookup stage has worked okay. The TCP setup stage (SYN/SYN-ACK)
>*seems* to have worked okay as well.
>
>> 
>> I am not sure what exactly it is i am doing wrong! I am not even sure at 
>> this point if it is mikrotik or squid that is giving me the problem.
>
>
>I am suspecting one of these things happen:
>
>1) TCP is setup through the Mikrotik. Which loops it back at Squid.
> - forwarding loop by the router.
>
>2) TCP setup to WAN server but response data packets hit an MTU size,
>ECN or window scaling issue.
>
>3) TCP setup works fine, but response data packets get routed or
>firewalled differently somewhere.
>
>
>
>Squid box. The ClearOS settings themselves probably.
>
>* check the default gateway it is configured with is the WAN interface.
>
>* check that Squid outgoing IP address on connections uses the IP from
>NIC connected to the WAN.
>
>* check that the WAN connections from the Squid box are not routed via
>the Mikrotik in any way.
>
>
>Also, it may help simplify if the primary NIC was the one plugged into
>the WAN. It is usually the NIC chosen by default for route and IP
>address assignment. Plugging it in that way avoids having to explicitly
>setup routing rules to override the OS algorithms.
>
>
>Amos
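
An added example, written for this thread and not taken from the post or from Amos's reply: a cleaned-up RouterOS rule set for the WAN -> Squid -> Router -> LAN interception design, with the original's weak points fixed in place. It assumes the addresses from the post's interface list (Squid reachable at 192.168.50.1 on the MikroTik's ether3, MikroTik side 192.168.50.2, LAN clients on ether2 in 10.5.50.0/24, WAN gateway 172.16.10.1 on ether1) and that Squid listens with `http_port 3128 intercept`; the post's own dstnat rules point at 10.5.50.5:8080 instead, so the redirect target is an assumption to adjust. It uses dst-nat redirection only and drops the mark-routing / policy-route pair, since running both at once is what lets a packet be sent to Squid twice.

```routeros
# Added example, not the poster's or Amos's configuration. Assumed addresses:
#   Squid 192.168.50.1:3128 (ether3), LAN 10.5.50.0/24 (ether2), WAN gw 172.16.10.1 (ether1)

# --- 1. Interception: a single dstnat rule, and an explicit exemption for Squid.
# The original had four overlapping dstnat rules; the first already rewrote every
# TCP/80 packet, including Squid's own upstream fetches if they ever transit this
# router, which is the forwarding loop Amos lists as suspect (1).
/ip firewall nat
add chain=dstnat src-address=192.168.50.1 protocol=tcp dst-port=80 action=accept \
    comment="Squid's own outbound HTTP: never redirect back to the proxy (loop guard)"
add chain=dstnat in-interface=ether2 src-address=10.5.50.0/24 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.50.1 to-ports=3128 \
    comment="Intercept LAN HTTP into Squid (Squid side: http_port 3128 intercept)"
# Masquerade only towards the WAN. A masquerade that also covers ether3 makes Squid
# log 192.168.50.2 as the client for everything, which is what the access.log
# excerpt above shows, and hides which LAN host actually made a request.
add chain=srcnat out-interface=ether1 action=masquerade comment="NAT only towards the WAN"

# --- 2. Input chain: established/related first, then ICMP, then the flood guards.
# connection-limit counts conntrack entries per source address, whatever chain
# created them, so one busy proxy IP exceeds 30 connections long before any real
# client does. Exempt the Squid host before the Syn_Flooder rule can see it.
/ip firewall filter
add chain=input connection-state=established action=accept \
    comment="Established (before ICMP so errors tied to live flows get through)"
add chain=input connection-state=related action=accept comment="Related"
add chain=input protocol=icmp action=jump jump-target=ICMP comment="ICMP input"
add chain=input src-address=192.168.50.1 action=accept \
    comment="Squid host: trusted, and must never land in Syn_Flooder"
add chain=input protocol=tcp tcp-flags=syn connection-limit=30,32 \
    action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m \
    comment="Add SYN flood IP to the list"
add chain=input src-address-list=Syn_Flooder action=drop comment="Drop SYN flood list"
add chain=input protocol=tcp psd=21,3s,3,1 \
    action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w \
    comment="Port scanner detect"
add chain=input src-address-list=Port_Scanner action=drop comment="Drop port scan list"
add chain=input protocol=udp dst-port=53 action=accept comment="DNS UDP"
add chain=input protocol=tcp dst-port=53 action=accept comment="DNS TCP"
add chain=input src-address-list=support action=accept comment="Full access for support list"
add chain=input action=drop comment="Drop anything else"

# --- 3. ICMP chain: rate-limit echo requests, let every other type through.
# ICMP is not optional: a default drop here hides Destination Unreachable,
# Fragmentation Needed (PMTUD) and Time Exceeded, which is exactly the class
# of failure that shows up as "(110) Connection timed out" in Squid.
add chain=ICMP protocol=icmp icmp-options=8:0 limit=1,5 action=accept \
    comment="Echo request, rate limited"
add chain=ICMP protocol=icmp icmp-options=8:0 action=drop comment="Echo request over the limit"
add chain=ICMP protocol=icmp action=accept comment="All other ICMP types: no default drop"

# --- 4. Routing: one plain default route; the routing-mark=http route and the
# prerouting mark-routing rule from the original are removed.
/ip route
add dst-address=0.0.0.0/0 gateway=172.16.10.1 distance=1 comment="Default via WAN"
```

With this in place, the Squid box's own default route still has to point at its WAN NIC (172.16.11.x side), as Amos's checklist says; the loop guard in section 1 only protects against the case where that check fails and Squid's upstream traffic does come back through the MikroTik.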
