Re: transparent squid on Solaris+cisco.

From: Doug Thayer <thayer@dont-contact.us>
Date: Fri, 27 Nov 1998 17:25:15 -0600 (CST)

>
> I was having the exact same problem on my Solaris box. I was testing it
> out on a Sparc20 Sol2.6.. I switched to linux and in about a day got it
> to work...
>

I also had the same problem on a Sun SS1000 Solaris 2.4 machine.

One thing I did that I haven't seen yet is that I went ahead and installed
tproxyd (with ip_filter support) and tried that. I got a lot of messages
in syslog about 'ioctl(SIOCGNATL) : no such process' (best approx. from
memory). I then installed tproxyd on a linux machine, redirecting to the
exact same squid setup, and it worked like a charm. My conclusion is that
ip_filter (this was version 3.2.9) has problems.

Someone posted a week ago that they had troubles redirecting from eth0 to
lo, and suggested redirecting from eth0 to eth0 (different port). I tried
that as well on the sun machine but had intermittent problems with resets
as before (although sometimes it would work fine). Pretty much the same
as the original poster describes below.

The best troubleshooting idea I have found so far for the transparent
proxying thing is to change the default route (gateway) on your work machine
to point at the squid proxy. This sends all your packets through that
machine exactly as if they were redirected by the router. If you can send
your packets through that machine (without proxy set on your browser) and
get out to sites, then the transparent proxy is set up right and you can
proceed on to the redirection part.

Doug

> I can email you the configs I have if you want..?
>
>
> On Fri, 27 Nov 1998, CyberPsychotic wrote:
>
> >
> >
> > Hello people,
> > here I am trying to configure a transparent proxy on a Solaris machine, using
> > a Cisco router to redirect all the web traffic to the Solaris machine.
> > The setup is as follows:
> >
> > ---------------+---------LAN--------------+-------------+---
> >         _______|__________         _______|_____      __|__   |-- office
> >        | sun_box with ipf |       |cisco router |    |Linux|--|machines
> >        |                  |       |             |    |     |  |(another LAN)
> >        | here I run squid |       |             |    | masq|  |--internal IPs
> >        |and ipf with nat  |       ~~~~~~~~|~~~~~~                only
> >        ~~~~~~~~~~~~~~~~~~~~               | Serial/FRAME-RELAY link.
> >
> > on the cisco I have set 'next-hop for all packets sent to anyhost, port 80
> > should go to solaris machine', i.g. cisco redirects all the web traffic to
> > sun_box.
> >
> > on sun_box machine I have nat configured (with ipf) like this:
> >
> > all packets sent to SOL.MACHINE.ETH.IP:80 go to 127.0.0.1
> > all packets sent to 0.0.0.0:80 go to SOL.MACHINE.ETH.IP:3128
> >
> > (the problem here is that when I used the loopback address in the latter case, I
> > was getting the error "connection reset by peer" in the browser right away.. ideas?).
> >
> > The general problem: when I use the browser with no proxy settings, it
> > downloads sites, but sometimes stops halfway through a file and
> > reports 'connection is reset by peer', while other times it
> > finishes downloading just fine. However, sometimes it stops halfway
> > and never finishes up. I had the feeling that it was my link
> > problem, but when I set the browser to use the proxy, it
> > downloads the same site just fine. (I tested this from a client sitting
> > behind the masqueraded machine, but I was told that a machine with a real IP works
> > the same way as well).
> >
> >
> > I was talking to Mr. Quinton Dolan (q@fan.net.au) (since I browsed the
> > list archive and have seen he has responded to a similar kind of post),
> > and he suggested that either it could be a problem of different MTUs (but I
> > checked, all the MTUs have the same value, 1500 bytes) or a problem with
> > masquerade on the Linux machine, i.g. it could mess up packets or something.
> > Well, I did an additional investigation and tried to browse the net from a
> > box directly connected to the same LAN as Sun_box, and got almost the
> > same picture. It downloads the first few files fine, but fetches only
> > half or even less of other files.
> >
> >
> >
> > I use squid-2, which is configured, compiled and installed exactly as
> > described in the FAQ (with --enable-ipf-transparent, and all accelerator
> > options turned on in the conf file).
> >
> > I would appreciate if anyone would share ideas what could cause this.
> >
> > Thanks beforehand.
> >
> > Fyodor
> >
>
> Chuck Pitre                  128 Larch Street, Suite 301
> Technical Consultant         P3E 5J8 Sudbury Ontario
> ViaNet Internet Solutions    tel: 705-675-0400
> ICQ UIN 22147453
>
> "That vulnerability is completely theoretical."
> -- Microsoft
>
>
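As an added illustration (not a file from any of the posters), here are the NAT rules Fyodor describes above written in ipnat.conf syntax, beside the Squid 2 accelerator directives that the FAQ's IPFilter recipe relies on. The interface name le0, the placeholder address 192.0.2.10 for sun_box and the port numbers are assumptions; the loopback target is the variant he reports resetting immediately, so it is shown commented out for comparison.

```conf
# ipnat.conf (IP Filter NAT rules) -- added illustration, not the
# poster's actual file. Assumed: LAN interface le0, sun_box address
# 192.0.2.10 (placeholder), Squid listening on port 3128.

# Every TCP connection to port 80 arriving on le0 is handed to Squid,
# addressed to the interface's own IP rather than loopback (the
# "eth0 -> eth0, different port" variant Doug mentions). This is the
# second rule Fyodor describes.
rdr le0 0.0.0.0/0 port 80 -> 192.0.2.10 port 3128 tcp

# The loopback variant he tried first, which reset connections at once
# with ipf 3.2.9 on Solaris; kept only for comparison, so disabled.
# rdr le0 0.0.0.0/0 port 80 -> 127.0.0.1 port 3128 tcp

# Load the rules and confirm the redirect is installed:
#   ipnat -CF -f ipnat.conf
#   ipnat -l
# Doug's check: point a client's default route at 192.0.2.10 before
# touching the router; if pages load with no proxy set in the browser,
# the rules and Squid are fine and only the Cisco redirect remains.

# squid.conf (Squid 2 built with --enable-ipf-transparent): the
# "accelerator" options that let Squid accept redirected requests.
http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
```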
Received on Fri Nov 27 1998 - 16:41:02 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:43:23 MST