Hi *,
I am nearly lost... we are trying to implement a transparent proxy with squid,
but haven't succeeded yet.
Network layout:
---------------
client machine                 Transfer network
192.168.235.xxx <--Router--> 193.174.abc.0/24 <--Cisco--> Internet
                norm.routing       ^           pol.routing
                                   |
                             squid machine
                            193.174.abc.sss
The client system is connected to a private IP network, which in turn is
(internally only...) routed normally on the router depicted on the left hand
side. The Cisco (a 7200 running IOS 12.1(7a)E1) does policy routing
for the private IP network, here is a part of the configuration:
interface FastEthernet0/0
ip policy route-map Tcache
ip access-list extended to-cache
permit tcp 192.168.235.0 0.0.0.255 any eq www
route-map Tcache permit 10
match ip address to-cache
set ip next-hop 193.174.abc.sss
The squid machine is an old Sparc, running Solaris 2.8 (with current patches).
IP-Filter 3.4.19 and Squid 2.4-200107012300 are installed.
IP-Filter configuration is:
rdr le0 0.0.0.0/0 port 80 -> 127.0.0.1 port 3128
The Squid config has:
http_port 3128
http_access allow all
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
Everything looks pretty much like in the FAQ...
Observations:
-------------
1. Test with "ipnat" only (without squid), using an IP NAT mapping
map le0 192.168.235.0/24 -> 193.174.abc.sss/32
This works well: The client system reaches WWW-sites on the Internet,
so the basic NAT and policy routing works.
2. Using squid as a manually configured proxy on the client (now
without any ip filter...) works as expected.
3. Now the transparent setup. I've checked with a hardware Ethernet analyser
placed between the squid machine and the transfer network: The policy
based routed HTTP-request (GET...) reaches the squid machine as
expected. The squid machine translates the request AND fetches the data
from the WWW server on the Internet. It terminates the TCP connection to
the external WWW server. It caches the retrieved data.
BUT it does NOT deliver the data down to the client. No MTU path discovery
or ICMP traffic is seen on the link. Yes: ip_forwarding is turned on
("ndd /dev/ip ip_forwarding" is "1").
I am out of ideas... If someone has a hint, please enlighten me...
I will send a summary of possible solutions (after checking them :-) to
the list.
ThanX!
Stephan
-- 
Stephan Wasserroth (Systems- and Network-Manager)
Head of Technical Department
GMD-Fokus | Kaiserin-Augusta-Allee 31 | D-10589 Berlin
e-mail: wasserroth@fokus.gmd.de
FAX: +49 30 3463-8253
PGP-Key fingerprint: B3 83 35 C1 84 32 AA C5 11 A9 30 AB 59 19 60 47

Received on Fri Jul 06 2001 - 09:45:08 MDT
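To make the two translation steps in this setup concrete, here is an added toy model (not IPFilter's or squid's code, and not part of the original post) of how a rdr rule must rewrite the client's request on the way in and un-rewrite squid's reply on the way out; the client host 192.168.235.17 and the web server 198.51.100.10 are constructed values.

```python
from dataclasses import dataclass

# Constructed addresses: the client host and web server are not from the post.
CLIENT = "192.168.235.17"                  # host in the policy-routed client net
WWW_SERVER = "198.51.100.10"               # constructed Internet web server
SQUID_ADDR, SQUID_PORT = "127.0.0.1", 3128 # target of the rdr rule in the post

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class RdrTable:
    """Toy model of 'rdr le0 0.0.0.0/0 port 80 -> 127.0.0.1 port 3128'."""

    def __init__(self):
        # (client addr, client port) -> destination the client really asked for
        self.state = {}

    def inbound(self, pkt):
        """Client -> server packet arriving on le0 after policy routing."""
        if pkt.dport != 80:
            return pkt                   # rule does not match, left untouched
        self.state[(pkt.src, pkt.sport)] = (pkt.dst, pkt.dport)
        return Packet(pkt.src, pkt.sport, SQUID_ADDR, SQUID_PORT)

    def outbound(self, pkt):
        """Squid's reply: must be un-translated before it leaves the box."""
        key = (pkt.dst, pkt.dport)
        if (pkt.src, pkt.sport) != (SQUID_ADDR, SQUID_PORT) or key not in self.state:
            return pkt                   # no state: reply keeps 127.0.0.1 as source
        orig_dst, orig_port = self.state[key]
        return Packet(orig_dst, orig_port, pkt.dst, pkt.dport)

def reply_reaches_client(table, reply):
    """A client only accepts a reply that appears to come from the server:port
    it connected to; anything else is dropped by its TCP stack."""
    out = table.outbound(reply)
    return (out.src, out.sport) == (WWW_SERVER, 80) and out.dst == CLIENT

def demo():
    table = RdrTable()
    to_squid = table.inbound(Packet(CLIENT, 40001, WWW_SERVER, 80))
    reply = Packet(SQUID_ADDR, SQUID_PORT, CLIENT, 40001)
    good = reply_reaches_client(table, reply)      # translated via same state
    bad = reply_reaches_client(RdrTable(), reply)  # reply bypassed the NAT state
    return to_squid, good, bad
```

The third result shows the failure mode to look for: a reply that leaves the squid box without passing back through the state that translated the request still carries 127.0.0.1:3128 as its source and is never matched by the client.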