Re: [squid-users] FreeBSD 5.1, Cisco 837 & WCCP Redirects

From: Adam Smith <adam@dont-contact.us>
Date: Mon, 26 Jan 2004 13:42:30 +1030

On Sun, Jan 25, 2004 at 11:46:34PM +0200, Roman Synyuk said:
> Hello.
>
> You need to configure forwarding incoming packets from GRE interface
> to squid process:
>
> # ipfw add fwd 127.0.0.1,3128 ip from any to any via gre0 in
> # ipfw add permit ip from any to any

I tried this, however I'm still not seeing it work, and now I have more
questions!

IPFW:

I am not counting any packets on my GRE rule:

01300 0 0 fwd 127.0.0.1,3128 ip from any to any via gre0 in

I'm also not entirely sure at which level of my firewall rules I should be
inserting this rule. I've tried just before "allow ip from me to any" and
I've tried right at the very start but still, no packets are counted.

CISCO 837:

Which interface am I actually supposed to be running the WCCP redirect on?
I'm starting to think it should be on my Ethernet0 interface, as this is
where the GRE tunnel ends. It sorta makes better sense. Adding the
wccp-redirect lines to it doesn't make any difference though -- users can
still get out without anything going back to the proxy.

If users are getting through, does this mean the wccp redirect is failing
at the router end?

Thanks for any pointers.

> > Hello!
> >
> > I'm trying to set up a transparent proxy, but I'm running into some
> > difficulty. Here is my setup:
> >
> > * Cisco 837 running Cisco IOS 12.3
> > * FreeBSD 5.1
> > * squid-2.5.4_6 with WCCP compiled in
> > * (also running apache-2.0.48_1, running on port 80)
> >
> > I have so far taken the following steps:
> >
> > In squid.conf:
> > --------------
> >
> > ## WCCP Redirection (Transparent Proxy)
> > ## ------------------------------------
> > httpd_accel_host virtual
> > httpd_accel_port 3128
> > httpd_accel_with_proxy on
> > httpd_accel_uses_host_header on
> > wccp_router 10.0.0.254
> > wccp_version 3
> >
> > On the Cisco 837:
> > -----------------
> >
> > ip wccp version 1
> > ip wccp web-cache redirect-list 2
> > !
> > interface BVI1
> > description --- Bridging Interface ---
> > ip address 150.101.x.x 255.255.255.248
> > ip wccp web-cache redirect in
> > ip nat outside
> > end
> > !
> > access-list 2 permit 10.0.0.0 0.0.0.255
> >
> > On FreeBSD 5.1:
> > ---------------
> >
> > <compiled 'device gre' into kernel>
> >
> > configured device with:
> >
> > # ifconfig gre0 create
> > # ifconfig gre0 10.0.0.3 10.0.0.254 netmask 255.255.255.255 up
> > # ifconfig gre0 tunnel 10.0.0.3 10.0.0.254
> > # route delete 10.0.0.254
> >
> > ifconfig:
> >
> > gre0: flags=9051<UP,POINTOPOINT,RUNNING,LINK0,MULTICAST> mtu 1476
> > tunnel inet 10.0.0.3 --> 10.0.0.254
> > inet6 fe80::240:5ff:fe03:3fb1%gre0 prefixlen 64 scopeid 0x5
> > inet 10.0.0.3 --> 255.255.255.0 netmask 0xff000000
> >
> > Once all this is done and Squid starts I get the following messages on my
> > 837:
> >
> > router#deb ip wccp event
> > router#deb ip wccp packet
> > *Mar 1 19:57:04.715: WCCP-PKT: Sending I_See_You packet to 10.0.0.3 w/ rcvd_id 000000C2
> > *Mar 1 19:57:14.739: WCCP-EVNT: Built I_See_You msg body w/1 usable web caches, change # 0000000B
> > *Mar 1 19:57:14.739: %WCCP-5-CACHEFOUND: Web Cache 10.0.0.3 acquired
> > *Mar 1 19:57:14.739: WCCP-PKT: Received valid Here_I_Am packet from 10.0.0.3 w/rcvd_id 000000C2
> > *Mar 1 19:57:14.739: WCCP-PKT: Sending I_See_You packet to 10.0.0.3 w/ rcvd_id 000000C3
> > *Mar 1 19:57:25.759: WCCP-PKT: Received valid Here_I_Am packet from 10.0.0.3 w/rcvd_id 000000C3
> > *Mar 1 19:57:25.759: WCCP-PKT: Sending I_See_You packet to 10.0.0.3 w/ rcvd_id 000000C4
> >
> > So they're talking WCCP, however users can still browse the web and it
> > seems to me as though the router isn't forwarding the traffic:
> >
> > router#sh ip wccp web-cache detail
> > WCCP Cache-Engine information:
> > Web Cache ID: 0.0.0.0
> > Protocol Version: 0.3
> > State: Usable
> > Initial Hash Info: 00000000000000000000000000000000
> > 00000000000000000000000000000000
> > Assigned Hash Info: 00000000000000000000000000000000
> > 00000000000000000000000000000000
> > Hash Allotment: 0 (0.00%)
> > Packets Redirected: 0
> > Connect Time: 00:03:35
> >
> > I am not sure if interface BVI1 is supposed to be redirect in or redirect
> > out, but so far having either has shown the same results.
> >
> > Squid logs are not showing anything.
> >
> > Is my understanding correct if I say that my 837 intercepts traffic on port
> > 80 and then, using the GRE tunnel, redirects it to my FreeBSD box still on
> > port 80, where squid handles it like a normal request? If this is the
> > case, am I supposed to set up some kind of firewall rule that captures
> > traffic in port 80 and remaps it to port 3128? If I do this, how can I
> > have apache and squid running together?
> >
> > This is sort of what I have worked out after reading the setup steps for
> > all sorts of linux/freebsd configurations, but I'm not so sure it's what I
> > need to do. To test this I changed the listening port of squid to 80, and
> > still saw no entries in my access.log, leading me to believe that the
> > wccp-redirect just ain't workin'.
> >
> > Can anyone shed any light?
> >
> >
> > Cheers,
> >
> > --
> > Adam Smith : adam@internode.com.au
> > Internode : http://www.internode.on.net
> > Phone : (08) 8228 2999
> >

-- 
Adam Smith	: adam@internode.com.au
Internode	: http://www.internode.on.net
Phone		: (08) 8228 2999
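Since this thread is about an interception that negotiates fine but carries no traffic, here is an added diagnostic, written for this archive page and not code from the thread, from squid or from Cisco: it parses the three outputs quoted above (the `show ip wccp web-cache detail` fields, the `%WCCP-5-CACHEFOUND` debug line and an `ipfw` counter line in the form shown) and reports the indicators of a redirect that is not working. It assumes the line formats exactly as quoted here; the sample inputs are constructed from those quotes.

```python
import re

# Constructed sample inputs, copied from the outputs quoted in the thread.
WCCP_DETAIL = """\
WCCP Cache-Engine information:
Web Cache ID: 0.0.0.0
Protocol Version: 0.3
State: Usable
Initial Hash Info: 00000000000000000000000000000000
00000000000000000000000000000000
Assigned Hash Info: 00000000000000000000000000000000
00000000000000000000000000000000
Hash Allotment: 0 (0.00%)
Packets Redirected: 0
Connect Time: 00:03:35
"""

# ipfw counter line as quoted: rule number, packet count, byte count, rule body.
IPFW_RULES = """\
01300 0 0 fwd 127.0.0.1,3128 ip from any to any via gre0 in
"""

# 'debug ip wccp event' lines: the router names the cache it acquired.
WCCP_DEBUG = """\
*Mar 1 19:57:14.739: %WCCP-5-CACHEFOUND: Web Cache 10.0.0.3 acquired
*Mar 1 19:57:14.739: WCCP-PKT: Received valid Here_I_Am packet from 10.0.0.3 w/rcvd_id 000000C2
"""

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z -]*?):\s*(.*)$")
IPFW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*\S)\s*$")
ACQUIRED_RE = re.compile(r"Web Cache (\S+) acquired")
PERCENT_RE = re.compile(r"\(([\d.]+)%\)")


def parse_wccp_detail(text):
    """Map 'Key: value' lines to a dict; a bare hex line (the second half of a
    hash map) is appended to the field that precedes it."""
    fields, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FIELD_RE.match(line)
        if m:
            last = m.group(1)
            fields[last] = m.group(2)
        elif last is not None:
            fields[last] += line
    return fields


def parse_ipfw_counters(text):
    """Parse ipfw counter lines into dicts with rule, packets, bytes and body."""
    rules = []
    for line in text.splitlines():
        m = IPFW_RE.match(line)
        if m:
            rules.append({"rule": int(m.group(1)), "packets": int(m.group(2)),
                          "bytes": int(m.group(3)), "body": m.group(4)})
    return rules


def diagnose(wccp_detail, ipfw_rules, wccp_debug=""):
    """Return human-readable findings; an empty list means every indicator
    a working redirect should show is present."""
    findings = []
    f = parse_wccp_detail(wccp_detail)

    if f.get("State") != "Usable":
        findings.append("cache state is %r, not Usable" % f.get("State"))

    m = PERCENT_RE.search(f.get("Hash Allotment", ""))
    if m is None or float(m.group(1)) == 0.0:
        findings.append("hash allotment is 0%: the router has assigned this cache "
                        "no hash buckets, so it will not redirect any flows to it")

    if f.get("Packets Redirected", "0").strip() == "0":
        findings.append("packets redirected is 0: no client traffic has been sent "
                        "down the GRE tunnel, so clients are reaching the web unproxied")

    # The debug log and the detail view should agree on which cache this is.
    acquired = set(ACQUIRED_RE.findall(wccp_debug))
    cache_id = f.get("Web Cache ID")
    if acquired and cache_id not in acquired:
        findings.append("web cache ID %s differs from the cache the router reported "
                        "acquiring (%s)" % (cache_id, ", ".join(sorted(acquired))))

    for r in parse_ipfw_counters(ipfw_rules):
        if r["body"].startswith("fwd") and r["packets"] == 0:
            findings.append("ipfw rule %05d (%s) has matched 0 packets: either nothing "
                            "arrives on the interface it watches or an earlier rule "
                            "consumes the traffic first" % (r["rule"], r["body"]))
    return findings


if __name__ == "__main__":
    for finding in diagnose(WCCP_DETAIL, IPFW_RULES, WCCP_DEBUG):
        print("-", finding)
```

Run against the quoted outputs it reports four findings; the one to watch operationally is the packets-redirected counter, because as long as it stays at 0 the router is letting clients reach the web without passing through squid, which is exactly what the poster observes.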
Received on Sun Jan 25 2004 - 20:12:33 MST