Re: [squid-users] Cisco/Linux/WCCP - Different Interface

From: <ketencis@dont-contact.us>
Date: Sun, 10 Feb 2008 02:38:59 +0200

Hi Tuc,

Your configuration is OK, but the GRE tunnel destination and the wccp2_router IP
are wrong. Because of its working mechanism, the destination IP address of your
GRE tunnel should be the greatest IP address that is assigned to any of the
interfaces on your router. The "HERE I AM" from Squid and the "I SEE YOU" reply
from the router are packets that are sent every 10 seconds to confirm that Squid
is alive. So the changes that you should make are:

ip tunnel add wccp0 mode gre remote 4.5.6.7 local 2.3.4.236 dev eth0
wccp2_router 2.3.4.233

It was hard for me to find out this GRE trick because I could not find any
absolute information about the destination IP of the GRE tunnel. They say
"router_ip" for the destination.

The iptables command that I use is below:

iptables -t nat -A PREROUTING -i wccp0 -d 0/0 -p tcp --dport 80 -j DNAT --to-destination 2.3.4.236:3128

I am not sure about your iptables command, but mine is working.

Good Luck,

Sinmaz Ketenci
Istanbul Technical University

Quoting "Tuc at T-B-O-H.NET" <ml@t-b-o-h.net>:

> Hi,
>
> Trying to follow :
>
> http://wiki.squid-cache.org/SquidFaq/InterceptionProxy
>
> Cisco is a 2851 :
> Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M),
> Version 12.4(12), RELEASE SOFTWARE (fc1)
>
> Linux is Centos 4:
> Linux ports.example.com 2.6.9-42.0.10.EL #1 Tue Feb 27 09:24:42 EST
> 2007 i686 i686 i386 GNU/Linux
>
> Squid is squid-2.6.STABLE18
>
> One tweak to the docs I did find I needed for
> Cisco was "ip wccp web-cache" needed to be set for it to
> run.
>
> The configuration is that I have a serial port doing NAT to the
> net, which is where EVERYTHING passes, so that's where I put the ip wccp
> statements on the router. That interface IP is 1.2.3.58 . I have
> a Gig 0/0, IP 2.3.4.233 . Off that gig is the squid at 2.3.4.236. I
> have a Gig0/1 IP 4.5.6.7, and 99% of the users hang off there.
>
> I used the following on Linux. The iptables command
> seems to never have heard of the "--redirect-to" command, so hopefully
> this is correct :
>
> modprobe ip_gre
> ip tunnel del wccp0
> ip tunnel add wccp0 mode gre remote 1.2.3.58 local 2.3.4.236 dev eth0
> ip addr add 2.3.4.236/32 dev wccp0
> ip link set wccp0 up
> echo 0 >/proc/sys/net/ipv4/conf/wccp0/rp_filter
> iptables -t nat -A PREROUTING -p tcp -i wccp0 -j REDIRECT --to 3128
>
> It didn't seem to work, so I shut down all IP tables
> via the Centos GUI (BIG mistake, it wiped out my settings and now
> I need to reconstruct it. :-/ ) ANYWAY... AFTER that I checked,
> and a "sho ip wccp we v" on the router showed my
> 2.3.4.236 as visible, and a "sho ip wccp web det"
> showed it, but with a State of "NOT Usable". I turned up
> some debug, and I see maybe what's happening, but don't know
> how to resolve..
>
> When I Wireshark the packets on 2048, I see the "Here I am"
> from Squid to the router fine, but the router responds with
> "I see you" from 2.3.4.233, the IP of the interface closest to
> the squid, but NOT the IP of the Internet connection.
>
> How do I handle this? Do I need to change wccp2_router to
> 2.3.4.233 instead of really what it should be, 1.2.3.58?
>
> Also, is the iptables command correct?
>
> Thanks, Tuc
>

Received on Sat Feb 09 2008 - 17:39:30 MST
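
The addressing rule from the reply above (tunnel remote = the greatest IP address on any router interface), as an added example that is not part of the original thread. The function names highest_ip and wccp_tunnel_plan are hypothetical, the addresses are the ones given in the quoted message, and the script only prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original thread. It applies the rule stated in
# the reply: the GRE tunnel "remote" is the numerically greatest IPv4 address
# assigned to any interface on the router.

# Print the numerically greatest dotted-quad read from stdin (one per line).
# A plain lexical sort would rank 9.x above 10.x, so each octet is sorted
# as a number. Lines that are not dotted quads are ignored.
highest_ip() {
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' |
        sort -t . -k1,1n -k2,2n -k3,3n -k4,4n |
        tail -n 1
}

# Print (do not execute) the tunnel setup for the Squid host.
#   $1    = address of the Squid host
#   $2    = underlying network device
#   stdin = every address assigned to a router interface, one per line
wccp_tunnel_plan() {
    remote=$(highest_ip)
    if [ -z "$remote" ]; then
        echo "no valid router addresses given" >&2
        return 1
    fi
    echo "ip tunnel add wccp0 mode gre remote $remote local $1 dev $2"
    echo "ip addr add $1/32 dev wccp0"
    echo "ip link set wccp0 up"
}

# Router interface addresses as listed in the quoted message:
# serial (NAT) 1.2.3.58, Gig0/0 2.3.4.233, Gig0/1 4.5.6.7.
ROUTER_IPS='1.2.3.58
2.3.4.233
4.5.6.7'

printf '%s\n' "$ROUTER_IPS" | wccp_tunnel_plan 2.3.4.236 eth0
```

The first printed line matches the tunnel command given in the reply; wccp2_router in squid.conf is set separately, as shown there.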
