Re: [squid-users] Cisco/Linux/WCCP - Different Interface

From: Tuc at T-B-O-H.NET <ml@dont-contact.us>
Date: Sun, 10 Feb 2008 12:42:38 -0500 (EST)

Hi,

        It looks like I got myself into trouble masking IPs to the list.
4.5.6.7 may be the highest in my example, but not on the router. In
reality the masked 1.2.3.233 is the highest, so I guess I stick with:

ip tunnel add wccp0 mode gre remote 2.3.4.233 local 2.3.4.236 dev eth0
wccp2_router 2.3.4.233

        Doing that got me good news and bad news.

        Good news : The router/squid now seem to exchange "HIA"/"ISY"
packets fine, and the router deems it usable.

        Bad news : For about the first 2 minutes of operating, a call
to a website that prints my IP leaves it with the outside NAT address
on the router. After that, it just stops contacting the sites, period.

        My cache isn't a NAT'd IP, it shouldn't be subject to NAT when
it hits the world.

        It still looks like, though, nothing is coming over the
wccp0 link. I do a tcpdump and get nothing.

wccp0 Link encap:UNSPEC HWaddr D0-2D-F7-EC-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:2.3.4.236 P-t-P:2.3.4.236 Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MTU:1476 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

        Though the router claims to have sent it :

WCCP Client information:
        WCCP Client ID: 2.3.4.236
        Protocol Version: 2.0
        State: Usable
        Initial Hash Info: 00000000000000000000000000000000
                                 00000000000000000000000000000000
        Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                                 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
        Hash Allotment: 256 (100.00%)
        Packets s/w Redirected: 115
        Connect Time: 00:01:29
        Bypassed Packets
          Process: 0
          Fast: 0
          CEF: 0

        I've looked at what Adrian sent me, ConfigExamples, but
neither situation seems to be what it is here. In "NatAndWccp2"
I have 3 interfaces. A serial to the world which is "ip nat outside"
and has my "ip wccp web-cache redirect out". A Gig that's
"ip nat inside" with a primary IP of the 2.3.4.233, and 3 RFC1918
IPs as secondary (all need to be redirected). Another Gig that's
"ip nat inside" with a primary IP of another RFC1918 that needs
to be redirected. I did change my wccp.up script to be more
like his though:

modprobe ip_gre
ip tunnel del wccp0
iptables -t nat -F PREROUTING
ip tunnel add wccp0 mode gre remote 2.3.4.233 local 2.3.4.236 dev eth0
ip addr add 2.3.4.236/32 dev wccp0
ip link set wccp0 up
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/wccp0/rp_filter
iptables -t nat -A PREROUTING -i wccp0 -d 0/0 -p tcp --dport 80 -j DNAT --to-destination 2.3.4.236:3128

        But I don't think things are coming over the GRE still. Could
this be because the cache is in the same subnet as the highest IP on
the router?

                Thanks, Tuc
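An added diagnostic, not part of this thread: it cross-checks the router's "Packets s/w Redirected" counter against the RX counter of the Linux wccp0 interface, using sample outputs constructed from the figures quoted above, so the "router says it sent, Linux sees nothing" symptom is flagged mechanically rather than by eye.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Sample outputs below are
# constructed from the numbers quoted in the mail, not captured live.

ROUTER_DETAIL='WCCP Client information:
        WCCP Client ID: 2.3.4.236
        Protocol Version: 2.0
        State: Usable
        Hash Allotment: 256 (100.00%)
        Packets s/w Redirected: 115
        Connect Time: 00:01:29'

WCCP0_IFCONFIG='wccp0 Link encap:UNSPEC
          inet addr:2.3.4.236 P-t-P:2.3.4.236 Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MTU:1476 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0'

# Packets the router claims to have software-redirected to this client.
router_redirected() {
    printf '%s\n' "$1" | sed -n 's/^ *Packets s\/w Redirected: *\([0-9]*\).*/\1/p'
}

# Packets that actually arrived on the Linux end of the GRE tunnel.
wccp0_rx_packets() {
    printf '%s\n' "$1" | sed -n 's/^ *RX packets:\([0-9]*\).*/\1/p'
}

# Client ID registered on the router; it must equal the tunnel's local address.
router_client_id() {
    printf '%s\n' "$1" | sed -n 's/^ *WCCP Client ID: *\([0-9.]*\).*/\1/p'
}

# Verdict: router counting redirects while wccp0 receives nothing means the
# GRE packets are dropped or delivered elsewhere before reaching wccp0.
gre_check() {
    sent=$(router_redirected "$1")
    rx=$(wccp0_rx_packets "$2")
    if [ "${sent:-0}" -gt 0 ] && [ "${rx:-0}" -eq 0 ]; then
        echo MISMATCH
    else
        echo OK
    fi
}

gre_check "$ROUTER_DETAIL" "$WCCP0_IFCONFIG"
```

On a live host, feed it the real `show ip wccp web-cache detail` and `ifconfig wccp0` output instead of the constructed strings.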
>
> Hi Tuc,
>
> Your configuration is ok but the gre tunnel destination and wccp2_router IP is
> wrong. Because of its working mechanism the destination ip address of
> your gre tunnel should be the greatest IP address which is assigned to
> any of your interfaces on your router. "HERE I AM" by Squid and "I SEE YOU"
> reply by router are packets that are sent every 10 seconds to confirm that
> Squid is alive. So the changes that you should do;
>
> ip tunnel add wccp0 mode gre remote 4.5.6.7 local 2.3.4.236 dev eth0
> wccp2_router 2.3.4.233
>
> It was hard to find out this gre trick for me because I could not find any
> absolute information about destination IP of gre tunnel. They say "router_ip"
> for destination.
>
> Iptables command that I use is as below;
>
> iptables -t nat -A PREROUTING -i wccp0 -d 0/0 -p tcp --dport 80 -j DNAT --to-destination 2.3.4.236:3128
>
> I am not sure about your iptables command but mine is working.
>
> Good Luck,
>
> Sinmaz Ketenci
> Istanbul Technical University
>
>
>
> Quoting "Tuc at T-B-O-H.NET" <ml@t-b-o-h.net>:
>
> > Hi,
> >
> > Trying to follow :
> >
> > http://wiki.squid-cache.org/SquidFaq/InterceptionProxy
> >
> > Cisco is a 2851 :
> > Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M),
> > Version 12.4(12), RELEASE SOFTWARE (fc1)
> >
> > Linux is Centos 4:
> > Linux ports.example.com 2.6.9-42.0.10.EL #1 Tue Feb 27 09:24:42 EST
> > 2007 i686 i686 i386 GNU/Linux
> >
> > Squid is squid-2.6.STABLE18
> >
> > One tweak to the docs I did find I needed for
> > Cisco was "ip wccp web-cache" needed to be set for it to
> > run.
> >
> > The configuration is that I have a serial port doing NAT to the
> > net, which is where EVERYTHING passes, so that's where I put the ip wccp
> > statements on the router. That interface IP is 1.2.3.58. I have
> > a Gig 0/0, IP 2.3.4.233. Off that gig is the squid at 2.3.4.236. I
> > have a Gig0/1 IP 4.5.6.7, and 99% of the users hang off there.
> >
> > I used the following on Linux. The iptables command
> > seems to never have heard of the "--redirect-to" command, so hopefully
> > this is correct :
> >
> > modprobe ip_gre
> > ip tunnel del wccp0
> > ip tunnel add wccp0 mode gre remote 1.2.3.58 local 2.3.4.236 dev eth0
> > ip addr add 2.3.4.236/32 dev wccp0
> > ip link set wccp0 up
> > echo 0 >/proc/sys/net/ipv4/conf/wccp0/rp_filter
> > iptables -t nat -A PREROUTING -p tcp -i wccp0 -j REDIRECT --to 3128
> >
> > It didn't seem to work, so I shut down all IP tables
> > via the Centos GUI (BIG mistake, it wiped out my settings and now
> > I need to reconstruct it. :-/ ) ANYWAY... AFTER that I checked,
> > and a "sho ip wccp we v" on the router showed my
> > 2.3.4.236 as visible, and a "sho ip wccp web det"
> > showed it, but with a State of "NOT Usable". I turned up
> > some debug, and I see maybe what's happening, but don't know
> > how to resolve..
> >
> > When I Wireshark the packets on 2048, I see the "Here I am"
> > from Squid to the router fine, but the router responds with
> > "I see you" from 2.3.4.233, the IP of the interface closest to
> > the squid, but NOT the IP of the Internet connection.
> >
> > How do I handle this? Do I need to change wccp2_router to
> > 2.3.4.233 instead of really what it should be, 1.2.3.58?
> >
> > Also, is the iptables command correct?
> >
> > Thanks, Tuc
> >
>
>
>
Received on Sun Feb 10 2008 - 10:43:08 MST
