Re: [squid-users] Cisco/Linux/WCCP - Different Interface

From: Daniel Rose <drose@dont-contact.us>
Date: Mon, 11 Feb 2008 09:12:33 +1100

Tuc at T-B-O-H wrote:
>> It still looks like, though, nothing is coming over the
>> wccp0 link. I do a tcpdump and get nothing.
>>
>> wccp0 Link encap:UNSPEC HWaddr D0-2D-F7-EC-00-00-00-00-00-00-00-00-00-00-00-00
>> inet addr:2.3.4.236 P-t-P:2.3.4.236 Mask:255.255.255.255
>> UP POINTOPOINT RUNNING NOARP MTU:1476 Metric:1
>> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>> collisions:0 txqueuelen:0
>> RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
>>
> I was running a tcpdump looking for the gre data, and accidentally
> didn't specify the wccp0 interface, so it defaulted to my eth0 interface.
> It appears I'm getting the GRE packets over eth0, NOT wccp0! When I decode
> them, they are all SYN's to port 80 at various websites.
>
> I go back to wondering if the highest IP on the router, which is
> also the default route for the cache box, is causing it to ignore the tunnel
> and just send it locally..
>
> Thanks, Tuc

Others on the list may correct me, as I've only ever done this once. I don't know if my setup was "right" or not, but it did work.

I found that:

the client sends a SYN to the remote site, which is sent down the GRE tunnel by cisco.

sniffing eth0 should show the GRE packets.

sniffing wccp0 should show the contents of those packets, which should be syns to port 80 on various boxes.

your firewall (on the linux host) should accept these and redirect them to squid 3128, which knows how to handle them

squid reads the contents of the redirected packet and makes a regular TCP request to the site in question

squid makes a regular tcp response (SYN/ACK) to the client, spoofing its from address to be that of the remote website

the client thinks it's talking directly to the site.

the site thinks it's talking directly to the proxy (well, it really is doing that)

the CISCO gear WILL DROP an incoming SYN/ACK on an interface different from the one the SYN was seen on.
This means that the squid proxy and the clients must be on the same interface of the firewall. If you try to make a dmz with the proxy, and use wccp on the firewall between the dmz and the clients, it won't work.

If any of this is wrong I'd love to know as well, as these are my working understandings of the system.

-- 
Daniel Rose
National Library of Australia
Received on Sun Feb 10 2008 - 15:12:43 MST
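The first three steps of Daniel's list (GRE on eth0, the bare client SYN on wccp0, the port-80 check the firewall rule makes) can be walked through offline with a small decoder. The following is an added example, not code from the thread or from Squid or the Linux kernel; it builds one constructed WCCP-encapsulated packet as a router would send it to the cache at 2.3.4.236 (the address from the thread; the router address 2.3.4.1, client 10.0.0.5 and web server 198.51.100.10 are made up), strips the GRE and WCCPv2 redirect headers the way the kernel does before the packet surfaces on wccp0, and reports whether the inner packet is the kind of SYN the redirect rule would hand to squid on 3128. The 4-byte WCCPv2 redirect header after GRE protocol type 0x883E is the encapsulation the Linux ip_gre driver skips; IP and TCP checksums in the sample are left as zero because nothing here verifies them.

```python
"""Decode a WCCP GRE packet as captured on eth0 and show what wccp0 would carry.

Added example (not from the mailing-list thread); all packet contents below are
constructed in build_sample().
"""
import struct
from dataclasses import dataclass

GRE_PROTO_IPV4 = 0x0800
GRE_PROTO_WCCP = 0x883E   # WCCPv2 GRE: a 4-byte redirect header precedes the inner IP packet
IPPROTO_GRE = 47
IPPROTO_TCP = 6
TCP_SYN, TCP_ACK = 0x02, 0x10


@dataclass
class InnerFlow:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int

    @property
    def is_syn(self) -> bool:
        """SYN set and ACK clear: the first packet of a client connection."""
        return self.flags & (TCP_SYN | TCP_ACK) == TCP_SYN


def _ipv4_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_ipv4(buf: bytes):
    """Return (src, dst, protocol, payload) for a minimal IPv4 header parse."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (buf[0] & 0x0F) * 4
    return _ipv4_str(buf[12:16]), _ipv4_str(buf[16:20]), buf[9], buf[ihl:]


def strip_gre(payload: bytes):
    """Remove a GRE header (RFC 2784/2890 flags) and any WCCP redirect header.

    Returns (protocol_type, inner_bytes); the WCCP case is normalised to IPv4,
    which is what the tunnel interface ends up delivering.
    """
    flags = payload[0]
    proto = struct.unpack("!H", payload[2:4])[0]
    offset = 4
    if flags & 0x80:        # checksum present
        offset += 4
    if flags & 0x20:        # key present
        offset += 4
    if flags & 0x10:        # sequence number present
        offset += 4
    inner = payload[offset:]
    if proto == GRE_PROTO_WCCP:
        inner = inner[4:]   # skip the WCCPv2 redirect header, as ip_gre does
        proto = GRE_PROTO_IPV4
    return proto, inner


def decode_outer_packet(ip_packet: bytes) -> InnerFlow:
    """From the outer IPv4 packet seen on eth0, recover the flow wccp0 would show."""
    _, _, proto, payload = parse_ipv4(ip_packet)
    if proto != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE")
    inner_proto, inner = strip_gre(payload)
    if inner_proto != GRE_PROTO_IPV4:
        raise ValueError("GRE payload is not IPv4")
    src, dst, l4proto, l4 = parse_ipv4(inner)
    if l4proto != IPPROTO_TCP:
        raise ValueError("inner packet is not TCP")
    sport, dport = struct.unpack("!HH", l4[:4])
    return InnerFlow(src, dst, sport, dport, l4[13])


def would_redirect(flow: InnerFlow, port: int = 80) -> bool:
    """Mirror of the firewall rule: TCP to port 80 arriving on wccp0 goes to squid."""
    return flow.dport == port


def ipv4_header(payload_len: int, proto: int, src: str, dst: str) -> bytes:
    """Minimal IPv4 header; checksum left at zero for this constructed sample."""
    total = 20 + payload_len
    pack_addr = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                       pack_addr(src), pack_addr(dst))


def build_sample() -> bytes:
    """Constructed: router 2.3.4.1 encapsulating a client SYN to a web server."""
    tcp = struct.pack("!HHIIBBHHH", 40123, 80, 1000, 0, 5 << 4, TCP_SYN, 65535, 0, 0)
    inner = ipv4_header(len(tcp), IPPROTO_TCP, "10.0.0.5", "198.51.100.10") + tcp
    gre = struct.pack("!HH", 0, GRE_PROTO_WCCP) + struct.pack("!I", 0)  # plain GRE + redirect header
    return ipv4_header(len(gre) + len(inner), IPPROTO_GRE, "2.3.4.1", "2.3.4.236") + gre + inner


if __name__ == "__main__":
    flow = decode_outer_packet(build_sample())
    print(f"wccp0 would carry {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}, "
          f"SYN={flow.is_syn}, redirected to squid={would_redirect(flow)}")
```

Running this reproduces the split Tuc saw: the outer packet is what a capture on eth0 shows, and only the output of decode_outer_packet is what a capture on wccp0 shows, so an empty wccp0 with GRE arriving on eth0 means the decapsulation step, not the router, is where the packets stop.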
