Re: [squid-users] Cisco/Linux/WCCP - Different Interface

From: <ketencis@dont-contact.us>
Date: Mon, 11 Feb 2008 01:41:09 +0200

Hi again,

Quoting "Tuc at T-B-O-H.NET" <ml@t-b-o-h.net>:

> Hi,
>
> It looks like I got myself into trouble masking IPs to the list.
> 4.5.6.7 may be the highest in my example, but not on the router. In
> reality the masked of 1.2.3.233 is the highest, so I guess I stick with :
>
> ip tunnel add wccp0 mode gre remote 2.3.4.233 local 2.3.4.236 dev eth0
> wccp2_router 2.3.4.233

Please keep in mind that the destination IP of your GRE tunnel can be a
loopback interface address of your router. You can find the correct IP with
the "show ip wccp" command.

Router#sh ip wccp
Global WCCP information:
     Router information:
         Router Identifier: a.b.c.d --> The destination GRE IP
         Protocol Version: 2.0

> Doing that got me good news and bad news.
>
> Good news : The router/squid now seem to exchange "HIA"/"ISY"
> packets fine, and the router deems it usable.
>
> Bad news : For about the first 2 minutes of operating a call
> to a website that prints my IP leaves it with the outside NAT address
> on the router. After that, it just stops contacting the sites period.
>
> My cache isn't a NAT'd IP, it shouldn't be subject to NAT when
> it hits the world.
> It still looks like, though, nothing is coming over the
> wccp0 link. I do a tcpdump and get nothing.
>
> wccp0 Link encap:UNSPEC HWaddr
> D0-2D-F7-EC-00-00-00-00-00-00-00-00-00-00-00-00
> inet addr:2.3.4.236 P-t-P:2.3.4.236 Mask:255.255.255.255
> UP POINTOPOINT RUNNING NOARP MTU:1476 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
>
> Though the router claims to have sent it :
>
> WCCP Client information:
> WCCP Client ID: 2.3.4.236
> Protocol Version: 2.0
> State: Usable
> Initial Hash Info: 00000000000000000000000000000000
> 00000000000000000000000000000000
> Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> Hash Allotment: 256 (100.00%)
> Packets s/w Redirected: 115
> Connect Time: 00:01:29
> Bypassed Packets
> Process: 0
> Fast: 0
> CEF: 0

That is right, the router redirects packets through the GRE tunnel. It seems
you are facing problems with your GRE configuration. You must have RX packets
through the wccp0 interface; TX packets 0 is okay. Maybe your security setting
denies GRE packets. You can add the following lines to your script.

iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p 47 -j ACCEPT

The first is the destination port of the redirected packet, the second is the
GRE protocol.

> I've looked at what Adrian sent me, ConfigExamples, but
> neither situation seems to be what it is here. In "NatAndWccp2"
> I have 3 interfaces. A serial to the world which is "ip nat outside"
> and has my "ip wccp web-cache redirect out". A Gig that's
> "ip nat inside" with a primary IP of the 2.3.4.233, and 3 RFC1918
> IPs as secondary (All need to be redirected). Another Gig that's
> "ip nat inside" with a primary IP of another RFC1918 that needs
> to be redirected. I did change my wccp.up script to be more
> like his though :

You do not have to use "ip wccp web-cache redirect out" on your internet
interface unless you want to redirect all your web traffic. Instead, you can
use "ip wccp web-cache redirect in" on your other interfaces. Also, you can use
an access-list to manage redirection.

> modprobe ip_gre
> ip tunnel del wccp0
> iptables -t nat -F PREROUTING
> ip tunnel add wccp0 mode gre remote 2.3.4.233 local 2.3.4.236 dev eth0
> ip addr add 2.3.4.236/32 dev wccp0
> ip link set wccp0 up
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
> echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
> echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
> echo 0 > /proc/sys/net/ipv4/conf/wccp0/rp_filter
> iptables -t nat -A PREROUTING -i wccp0 -d 0/0 -p tcp --dport 80 -j
> DNAT --to-destination 2.3.4.236:3128

I don't know if they are enabled on your system, but you must also add the
lines below:

modprobe ip_conntrack
modprobe iptable_nat

> But I don't think things are coming over the GRE still. Could
> this be because the cache is in the same subnet as the highest IP on
> the router?
>
> Thanks, Tuc
>>
>> Hi Tuc,
>>
>> Your configuration is ok but the gre tunnel destination and wccp2_router IP
>> is wrong. Because of its working mechanism the destination ip address of
>> your gre tunnel should be the greatest IP address which is assigned to any
>> of your interfaces on your router. "HERE I AM" by Squid and "I SEE YOU"
>> reply by router are packets that are sent every 10 seconds to confirm that
>> Squid is alive. So the changes that you should do:
>>
>> ip tunnel add wccp0 mode gre remote 4.5.6.7 local 2.3.4.236 dev eth0
>> wccp2_router 2.3.4.233
>>
>> It was hard to find out this gre trick for me because I could not find any
>> absolute information about destination IP of gre tunnel. They say
>> "router_ip" for destination.
>>
>> The iptables command that I use is as below:
>>
>> iptables -t nat -A PREROUTING -i wccp0 -d 0/0 -p tcp --dport 80 -j DNAT
>> --to-destination 2.3.4.236:3128
>>
>> I am not sure about your iptables command but mine is working.
>>
>> Good Luck,
>>
>> Sinmaz Ketenci
>> Istanbul Technical University
>>
>>
>>
>> Quoting "Tuc at T-B-O-H.NET" <ml@t-b-o-h.net>:
>>
>> > Hi,
>> >
>> > Trying to follow :
>> >
>> > http://wiki.squid-cache.org/SquidFaq/InterceptionProxy
>> >
>> > Cisco is a 2851 :
>> > Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M),
>> > Version 12.4(12), RELEASE SOFTWARE (fc1)
>> >
>> > Linux is Centos 4:
>> > Linux ports.example.com 2.6.9-42.0.10.EL #1 Tue Feb 27 09:24:42 EST
>> > 2007 i686 i686 i386 GNU/Linux
>> >
>> > Squid is squid-2.6.STABLE18
>> >
>> > One tweak to the docs I did find I needed for
>> > Cisco was "ip wccp web-cache" needed to be set for it to
>> > run.
>> >
>> > The configuration is that I have a serial port doing NAT to the
>> > net, which is where EVERYTHING passes, so that's where I put the ip wccp
>> > statements on the router. That interface IP is 1.2.3.58 . I have
>> > a Gig 0/0, IP 2.3.4.233 . Off that gig is the squid at 2.3.4.236. I
>> > have a Gig0/1 IP 4.5.6.7, and 99% of the users hang off there.
>> >
>> > I used the following on Linux. The iptables command
>> > seems to never have heard of the "--redirect-to" command, so hopefully
>> > this is correct :
>> >
>> > modprobe ip_gre
>> > ip tunnel del wccp0
>> > ip tunnel add wccp0 mode gre remote 1.2.3.58 local 2.3.4.236 dev eth0
>> > ip addr add 2.3.4.236/32 dev wccp0
>> > ip link set wccp0 up
>> > echo 0 >/proc/sys/net/ipv4/conf/wccp0/rp_filter
>> > iptables -t nat -A PREROUTING -p tcp -i wccp0 -j REDIRECT --to 3128
>> >
>> > It didn't seem to work, so I shut down all IP tables
>> > via the Centos GUI (BIG mistake, it wiped out my settings and now
>> > I need to reconstruct it. :-/ ) ANYWAY... AFTER that I checked,
>> > and a "sho ip wccp we v" on the router showed my
>> > 2.3.4.236 as visible, and a "sho ip wccp web det"
>> > showed it, but with a State of "NOT Usable". I turned up
>> > some debug, and I see maybe what's happening, but don't know
>> > how to resolve..
>> >
>> > When I Wireshark the packets on 2048, I see the "Here I am"
>> > from Squid to the router fine, but the router responds with
>> > "I see you" from 2.3.4.233, the IP of the interface closest to
>> > the squid, but NOT the IP of the Internet connection.
>> >
>> > How do I handle this? Do I need to change wccp2_router to
>> > 2.3.4.233 instead of really what it should be, 1.2.3.58?
>> >
>> > Also, is the iptables command correct?
>> >
>> > Thanks, Tuc
>> >

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
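An added diagnostic (not from the thread or from Squid), in Python, that checks the three points raised in this reply: the cache State on the router, whether the GRE remote matches the router's Router Identifier, and router-redirected packets against the wccp0 RX counter. The sample router and ifconfig outputs and the tunnel remote are constructed to mirror the thread.

```python
import re

# Constructed sample outputs modelled on the thread, not real captures.
ROUTER_WCCP = """Global WCCP information:
    Router information:
        Router Identifier: 2.3.4.233
    WCCP Client information:
        WCCP Client ID: 2.3.4.236
        State: Usable
        Packets s/w Redirected: 115
"""
IFCONFIG_WCCP0 = """wccp0 Link encap:UNSPEC HWaddr D0-2D-F7-EC-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:2.3.4.236 P-t-P:2.3.4.236 Mask:255.255.255.255
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
"""
TUNNEL_REMOTE = "2.3.4.233"  # the 'remote' given to 'ip tunnel add wccp0 mode gre'

def _field(text, label):
    """Return the first token after 'label:' or None if the label is absent."""
    m = re.search(re.escape(label) + r":\s*(\S+)", text)
    return m.group(1) if m else None

def parse_router(text):
    return {
        "router_id": _field(text, "Router Identifier"),
        "state": _field(text, "State"),
        "redirected": int(_field(text, "Packets s/w Redirected") or 0),
    }

def parse_wccp0(text):
    return {"rx": int(_field(text, "RX packets") or 0),
            "tx": int(_field(text, "TX packets") or 0)}

def diagnose(router_text, ifconfig_text, tunnel_remote):
    """Return a list of findings; an empty list means nothing looks wrong."""
    r, w = parse_router(router_text), parse_wccp0(ifconfig_text)
    findings = []
    if r["state"] != "Usable":
        findings.append("cache state is %s: HIA/ISY exchange is not completing" % r["state"])
    if r["router_id"] != tunnel_remote:
        findings.append("GRE remote %s is not the Router Identifier %s"
                        % (tunnel_remote, r["router_id"]))
    if r["redirected"] > 0 and w["rx"] == 0:
        findings.append("router redirected %d packets but wccp0 RX is 0: "
                        "GRE (IP protocol 47) is likely filtered before the tunnel"
                        % r["redirected"])
    return findings
```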
Received on Sun Feb 10 2008 - 16:41:42 MST

This archive was generated by hypermail pre-2.1.9 : Sat Mar 01 2008 - 12:00:05 MST