On Mon, 28 Apr 2008, Wennie V. Lagmay wrote:
> A. squid -v
>
> Squid Cache: Version 2.6.STABLE19
> configure options: '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--localstatedir=/spool/squid' '--sysconfdir=/etc/squid' '--enable-snmp' '--enable-kill-parent-hack' '--enable-delay-pools' '--enable-storeio=aufs,diskd,null' '--enable-removal-policies=heap,lru' '--enable-arp-acl' '--enable-large-files' '--enable-ssl' '--enable-linux-netfilter' '--with-maxfd=16384'
>
>
> B. ip wccp version 2
> ip wccp web-cache
> !
> interface fastethernet 1/0
> description internet connection
> ip address 192.168.255.6 255.255.255.252
> !
> interface fastethernet 3/0
> description LAN
> ip address xx.xx.184.177
> ip wccp web-cache redirect out
Either change this line to "ip wccp web-cache redirect in" or
put it in fa1/0.
> !
> ip route 0.0.0.0 0.0.0.0 192.158.255.5
>
> C. [root@cproxy ~]# tcpdump -i wccp0
> tcpdump: WARNING: arptype 778 not supported by libpcap - falling back to cooked socket
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on wccp0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
>
> :note that 778 is my ssh port, also there is no log being shown in the access.log
>
> tcpdump
> IP 192.168.255.6 > xx.xx.184.178: GREv0, length 56: gre-proto-0x883e
> STP 802.1d, Config, Flags [none], bridge-id xxxxxxxxxx, length 43
You should not be seeing the GRE packets on the wccp0 interface. GRE should
already be decrypted in this interface.
>
> D. ifconfig
>
> wccp0 Link encap:UNSPEC HWaddr 4F-62-B8-B2-00-00-00-00-00-00-00-00-00-00-00-00
> inet addr:xx.xx.184.178 P-t-P:xx.xx.184.178 Mask:255.255.255.255
> UP POINTOPOINT RUNNING NOARP MTU:1476 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
>
> :note packets received and sent
>
>
Here's how I've done it.
1. Squid box:
1.1 compile options for squid:
Squid Cache: Version 2.6.STABLE19
configure options: '--enable-snmp' '--prefix=/usr/local/squid'
'--enable-async-io' '--enable-storeio=ufs,aufs,coss,null'
'--enable-removal-policies=lru,heap' '--enable-wccp' '--enable-wccpv2'
'--disable-ident-lookup' '--enable-linux-netfilter' '--enable-epoll'
'--disable-select' '--disable-poll' '--enable-follow-x-forwarded-for'
'--with-maxfd=16384' 'CFLAGS=-march=nocona -O2 -pipe -fomit-frame-pointer
-DNUMTHREADS=150 -funroll-loops -ffast-math -fno-exceptions'
1.2 squid config:
http_port <squid port> transparent
wccp2_router xxx.xxx.xxx.233
1.3 OS:
CentOS 4.5 64-bit kernel version 2.6.23.9 compiled with ip_gre builtin.
1.4 interface:
create gre0 interface:
[root@squid ~]# cat /etc/sysconfig/network-scripts/ifcfg-gre0
DEVICE=gre0
BOOTPROTO=static
BROADCAST=192.168.172.3
IPADDR=192.168.172.2 << use any unused ip for this interface, doesn't matter
NETMASK=255.255.255.252
NETWORK=192.168.172.0
ONBOOT=yes
TYPE=Ethernet
ifconfig:
eth0 Link encap:Ethernet HWaddr 00:14:5E:41:FA:A6
inet addr:xxx.xxx.xxx.234 Bcast:xxx.xxx.xxx.239 Mask:255.255.255.248
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8780435181 errors:0 dropped:0 overruns:0 frame:0
TX packets:9211494941 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:4768621410009 (4.3 TiB) TX bytes:6971021118272 (6.3 TiB)
Base address:0x2000 Memory:d0120000-d0140000
gre0 Link encap:UNSPEC HWaddr 00-00-00-00-FF-F8-00-00-00-00-00-00-00-00-00-00
inet addr:192.168.172.2 Mask:255.255.255.252
UP RUNNING NOARP MTU:1476 Metric:1
RX packets:4849085060 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:4269 dropped:0 overruns:0 carrier:0
collisions:4269 txqueuelen:0
RX bytes:735923364221 (685.3 GiB) TX bytes:0 (0.0 b)
tcpdump on eth0:
[root@squid ~]# tcpdump -nn -i eth0 |grep gre-proto
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:23:58.708759 IP xxx.xxx.xxx.226 > xxx.xxx.xxx.234: gre-proto-0x883e
10:23:58.710273 IP xxx.xxx.xxx.226 > xxx.xxx.xxx.234: gre-proto-0x883e
tcpdump on gre0:
[root@squid ~]# tcpdump -nn -i gre0
tcpdump: WARNING: arptype 778 not supported by libpcap - falling back to cooked socket
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on gre0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
10:26:18.896768 IP xxx.yyy.zzz.16.1999 > 208.122.6.235.80: . ack 3193965999 win 65535 <nop,nop,sack sack 1 {1461:5841} >
10:26:18.897020 IP xxx.yyy.zzz.123.4098 > 209.216.46.132.80: . ack 586983296 win 17424
10:26:18.897790 IP xxx.yyy.zzz.209.62383 > 203.84.204.69.80: . ack 1194719072 win 65114
10:26:18.897799 IP xxx.yyy.zzz.209.62383 > 203.84.204.69.80: F 0:0(0) ack 1 win 65114
1.5 iptables:
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/gre0/rp_filter
/sbin/iptables -t nat -A PREROUTING -i gre0 -p tcp -m tcp -s <lan network> --dport 80 -j REDIRECT --to-port <squid port>
/sbin/iptables -A INPUT -i gre0 -p tcp -s <lan network> --dport <squid port> -j ACCEPT
2. Router:
2.1 Router version:
7204VXR npe 300 IOS version 12.2(46a)
2.2 Config
ip wccp version 2
ip wccp web-cache redirect-list SQUID-BYPASS-NEW
interface FastEthernet0/0.128
description Connection to internet
bandwidth 24000
encapsulation dot1Q 128
ip address xxx.xxx.xxx.201 255.255.255.252
ip access-group PORT_BLOCK in
ip access-group PORT_BLOCK out
ip wccp web-cache redirect out
no cdp enable
Router#sh ip wccp web-cache detail
WCCP Cache-Engine information:
Web Cache ID: xxx.xxx.xxx.234
Protocol Version: 2.0
State: Usable
Initial Hash Info: 00000000000000000000000000000000
00000000000000000000000000000000
Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Hash Allotment: 256 (100.00%)
Packets Redirected: 1166385116
Connect Time: 3w3d
Router#sh ip wccp web-cache
Global WCCP information:
Router information:
Router Identifier: xxx.xxx.xxx.226
Protocol Version: 2.0
Service Identifier: web-cache
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 553854367
Redirect access-list: SQUID-BYPASS-NEW
Total Packets Denied Redirect: 1050502969
Total Packets Unassigned: 126368
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
### That's it... working great for us.
>
>
>
>
> ----- Original Message -----
> From: "Manoj_Rajkarnikar" <manoj@vianet.com.np>
> To: "Wennie V. Lagmay" <wlagmay@yanbulink.net>
> Cc: "squid-users" <squid-users@squid-cache.org>
> Sent: Monday, April 28, 2008 2:22:34 PM (GMT+0300) Asia/Kuwait
> Subject: Re: [squid-users] squid and wccp
>
> On Mon, 28 Apr 2008, Wennie V. Lagmay wrote:
>
>> I am trying to configure squid wccp and cisco router but with no luck.
>> This is what I have done. Please check my procedure and configuration:
>>
>> for squid version 2.6Stable19 running on Fedora Core 8 64 bit with ip address xx.xx.184.178
>> 1. I configure squid with options enable-linux-netfilter
>
> please provide output of "squid -v"
>
--Received on Tue Apr 29 2008 - 05:11:22 MDT
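
The two captures in the reply (gre-proto-0x883e on eth0, plain port-80 TCP on gre0) differ by one decapsulation step. The Python sketch below is an added example, not part of the original message: it strips the outer IP header, the GRE header with protocol type 0x883e and, for WCCPv2, the 4-byte redirect header, then reports the inner flow that the REDIRECT rule on gre0 matches. The sample packets, documentation addresses and function names are constructed, and the redirect header is skipped without interpreting its fields.

```python
import socket
import struct

ETH_P_WCCP = 0x883E  # GRE protocol type; tcpdump prints it as gre-proto-0x883e

def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (checksum left 0) plus payload, for sample data."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src),
                       socket.inet_aton(dst)) + payload

def decap_wccp_gre(pkt):
    """Strip outer IP + GRE (+ WCCPv2 redirect header); describe the inner TCP flow."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 47:                          # IP protocol 47 = GRE
        raise ValueError("outer packet is not GRE")
    flags, proto = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if proto != ETH_P_WCCP or flags & 0xB000: # checksum/key/sequence not handled
        raise ValueError("not a plain WCCP GRE packet")
    inner = pkt[ihl + 4:]
    if inner[0] >> 4 != 4:                    # not an IPv4 header yet: WCCPv2
        inner = inner[4:]                     # skip the 4-byte redirect header
    if inner[0] >> 4 != 4 or inner[9] != 6:
        raise ValueError("inner packet is not IPv4/TCP")
    off = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[off:off + 4])
    return {
        "tunnel": (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])),
        "client": (socket.inet_ntoa(inner[12:16]), sport),
        "server": (socket.inet_ntoa(inner[16:20]), dport),
    }

# Constructed sample: router 192.0.2.226 redirects a client's port-80 segment
# to the cache at 192.0.2.234 (documentation addresses, not from the thread).
TCP = struct.pack("!HHIIBBHHH", 1999, 80, 1, 1, 5 << 4, 0x10, 65535, 0, 0)
INNER = ipv4("198.51.100.16", "203.0.113.69", 6, TCP)
GRE = struct.pack("!HH", 0, ETH_P_WCCP)
WCCP2_REDIRECT_HDR = bytes(4)                 # contents not interpreted here
SAMPLE_V2 = ipv4("192.0.2.226", "192.0.2.234", 47, GRE + WCCP2_REDIRECT_HDR + INNER)
SAMPLE_V1 = ipv4("192.0.2.226", "192.0.2.234", 47, GRE + INNER)

if __name__ == "__main__":
    print(decap_wccp_gre(SAMPLE_V2))
```

The inner packet keeps the client's source address and the origin server's destination, which is why the captured traffic on gre0 shows LAN clients talking to port 80 rather than router-to-cache packets.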