RE: [squid-users] Problems with WCCP

From: Humberto Rodríguez <humberto_at_ceniai.inf.cu>
Date: Fri, 10 Jul 2009 10:29:37 -0500

Yes, I did it in my ipfw rules. I also created 2 gre interfaces for testing
reasons, because the router identifier and the squid gateway are not the
same. I also can see packets between the router and the server through gre
protocol, but the squid server always shows TCP_DENIED/400 1816 GET
error:invalid-request - NONE/- text/html.
I also have installed FreeBSD 6.2-RELEASE and I use wccp v1.
In my router ACL I deny my national traffic and permit any to any in my last
sentence.

00048 0 0 deny tcp from any to x.x.142.199 dst-port 3128
00049 0 0 allow gre from x.x.0.129 to x.x.142.199
00050 37687 20281343 allow tcp from x.x.142.199 to any out
00051 233 11168 allow tcp from any 80 to any out
00052 152 10796 allow gre from x.x.142.193 to x.x.142.199
00052 0 0 allow gre from x.x.142.199 to x.x.142.193
00054 0 0 fwd 127.0.0.1,3128 tcp from any to any dst-port 80 in recv gre1
00054 152 6968 fwd 127.0.0.1,3128 tcp from any to any dst-port 80 in recv gre0
00055 253 17177 allow udp from x.x.142.199 to any dst-port 53
00056 0 0 allow tcp from x.x.142.199 to any dst-port 53
00057 13322 17236149 allow tcp from any 80 to x.x.142.199 in
00067 8420 745002 allow tcp from any to any established
00068 16 932 allow ip from any to any via lo0
00071 549 44800 allow ip from x.x.142.199 to x.x.142.192/28
00072 809 102132 allow ip from x.x.142.192/28 to x.x.142.199
00081 0 0 allow ip from x.x.0.129 to x.x.142.199
00082 26 2080 allow ip from x.x.142.199 to x.x.0.129

My gre-tunnels creation:

ifconfig gre0 create
ifconfig gre0 x.x.142.199 x.x.142.193 netmask 255.255.255.255 up
ifconfig gre0 tunnel x.x.142.199 x.x.142.193
route delete x.x.142.193

ifconfig gre1 create
ifconfig gre1 x.x.142.199 x.x.0.129 netmask 255.255.255.255 up
ifconfig gre1 tunnel x.x.142.199 x.x.0.129
route delete x.x.0.129

Thanks in advance
Humberto

-----Original Message-----
From: Tom Penndorf [mailto:tpenndorf_at_seibert-media.net]
Sent: Thursday, July 09, 2009 1:19 PM
To: Humberto Rodríguez
CC: squid-users_at_squid-cache.org
Subject: Re: [squid-users] Problems with WCCP

Hello,

On 09.07.2009 at 19:06, Humberto Rodríguez wrote:

>
> Hello:
>
> I have SQUID 2.6.STABLE3 with wccp and a Cisco 3745 router with IOS
> Version 12.3(8)T8. I can see packets between the router and the
> squid server, I can browse Internet through 3128 port, but I can't
> browse Internet through wccp protocol.
> The router always shows me the following:
>
> Global WCCP information:
> Router information:
> Router Identifier: x.x.x.129
> Protocol Version: 1.0
>
> Service Identifier: web-cache
> Number of Cache Engines: 1
> Number of routers: 1
> Total Packets Redirected: 4696
> Redirect access-list: cache
> Total Packets Denied Redirect: 53336
> Total Packets Unassigned: 0
> Group access-list: -none-
> Total Messages Denied to Group: 0
> Total Authentication failures: 0
> 3745-HLG#sh ip wccp web-cache de
> 3745-HLG#sh ip wccp web-cache detail
> WCCP Cache-Engine information:
> Web Cache ID: 0.0.0.0
> Protocol Version: 0.4
> State: Usable
> Initial Hash Info: 00000000000000000000000000000000
> 00000000000000000000000000000000
> Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> Hash Allotment: 256 (100.00%)
> Packets Redirected: 0
> Connect Time: 00:11:01
>
> 3745-HLG#sh ip wccp web-cache view
> WCCP Routers Informed of:
> -none-
>
> WCCP Cache Engines Visible:
> x.x.x.199
>
> WCCP Cache Engines NOT Visible:
> -none-
>

Did you set up a gre-tunnel between Router and Caching-Machine? Is the port
80 forwarded to 3128?

Set it up on the squid machine as described in this article:
http://wiki.squid-cache.org/ConfigExamples/Intercept/CiscoAsaWccp2

I think the router setup is ok, but also see this article:
http://wiki.squid-cache.org/ConfigExamples/Intercept/CiscoIOSv12Wccp

Tom

  
  

Received on Fri Jul 10 2009 - 14:31:03 MDT
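
Added example, not part of the original message: a Python sketch that reads the ipfw counter listing posted above and compares, per GRE tunnel, the GRE packets accepted from the router with the port-80 packets that the fwd rule handed to Squid. The function names and the `TUNNEL_PEERS` mapping are assumptions made for this example; the sample rules and tunnel peers are copied from the message, including its wrapped lines.

```python
import re

# Constructed sample: GRE and fwd rules copied from the ipfw counter listing
# in the message, including the line wrap before "recv greN".
SAMPLE = """\
00049 0 0 allow gre from x.x.0.129 to x.x.142.199
00052 152 10796 allow gre from x.x.142.193 to x.x.142.199
00052 0 0 allow gre from x.x.142.199 to x.x.142.193
00054 0 0 fwd 127.0.0.1,3128 tcp from any to any dst-port 80 in
recv gre1
00054 152 6968 fwd 127.0.0.1,3128 tcp from any to any dst-port 80 in
recv gre0
"""

# Assumed mapping for this example: tunnel peers from the ifconfig commands.
TUNNEL_PEERS = {"gre0": "x.x.142.193", "gre1": "x.x.0.129"}

RULE = re.compile(r"^(\d{5})\s+(\d+)\s+(\d+)\s+(.+)$")


def parse_rules(text):
    """Parse 'number packets bytes body' lines, rejoining wrapped rule bodies."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        m = RULE.match(line)
        if m:
            rules.append({"num": int(m[1]), "pkts": int(m[2]),
                          "bytes": int(m[3]), "body": m[4]})
        elif line and rules:
            rules[-1]["body"] += " " + line  # continuation of the previous rule
    return rules


def tunnel_report(rules, peers):
    """Per tunnel: GRE packets accepted from the peer vs. packets forwarded."""
    report = {}
    for ifname, peer in peers.items():
        gre_in = sum(r["pkts"] for r in rules
                     if r["body"].startswith(f"allow gre from {peer} "))
        fwd = sum(r["pkts"] for r in rules if r["body"].startswith("fwd ")
                  and r["body"].endswith(f"recv {ifname}"))
        status = "forwarding" if fwd else ("gre-only" if gre_in else "idle")
        report[ifname] = {"gre_in": gre_in, "fwd": fwd, "status": status}
    return report


if __name__ == "__main__":
    for name, row in tunnel_report(parse_rules(SAMPLE), TUNNEL_PEERS).items():
        print(name, row)
```

On the posted counters this reports gre0 as forwarding (152 GRE packets in, 152 packets forwarded to 127.0.0.1,3128) and gre1 as idle.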

This archive was generated by hypermail 2.2.0 : Fri Jul 10 2009 - 12:00:02 MDT