[squid-users] squid on debian, amongst other clients (cisco router)

From: Sławomir Kozłowski <kozlowski_at_torli.pl>
Date: Fri, 14 Aug 2009 21:30:39 +0200

Hi,
I have one little problem with squid. I currently use squid configured
manually, but I can't force it to work in transparent mode.
My whole config is:
1. network

{internet} -> router cisco 2821 (with 2 vlans) -> switch -> client is
on vlan 201, squid is on vlan 2

2. cisco config: FastEthernet0/0 is external interface with direct
connection to the Internet, with external IP address (77.77.77.12 is
fake), FastEthernet0/1.201 is vlan interface with all clients,
FastEthernet0/1.2 is vlan interface with squid machine in it

ip wccp web-cache
ip cef

interface FastEthernet0/0
 ip address 77.77.77.12 255.255.255.224
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto

interface FastEthernet0/1.2
 encapsulation dot1Q 201
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip mroute-cache
 no snmp trap link-status

interface FastEthernet0/1.201
 encapsulation dot1Q 201
 ip address 192.168.201.1 255.255.255.0
 ip wccp web-cache redirect out
 ip wccp web-cache redirect in
 ip nat inside
 ip virtual-reassembly
 no ip mroute-cache
 no snmp trap link-status

3. network config on machine with squid

iface eth0 inet static
        address 192.168.2.243
        netmask 255.255.255.0
        network 192.168.2.0
        broadcast 192.168.2.255
        gateway 192.168.2.1

4. squid config

wccp2_router 77.77.77.12
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0
access_log /var/log/squid3/access.log
http_port 3128 transparent
acl blocksites url_regex "/etc/squid3/blocked-sites.acl"
http_access deny blocksites

5. iptables config

$iptables -F
$iptables -X
$iptables -F -t nat
$iptables -F -t mangle
$iptables -t nat -A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j REDIRECT --$

6. tunnel config

/sbin/ip tunnel add wccp0 mode gre remote 77.77.77.12 local 192.168.2.243 dev eth0;
/sbin/ifconfig wccp0 192.168.2.243 netmask 255.255.255.255 up
/sbin/sysctl -w net.ipv4.conf.wccp0.rp_filter=0 ;
/sbin/sysctl -w net.ipv4.conf.eth0.rp_filter=0 ;

Now, the problem. If I manually configure the proxy on the client,
everything works fine. When I remove the proxy configuration from the
browser, I cannot access any webpage.
I did some debugging, and when I run tcpdump on the wccp0 interface and
try to access a webpage on the client (squid in transparent mode), I
see some packets on the wccp0 interface, but no page loads.
Also, on the Cisco router, when I run: sh ip wccp web-cache I get:

Global WCCP information:
    Router information:
        Router Identifier: 192.168.201.1
        Protocol Version: 2.0

    Service Identifier: web-cache
        Number of Cache Engines: 1
        Number of routers: 1
        Total Packets Redirected: 2089
        Process: 116
        Fast: 0
        CEF: 1973
        Redirect access-list: -none-
        Total Packets Denied Redirect: 0
        Total Packets Unassigned: 139
        Group access-list: -none-
        Total Messages Denied to Group: 0
        Total Authentication failures: 0
        Total Bypassed Packets Received: 0

and when I run: sh ip wccp web-cache detail I get:
WCCP Cache-Engine information:
        Web Cache ID: 192.168.2.243
        Protocol Version: 2.0
        State: Usable
        Initial Hash Info: 00000000000000000000000000000000
                               00000000000000000000000000000000
        Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                               FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
        Hash Allotment: 256 (100.00%)
        Packets Redirected: 5
        Connect Time: 05:42:44
        Bypassed Packets
          Process: 0
          Fast: 0
          CEF: 0

So, please help me set this up as a transparent proxy.
Thanks in advance,
Slawek
Received on Fri Aug 14 2009 - 19:30:48 MDT
