Re: [squid-users] squid on debian, amongst other clients (cisco router)

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 15 Aug 2009 14:40:40 +1200

Sławomir Kozłowski wrote:
> Hi,
> I have one little problem with squid. I use squid now as configured
> manually, but can't force it to work in transparent mode.

So first Q: __what version of squid__ ???

Debian has somewhere between 9 and a few hundred Squid versions
currently in-use depending on how recently you upgraded and which Debian
release you have.

"squid -v" should give some indication what version it is.

> My whole config is:
> 1. network
>
> {internet} -> router cisco 2821 (with 2 vlans) -> switch -> client is
> on vlan 201, squid is on vlan 2
>
> 2. cisco config: FastEthernet0/0 is external interface with direct
> connection to the Internet, with external IP address (77.77.77.12 is
> fake), FastEthernet0/1.201 is vlan interface with all clients,
> FastEthernet0/1.2 is vlan interface with squid machine in it
>
> ip wccp web-cache
> ip cef
>
> interface FastEthernet0/0
> ip address 77.77.77.12 255.255.255.224
> ip nat outside
> ip virtual-reassembly
> duplex auto
> speed auto
>
> interface FastEthernet0/1.2
> encapsulation dot1Q 201
> ip address 192.168.2.1 255.255.255.0
> ip nat inside
> ip virtual-reassembly
> no ip mroute-cache
> no snmp trap link-status
>
> interface FastEthernet0/1.201
> encapsulation dot1Q 201
> ip address 192.168.201.1 255.255.255.0
> ip wccp web-cache redirect out
> ip wccp web-cache redirect in
> ip nat inside
> ip virtual-reassembly
> no ip mroute-cache
> no snmp trap link-status
>
> 3. network config on machine with squid
>
> iface eth0 inet static
> address 192.168.2.243
> netmask 255.255.255.0
> network 192.168.2.0
> broadcast 192.168.2.255
> gateway 192.168.2.1
>
> 4. squid config
>
> wccp2_router 77.77.77.12
> wccp2_forwarding_method 1
> wccp2_return_method 1
> wccp2_service standard 0
> access_log /var/log/squid3/access.log
> http_port 3128 transparent
> acl blocksites url_regex "/etc/squid3/blocked-sites.acl"
> http_access deny blocksites

Your life will be easier, and your log emptier, if you place the
"transparent" option on a different port from the one on which you get
normal proxy requests.
I recommend 3129 or such. Then firewall that port from any direct
contact with devices other than the router (but do the firewall bit
later, once you have WCCP working, to be sure).

>
> 5. iptables config
>
> $iptables -F
> $iptables -X
> $iptables -F -t nat
> $iptables -F -t mangle
> $iptables -t nat -A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j REDIRECT --$

You may also need a POSTROUTING -j MASQUERADE rule to unwind the reply
packets Squid->Client.

>
> 6. tunnel config
>
> /sbin/ip tunnel add wccp0 mode gre remote 77.77.77.12 local
> 192.168.2.243 dev eth0;
> /sbin/ifconfig wccp0 192.168.2.243 netmask 255.255.255.255 up
> /sbin/sysctl -w net.ipv4.conf.wccp0.rp_filter=0 ;
> /sbin/sysctl -w net.ipv4.conf.eth0.rp_filter=0 ;
>
> Now, the problem. If I configure the proxy manually on the client, all is
> working fine. When I remove the proxy configuration from the browser,
> then I cannot access any webpage.
> I did some debugging, and when I run tcpdump on the wccp0 interface and try
> to access some webpage on the client (squid in transparent mode), then I
> see some packets on the wccp0 interface, but no page is loading.
> Also on the cisco router, when I run: sh ip wccp web-cache I get:
>
> Global WCCP information:
> Router information:
> Router Identifier: 192.168.201.1
> Protocol Version: 2.0
>
> Service Identifier: web-cache
> Number of Cache Engines: 1
> Number of routers: 1
> Total Packets Redirected: 2089
> Process: 116
> Fast: 0
> CEF: 1973
> Redirect access-list: -none-
> Total Packets Denied Redirect: 0
> Total Packets Unassigned: 139
> Group access-list: -none-
> Total Messages Denied to Group: 0
> Total Authentication failures: 0
> Total Bypassed Packets Received: 0
>
> and when I run: sh ip wccp web-cache detail I get:
> WCCP Cache-Engine information:
> Web Cache ID: 192.168.2.243
> Protocol Version: 2.0
> State: Usable
> Initial Hash Info: 00000000000000000000000000000000
> 00000000000000000000000000000000
> Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> Hash Allotment: 256 (100.00%)
> Packets Redirected: 5
> Connect Time: 05:42:44
> Bypassed Packets
> Process: 0
> Fast: 0
> CEF: 0
>
> So, please help me set this up as transparent proxy.
> Thanks in advance,
> Slawek

In 4. squid config you specify:

> wccp2_router 77.77.77.12

In 6. tunnel config you specify:
   gre remote 77.77.77.12

yet WCCP indicates:
   Router Identifier: 192.168.201.1

I think your gre tunnel is probably going to the wrong IP.
To check, try adding a gre tunnel from the Squid box to all of the
router IPs and seeing which one gets traffic.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
   Current Beta Squid 3.1.0.13
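A consistency check over the configuration posted in this thread, as an added example (not code from the thread, from Squid or from Cisco): it compares the GRE tunnel remote with the WCCP Router Identifier, flags a single http_port serving both explicit and intercepted requests, and looks for the POSTROUTING MASQUERADE rule mentioned above. The posted iptables line is cut off, so its "--to-ports 3128" target is an assumption.

```python
import re

# Constructed inputs copied from the configuration posted in the thread. The posted
# iptables line is cut off after "--", so the "--to-ports 3128" target is assumed.
SQUID_CONF = """wccp2_router 77.77.77.12
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0
http_port 3128 transparent
"""
TUNNEL_CMD = ("/sbin/ip tunnel add wccp0 mode gre remote 77.77.77.12 "
              "local 192.168.2.243 dev eth0")
IPTABLES_RULES = [
    "iptables -t nat -A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128",
]
WCCP_STATUS = """Global WCCP information:
 Router information:
  Router Identifier: 192.168.201.1
  Protocol Version: 2.0
"""

def gre_remote(cmd):
    m = re.search(r"\bremote\s+(\S+)", cmd)
    return m.group(1) if m else None

def router_identifier(status):
    m = re.search(r"Router Identifier:\s*(\S+)", status)
    return m.group(1) if m else None

def http_ports(conf):
    """Return (all http_port numbers, the subset flagged transparent/intercept)."""
    found = re.findall(r"^http_port\s+(?:\S+:)?(\d+)(\s+(?:transparent|intercept)\b)?", conf, re.M)
    return {int(p) for p, _ in found}, {int(p) for p, flag in found if flag}

def check(conf, tunnel, rules, status):
    findings = []
    rid, remote = router_identifier(status), gre_remote(tunnel)
    if rid and remote != rid:  # the router sources GRE-encapsulated packets from its identifier
        findings.append(f"gre-remote: tunnel remote {remote} != WCCP Router Identifier {rid}")
    ports, icept = http_ports(conf)
    if icept and not ports - icept:  # every port intercepts, so explicit requests share it
        findings.append(f"shared-port: intercept port(s) {sorted(icept)} also serve explicit proxy requests")
    for r in rules:
        m = re.search(r"--to-ports?\s+(\d+)", r)
        if "REDIRECT" in r and m and int(m.group(1)) not in icept:
            findings.append(f"redirect-port: REDIRECT target {m.group(1)} is not an intercept port")
    if not any("POSTROUTING" in r and "MASQUERADE" in r for r in rules):
        findings.append("masquerade: no POSTROUTING MASQUERADE rule for Squid->client replies")
    return findings

if __name__ == "__main__":
    print("\n".join(check(SQUID_CONF, TUNNEL_CMD, IPTABLES_RULES, WCCP_STATUS)))
```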
Received on Sat Aug 15 2009 - 02:40:49 MDT
