[squid-users] Re: Squid3.1 TProxy weirdness

From: Felipe W Damasio <felipewd_at_gmail.com>
Date: Wed, 6 Jan 2010 17:05:22 -0200

  Hi again,

2010/1/6 Felipe W Damasio <felipewd_at_gmail.com>:
>   I'm new to this list, but checked the archives a lot before asking this.
>   I'm trying to get squid-3.1 up and running with TProxy 4.1 on an ISP network.
>   My setup is working correctly when only a few users are connected to
> the users VLAN. The users can browse and TProxy works.
>   But when I plug in the router with all the users (around 60000),
> squid doesn't respond anymore.

  Just so you guys know, I'm compiling squid with:

./configure --enable-async-io --enable-icmp --enable-useragent-log
--enable-snmp --enable-cache-digests --enable-follow-x-forwarded-for
--enable-storeio=aufs --enable-removal-policies=heap,lru
--enable-epoll --enable-http-violations --with-maxfd=1000000
--enable-linux-netfilter

  Besides following exactly what the TProxy wiki told me, the only
other thing I had to do in order to get TProxy to work was this:

echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/br0/rp_filter

   But again, it works when a few clients are connected, but when the CMTS
(cable modem router) kicks in, everything goes to hell. Oh, and even
the clients that were already working stop working. Nothing gets
through!

   I tried to log the iptables rules to see if it really sees the
traffic, and got a lot of:

Jan 6 11:24:58 hyper kernel: iptables IN=eth0 OUT=
MAC=00:ea:01:02:7b:a2:00:21:a0:ce:9d:24:08:00 SRC=189.58.247.199
DST=64.233.163.103 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=13252 DF
PROTO=TCP SPT=1388 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x1

Jan 6 11:24:58 hyper kernel: iptables IN=eth0 OUT=
MAC=00:ea:01:02:7b:a2:00:21:a0:ce:9d:24:08:00 SRC=189.58.246.108
DST=65.54.48.74 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=17259 DF PROTO=TCP
SPT=42895 DPT=80 WINDOW=216 RES=0x00 ACK FIN URGP=0 MARK=0x1

   This could/should be a squid problem, then, right?

   Or is there a proc entry somewhere that could be screwing with me?

   I can post the /proc entries if it would help you guys to help me :-)

  Thanks,

Felipe Damasio
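As an added example (not from the post, and not Squid's or netfilter's own code), here is a small Python parser for the iptables LOG records quoted above, with a summary that checks whether the packets reaching the box actually carry the MARK the TPROXY rules are supposed to set. The two sample records are constructed from the ones shown in the post, re-joined onto one line each (the archive wrapped them); the expected mark value 0x1 is taken from those records.

```python
import re
from collections import Counter

# Constructed sample: the two records quoted in the post, one per line,
# as a LOG target with --log-prefix "iptables " would write them to syslog.
SAMPLE_LOG = """\
Jan 6 11:24:58 hyper kernel: iptables IN=eth0 OUT= MAC=00:ea:01:02:7b:a2:00:21:a0:ce:9d:24:08:00 SRC=189.58.247.199 DST=64.233.163.103 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=13252 DF PROTO=TCP SPT=1388 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x1
Jan 6 11:24:58 hyper kernel: iptables IN=eth0 OUT= MAC=00:ea:01:02:7b:a2:00:21:a0:ce:9d:24:08:00 SRC=189.58.246.108 DST=65.54.48.74 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=17259 DF PROTO=TCP SPT=42895 DPT=80 WINDOW=216 RES=0x00 ACK FIN URGP=0 MARK=0x1
"""

# Bare tokens the LOG target emits without a "key=" part.
BARE_FLAGS = {"DF", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_iptables_log(line):
    """Parse one iptables LOG record into a dict of key=value fields.

    Bare flag tokens (DF, SYN, ACK, FIN, ...) go into a 'flags' set.
    Returns None for syslog lines that are not kernel log records."""
    if "kernel:" not in line:
        return None
    _, _, body = line.partition("kernel:")
    rec = {"flags": set()}
    for tok in body.split():
        key, eq, val = tok.partition("=")
        if eq:                      # e.g. SRC=189.58.247.199, OUT= (empty)
            rec[key] = val
        elif tok in BARE_FLAGS:     # e.g. SYN, ACK, FIN, DF
            rec["flags"].add(tok)
    return rec


def summarize(lines, expected_mark="0x1"):
    """Count records, new connections (SYN without ACK), records per input
    interface, and how many do / do not carry the expected TPROXY mark."""
    stats = Counter()
    for rec in (parse_iptables_log(l) for l in lines):
        if rec is None:
            continue
        stats["records"] += 1
        stats["in:" + rec.get("IN", "")] += 1
        if "SYN" in rec["flags"] and "ACK" not in rec["flags"]:
            stats["new_connections"] += 1
        stats["marked" if rec.get("MARK") == expected_mark else "unmarked"] += 1
    return stats


if __name__ == "__main__":
    for key, count in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(f"{key:16} {count}")
```

Running it against a real `/var/log/kern.log` (`summarize(open(path))`) shows whether the 60000-user surge still produces marked packets on eth0 or whether they stop arriving altogether, which separates a netfilter/routing problem from a Squid one.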
Received on Wed Jan 06 2010 - 19:05:32 MST
