Re: [squid-users] Help! one more time on Squid3.HEAD(20110307), TPROXY4 and Iptables 1.4.9 + ebtables

From: Jim Binder <jbinder_at_cyphort.com>
Date: Sat, 19 Mar 2011 10:38:36 -0700

Think I finally figured it out... It was internal routing as I had expected. Remember, eth0 (inside), eth1 (admin), eth2 (inet)...

The issue was that I had two interfaces on the same network 192.168.1.x... (br0 and eth1), one being the bridge (br0) and the other being the admin interface I was using (addr. via DHCP). Because it was the first entry in the route table to the network, Linux wasn't sending packets from squid into the bridge.

This works:

192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.88
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.91
default via 192.168.1.254 dev eth1
default via 192.168.1.254 dev br0

This doesn't:

192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.91
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.88
default via 192.168.1.254 dev br0
default via 192.168.1.254 dev eth1

My simple solution was to release the ip addr of eth1 (dhcp -r eth1) and then assign dhcp to br0 and then re-dhcp eth1.

Have to think about whether I can craft a policy to do the right thing regardless of order without having to release eth1. Till then it works fine.

You might want to update the twiki.

On Mar 16, 2011, at 4:25 AM, Amos Jeffries wrote:

> On 16/03/11 22:03, Jim Binder wrote:
>> Amos,
>>
>> Back at it again tonight -- So, when you did this (and I'm assuming you have -- maybe incorrectly ); ) how many NICs did you have enabled?
>>
>
> I've only had login with one client machine briefly that was doing it. Worked perfectly. The rest, including coding has been completely done on theory with others doing the hands-on tests. Sorry :(
>
> The easy setups have 2 NICs to keep the client->Squid and Squid->Internet packets physically separated. The netfilter guys came up with some MAC-based rules that can work for one NIC on the Squid box when it's hanging directly off a border router (which then needs 3 NICs).
>
>> Also, for grins, I just to Ubuntu 11.04 with same config and tested with both 2.7Stable9 and 3.HEAD and still get it to work.
>>
>
> ? "still get it to work"? Are you missing the words "could not" there?
>
> I know 10.10 lacks libcap2 and has some funky customizations in the kernel which break it. Those probs were supposed to be fixed in 11.04 though.
>
> Say what exact version of libcap-2.* do you have compiled into Squid?
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.11
> Beta testers wanted for 3.2.0.5

James S. Binder
Vice President, Engineering

jbinder_at_cyphort.com
408.761.1403 (cell)

Received on Sat Mar 19 2011 - 17:38:43 MDT
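The route-order effect Jim describes, and the policy-routing approach he says he still has to think about, as an added example that is not part of the post and not kernel code: a small Python model of how Linux picks an output route (longest prefix, then lowest metric, then the entry listed first, i.e. added first) run over the two route tables from the message, plus a constructed `ip rule`-style source selector that sends traffic from the bridge address through a table that only knows br0, so the order of the two 192.168.1.0/24 entries in the main table stops mattering. The destination 192.168.1.50, the table name "bridge", the rule priorities and the function names are assumptions of this example.

```python
# Constructed model of Linux output-route selection, illustrating why the order of
# two equal 192.168.1.0/24 routes decided which interface Squid's packets left on.
# Added example: a simulation, not kernel code and not code from the mailing list.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network   # destination prefix; 0.0.0.0/0 for "default"
    dev: str
    metric: int = 0                 # iproute2 "metric"; equal metrics tie on order
    via: Optional[str] = None
    src: Optional[str] = None


def parse_route(line: str) -> Route:
    """Parse one line of `ip route show` output (only the keywords seen in the post)."""
    tokens = line.split()
    dst = tokens[0]
    route = Route(prefix=ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst), dev="")
    i = 1
    while i < len(tokens):
        key = tokens[i]
        val = tokens[i + 1] if i + 1 < len(tokens) else None
        if key == "dev":
            route.dev = val
        elif key == "via":
            route.via = val
        elif key == "src":
            route.src = val
        elif key == "metric":
            route.metric = int(val)
        else:                       # "proto kernel", "scope link": no effect on selection
            i += 1
            continue
        i += 2
    return route


def lookup(table: list, dst: str) -> Route:
    """Route the kernel would use for a packet to dst.

    Longest prefix wins; among equal prefixes the lowest metric wins; among equal
    metrics the entry that appears first in `ip route show` (the one added first)
    wins. That last tie-break is exactly what the post ran into.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for position, route in enumerate(table):
        if addr not in route.prefix:
            continue
        rank = (-route.prefix.prefixlen, route.metric, position)
        if best is None or rank < best[0]:
            best = (rank, route)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def policy_lookup(rules: list, tables: dict, dst: str, src: str) -> Route:
    """Minimal model of `ip rule`: (priority, from_prefix_or_None, table_name).

    Rules are tried in priority order; a rule with a source selector applies only
    to packets from that prefix, and a table with no matching route falls through.
    """
    for _prio, from_prefix, table_name in sorted(rules, key=lambda r: r[0]):
        if from_prefix is not None and ipaddress.ip_address(src) not in ipaddress.ip_network(from_prefix):
            continue
        try:
            return lookup(tables[table_name], dst)
        except LookupError:
            continue
    raise LookupError(f"no route to {dst} from {src}")


def _table(text: str) -> list:
    return [parse_route(line) for line in text.splitlines() if line.strip()]


# The two main tables quoted in the post ("This works" / "This doesn't").
WORKING = _table("""
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.88
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.91
default via 192.168.1.254 dev eth1
default via 192.168.1.254 dev br0
""")
BROKEN = _table("""
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.91
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.88
default via 192.168.1.254 dev br0
default via 192.168.1.254 dev eth1
""")

# Constructed policy-routing fix: a table that only knows the bridge, selected by the
# bridge's own source address, consulted before the main table.
BRIDGE_TABLE = _table("""
192.168.1.0/24 dev br0 scope link src 192.168.1.88
default via 192.168.1.254 dev br0
""")
RULES = [(100, "192.168.1.88/32", "bridge"), (32766, None, "main")]


def egress_devices(lan_host: str = "192.168.1.50") -> dict:
    """Interface a packet to a LAN host leaves on under each setup (constructed host)."""
    tables = {"main": BROKEN, "bridge": BRIDGE_TABLE}
    return {
        "working_main": lookup(WORKING, lan_host).dev,                              # br0
        "broken_main": lookup(BROKEN, lan_host).dev,                                # eth1
        "broken_with_policy": policy_lookup(RULES, tables, lan_host, "192.168.1.88").dev,  # br0
        "broken_admin_src": policy_lookup(RULES, tables, lan_host, "192.168.1.91").dev,    # eth1
    }


if __name__ == "__main__":
    for name, dev in egress_devices().items():
        print(f"{name}: {dev}")
```

On a real box the selector modelled by `RULES` and `BRIDGE_TABLE` is standard iproute2: `ip route add 192.168.1.0/24 dev br0 src 192.168.1.88 table 100`, `ip route add default via 192.168.1.254 dev br0 table 100` and `ip rule add from 192.168.1.88 lookup 100`. One caveat for the TPROXY case in the subject line: packets Squid sends on an intercepted connection carry the client's address, not 192.168.1.88, so a rule keyed on the bridge's own source address does not cover them; the usual TPROXY deployments key the rule on a firewall mark instead (`ip rule add fwmark ... lookup ...`), which this model does not include.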
