Re: [squid-users] Dual homed squid under XP problems

From: Amos Jeffries <>
Date: Thu, 25 Aug 2011 02:02:05 +1200

On 25/08/11 00:26, knapper wrote:
> ----- Original Message -----
> From: "Amos Jeffries"
>> FWIW; nothing you talk about below has anything to do with
>> being dual-homed (connected to _three_ networks, two being
>> Internet links).
> Thanks.
>> What you are describing is a perfectly normal router setup
>> with Squid on the router, which happens to run Windows XP.
> Well in this case XP is NOT the router.
> That is handled by a separate router firewall.

So you have two routers: the squid box and the primary one.

Physical wiring:

Anyways, my point being this is normal standard config. :)

>>> XP PRO with 2 nics. I need to set squid up to serve as a
>>> proxy server on one nic, and the other nic is the network
>>> interface.
>>> Nic A:
>>> is the Dell server box and it points to 0.1
>>> for the internet gateway.
>>> I can browse the internet just fine without squid.
>>> Nic B is the second nic in the Dell box,
>>> and this is hooked to a WAP for the laptops in the small
>>> school.
>>> (not sure where to point its gateway, but I don't think
>>> pointing it to 0.195 is going
>>> to work).
>>> I want to configure squid to listen on the 9.x network, and
>> http_port
>>> relay, and cache the traffic out the 0.x network. This way
>> acl localnet src
>> http_access allow localnet
> I'm confused here. http access needs to be limited to the
> 9.x network I think.

Oops, yes you are right there.

> The local network will be the 9.x network, which are the
> school's laptops. They communicate
> over the wireless router (a D-Link) which is attached to a
> NIC, that has the address
> Ideally, the other nic will just attach to a DSL
> modem/gateway, and maybe the teacher's laptop.
> The one wrinkle in that is the possibility of having to use
> a Cellular "dongle" because DSL is not available at the
> school. Essentially, that is a USB device that acts as a
> modem, and installs as any
> other network card. In that case, the "dongle" will be
> attached to the box that squid wants to run on, and I'll
> have to configure squid to use *its* ip address.

That would be up to the OS. All Squid does is open connections. Possibly
with tcp_outgoing_address to force a particular IP address.

> o.k. some questions here, what is the tcp_outgoing_address
> config line for?
> I was trying to use it to force traffic out.

The "source" IP address on Squid->Internet TCP connections. Should be
completely optional.
  You could use it as an extra safety precaution to avoid firewall
issues with the strict firewall rules I assume you will be adding. It
can to prevent things like the OS unexpectedly giving Squid a TCP
connection " -> *.*.*.* " for Internet requests.
  You can set the firewall with certainty that IP X will be used by
squid outbound.

> The squid service is currently just hanging.
>> Ah students. That scenario is one I'm quite familiar with.
> PreK - 8th
>> When working with squid in school situations you will
>> usually need to set it up as a captive portal proxy to
>> prevent a lot of trivial bypassing.
> This is why I want the actual access to the internet to be
> on the 0.x network, and only allow the students access to it
> THROUGH the cache side of squid.

Of course.

I should mention, you won't be able to use any of the transparent
interception tricks due to Windows not having NAT support.

>> Look into blocking port 80 and other aliases of it getting
>> to the Internet. Adding WPAD protocol to the network and a
>> PAC file doing auto-configuration of browsers to use the proxy.
> I'm lost on this one, will have to go look these up.

>> The squid langpack bundles ship customizable error pages
>> that can be displayed in a captive-portal setup to
>> instruct the users to configure their browser properly for portals.
>> At which point you don't need NetNanny for HTTP. Squid
>> provides a full array of URL and request controls. It passes
>> traffic to other software (via HTTP or in 3.1+ via ICAP/eCAP)
>> for the complex jobs of handling page content filtering.
>> NP: NetNanny is not one of those other software AFAIK.
> NetNanny is designed to run on one machine, and intercept
> browser traffic from that machine and
> filter it.
> I need to fake it into thinking it is protecting just one
> machine, the "server", so it would be getting the
> requests out to 0.1 since it would be running with that as
> its gateway. It is a pretty comprehensive
> filtering package.
> I believe that by running squid on one side, using it to
> cache content, and then pass content to the 0.1 side, that
> NetNanny will work on the 0.1 side, block any proxy
> bypasses, but happily send data
> back to the squid side.

Interesting. Might work. Depends on exactly what that anti-proxy
functionality they were talking about does.

> here is the config file that I tried to use. (I stripped all
> the comments out of this
> copy that I'm sending)
> Can you take a quick look and tell me what I need to change,
> and what I can delete.
<snip, ignoring okay bits>
> #
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src # RFC1918 possible internal network
> acl localnet src # RFC1918 possible internal network
> acl localnet src # RFC1918 possible internal network

Those bits, like they say, are examples. Replace the localnet lines
above with the one for

<snip, ignoring okay bits>
> # http_access deny all

Weird, but could cause you confusion later. Can erase that commented-out line.

> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports

There is "http_access allow localnet" missing right here.

> http_access deny all
> icp_access allow localnet
> icp_access deny all
> htcp_access allow localnet

ICP and HTCP are for proxy-to-proxy communications.
If you don't need it right now, set them to just "deny all" and make sure
the matching icp_port/htcp_port are set to 0. It can easily be set up later.

> # Squid normally listens to port 3128
> #http_port 3128
> http_port no-connection-auth transparent
> http_port no-connection-auth transparent
> http_port no-connection-auth transparent

This "transparent" could be part of the cause of your hang.

  ** Windows does not provide NAT.

Best you can do is use GPO policy and/or the WPAD protocol to do
"transparent configuration"/auto-configuration on the network.
The squid part of that is a regular proxy port like "http_port 3128".

> #internal nic 1
> #acl normal_service_net src

NP: definitely not /8. Parts outside of the 192.168.*.*/16 are allocated
to real organizations elsewhere.

> #second nic to internet appliance
> tcp_outgoing_address

This would be another part of the hang.

** Set to an IP on the Squid box facing the Internet. Or erase.

Otherwise it looks okay.


Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.14
   Beta testers wanted for
Received on Wed Aug 24 2011 - 14:03:38 MDT
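The points raised in the reply above (the missing "http_access allow localnet" before "deny all", localnet ranges that also cover the Internet-facing side, "transparent" on an OS without NAT, ICP/HTCP left enabled, and an empty tcp_outgoing_address) can be checked mechanically. The script below is an added example, not code from the thread or from the Squid project; it embeds a constructed "before" config modelled on the one quoted above and a corrected "after" fragment. The addresses 192.168.9.0/24 (the "9.x" student network), 192.168.9.1 and 192.168.0.195 are assumptions standing in for the values the archive stripped, and the corrected fragment assumes the stock manager/localhost/Safe_ports/SSL_ports acls that were snipped as fine.

```python
"""Static checks for the squid.conf problems discussed in this thread (added example)."""
import ipaddress

# Constructed addresses for the scenario (assumptions, not from the thread):
# student wireless NIC 192.168.9.1, Internet-facing NIC 192.168.0.195.
BOX_IPS = {"192.168.9.1", "192.168.0.195"}
WAN_IP = "192.168.0.195"

FLAWED_CONF = """\
acl localnet src 10.0.0.0/8      # stock RFC1918 example lines left in place
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
icp_access allow localnet
icp_access deny all
htcp_access allow localnet
http_port 192.168.9.1:3128 no-connection-auth transparent
tcp_outgoing_address
"""

FIXED_CONF = """\
acl localnet src 192.168.9.0/24  # assumed student wireless subnet only
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
icp_access deny all
icp_port 0
htcp_access deny all
htcp_port 0
http_port 192.168.9.1:3128 no-connection-auth
tcp_outgoing_address 192.168.0.195
"""


def parse_squid_conf(conf):
    """Split squid.conf text into (directive, args) pairs, dropping blanks and # comments."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            words = line.split()
            rules.append((words[0], words[1:]))
    return rules


def check_squid_conf(conf, box_ips, wan_ip):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    rules = parse_squid_conf(conf)
    wan = ipaddress.ip_address(wan_ip)

    # 1. acl localnet must list real networks, none of which may cover the Internet side.
    for d, args in rules:
        if d == "acl" and args[:2] == ["localnet", "src"]:
            nets = args[2:]
            if not nets:
                findings.append("acl localnet src has no network listed")
            for net in nets:
                if wan in ipaddress.ip_network(net, strict=False):
                    findings.append(f"acl localnet src {net} also covers the Internet-facing NIC {wan_ip}")

    # 2. http_access is first-match: 'allow localnet' must come before 'deny all'.
    access = [args for d, args in rules if d == "http_access"]
    deny_all_at = access.index(["deny", "all"]) if ["deny", "all"] in access else len(access)
    if ["allow", "localnet"] not in access[:deny_all_at]:
        findings.append("no 'http_access allow localnet' before 'http_access deny all'; clients are denied")

    # 3. Interception modes on http_port need NAT, which Windows does not provide.
    for d, args in rules:
        if d == "http_port":
            if not args:
                findings.append("http_port has no port")
            elif any(opt in ("transparent", "intercept") for opt in args[1:]):
                findings.append(f"http_port {args[0]} uses interception; use a plain proxy port instead")

    # 4. ICP/HTCP are proxy-to-proxy protocols; flag them when enabled on a single proxy.
    for d, args in rules:
        if d in ("icp_access", "htcp_access") and args[:1] == ["allow"]:
            proto = d.split("_")[0]
            findings.append(f"{d} allow: only needed proxy-to-proxy; otherwise deny all and set {proto}_port 0")

    # 5. tcp_outgoing_address must be an address this box actually owns.
    for d, args in rules:
        if d == "tcp_outgoing_address":
            if not args:
                findings.append("tcp_outgoing_address has no address; set the Internet-facing IP or remove it")
            elif args[0] not in box_ips:
                findings.append(f"tcp_outgoing_address {args[0]} is not an address on this box")
    return findings


if __name__ == "__main__":
    for name, conf in (("flawed", FLAWED_CONF), ("fixed", FIXED_CONF)):
        print(f"== {name} ==")
        for f in check_squid_conf(conf, BOX_IPS, WAN_IP) or ["no findings"]:
            print(" -", f)
```

Run it as-is to see the six findings on the "before" config and none on the "after"; point `check_squid_conf` at your own squid.conf text and the real addresses of the two NICs to reuse it. The ordering check is the important one: squid stops at the first matching http_access line, so a "deny all" placed before "allow localnet" silently rejects every client.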