Re: [squid-users] Re: bridge +tproxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 17 Sep 2011 20:53:59 +1200

On 17/09/11 09:36, Saurabh Agarwal wrote:
> Hi,
>
> Can any of you guys suggest what must be done with the routes in the
> following case :
>
> 221.222.211.1
> (router /gateway) --> switch --> tproxy + bridge --> super natting AAA
> device --> end users
> | |--> unused
> |--> unused
> I am using the same config. for TPROXY and Bridge as mentioned above.
>
> Now the problem arises when we are setting the routes for subnets in the
> super natting device as the device does SNAT from the pool of 255, 32, 64
> global IPs but these IPs are on different subnets than the squid server and
> also there is a universal gateway for the whole network which has its own
> subnet (/30).
>
> The squid server also has its own subnet (/29) (a big IP pool has been
> divided into many small IP pools).
>
> I try to set following rules for each subnet
> ip route add x.y.z.a/24 dev br0 table 200 proto kernel scope link
> ip route add default via 221.222.211.1 dev br0 table 200
> ip rule add from x.y.z.a/24 lookup 200
> ip rule add to x.y.z.a/24 lookup 200
>
> But I am not able to route the data properly.

Some questions that might help get closer to an idea of the answer:

  * are packets visible on br0 after they have been DROPped off the
bridge into TPROXY routing?

  * does "add local 0.0.0.0/0" instead of from/to versions work better?
The config we got from the kernel authors does not mention from/to.

Background info:
  Squid with TPROXY operates similarly to a regular bridge, even when
operating on a router. The proxy is not visible at the TCP-level; all
that happens is that the IP-level source port changes as it passes
through Squid outbound, and the destination port on return traffic.
  The Squid server will only make use of its assigned IP subnet for
background traffic like DNS lookups.

So... as you can see the NAT and other systems outside the Squid box
should have little relevance. Including their IP ranges. As long as they
ensure the packets symmetrically pass through the Squid box/bridge it
"just works".

That said, the routing table on the Squid box is relevant for all
outgoing packets. So rules to route the global destination out your WAN
interface and local destinations out your LAN interface are needed.
Nothing special.

TPROXY debugging usually comes down to double-checking the config rules
and tracing every possible trace point along the intended packet
pathways, confirming that the packets are showing up correctly at each
one, and finding the particular step where they disappear.

HTH
Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.15
   Beta testers wanted for 3.2.0.12
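Amos's two suggestions above are to try a `local 0.0.0.0/0` route instead of the from/to rules, and to double-check the config rules before tracing packets. The following is an added example, not code from this thread or from the Squid project: a small checker that parses captured `ip rule show` and `ip route show table N` output and reports whether the policy routing looks like what TPROXY needs (a fwmark rule pointing at a table whose job is `local default dev lo`) or like the from/to selectors in the question. The fwmark value 1 and table number 100 are assumptions taken from the commonly documented Squid TPROXY setup; the sample `ip` output and the 192.0.2.0/24 and 198.51.100.1 addresses are constructed for the example.

```python
import re

# Constructed sample of `ip rule show` on a TPROXY box configured the
# commonly documented way (fwmark 1 -> table 100 are assumed values).
GOOD_RULES = """\
0:\tfrom all lookup local
32765:\tfrom all fwmark 0x1 lookup 100
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""
# Constructed sample of `ip route show table 100` on the same box.
GOOD_TABLE_100 = "local default dev lo scope host\n"

# Constructed sample shaped like the from/to rules in the question.
# 192.0.2.0/24 and 198.51.100.1 are documentation addresses, not real ones.
BAD_RULES = """\
0:\tfrom all lookup local
32764:\tfrom 192.0.2.0/24 lookup 200
32765:\tto 192.0.2.0/24 lookup 200
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""
BAD_TABLE_200 = """\
192.0.2.0/24 dev br0 proto kernel scope link
default via 198.51.100.1 dev br0
"""

RULE_LINE = re.compile(r"^(\d+):\s+(.*?)\s*$")
# `ip route` prints the 0.0.0.0/0 route as "default"; accept both spellings.
LOCAL_DEFAULT = re.compile(r"^local (?:default|0\.0\.0\.0/0) dev lo\b")


def parse_rules(rules_text):
    """Yield (priority, tokens) for each rule line of `ip rule show` output."""
    for line in rules_text.splitlines():
        m = RULE_LINE.match(line)
        if m:
            yield int(m.group(1)), m.group(2).split()


def find_fwmark_table(rules_text, mark=1):
    """Return the table that the `fwmark <mark>` rule points at, or None."""
    for _prio, tok in parse_rules(rules_text):
        if "fwmark" in tok and "lookup" in tok:
            raw = tok[tok.index("fwmark") + 1].split("/")[0]  # drop any /mask
            if int(raw, 0) == mark:                          # accepts 0x1 or 1
                return tok[tok.index("lookup") + 1]
    return None


def check_tproxy_routing(rules_text, tables, mark=1):
    """Return a list of findings; an empty list means the routing looks right.

    TPROXY needs marked packets steered to a table whose only route is
    `local default dev lo`, so they are delivered to the local socket Squid
    listens on instead of being forwarded. `tables` maps table name -> the
    text of `ip route show table <name>`.
    """
    findings = []
    table = find_fwmark_table(rules_text, mark)
    if table is None:
        findings.append(f"no 'ip rule add fwmark {mark} lookup <table>' rule; "
                        "marked packets fall through to the main table")
    else:
        routes = tables.get(table, "")
        if not any(LOCAL_DEFAULT.match(r.strip()) for r in routes.splitlines()):
            findings.append(f"table {table} has no 'local default dev lo' route; "
                            f"add it with: ip route add local 0.0.0.0/0 dev lo table {table}")
    # from/to selectors (as in the question) route by address, not by the
    # TPROXY mark, so they never deliver intercepted packets to Squid.
    for prio, tok in parse_rules(rules_text):
        if tok[0] in ("from", "to") and tok[1] != "all" and "lookup" in tok:
            findings.append(f"rule {prio} selects by '{tok[0]} {tok[1]}', not by fwmark; "
                            "TPROXY intercepts need the mark-based rule")
    return findings


def tproxy_routing_commands(mark=1, table=100):
    """The two routing commands TPROXY needs (mark and table values assumed)."""
    return [f"ip rule add fwmark {mark} lookup {table}",
            f"ip route add local 0.0.0.0/0 dev lo table {table}"]


if __name__ == "__main__":
    for name, rules, tables in (("good", GOOD_RULES, {"100": GOOD_TABLE_100}),
                                ("question", BAD_RULES, {"200": BAD_TABLE_200})):
        for finding in check_tproxy_routing(rules, tables) or ["OK"]:
            print(f"{name}: {finding}")
```

On a live box the same checks apply to the output of `ip rule show` and `ip route show table <N>`; the routing rules are only half of the path, since the packets must also be marked by the firewall's TPROXY/socket-match rules before the fwmark rule can ever select them, so a clean result here still leaves the firewall side to trace.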
Received on Sat Sep 17 2011 - 08:54:06 MDT

This archive was generated by hypermail 2.2.0 : Sat Sep 17 2011 - 12:00:02 MDT