Re: [squid-users] transparent (intercepting?) without wccp, options?

From: Eliezer Croitoru <>
Date: Sun, 01 Jul 2012 19:06:14 +0300

hey there Ezequiel,
the Cisco RV042 is a nice product but..
100 users on this device might not be the problem.
i think that the main problem is the wan connections them-self.
if it's a cable line with 6 and 3 Mbps bandwidth is the problem and not
100 users means that each user gets about 9 Kbps if will be divided equally.
in the case that most of your bandwidth usage is http the squid can help
i would first make a basic analysis of the network traffic and make sure
what is consuming the speed.
instead of doing some tricks and replacing the RV02 i would start with
linux bridge between the switch and the RV042.

you can use this box to analyze the network traffic and with just 2 nics.
also you can block p2p using ipp2p iptables module and use squid+trpoxy
to serv cache content.

i have used this setup with ubuntu before and it made the effect!.
today ubuntu 12.04 LTS will give you everything you need.
if you want you can add snmp and other tools for graphing and other stuff..

with squid as bridge you do not need to bother yourself with the wan
settings\load balancing and setting the linux box as dhcp or routing stuff.
what i would recommend for you in this kind of setup is to make the
squid box as dns server(cache and forward dns).

using this setup you can test settings very easily on part of the
clients or test computer.

for network usage analysis you can use ntop, it also gives p2p and other
protocols detection.

so the setup i propose is not from your list:

wan1---+--------+ +------------+
        | RV042 |---|squid\bridge|--switch-+--[lan clients]
wan2---+--------+ +------------+

- RV042 = LB and wan gatway.
- squid = brdige + NTOP + p2p block\throttling + http cache

things you should consider about pfsense and ClearOS:
- they do have nice web interface but lack updated software.
- they take up from your machine more then you need.
- they leave you in the big cloud of "what to h### happen when i did

about accessing the squid in this setup the box is behind nat so it's ok
and if you will every decide that you want the squid to take over the
RV042 LB and dhcp you can just use iptables to block access to squid
port or bind squid only to local net port and of-course the basic way of
acls to allow only local users access.

about content filtering:
i prefer to use squidguard and not danshguardian.
there always the option of using some icap server such as qlprpxy.

about cache:
i have composed a nice method to cache youtube and some other dynamic
content video sites using icap and squid.
(now working on embedding filtering in my icap server based on public

it's a nice project you have there.

i will be happy to talk with you about it.


Eliezer Croitoru
IT consulting for Nonprofit organizations
eliezer <at>
Received on Sun Jul 01 2012 - 16:06:22 MDT

This archive was generated by hypermail 2.2.0 : Tue Jul 03 2012 - 12:00:02 MDT