[squid-users] Re: transparent (intercepting?) without wccp, options?

From: Ezequiel Birman <stormwatch_at_espiga4.com.ar>
Date: Mon, 02 Jul 2012 23:05:58 -0300

>>>>> "Eliezer" == Eliezer Croitoru <eliezer_at_ngtech.co.il> writes:

> Hey there Ezequiel, the Cisco RV042 is a nice product but.. 100
> users on this device might not be the problem. I think that the
> main problem is the WAN connections themselves. If it's a cable
> line with 6 and 3 Mbps, bandwidth is the problem and not routing.
> 100 users means that each user gets about 9 Kbps if it is
> divided equally. In the case that most of your bandwidth usage is
> HTTP, Squid can help you. I would first make a basic analysis
> of the network traffic and make sure what is consuming the speed.
> Instead of doing some tricks and replacing the RV042 I would start
> with a Linux bridge between the switch and the RV042.

I think you are right, and since upload speeds are even slower, that must
be the culprit.

> You can use this box to analyze the network traffic with just
> 2 NICs. Also you can block P2P using the ipp2p iptables module and
> use squid+tproxy to serve cached content.

> I have used this setup with Ubuntu before and it had the desired effect!
> Today Ubuntu 12.04 LTS will give you everything you need. If you
> want you can add SNMP and other tools for graphing and other
> stuff..

> With Squid as a bridge you do not need to bother yourself with the
> WAN settings/load balancing and setting the Linux box up as DHCP or
> routing stuff. What I would recommend for you in this kind of
> setup is to make the Squid box the DNS server (cache and forward
> DNS).

From what I gather, Squid is capable of caching DNS, right? Or will I
need BIND too?

> Using this setup you can test settings very easily on part of the
> clients or on a test computer.

> For network usage analysis you can use ntop; it also gives P2P and
> other protocol detection.

I am trying it right now, nice!

> So the setup I propose is not from your list:

> 5)  wan1---+--------+    +------------+
>            | RV042  |----|squid\bridge|--switch-+--[lan clients]
>     wan2---+--------+    +------------+

> - RV042 = LB and WAN gateway.
> - squid = bridge + NTOP + P2P block/throttling + HTTP cache

Thanks, I am giving it a try.

I'll start by following

http://wiki.squid-cache.org/ConfigExamples/Intercept/DebianWithRedirectorAndReporting

which seems similar to what I am trying to achieve. If I am mistaken,
please let me know.

and also most of
http://wiki.squid-cache.org/Features/Tproxy4

> Things you should consider about pfSense and ClearOS:
> - they do have a nice web interface but lack updated software.
> - they take up more from your machine than you need.
> - they leave you in the big cloud of "what the h### happened when I did apply???"

> About accessing Squid in this setup: the box is behind NAT so
> it's OK, and if you ever decide that you want the Squid box to
> take over the RV042's LB and DHCP you can just use iptables to block
> access to the Squid port, or bind Squid only to the local net port, and
> of course the basic way of ACLs to allow only local users access.

> About content filtering: I prefer to use SquidGuard and not
> DansGuardian. There is always the option of using some ICAP server
> such as qlproxy.

> About cache: I have composed a nice method to cache YouTube and
> some other dynamic-content video sites using ICAP and Squid. (Now
> working on embedding filtering in my ICAP server based on public
> blacklists.)

Maybe I'll try that after basic HTTP :)

> It's a nice project you have there.

> I will be happy to talk with you about it.

> Regards, Eliezer

> --
> Eliezer Croitoru
> https://www1.ngtech.co.il
> IT consulting for Nonprofit organizations
> eliezer <at> ngtech.co.il

Thanks for sharing your insights.

-- 
Ezequiel Birman
Received on Tue Jul 03 2012 - 02:00:09 MDT
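As an added illustration (not from this thread, and not the Squid project's own documentation) of the access-restriction advice quoted above, combined with the Features/Tproxy4 recipe Ezequiel links: a squid.conf fragment for the bridge box, with the kernel-side rules in comments. The bridge name br0, the LAN address 192.168.1.2, the prefix 192.168.1.0/24 and the port numbers are assumed placeholders.

```conf
# squid.conf fragment for the squid/bridge box (added example).
# Assumptions: bridge interface br0 carries the LAN; the box's own LAN
# address is 192.168.1.2; clients live in 192.168.1.0/24.

# Explicit proxy port, bound only to the LAN-side address so it is not
# reachable from the WAN side even if the RV042's NAT ever goes away.
http_port 192.168.1.2:3128

# TPROXY intercept port. It only ever receives port-80 traffic diverted
# by the kernel rules below; clients should never connect to it directly.
http_port 3129 tproxy

# Who is local. Everything else is denied by the final rule.
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT

# Order matters: the first matching http_access line wins.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all

# Kernel-side rules, run as root, that divert bridged port-80 TCP into
# the tproxy port above (the ebtables/iptables/ip lines follow the
# Features/Tproxy4 wiki page; the final DROP is this example's addition):
#
#   ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
#       --ip-destination-port 80 -j redirect --redirect-target ACCEPT
#   ip rule add fwmark 1 lookup 100
#   ip route add local 0.0.0.0/0 dev lo table 100
#   iptables -t mangle -N DIVERT
#   iptables -t mangle -A DIVERT -j MARK --set-mark 1
#   iptables -t mangle -A DIVERT -j ACCEPT
#   iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
#   iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
#       --tproxy-mark 0x1/0x1 --on-port 3129
#
#   TPROXY does not rewrite the packet's destination port (intercepted
#   flows still carry dport 80), so dropping direct connections to 3129
#   does not affect interception; it only closes the port to anyone who
#   addresses it deliberately:
#   iptables -A INPUT -p tcp --dport 3129 -j DROP
```

After changing the ACLs, `squid -k parse` checks the file and `squid -k reconfigure` applies it without dropping the bridge.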

This archive was generated by hypermail 2.2.0 : Tue Jul 03 2012 - 12:00:02 MDT