[squid-users] Re: transparent (intercepting?) without wccp, options?

From: Ezequiel Birman <stormwatch_at_espiga4.com.ar>
Date: Wed, 04 Jul 2012 00:54:26 -0300

>>>>> "Eliezer" == Eliezer Croitoru <eliezer_at_ngtech.co.il> writes:

> On 7/3/2012 5:05 AM, Ezequiel Birman wrote:
>>>>>>> "Eliezer" == Eliezer Croitoru <eliezer_at_ngtech.co.il> writes:
>>
>> > hey there Ezequiel, the Cisco RV042 is a nice product but.. 100
>> > users on this device might not be the problem. i think that the
>> > main problem is the wan connections themselves. if it's a cable
>> > line with 6 and 3 Mbps bandwidth is the problem and not routing.
>> > 100 users means that each user gets about 9 Kbps if it will be
>> > divided equally. in the case that most of your bandwidth usage is
>> > http the squid can help you. i would first make a basic analysis
>> > of the network traffic and make sure what is consuming the speed.
>> > instead of doing some tricks and replacing the RV042 i would start
>> > with linux bridge between the switch and the RV042.
>>
>> I think you are right, and since upload speeds are even slower
>> that must be the culprit.
>>
>> > you can use this box to analyze the network traffic and with
>> > just 2 nics. also you can block p2p using ipp2p iptables module
>> > and use squid+tproxy to serve cache content.
>>
>> > i have used this setup with ubuntu before and it made the
>> > effect!. today ubuntu 12.04 LTS will give you everything you
>> > need. if you want you can add snmp and other tools for
>> > graphing and other stuff..
>>
>>
>> > with squid as bridge you do not need to bother yourself with
>> > the wan settings\load balancing and setting the linux box as
>> > dhcp or routing stuff. what i would recommend for you in this
>> > kind of setup is to make the squid box as dns server (cache and
>> > forward dns).
>>
>> From what I gather, squid is capable of caching DNS right? or
>> will I need bind too?
> you need also bind because the clients will query the server and
> not squid.. squid has an internal dns cache.

No problem, I've used bind before. Sorry to ask this on squid-users but
did anyone try pdnsd (http://members.home.nl/p.a.rombouts/pdnsd/),
pdns-recursor, dnsmasq (not sure if it caches/recurses), djbdns, dnrd,
unbound, yadifa or others? I ask because maybe a full-blown DNS server
is not needed this time.

>>
>> > using this setup you can test settings very easily on part of
>> > the clients or test computer.
>>
>> > for network usage analysis you can use ntop, it also gives p2p
>> > and other protocols detection.
>>
>> I am trying it right now, nice!
>>
>> > so the setup i propose is not from your list:
>>
>> > 5) wan1---+--------+   +------------+
>> >           | RV042  |---|squid\bridge|--switch-+--[lan clients]
>> >    wan2---+--------+   +------------+
>>
>> > - RV042 = LB and wan gateway.
>> > - squid = bridge + NTOP + p2p block\throttling + http cache
>>
>> Thanks, I am giving it a try.
>>
>> I'll start by following
>>
>> http://wiki.squid-cache.org/ConfigExamples/Intercept/DebianWithRedirectorAndReporting
>>
> this is a good way to start but it won't be a transparent proxy but
> a "nat" proxy but it can be good for your needs as anyway you have
> nat in the RV042.

Are you sure? The only mention of nat is in order to redirect port 80
to 3128 on the squid box. This is the intro:

"This document (based on this article[1] with some updates and
additions) explains how to put into production a Bridge device running a
Squid interception web proxy on a Linux Debian 6 system. Since the proxy
is performing transparent interception, LAN users are able to surf the
web without having to set manually the proxy address in their browser.

This document also details how to set up a few useful features such as
web filtering (via Squirm) and usage monitoring (via SARG).

First of all, you need a Linux box with two network interfaces that
we'll set up as a bridge. We'll assume that eth0 is connected downstream
to the LAN, while eth1 provides upstream access to the Internet."

>> which seems similar to what i am trying to achieve. If I am
>> mistaken, please let me know.
>>
>> and also most of http://wiki.squid-cache.org/Features/Tproxy4
> tproxy will give you the benefit of some graphing tools with a
> more accurate vision on your clients requests.

> update me

> Regards, Eliezer
>>
>> > things you should consider about pfsense and ClearOS:
>> > - they do have nice web interface but lack updated software.
>> > - they take up from your machine more than you need.
>> > - they leave you in the big cloud of "what to h### happen when i did apply???"
>>
>> > about accessing the squid in this setup the box is behind nat
>> > so it's ok and if you will ever decide that you want the squid
>> > to take over the RV042 LB and dhcp you can just use iptables to
>> > block access to squid port or bind squid only to local net port
>> > and of-course the basic way of acls to allow only local users
>> > access.
>>
>> > about content filtering: i prefer to use squidguard and not
>> > dansguardian. there is always the option of using some icap server
>> > such as qlproxy.

A quick google search tends to favor dansguardian. Why do you prefer
squidguard? Is it still being developed?

>>
>> > about cache: i have composed a nice method to cache youtube and
>> > some other dynamic content video sites using icap and squid.
>> > (now working on embedding filtering in my icap server based on
>> > public blacklists.)
>>
>> Maybe I'll try that after basic http :)
>>
>> > it's a nice project you have there.
>>
>> > i will be happy to talk with you about it.
>>
>> > Regards, Eliezer
>>
>> > --
>> > Eliezer Croitoru
>> > https://www1.ngtech.co.il
>> > IT consulting for Nonprofit organizations
>> > eliezer <at> ngtech.co.il
>>
>>
>> Thanks for sharing your insights.
>>

> --
> Eliezer Croitoru
> https://www1.ngtech.co.il
> IT consulting for Nonprofit organizations
> eliezer <at> ngtech.co.il

Footnotes:
[1] http://freecode.com/articles/configuring-a-transparent-proxywebcache-in-a-bridge-using-squid-and-ebtables

-- 
Ezequiel Birman
Received on Wed Jul 04 2012 - 03:47:07 MDT

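Worked example, added here and not part of the thread or of the Squid wiki page it links: a small POSIX sh script that prints the bridge and iptables rules for the "squid as bridge" layout sketched above (the port-80 REDIRECT, i.e. the "nat" proxy variant, not TPROXY) together with the squid.conf access list Eliezer mentions for keeping the proxy port local-only. The interface names, the LAN prefix and the Squid port are assumed values.

```shell
#!/bin/sh
# Added example, not from the thread or the Squid wiki page: it prints the
# bridge + NAT-redirect ("nat proxy") setup discussed above so the plan can be
# reviewed before being applied with:  gen_intercept_rules | sh
# Assumptions (constructed values): eth0 faces the LAN switch, eth1 faces the
# RV042, the LAN is 192.168.1.0/24 and Squid runs "http_port 3128 intercept".
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
SQUID_PORT=${SQUID_PORT:-3128}

gen_intercept_rules() {
    cat <<EOF
# 1. Both NICs become ports of br0 (br0 carries the box's own IP address).
ip link add name br0 type bridge
ip link set $LAN_IF master br0
ip link set $WAN_IF master br0
ip link set br0 up

# 2. iptables only sees bridged frames when br_netfilter is enabled
#    (a separate module on newer kernels, built into "bridge" on older ones).
modprobe br_netfilter 2>/dev/null || true
sysctl -w net.bridge.bridge-nf-call-iptables=1

# 3. Redirect LAN clients' port 80 to Squid. Matching on LAN_NET keeps
#    traffic coming from the RV042 side out of the proxy.
iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -p tcp --dport 80 \\
    -j REDIRECT --to-port $SQUID_PORT

# 4. Squid's port is reachable only from LAN addresses.
iptables -A INPUT -p tcp --dport $SQUID_PORT -s $LAN_NET -j ACCEPT
iptables -A INPUT -p tcp --dport $SQUID_PORT -j DROP
EOF
}

# squid.conf fragment: the ACLs are the last line of defence if the
# iptables rules above are ever loosened.
gen_squid_conf() {
    cat <<EOF
http_port $SQUID_PORT intercept
acl localnet src $LAN_NET
http_access allow localnet
http_access deny all
EOF
}

gen_intercept_rules
gen_squid_conf
```

Running the script only prints the two fragments; pipe the first into `sh` on the bridge box and copy the second into squid.conf once they have been reviewed.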