Re: [squid-users] WCCP2+tproxy and Cisco LNS

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Sat, 14 Jul 2012 12:43:15 +0300

On 7/13/2012 2:33 PM, Wayne Lee wrote:
> Hello List
>
> My first post here but have been using squid for a while.
>
> Trying to implement a transparent proxy for some of our DSL users.
> I've setup a test LNS on a Cisco 2821, the connections come in via the
> standard PPPoA and are sent via L2TP from the provider. Standard stuff
> which works. WCCPv2 is setup and working OK, I can see the packets
> arriving on the box. The trouble I'm having is that the packets are
> arriving on the squid box but don't seem to be diverted into squid
> daemon.
>
> Details
>
> LNS = Cisco 2821, (C2800NM-SPSERVICESK9-M), Version 12.4(3b). LNS is
> acting as a router on a stick (1 active interface)
>
> (IP's changed to protect the guilty. NAT is not used in this network)
>
> LNS IP = 172.16.254.253 /30
> LNS GW = 172.16.254.254 /30
> DSL user IP = 10.10.254.254 /32

SNIP>

if you could be more accurate about the cables setup and logic and not
just ip it can help understand things.

> Packet traces
>
> traffic from dsl connection directed via wccp to squid
>
> root_at_squid:~# !tcpdump
> tcpdump -niwccp0
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on wccp0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
> 12:19:54.287278 IP 10.10.254.254.46360 > 80.239.148.170.80: Flags [S],
> seq 975284290, win 13600, options [mss 1360,sackOK,TS val 2009935 ecr
> 0,nop,wscale 4], length 0
> 12:19:54.445694 IP 10.10.254.254.46361 > 80.239.148.170.80: Flags [S],
> seq 1791319806, win 13600, options [mss 1360,sackOK,TS val 2009975 ecr
> 0,nop,wscale 4], length 0
> 12:19:55.285531 IP 10.10.254.254.46360 > 80.239.148.170.80: Flags [S],
> seq 975284290, win 13600, options [mss 1360,sackOK,TS val 2010185 ecr
> 0,nop,wscale 4], length 0
> 12:19:55.445826 IP 10.10.254.254.46361 > 80.239.148.170.80: Flags [S],
> seq 1791319806, win 13600, options [mss 1360,sackOK,TS val 2010225 ecr
> 0,nop,wscale 4], length 0
>
the problem is that the traffic that comes from the internet suppose to
get into the proxy machine but it's going to the client which is not
listening to the same socket.
wccp + tproxy dont play good together!!!
if you will run tcpdump on the client machine you will see packets of
sessions that started on the squid box arriving to it.
you dont need to be with this 3 days.
just buy a 1Gbit Ethernet card and put a small bridge between the cisco
and the next hop.

>
> I have followed several guides on the wiki, tried different distro's,
> DNAT without Tproxy and now with Tproxy. Any pointers on where I'm
> going wrong will be helpful as I've been at this for 3 days now. If I
> set this up in a "normal" network with LAN, WAN and squid being the
> gateway device it works in non-transparent and transparent modes. This
> feels like a issue with the DSL connections being rejected by squid or
> iptables but I'm at a loss to explain where or how.
>
> When tested using the DNAT method the packets were routed via the
> squid box although still bypassed the squid daemon, the packets would
> return from the webserver but were then dropped. Using the Tproxy
> method shows the packets never getting to squid and not leaving the
> box to the webserver.
>
> Do I require multiple interfaces on the squid box and maybe use
> ebtables or is what I'm trying to achieve possible on 1 interface ?
>
it depends.
you can always do something with vlans and stuff to make one interface
act like two.
with tproxy the traffic that comes from the proxy is the same as the one
that comes from the client.
10.10.254.254 comes in and 10.10.254.254 comes out.
so the only options you have are:
use some routing technique such as routing map with next hop.
you can setup the cisco to send traffic to the squidbox using one ip
that squid will use as gw for the clients network.
and second ip to access the net and from the net.
this way squid will be a "router" on the way.
another option is the bridge thing with two networks cards.
you can play with vlans and bridge two vlans but it's pretty nasty to do so.

Regards,
Eliezer

>
> Thanks for reading
>
>
> Wayne
>

-- 
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
Received on Sat Jul 14 2012 - 09:43:32 MDT

This archive was generated by hypermail 2.2.0 : Sat Jul 14 2012 - 12:00:02 MDT