Re: [squid-users] WCCP2+tproxy and Cisco LNS

From: Wayne Lee <linkconnect_at_googlemail.com>
Date: Sat, 14 Jul 2012 13:21:31 +0100

HI Eliezer

Thanks for your reply.

> SNIP>
>
> if you could be more accurate about the cables setup and logic and not just
> ip it can help understand things.

squid-----Switch----Cisco router
               |
               |
               |
         gateway

Cat 5 ethernet

>>
> the problem is that the traffic that comes from the internet suppose to get
> into the proxy machine but it's going to the client which is not listening
> to the same socket.
> wccp + tproxy dont play good together!!!
> if you will run tcpdump on the client machine you will see packets of
> sessions that started on the squid box arriving to it.
> you dont need to be with this 3 days.
> just buy a 1Gbit Ethernet card and put a small bridge between the cisco and
> the next hop.

I can add interfaces without problem as the squid box is a VM

When running tcpdump on the client machine I do not see any return
packets when using tproxy or DNAT methods.

When using the DNAT method and running tcpdump on the squid box I can
see the inbound request from the client and the return packets from
the webserver but nothing gets returned to the client

When using the tproxy method and running tcpdump on the squid box I
can see the inbound request from the client but that request is not
passed to squid and does not leave the squid box so no return packets
are seen on squid or the client.

> it depends.
> you can always do something with vlans and stuff to make one interface act
> like two.
> with tproxy the traffic that comes from the proxy is the same as the one
> that comes from the client.
> 10.10.254.254 comes in and 10.10.254.254 comes out.
> so the only options you have are:
> use some routing technique such as routing map with next hop.
> you can setup the cisco to send traffic to the squidbox using one ip that
> squid will use as gw for the clients network.
> and second ip to access the net and from the net.
> this way squid will be a "router" on the way.
> another option is the bridge thing with two networks cards.
> you can play with vlans and bridge two vlans but it's pretty nasty to do so.
>
> Regards,
> Eliezer

Which method is the best way to go, DNAT or tproxy and what else can I
do to debug the process?

The final goal once testing is complete is to have 5 LNS's using the
proxy, the proxy will be on a different subnet to the LNS's.

Thanks

Wayne
Received on Sat Jul 14 2012 - 12:21:40 MDT

This archive was generated by hypermail 2.2.0 : Sun Jul 15 2012 - 12:00:02 MDT