Re: [squid-users] Squid Subnet Problem

From: Jack Black <>
Date: Wed, 18 Jul 2012 15:16:38 -0600

I switched from WCCP to policy based routing, and networks directly
connected to the Cisco router started working perfectly. I did run
into a small problem with clients in subnets that were not directly
connected to the router, but I was able to find a satisfactory
solution for that as well, while I search for a more permanent one.

Honestly - I had no idea where to even begin when it came to
addressing this problem, or what to search for online - and now,
everything works great.

Thank you for the helpful advice, Amos.


On Sun, Jul 15, 2012 at 7:59 PM, Amos Jeffries <> wrote:
> On 16.07.2012 12:50, Jack Black wrote:
>> Hi.
>> I am a network technician, working for a small company that is based
>> in the middle of nowhere in a camp up North, and we provide internet
>> to nearly 1000 clients. The managers of the camp have asked us to
>> implement a system where users will be directed to a page that has
>> some important, camp related information (safety policies, upcoming
>> events, fire warnings, etc.). Using squid and the ext_session_acl
>> helper, along with our Cisco router's WCCP, and some very helpful
>> advice from Amos, I have created such a system, and have been testing
>> it for the past few hours. While the test has been fairly short so
>> far, and has not been under full load (at peak times), it seems to be
>> working perfectly. The only thing stopping it from working at full
>> capacity now is the fact that our network is divided into multiple
>> subnets, and according to some forum posts I have read, the squid
>> proxy server and the clients have to be on the same subnet when using
>> WCCP and a GRE tunnel. I have tried to use ACLs on the Cisco router to
>> direct clients from other subnets to the squid proxy, but as the posts
>> suggested, those clients fail to connect. An image depicting the setup
>> can be found here:
>> Does anyone know if it is even theoretically possible to have the
>> squid proxy and the clients in different subnets in this case? What
>> would that require? Is that something that needs to be addressed
>> through squid, the cisco router, or the iptables rules on the squid
>> proxy's OS?
>> Tal
> The issue, as you noted in an earlier email, is not Squid, nor anything on its
> machine. The ASA, and in particular the use of WCCP and GRE it provides, is
> directly causing it.
>
> To resolve your problems you are therefore required to drop WCCP and GRE,
> moving instead to true policy routing to pass packets to the Squid machine.
>
> The routing topology in the ASA needs to move packets like so:
>
>   if arriving from the client interface   -> gateway via Squid
>   if arriving from the Internet interface -> gateway via Squid
>   else                                    -> gateway per the packet destination IP.
>
> Amos
Received on Wed Jul 18 2012 - 21:16:50 MDT
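The policy-routing topology Amos lays out above, written as an added Cisco IOS configuration example (it is not from the thread and not the poster's actual config). It assumes an IOS router rather than an ASA, a Squid host at the placeholder address 192.0.2.10 on the client-side interface Gi0/1, client subnets inside 10.0.0.0/8 (some reached through a downstream router on Gi0/2), and the Internet on Gi0/0. Interface names, addresses and ACL/route-map names are all assumptions.

```cisco
! Added example (not from the thread): IOS policy-based routing that sends
! client web traffic through a Squid interceptor, following the topology
! described in the reply. All addresses and interface names are placeholders.

! Traffic to divert to Squid: client HTTP only. Squid's own outbound
! connections and traffic addressed to the Squid host itself are excluded,
! otherwise Squid's requests would be policy-routed back to Squid (a loop).
ip access-list extended CLIENT-TO-SQUID
 deny   ip host 192.0.2.10 any
 deny   tcp any host 192.0.2.10
 permit tcp 10.0.0.0 0.255.255.255 any eq 80

! Replies from the Internet addressed to client IPs. This is only required
! when Squid preserves client source addresses (TPROXY); with an iptables
! REDIRECT/NAT intercept the replies already go to Squid's own IP by normal
! routing, and this ACL and its route-map can be omitted.
ip access-list extended INTERNET-TO-SQUID
 permit tcp any eq 80 10.0.0.0 0.255.255.255

! "if arriving from the client interface -> gateway via Squid"
route-map VIA-SQUID permit 10
 match ip address CLIENT-TO-SQUID
 set ip next-hop 192.0.2.10
! Packets not matched by a permit clause fall through to the routing table:
! "else -> gateway per the packet destination IP."

! "if arriving from the Internet interface -> gateway via Squid"
route-map RETURN-VIA-SQUID permit 10
 match ip address INTERNET-TO-SQUID
 set ip next-hop 192.0.2.10

! Policy routing is evaluated per ingress interface, so the client route-map
! must be applied on every interface where client packets enter the router,
! including the one facing a downstream router for subnets that are not
! directly connected.
interface GigabitEthernet0/1
 description client subnets (Squid lives here too)
 ip policy route-map VIA-SQUID
interface GigabitEthernet0/2
 description downstream router / remote client subnets
 ip policy route-map VIA-SQUID
interface GigabitEthernet0/0
 description Internet
 ip policy route-map RETURN-VIA-SQUID
```

Because the diverted packets are still addressed to the origin servers, the Squid host must accept them on an intercepting port, for example `http_port 3129 intercept` in squid.conf together with a local `iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3129` rule on the Squid machine. Unlike a WCCP/GRE redirect, `set ip next-hop` only needs an ordinary route to the Squid address, which is why it works for clients in subnets the router does not directly connect to.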

