[squid-users] ISP-style Transparent Proxy

From: Nick Bright <nick.bright_at_valnet.net>
Date: Wed, 07 Nov 2012 16:08:05 -0600


We're working to attempt to get a completely transparent proxy up and
running. By completely transparent I mean:

1) The web server should see the clients' actual IP (not the proxy)
2) The client should see the response coming back from the IP of the web

We're trying to implement this with WCCPv2 Interception on a
7204vxr/NPE-G1 with IOS 12.3.15a.

The configuration guide has been explicitly followed at:

The machine is running CentOS 6. I've tried with the stock kernel, and
with 3.6.5 installed from elrepo.org. selinux is disabled. Using the
non-tproxy port in squid by explicitly configuring the proxy,
successfully proxies & caches traffic (proxy server ip reported by web

Squid version is 3.1.10-9.el6_3 from CentOS6 repository.

All commands successfully complete, but the proxy isn't working.

I've observed that:

1) The Cisco router sees the web cache as reported by "sh ip wccp" (see
attached sh_ip_wccp.txt).
2) tcpdump -i tun0 reports packets arriving from the Cisco router.
3) tcpdump -i eth2 reports packets leaving the cache server bound for
the destination web server
4) The destination web server shows no hits in the access_log file
5) tcpdump on the web server shows packets arriving from the client IP
address on port 80.
6) tcpdump on the web server shows packets leaving bound for the client IP
7) The client browser times out, receiving an HTML error from Squid
reporting "Connection to <server ip> failed."
8) When the timeout occurs, the squid access log reports "TCP_MISS/504
4123 GET http://myip.valnet.net/ - DIRECT/ text/html"

I've attached numerous files containing statuses of various things that
need to be set, such as rp_filter sysctl values, output of "show ip
wccp", the squid.conf file, the cisco configuration, and the contents of

Any advice appreciated.


-  Nick Bright                                -
-  Vice President of Technology               -
-  Valnet -=- We Connect You -=-              -
-  Tel 888-332-1616 x 315 / Fax 620-331-0789  -
-  Web http://www.valnet.net/                 -
- Are your files safe?                        -
- Valnet Vault - Secure Cloud Backup          -
- More information & 30 day free trial at     -
- http://www.valnet.net/services/valnet-vault -

Received on Wed Nov 07 2012 - 22:08:12 MST

This archive was generated by hypermail 2.2.0 : Thu Nov 08 2012 - 12:00:03 MST