Re: [squid-users] Transparent Mode and WCCP

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Fri, 04 Jan 2013 06:37:02 +0200

Hey,

I have found this:
http://kb.fortinet.com/kb/viewContent.do?externalId=FD30096

which pretty much covers what needed to be done.

WCCP suppose to be a layer 2 interception which TPROXY is the closest
thing for that.

TPROXY use the same src IP of the client for outgoing traffic based on a
client connection.

You can try to configure the fortigate device and maybe try to open a
ticket for the FORTI guys in case you dont get it right.

WCCP works with most catalyst devices I have tried.
There are other ways to intercept traffic and it's only up to the level
of your skills and knowledge.

It seems like the fortigate is the right place to integrate squid
interception to me.

I noticed that you didn't configured all squid needed directives to
support auto WCCP service registration.

Try to do it manually on the fortigate and see the results.

Best regards,
Eliezer

On 1/4/2013 1:22 AM, Roman Gelfand wrote:
> Thanks for your help. Please, see attached configuration files and
> topology picture.
>
> I am not using cisco device. I configured fortigate 50b firewall
> wccp service using gre tunnel. In this case, I am using straight
> transparent proxy. I have never used tproxy.
>
> I do have catalyst router which supports wccp2. Should I use that
> instead of the fortigate?
>
> How does using tproxy instead of transparent proxy improves wccp routing?
>
> Thanks again
>
>
> On Wed, Jan 2, 2013 at 4:39 AM, Eliezer Croitoru <eliezer_at_ngtech.co.il> wrote:
>> Based on what you configured you cisco router? what did you configured on
>> your cisco router?
>> What cisco device are you using?
>>
>> did you had the chance to look at:
>> http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2
>>
>> please try to share more information on the infrastructure and the whole
>> squid.conf removing only confrontational INFO.
>>
>> Did you had the chance to use TPROXY before?
>> Did you tried to sniff with tcpdump?
>>
>> Eliezer
>>
>>
>> On 1/2/2013 3:38 AM, Roman Gelfand wrote:
>>>
>>> I use wccp/gre tunnel. Port 80
>>> requests work but 443 don't. I am not sure if this is right, but even
>>> though data was received on wccp, no data was transmitted back over
>>> wccp. In other words, squid server response was routed back, through
>>> eth0 interface, rather than go through wccp0 interface. Is this
>>> expected behavior? If not, what do I do to make
>>> response go over wccp?
>>>
>>> my iptable config look like this
>>>
>>> iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j DNAT --to
>>> 192.168.5.81:3228
>>> iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 443 -j DNAT --to
>>> 192.168.5.81:3229
>>>
>>> and squid.conf
>>>
>>> wccp2_service dynamic 90
>>> wccp2_service_info 90 protocol=tcp priority=240 ports=80,443
>>>
>>

-- 
Eliezer Croitoru
https://www1.ngtech.co.il
sip:ngtech_at_sip2sip.info
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
Received on Fri Jan 04 2013 - 04:37:21 MST

This archive was generated by hypermail 2.2.0 : Fri Jan 04 2013 - 12:00:03 MST