On 20/09/2013 5:35 a.m., psd17j-jacob wrote:
> Hi Antony,
>
> Thanks for the reply. So what would be your suggestion in terms of creating
> a transparent proxy across multiple VLANs without bridging? All VLANs are
> public routable IPs except for two, one being the publicly available WiFi.
> The school encourages BYOD so sending out proxy settings via GP is not an
> option.
The proxy operates on top of the *routing* component of the kernel. As 
you can note from the ebtables rules you have to bump the traffic out of 
the bridge into routing systems for iptables rules to send to the proxy. 
You may as well setup the box as a normal router (with VLAN routing) if 
that is easier than to implement the bridging. With the correct ebtables 
rules shifting traffic to routing the presence or absence of bridging 
should be irrelevant to the proxy operation.
Once traffic enters the proxy the TCP connections are terminated. VLAN 
tags are gone, you have to translate them to either iptables MARK or 
TOS/DSCP tags for relay through Squid and re-tag traffic leaving the 
proxy. Also note that at the TCP/IP and VLAN layers traffic leaving the 
proxy box has no relation to traffic entering the box. HTTP contains 
caching, validation, persistence and multiplexing features designed to 
optimize the TCP connection usage and response speed. You can have two 
requests entering the proxy on different VLAN connections and both 
leaving on the same upstream connection or just only one leaving it or 
one being translated to an IMS/INM request. You can also have traffic 
generated by the proxy itself entering the system.
  ==> Please outline what the purpose of the VLAN separation is. If you 
are able to treat the proxy outgoing traffic as just another user and 
switch its VLAN using only IP:port (and/or TOS) destination details that 
would be easiest to integrate with Squid.
Another thing adding complexity is your usage of DansGuardian. It is a 
basic filtering proxy, not a fully-featured proxy like Squid. So things 
like the iptables MARK and QoS TOS/DSCP values are not even passed 
through it for Squid to make use of. This is simpler to fix since Squid 
can do anything DG can (just differently) you can drop the DG component 
entirely and just use Squid access controls.
Amos
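The translation Amos describes (VLAN identity into an iptables MARK on the way in, Squid re-applying it on the way out, Squid ACLs in place of DansGuardian) as a worked script. This is an added example, not code from the thread or from the Squid project; the interface names, client subnets, mark values, the blocklist file path and the per-VLAN routing tables it refers to are assumptions chosen for illustration. It defaults to printing the commands rather than executing them.

```shell
#!/bin/sh
# Added example, not from the original thread: carry VLAN identity across a
# transparent Squid as a netfilter MARK, and have Squid put the mark back on
# its upstream connections with tcp_outgoing_mark so policy routing can pick
# the egress VLAN. Interface names, subnets, mark values and the per-VLAN
# routing tables are assumptions chosen for illustration.

# Constructed sample: <ingress VLAN interface> <client subnet> <fwmark (decimal)>
VLAN_TABLE='
eth0.10 10.0.10.0/24 10
eth0.20 10.0.20.0/24 20
eth0.30 192.0.2.0/24 30
'
SQUID_PORT=3128            # matches the "http_port ... intercept" line emitted below
DRY_RUN=${DRY_RUN:-1}      # 1 = print the commands, 0 = execute them (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Netfilter side. On ingress the VLAN interface is still known, so mark the
# packet, remember the mark on the conntrack entry and hand port 80 to Squid.
# On OUTPUT both kinds of proxy traffic get a mark: replies to clients from
# the saved conntrack mark, new upstream connections from the SO_MARK that
# Squid's tcp_outgoing_mark set on the socket.
netfilter_rules() {
    echo "$VLAN_TABLE" | while read -r ifc subnet mark; do
        [ -n "$ifc" ] || continue
        run iptables -t mangle -A PREROUTING -i "$ifc" -m mark --mark 0 -j MARK --set-mark "$mark"
        run iptables -t mangle -A PREROUTING -i "$ifc" -j CONNMARK --save-mark
        run iptables -t nat -A PREROUTING -i "$ifc" -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
        # Assumed: routing table <mark> holds the default route for this VLAN's upstream path
        run ip rule add fwmark "$mark" lookup "$mark"
    done
    # New upstream connections already carry Squid's socket mark: store it on the flow.
    run iptables -t mangle -A OUTPUT -m mark ! --mark 0 -j CONNMARK --save-mark
    # Everything else leaving the box inherits the mark its flow was tagged with on ingress.
    run iptables -t mangle -A OUTPUT -m connmark ! --mark 0 -j CONNMARK --restore-mark
}

# Squid side. The connection Squid opens upstream has no VLAN tag, so the
# client subnet (the IP-level detail a transparent proxy still sees) selects
# the mark to reapply. Squid's own ACLs then take over the filtering role.
squid_conf() {
    echo "http_port $SQUID_PORT intercept"
    echo "$VLAN_TABLE" | while read -r ifc subnet mark; do
        [ -n "$ifc" ] || continue
        name="vlan_${ifc#eth0.}"
        echo "acl $name src $subnet"
        printf 'tcp_outgoing_mark 0x%02x %s\n' "$mark" "$name"
    done
    # Domain blocklist kept in a file (assumed path); http_access is evaluated top-down
    echo 'acl blocked_domains dstdomain "/etc/squid/blocked_domains.txt"'
    echo 'http_access deny blocked_domains'
    echo "$VLAN_TABLE" | while read -r ifc subnet mark; do
        [ -n "$ifc" ] || continue
        echo "http_access allow vlan_${ifc#eth0.}"
    done
    echo 'http_access deny all'
}

netfilter_rules
squid_conf
```

Run it as-is to review the generated iptables/ip rules and squid.conf lines; set DRY_RUN=0 to apply the netfilter part. tcp_outgoing_mark needs a Squid built with netfilter mark support (3.2 or later); on a build without it, tcp_outgoing_tos with DSCP values plays the same role, matched with the iptables dscp module instead of connmark.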
Received on Fri Sep 20 2013 - 03:44:57 MDT
This archive was generated by hypermail 2.2.0 : Sat Sep 21 2013 - 12:00:05 MDT