Re: [squid-users] bridge + tproxy

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Mon, 07 Oct 2013 15:46:25 +0300

Hey Alfredo,

The question you are asking is related to the MAC address level of the
bridge..
The bride flood the ports with the data..
Since the traffic comes to the port of the Proxy machine it gets the MAC
level by demand..
There is no real need for the proxy machine to ask for arp unless there
is a use of vlan.s which in this specific case the switch acts in the
routing level and there is a proxy-arp that does all the work that is
needed.
How would someone send an IP packet without mac address? IPX? we are
talking about TCP+IP which the switch does all the mac address level
stuff and the proxy just uses this data.
if the client wont answer to the ARP requests this client should be banned.
The same goes if a two clients use the same MAC address...
one of them should be banned on the port level.
as an example I have 48 ports of 1GBps per port and two clients send a
packet with the same MAC address.. one of the ports should block this
MAC address by default.
a PROXY should not be working on the MAC level in a very large network.
In order to do that you should divide your network logically so that a
suited switching machine would do the MAC level filtering and sniffing
leaving the server the heavy lifting part of TPROXY and other IP level
stuff.

If you can describe the LAN part which is the main issue here I can try
to understand and maybe get the situation in hands and maybe find a good
solution to the problem.

Eliezer

On 10/06/2013 02:20 PM, Amos Jeffries wrote:
> On 4/10/2013 11:16 p.m., Alfredo Rezinovsky wrote:
>> I have a squid in tproxy mode running in a bridge.
>> Let name LAN side the one connected to the clients and WAN side the
>> one connected to the gateway.
>> I'm using Ubuntu server LTS with a 3.5.0 kernel
>>
>> The LAN network has various sub-networks, handled with many different
>> IPs in the gateway.
>>
>> When a client starts a connection to an external server, port 80, the
>> proxy intercepts it, process, and answers, allways using the client IP
>> for the outgoing packets and the external server ip for the packets
>> sent to the client.
>>
>> The proxy still needs is own IP for 3 reasons:
>>
>> * Ask DNS queries to a local DNS server (still can't force squid to
>> use the original destination IP without asking DNS, or to use the
>> TPROXY client ip for the DNS query)
>> * Ask ARP to the clients
>> * Remote access to the proxy for administration.
>
> * serving error page embeded objects to clients.
>
>>
>> Some clients that are in strict mode, refuses to answer ARP when the
>> proxy asking IP is not in the same IP network.
>>
>> There's a way to let linux learn ARP in passive mode when no one
>> answers ARP?
>>
>
> You will have to ask the networking people for Linux that question.
>
> Amos
Received on Mon Oct 07 2013 - 12:46:39 MDT

This archive was generated by hypermail 2.2.0 : Mon Oct 07 2013 - 12:00:08 MDT