Re: [squid-users] Can squid choose the WAN connection that matches the clients routing mark?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 12 Oct 2013 14:59:31 +1300

On 12/10/2013 10:55 a.m., Dean Volt wrote:
> I have a network that serves internet to 60 clients, all go through a
> mikrotik rb which routes traffic according to MARK_ROUTING rule in
> mangle.
> So, Group1 goes thru WAN1, and Group2 goes thru WAN2 etc.
>
> Now I want to set up a squid proxy to optimize browsing, but if I mark
> routing of the squid ip to Group1, then ALL the traffic will go to
> Group1 only.
> Now do I have to have a squid server for each WAN connection?
No.

> Or is there a way to have all the clients go via the proxy, and the
> proxy chooses the WAN connection that matches the clients routing mark?

You can emit TOS/Diffserv values from Squid back to the router using
tcp_outgoing_tos which tell the router which group each particular
connection is part of.

Things to be aware of:
* HTTP persistence - any given TCP connection PROBABLY contains multiple
request transactions.
* HTTP multiplexing - any client->Squid request MAY go out any
Squid->Internet connection. Squid ensures that the destination server and
port are identical. But any two clients trying to reach the same server
may share a connection.
* TOS is applied per-request - an existing connection MAY be labeled 0x1
when it is set up and change to 0x2 halfway, then switch back to 0x1.
Your routing setup needs to be capable of handling that. Many ISPs, yours
probably included, prohibit TCP connections switching. It operates this
way because TOS is designed more for dynamic QoS speed limitations over
a connection lifetime than for routing it around.

I highly recommend using squid-3.3 or later releases for this. With the
newer releases you can set tcp_outgoing_address based on the incoming
client details and Squid will ensure the persistent connection matches
both src and dst on the outgoing connection, which avoids all the above
complications.

Amos
Received on Sat Oct 12 2013 - 01:59:41 MDT
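The tcp_outgoing_address approach Amos recommends, written out as a squid.conf fragment. This is an added example, not configuration from the original thread or from the Squid project; the client subnets (192.168.1.0/25 and 192.168.1.128/25), the two Squid-side source addresses (10.0.1.2 and 10.0.2.2) and the TOS values are constructed placeholders, and the router is assumed to policy-route on the source address it sees from Squid.

```conf
# squid.conf fragment (Squid 3.3 or later) - added example, all addresses constructed.

# Map the router's two client groups onto ACLs by source subnet.
acl group1 src 192.168.1.0/25
acl group2 src 192.168.1.128/25

# Give each group its own outgoing source address on the Squid host.
# The router's mangle/routing-mark rules then match on these source IPs
# instead of on the individual client IPs. In 3.3+ Squid keeps a persistent
# server connection bound to both its src and dst, so a group2 request is
# never reused over a connection opened with the group1 address.
tcp_outgoing_address 10.0.1.2 group1
tcp_outgoing_address 10.0.2.2 group2

# Optional: also emit a per-group TOS/Diffserv mark. As noted above, TOS is
# applied per request, so a shared persistent connection can change mark
# mid-life; only use this if the router tolerates that.
tcp_outgoing_tos 0x10 group1
tcp_outgoing_tos 0x20 group2
```

Verify with `squid -k parse` before reloading, and check on the router that outbound flows from 10.0.1.2 and 10.0.2.2 pick up the intended routing mark.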