[squid-users] Squid not accelerating properly

From: Oluseyi Akinboboye <seyiakinboboye_at_gmail.com>
Date: Fri, 7 Mar 2014 18:59:21 +0100

I have been long searching for a solution and finally this morning I got it to work. My setup is as follows:

Wan>>16port Dlink switch>>Clearos>>mikrotik>>netequalizer>>24 port Dlink switch


I have added a squid with its input from the Wan directly and then I have put the squid directly to the mikrotik.

I did the following configurations:


Wan:

Wan -> mikrotik 172.16.10.1/24
Wan -> squid 172.16.11.1/24


Mikrotik


Ether1
172.16.10.2/24 Via setup CLI


Ether2 (Hotspot)
10.5.50.1/24


Ether3 to squid
192.168.50.2 Via setup CLI


Squid


Ether1 from Wan
172.16.11.2


Ether2 from mikrotik
192.168.50.1:3128


The squid is configured transparently.

The CLI commands used are as follows:


#Mark All HTTP Port 80 Traffic, so that you can use these Marked Packets in Route section.

/ip firewall nat
add action=accept chain=srcnat disabled=no dst-port=80 protocol=tcp

/ip firewall mangle
add action=mark-routing chain=prerouting disabled=no dst-port=80 new-routing-mark=http passthrough=yes protocol=tcp

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=(192.168.50.1) routing-mark=http scope=30 target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=(172.16.10.1) scope=30 target-scope=10


/ip firewall mangle add chain=postrouting tos=48 action=mark-packet new-packet-mark=proxy-hit passthrough=no


/ip firewall mangle add chain=postrouting action=mark-packet new-packet-mark=proxy-hit passthrough=no

/queue tree add name="pmark" parent=global-out packet-mark=proxy-hit limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s



/ip firewall filter

add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input \
comment="Add Syn Flood IP to the list" connection-limit=30,32 disabled=no protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" disabled=no src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect"\
disabled=no protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" disabled=no src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" disabled=no jump-target=ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except to support list"
add action=jump chain=forward comment="Jump for icmp forward flow" disabled=no jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" disabled=no dst-address-list=bogons
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours"\
connection-limit=30,32 disabled=no dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" disabled=no dst-port=25,587 protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - UDP" disabled=no port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" disabled=no port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" connection-state=established\
disabled=no
add action=accept chain=input comment="Accept to related connections" connection-state=related disabled=no
add action=accept chain=input comment="Full access to SUPPORT address list" disabled=no src-address-list=support
add action=drop chain=input comment="Drop anything else!"
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" disabled=no icmp-options=8:0 limit=1,5 protocol=icmp
add action=accept chain=ICMP comment="Echo reply" disabled=no icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" disabled=no icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" disabled=no icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD disabled=no icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=no protocol=icmp
add action=jump chain=output comment="Jump for icmp output" disabled=no jump-target=ICMP protocol=icmp
ip firewall nat add action=dst-nat chain=dstnat disabled=no dst-port=80 protocol=tcp to-addresses=10.5.50.5 to-ports=8080


ip firewall nat add action=dst-nat dst-port=80 protocol=tcp src-address=10.5.50.0/24 to-addresses=10.5.50.5 to-ports=8080 chain=dstnat

ip firewall nat add chain=dstnat src-address=10.5.50.0/24 in-interface=ether1 dst-port=80 protocol=tcp action=dst-nat to-address=10.5.50.5 to-port=8080

ip firewall nat add chain=dstnat src-address=10.5.50.5 dst-port=80 protocol=tcp action=accept

ip firewall nat add chain=dstnat src-address=10.5.50.0/24 dst-port=80 protocol=tcp action=dst-nat to-address=10.5.50.5 to-port=8080


When I run the tail command on the squid I get a lot of activity within the cache; for example:

1394214401.152 103 192.168.50.2 TCP_MISS_ABORTED/000 0 GET http://facedakar.com/ - HIER_DIRECT/178.33.239.95 -
1394214401.216 0 192.168.50.2 TCP_IMS_HIT/304 285 GET http://www.fifa.com/imgml/worldcup/dots_03.png - HIER_NONE/- image/png
1394214401.255 96 192.168.50.2 TCP_MISS_ABORTED/000 0 GET http://facedakar.com/ - HIER_DIRECT/178.33.239.95 -
1394214401.363 101 192.168.50.2 TCP_MISS_ABORTED/000 0 GET http://facedakar.com/ - HIER_DIRECT/178.33.239.95 -
1394214401.473 102 192.168.50.2 TCP_MISS_ABORTED/000 0 GET http://facedakar.com/ - HIER_DIRECT/178.33.239.95 -
1394214401.502 982 192.168.50.2 TCP_MISS_ABORTED/000 0 POST http://dlarray-europ-secsrv021.gdatasecurity.de/query - HIER_DIRECT/92.51.171.68 -

Also, when I run a netstat grep, the result I get seems okay:

squid:/home/netsnap # netstat -a | grep 443 -h
tcp 1 0 squid.squidoz:44358 a92-122-210-13:www-http CLOSE_WAIT
tcp 0 1 squid.squidoz:35443 ns236400.ovh.n:www-http SYN_SENT
tcp 1 0 squidoz:ndl-aas 192.168.50.2:34439 CLOSE_WAIT
tcp 1 0 squidoz:ndl-aas 192.168.50.2:34443 CLOSE_WAIT
tcp 1 0 squidoz:ndl-aas 192.168.50.2:34436 CLOSE_WAIT
tcp 1 0 squid.squidoz:44350 a92-122-210-13:www-http CLOSE_WAIT
tcp 1 0 squidoz:ndl-aas 192.168.50.2:34438 CLOSE_WAIT


Now the browsing is not really faster; pages like yahoo.com, gmail.com and such that you have to sign in to open pretty fast, but other pages crawl, to say the least, and if at all they open, it just shows text and links without pictures, especially for sites like bbc.co.uk etc., and most times it brings this error message out:

ERROR

The requested URL could not be retrieved

Die volgende fout is teëgekom tydens verkryging van die URL: http://www.speedtest.net/user-settings.php

Verbinding na 93.184.219.82 het misluk

Die stelsel het die volgende teruggestuur: (110) Connection timed out

Die afgeleë gasheer of netwerk is dalk af. Probeer die navraag gerus weer.

Die kasbediener se administrateur is webmaster.


Gegenereer op Fri, 07 Mar 2014 15:29:27 GMT deur squid.squidoz (squid/3.2.11)
I am not sure what exactly it is I am doing wrong! I am not even sure at this point if it is the mikrotik or squid that is giving me the problem.

I would appreciate any help that I can get to make this happen.


Thanks in advance.
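The access.log excerpt above is the most useful evidence in the post: five of the six lines are TCP_MISS_ABORTED/000 with HIER_DIRECT, and every request is logged from 192.168.50.2, which the poster's own diagram gives as the MikroTik's ether3 address rather than a LAN client. The script below is an added example, not code from the poster or from the Squid or MikroTik projects. It parses Squid's native access.log layout, tallies result and hierarchy codes, and raises the two findings an operator would check first when a transparent proxy "does not accelerate": a high share of aborted misses (the proxy's own upstream fetches are failing) and a single client address for all traffic (the router is NATing the LAN before the proxy sees it, so per-client logs and controls are blind). The sample log is the poster's six lines reproduced inline; the 50% abort threshold is an assumed default.

```python
"""Squid access.log triage: are we serving hits, or mostly aborting misses?

Added example, not part of the original post. Parses Squid's native
access.log format and reports the share of aborted misses and whether all
requests come from one (NAT) client address.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Native Squid log layout:
# time elapsed client code/status bytes method URL rfc931 hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<nbytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)\s*$"
)


@dataclass(frozen=True)
class Entry:
    ts: float
    elapsed_ms: int
    client: str
    code: str
    status: int
    nbytes: int
    method: str
    url: str
    hier: str
    peer: str


def parse_line(line: str):
    """Return an Entry for one native-format line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(
        ts=float(m["ts"]), elapsed_ms=int(m["elapsed"]), client=m["client"],
        code=m["code"], status=int(m["status"]), nbytes=int(m["nbytes"]),
        method=m["method"], url=m["url"], hier=m["hier"], peer=m["peer"],
    )


def summarise(lines):
    """Count result codes, hierarchy codes and client addresses over the lines."""
    entries = [e for e in (parse_line(ln) for ln in lines) if e is not None]
    return {
        "total": len(entries),
        "codes": Counter(e.code for e in entries),
        "hier": Counter(e.hier for e in entries),
        "clients": Counter(e.client for e in entries),
        # Squid appends _ABORTED when the client or the server side gave up.
        "aborted": sum(1 for e in entries if e.code.endswith("_ABORTED")),
        # Approximation: cache-served codes contain _HIT (TCP_HIT, TCP_MEM_HIT, TCP_IMS_HIT, ...).
        "hits": sum(1 for e in entries if "_HIT" in e.code),
        "mean_elapsed_ms": (sum(e.elapsed_ms for e in entries) / len(entries)) if entries else 0.0,
    }


def diagnose(summary, abort_threshold=0.5):
    """Turn the summary into findings for the proxy operator (threshold is an assumed default)."""
    findings = []
    total = summary["total"]
    if total == 0:
        return ["no parseable access.log entries"]
    aborted = summary["aborted"]
    if aborted / total >= abort_threshold:
        findings.append(
            f"{aborted}/{total} requests are aborted misses: the proxy's own upstream "
            "fetches are failing; check its default route and that its outbound "
            "port 80 is not being redirected back to the proxy by the router"
        )
    if len(summary["clients"]) == 1:
        (client,) = summary["clients"]
        findings.append(
            f"all {total} requests are logged from {client}: the proxy sees a single "
            "NAT address instead of the real LAN clients"
        )
    return findings


# Sample input: the six lines from the post, embedded so the script runs offline.
SAMPLE_LOG = """\
1394214401.152 103 192.168.50.2 TCP_MISS_ABORTED/000 0 GET http://facedakar.com/ - HIER_DIRECT/178.33.239.95 -
1394214401.216 0 192.168.50.2 TCP_IMS_HIT/304 285 GET http://www.fifa.com/imgml/worldcup/dots_03.png - HIER_NONE/- image/png
1394214401.255 96 192.168.50.2 TCP_MISS_ABORTED/000 0 GET http://facedakar.com/ - HIER_DIRECT/178.33.239.95 -
1394214401.363 101 192.168.50.2 TCP_MISS_ABORTED/000 0 GET http://facedakar.com/ - HIER_DIRECT/178.33.239.95 -
1394214401.473 102 192.168.50.2 TCP_MISS_ABORTED/000 0 GET http://facedakar.com/ - HIER_DIRECT/178.33.239.95 -
1394214401.502 982 192.168.50.2 TCP_MISS_ABORTED/000 0 POST http://dlarray-europ-secsrv021.gdatasecurity.de/query - HIER_DIRECT/92.51.171.68 -
"""

if __name__ == "__main__":
    s = summarise(SAMPLE_LOG.splitlines())
    print(f"{s['total']} entries, {s['hits']} hits, {s['aborted']} aborted, "
          f"mean {s['mean_elapsed_ms']:.0f} ms")
    for finding in diagnose(s):
        print("-", finding)
```

Run it against a real log with `summarise(open("/var/log/squid/access.log"))`; the hit/miss tally tells you whether the cache is doing any work, and the single-client finding tells you whether the upstream router is hiding the LAN behind one address, which is why the firewall rules quoted above would never match individual clients at the proxy.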
Received on Fri Mar 07 2014 - 17:59:33 MST

This archive was generated by hypermail 2.2.0 : Sat Mar 08 2014 - 12:00:05 MST