Re: Re: [squid-users] Squid not accelerating properly;

From: Oluseyi Akinboboye <seyiakinboboye_at_gmail.com>
Date: Sat, 8 Mar 2014 12:00:23 +0100

I do apologize for that oversight in terminology!
My proxy server is not working well, as I said earlier!
I would appreciate it if you could help me out here.

>Lets start with the title...
>
>Your Squid is being used as an interception proxy. Not an accelerator /
>reverse-proxy. Getting the terms right will greatly improve your ability
>to search for relevant information.
>
>
>On 8/03/2014 6:59 a.m., Oluseyi Akinboboye wrote:
>> I have been long searching for a solution and finally this morning I got it to work. My setup is as follows:
>>
>> Wan>>16port Dlink switch>>Clearos>>mikrotik>>netequalizer>>24 port Dlink switch
>>
>>
>> I have added a squid with its input from the Wan directly and then I have put the squid directly to the mikrotik.
>>
>
>So to translate your diagram and description:
>
> WAN -> Squid -> Router -> LAN
>
>is that correct?
>
>I am assuming from the description that Squid is running on the ClearOS
>machine.
>
>
>> I did the following configurations:
>>
>>
>> Wan:
>>
>> Wan -> mikrotik 172.16.10.1/24
>> Wan -> squid 172.16.11.1/24
>>
>
>Huh?
> if I'm reading that right you have two distinct routes that packets
>from the WAN -> LAN may take. Only one of which goes through Squid.
> Be very VERY careful with the packet flows when doing this.
>
>
>>
>> Mikrotik
>>
>>
>> Ether1
>> 172.16.10.2/24 Via setup CLI
>>
>>
>> Ether2 (Hotspot)
>> 10.5.50.1/24
>>
>>
>> Ether3 to squid
>> 192.168.50.2 Via setup CLI
>>
>>
>> Squid
>>
>>
>> Ether1 from Wan
>> 172.16.11.2
>>
>>
>> Ether2 from mikrotik
>> 192.168.50.1:3128
>>
>
>I don't understand how that relates to the actual packet flows, sorry. Too
>many undefined details like:
> - how all the "EtherN" are plugged together
> - what the terminal command line interface (CLI) has to do with routing,
> - which part(s) of your network each of those IP ranges identifies
>
>>
>> The squid is configured transparently.
>>
>
>How? There are 8 transparent interception configurations for Squid. And
>a great many more ways to mis-configure it.
>
>
>
>> The CLI commands used are as follows:
>
>Are these on the Mikrotik or ClearOS?
>
>>
>>
>> #Mark All HTTP Port 80 Traffic, so that you can use these Marked Packets in Route section.
>>
>> /ip firewall nat
>> add action=accept chain=srcnat disabled=no dst-port=80 protocol=tcp
>>
>> /ip firewall mangle
>> add action=mark-routing chain=prerouting disabled=no dst-port=80 new-routing-mark=http passthrough=yes protocol=tcp
>>
>> /ip route
>> add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=(192.168.50.1) routing-mark=http scope=30 target-scope=10
>>
>> add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=(172.16.10.1) scope=30 target-scope=10
>>
>>
>> /ip firewall mangle add chain=postrouting tos=48 action=mark-packet new-packet-mark=proxy-hit passthrough=no
>>
>>
>> /ip firewall mangle add chain=postrouting action=mark-packet new-packet-mark=proxy-hit passthrough=no
>>
>> /queue tree add name="pmark" parent=global-out packet-mark=proxy-hit limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
>>
>>
>>
>> /ip firewall filter
>>
>> add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input \
>> comment="Add Syn Flood IP to the list" connection-limit=30,32 disabled=no protocol=tcp tcp-flags=syn
>> add action=drop chain=input comment="Drop to syn flood list" disabled=no src-address-list=Syn_Flooder
>> add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect"\
>> disabled=no protocol=tcp psd=21,3s,3,1
>> add action=drop chain=input comment="Drop to port scan list" disabled=no src-address-list=Port_Scanner
>
>You might want to ensure Squid cannot be caught and listed as a SYN-flooder.
> Squid will potentially open many hundreds of connections per second if
>lots of clients are using it. Without the proxy that would be spread
>over many client IPs and not hit flooding limits.
>
>
>> add action=jump chain=input comment="Jump for icmp input flow" disabled=no jump-target=ICMP protocol=icmp
>> add action=drop chain=input \
>> comment="Block all access to the winbox - except to support list"
>> add action=jump chain=forward comment="Jump for icmp forward flow" disabled=no jump-target=ICMP protocol=icmp
>> add action=drop chain=forward comment="Drop to bogon list" disabled=no dst-address-list=bogons
>> add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours"\
>> connection-limit=30,32 disabled=no dst-port=25,587 limit=30/1m,0 protocol=tcp
>> add action=drop chain=forward comment="Avoid spammers action" disabled=no dst-port=25,587 protocol=tcp src-address-list=spammers
>> add action=accept chain=input comment="Accept DNS - UDP" disabled=no port=53 protocol=udp
>> add action=accept chain=input comment="Accept DNS - TCP" disabled=no port=53 protocol=tcp
>> add action=accept chain=input comment="Accept to established connections" connection-state=established\
>> disabled=no
>> add action=accept chain=input comment="Accept to related connections" connection-state=related disabled=no
>> add action=accept chain=input comment="Full access to SUPPORT address list" disabled=no src-address-list=support
>> add action=drop chain=input comment="Drop anything else!"
>> add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" disabled=no icmp-options=8:0 limit=1,5 protocol=icmp
>> add action=accept chain=ICMP comment="Echo reply" disabled=no icmp-options=0:0 protocol=icmp
>> add action=accept chain=ICMP comment="Time Exceeded" disabled=no icmp-options=11:0 protocol=icmp
>> add action=accept chain=ICMP comment="Destination unreachable" disabled=no icmp-options=3:0-1 protocol=icmp
>> add action=accept chain=ICMP comment=PMTUD disabled=no icmp-options=3:4 protocol=icmp
>> add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=no protocol=icmp
>
>ICMP is not optional. There are very specific message types like *echo*
>that can cause annoying effects in IPv4. But having a default drop
>action for other message types is a bad idea.
>
>Also, it is a good idea to put the ICMP control *after* the control
>allowing established connections and related packets through. Since the
>most desirable ICMP messages are usually the ones related to some
>established connection.
>
>
>> add action=jump chain=output comment="Jump for icmp output" disabled=no jump-target=ICMP protocol=icmp
>>
>>
>>
>>
>> ip firewall nat add action=dst-nat chain=dstnat disabled=no dst-port=80 protocol=tcp to-addresses=10.5.50.5 to-ports=8080
>>
>>
>> ip firewall nat add action=dst-nat dst-port=80 protocol=tcp src-address=10.5.50.0/24 to-addresses=10.5.50.5 to-ports=8080 chain=dstnat
>
> -> this rule seems useless. The top chain=dstnat rule already changed
>*all* the TCP port 80 packets.
>
>>
>> ip firewall nat add chain=dstnat src-address=10.5.50.0/24 in-interface=ether1 dst-port=80 protocol=tcp action=dst-nat to-address=10.5.50.5 to-port=8080
>>
>
> -> this rule seems useless. The top chain=dstnat rule already changed
>*all* the TCP port 80 packets.
>
>
>> ip firewall nat add chain=dstnat src-address=10.5.50.5 dst-port=80 protocol=tcp action=accept
>>
>
> -> this rule seems useless. The top chain=dstnat rule already changed
>*all* the TCP port 80 packets into port 8080 packets.
>
>
>> ip firewall nat add chain=dstnat src-address=10.5.50.0/24 dst-port=80 protocol=tcp action=dst-nat to-address=10.5.50.5 to-port=8080
>
> -> this rule seems useless. The top chain=dstnat rule already changed
>*all* the TCP port 80 packets.
>
>
>
>>
>> When I run the tail command in the squid I get a lot of activity within the cache; for example:
>>
>> 1394214401.152 103 192.168.50.2 TCP_MISS_ABORTED/000 0 GET http://facedakar.com/ - HIER_DIRECT/178.33.239.95 -
>> 1394214401.216 0 192.168.50.2 TCP_IMS_HIT/304 285 GET http://www.fifa.com/imgml/worldcup/dots_03.png - HIER_NONE/- image/png
>> 1394214401.255 96 192.168.50.2 TCP_MISS_ABORTED/000 0 GET http://facedakar.com/ - HIER_DIRECT/178.33.239.95 -
>> 1394214401.363 101 192.168.50.2 TCP_MISS_ABORTED/000 0 GET http://facedakar.com/ - HIER_DIRECT/178.33.239.95 -
>> 1394214401.473 102 192.168.50.2 TCP_MISS_ABORTED/000 0 GET http://facedakar.com/ - HIER_DIRECT/178.33.239.95 -
>> 1394214401.502 982 192.168.50.2 TCP_MISS_ABORTED/000 0 POST http://dlarray-europ-secsrv021.gdatasecurity.de/query - HIER_DIRECT/92.51.171.68 -
>>
>> Also, when I run a NetStat grep, the result I get seems okay:
>>
>> squid:/home/netsnap # netstat -a | grep 443 -h
>> tcp 1 0 squid.squidoz:44358 a92-122-210-13:www-http CLOSE_WAIT
>> tcp 0 1 squid.squidoz:35443 ns236400.ovh.n:www-http SYN_SENT
>> tcp 1 0 squidoz:ndl-aas 192.168.50.2:34439 CLOSE_WAIT
>> tcp 1 0 squidoz:ndl-aas 192.168.50.2:34443 CLOSE_WAIT
>> tcp 1 0 squidoz:ndl-aas 192.168.50.2:34436 CLOSE_WAIT
>> tcp 1 0 squid.squidoz:44350 a92-122-210-13:www-http CLOSE_WAIT
>> tcp 1 0 squidoz:ndl-aas 192.168.50.2:34438 CLOSE_WAIT
>>
>>
>> Now the browsing is not really faster, just that pages like yahoo.com, gmail.com & such that you have to sign in to open pretty fast, but other pages crawl, to say the least, and if at all they open it just shows text and links without pictures, especially for sites like bbc.co.uk etc., and most times it brings this error message out:
>>
>> ERROR
>>
>> The requested URL could not be retrieved
>>
>> Die volgende fout is teëgekom tydens verkryging van die URL: http://www.speedtest.net/user-settings.php
>>
>> Verbinding na 93.184.219.82 het misluk
>>
>> Die stelsel het die volgende teruggestuur: (110) Connection timed out
>
> ===>> "Connection timed out"
>
>Squid hitting problems at the TCP data transfer stage.
>The DNS lookup stage has worked okay. The TCP setup stage (SYN/SYN-ACK)
>*seems* to have worked okay as well.
>
>>
>> I am not sure what exactly it is I am doing wrong! I am not even sure at this point if it is mikrotik or squid that is giving me the problem.
>
>
>I am suspecting one of these things happen:
>
>1) TCP is set up through the Mikrotik. Which loops it back at Squid.
> - forwarding loop by the router.
>
>2) TCP setup to WAN server but response data packets hit an MTU size,
>ECN or window scaling issue.
>
>3) TCP setup works fine, but response data packets get routed or
>firewalled differently somewhere.
>
>
>
>Squid box. The ClearOS settings themselves probably.
>
>* check the default gateway it is configured with is the WAN interface.
>
>* check that Squid outgoing IP address on connections uses the IP from
>NIC connected to the WAN.
>
>* check that the WAN connections from the Squid box are not routed via
>the Mikrotik in any way.
>
>
>Also, it may help simplify if the primary NIC was the one plugged into
>the WAN. It is usually the NIC chosen by default for route and IP
>address assignment. Plugging it in that way avoids having to explicitly
>set up routing rules to override the OS algorithms.
>
>
>Amos
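Added example, not part of either message in this thread: a small Python parser for Squid's native access.log format that summarises the lines quoted above. It counts result codes, measures how many direct (HIER_DIRECT) fetches ended as *_ABORTED with status 000 (no HTTP status line ever came back from the origin, which is the "TCP data transfer stage" failure Amos describes), and lists the distinct client addresses Squid saw. The field layout (time, elapsed ms, client, result/status, bytes, method, URL, ident, hierarchy/peer, type) is Squid's default native format; the sample lines are the ones from the quoted post, whitespace normalised; the thresholds in `findings()` are this example's own assumptions.

```python
"""Summarise a Squid native-format access.log to spot transfer-stage failures.

Added example for the thread above (not Squid project code). Squid's default
access_log format is, per line:
  time elapsed client result/status bytes method URL ident hierarchy/peer type
"""
from collections import Counter
from typing import Dict, List, NamedTuple

# Sample input: the six access.log lines quoted in the post above, with
# whitespace normalised. Every request arrives from 192.168.50.2, which the
# poster lists as the Mikrotik's "Ether3 to squid" address.
SAMPLE_LOG = """\
1394214401.152 103 192.168.50.2 TCP_MISS_ABORTED/000 0 GET http://facedakar.com/ - HIER_DIRECT/178.33.239.95 -
1394214401.216 0 192.168.50.2 TCP_IMS_HIT/304 285 GET http://www.fifa.com/imgml/worldcup/dots_03.png - HIER_NONE/- image/png
1394214401.255 96 192.168.50.2 TCP_MISS_ABORTED/000 0 GET http://facedakar.com/ - HIER_DIRECT/178.33.239.95 -
1394214401.363 101 192.168.50.2 TCP_MISS_ABORTED/000 0 GET http://facedakar.com/ - HIER_DIRECT/178.33.239.95 -
1394214401.473 102 192.168.50.2 TCP_MISS_ABORTED/000 0 GET http://facedakar.com/ - HIER_DIRECT/178.33.239.95 -
1394214401.502 982 192.168.50.2 TCP_MISS_ABORTED/000 0 POST http://dlarray-europ-secsrv021.gdatasecurity.de/query - HIER_DIRECT/92.51.171.68 -
"""


class Entry(NamedTuple):
    ts: float
    elapsed_ms: int
    client: str
    result: str      # Squid result code, e.g. TCP_MISS_ABORTED
    status: str      # HTTP status; "000" means no status line was received
    size: int
    method: str
    url: str
    hierarchy: str   # e.g. HIER_DIRECT, HIER_NONE
    peer: str        # origin/peer address, "-" when none was contacted


def parse_line(line: str) -> Entry:
    """Split one native-format line into its fields."""
    f = line.split()
    if len(f) < 10:
        raise ValueError(f"not a native-format access.log line: {line!r}")
    result, status = f[3].split("/", 1)
    hierarchy, peer = f[8].split("/", 1)
    return Entry(float(f[0]), int(f[1]), f[2], result, status,
                 int(f[4]), f[5], f[6], hierarchy, peer)


def parse_log(text: str) -> List[Entry]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def summarise(entries: List[Entry]) -> Dict[str, object]:
    """Aggregate result codes, client addresses and direct-fetch aborts."""
    direct = [e for e in entries if e.hierarchy == "HIER_DIRECT"]
    aborted = [e for e in direct
               if e.result.endswith("_ABORTED") and e.status == "000"]
    return {
        "total": len(entries),
        "results": dict(Counter(e.result for e in entries)),
        "clients": sorted({e.client for e in entries}),
        "direct": len(direct),
        "direct_aborted": len(aborted),
        "direct_abort_ratio": len(aborted) / len(direct) if direct else 0.0,
        "aborted_peers": sorted({e.peer for e in aborted}),
    }


def findings(summary: Dict[str, object], abort_threshold: float = 0.5) -> List[str]:
    """Turn the summary into plain-language observations (thresholds assumed)."""
    notes = []
    if summary["direct"] and summary["direct_abort_ratio"] >= abort_threshold:
        notes.append(
            f"{summary['direct_aborted']}/{summary['direct']} direct fetches ended "
            "ABORTED with status 000: TCP to the origin was set up but no response "
            "data arrived (check routing/MTU between the Squid box and the WAN)")
    if len(summary["clients"]) == 1:
        notes.append(
            f"all requests appear to come from {summary['clients'][0]}; Squid is "
            "seeing the router rather than the real clients, so per-client limits "
            "and logs on the Squid side cannot distinguish LAN hosts")
    return notes


if __name__ == "__main__":
    s = summarise(parse_log(SAMPLE_LOG))
    print(s["results"])
    for note in findings(s):
        print("-", note)
```

Run it against a real log with `summarise(parse_log(open("/var/log/squid/access.log").read()))`; a high direct-abort ratio to many different peers points at the Squid box's own egress path rather than at any one origin server, which is where Amos's three checklist items (default gateway, outgoing address, no return path via the Mikrotik) apply.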
Received on Sat Mar 08 2014 - 11:00:44 MST

This archive was generated by hypermail 2.2.0 : Sat Mar 08 2014 - 12:00:05 MST