I ran into this issue too. What I did for IM clients was run the Dante SOCKS server and have my LAN clients configured to use the proxy server to connect. As for SSL, try marking every packet as it comes in and rerouting it out over the same interface it came in on; that way the sessions will stay persistent over a single interface.

-charlie

-----Original Message-----
From: lartc-bounces@xxxxxxxxxxxxxxx [mailto:lartc-bounces@xxxxxxxxxxxxxxx] On Behalf Of Denny Zulfikar
Sent: Friday, February 09, 2007 1:15 AM
To: lartc@xxxxxxxxxxxxxxx
Subject: trouble https multiple uplinks... how?

Hello, my name is Denny. I am new on this list.

I am trying to use multiple uplinks as described in the LARTC documentation (http://lartc.org/howto/lartc.rpdb.multiple-links.html) with a Squid transparent proxy on my gateway server. Let me draw the configuration:

               /-----------------\
-----DSL1-----|                   |
              | Transparent proxy |----Local network
-----DSL2-----|                   |
               \-----------------/

IP DSL1       : 172.17.1.2/30
IP DSL2       : 172.18.1.2/30
IP eth1(DSL1) : 172.17.1.1/30
IP eth2(DSL2) : 172.18.1.1/30
Local network : 10.14.1.0/24

Each DSL link's rate is 384 kbps downlink and 128 kbps uplink.

My ip route setting:
------------
ip route add equalize scope global \
    nexthop via 172.17.1.2 dev eth1 weight 1 \
    nexthop via 172.18.1.2 dev eth2 weight 1
------------

My iptables setting:
------------
# proxy redirect
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128

# postrouting
iptables -t nat -A POSTROUTING -j SNAT -o eth1 --to-source 172.17.1.1
iptables -t nat -A POSTROUTING -j SNAT -o eth2 --to-source 172.18.1.1
------------

Squid config:
------------
visible_hostname my_isp.net
icp_port 0
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
cache_mem 512 MB
cache_replacement_policy heap GDSF
memory_replacement_policy heap GDSF
cache_dir ufs /cache 6000 14 256
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl localnet src 10.14.1.0/255.255.255.0
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow localhost
http_access allow localnet
http_access allow manager localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
cache_mgr cache-me
cache_effective_user squid
cache_effective_group squid
logfile_rotate 0
log_icp_queries off
buffered_logs on
half_closed_clients off
maximum_object_size 2048 KB
------------

All configuration works. I can browse most websites. But I have another problem when implementing this multiple-uplinks method.

1. Messenger tools like YM disconnect and try to reconnect every 3-5 minutes. It always happens.
2. HTTPS for Hotmail/MSN always errors. "The connection was reset" always appears in Mozilla Firefox. But it never happens with Yahoo Mail and Gmail (HTTPS).
3. MSN Messenger never connects successfully.

All these problems never happen when I use conventional routing with only one gateway.

After searching articles on the internet, I tried marking each connection for MSN Messenger via only one gateway. This is my solution using iptables:
----------
iptables -t mangle -A PREROUTING -p tcp --dport 443 -j MARK --set-mark 0x10
iptables -t mangle -A PREROUTING -p tcp --dport 1863:1864 -j MARK --set-mark 0x10
iptables -t nat -A POSTROUTING -m mark --mark 0x10 -j SNAT -o eth1 --to-source 172.17.1.2
----------

It works!! My MSN Messenger is able to connect now, but it always disconnects every 3-5 minutes.

I tried the same way to fix my YM problem: marking the YM port and postrouting the traffic to eth1. But it did not solve my problem. YM always connects/disconnects every 5 minutes (problem number 1).

Another problem: why does MSN/Hotmail webmail always refuse my connection? (problem number 2)

Maybe somebody has an idea how to solve this problem? I feel I will give up soon... :(

Thanks a lot for your information and help.. :)

best regards,
Denny Zulfikar

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
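Charlie's suggestion above (mark each connection and keep it on the uplink it first used) written out as an added example; this is not code from the original thread. With a per-packet multipath route and a different SNAT address per uplink, the packets of one TCP connection can leave through both DSL links with two different source addresses, which is what the HTTPS and IM sessions described in the thread cannot survive. The rules below use CONNMARK to record which uplink handled the first packet of every connection (the interface a new inbound connection arrived on, or the interface the multipath route picked for a new outbound one) and fwmark-based ip rules so every later packet, including the gateway's own replies and Squid's traffic, follows the same uplink. It covers what Denny's per-port MARK/SNAT rules attempt for MSN, but for every connection rather than a port list, so it replaces those rules (MARK --set-mark overwrites the whole mark, so the 0x10 rules must be removed, and the mangle chains flushed, before applying this). Addresses and interface names come from the mail; the routing table IDs, mark values, rule preferences and the function name are assumptions. The script prints the commands instead of executing them; review the output and pipe it into sh as root on the gateway.

```shell
#!/bin/sh
# Added example, not from the original LARTC thread: sticky per-connection
# routing across two uplinks with CONNMARK. Values marked "assumed" are not
# in the original mail.

LAN_NET=10.14.1.0/24                               # from the mail
DSL1_IF=eth1; DSL1_GW=172.17.1.2; DSL1_IP=172.17.1.1   # from the mail
DSL2_IF=eth2; DSL2_GW=172.18.1.2; DSL2_IP=172.18.1.1   # from the mail
T1=1;   T2=2                                       # assumed routing table IDs
M1=0x1; M2=0x2                                     # assumed fwmark values

# Emits the ip/iptables commands on stdout. Apply with:
#   gen_sticky_routing_rules | sudo sh
gen_sticky_routing_rules() {
    cat <<EOF
# One routing table per uplink. The multipath default route in "main" stays
# in place: it is consulted only for the first packet of a new outbound
# connection, which has no mark yet.
ip route add default via $DSL1_GW dev $DSL1_IF table $T1
ip route add default via $DSL2_GW dev $DSL2_IF table $T2
# LAN-bound packets (replies being forwarded back) must never be sent to an
# uplink, whatever mark they carry, so "main" wins for them first.
ip rule add to $LAN_NET lookup main pref 100
ip rule add fwmark $M1 lookup $T1 pref 200
ip rule add fwmark $M2 lookup $T2 pref 201

# 1. Every packet first inherits the mark stored on its connection. OUTPUT
#    covers packets the gateway generates itself (Squid, replies to inbound).
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT     -j CONNMARK --restore-mark
# 2. A new connection arriving from an uplink is pinned to that uplink, so
#    the reply leaves the way the request came in.
iptables -t mangle -A PREROUTING -i $DSL1_IF -m mark --mark 0 -j MARK --set-mark $M1
iptables -t mangle -A PREROUTING -i $DSL2_IF -m mark --mark 0 -j MARK --set-mark $M2
iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j CONNMARK --save-mark
# 3. A new outbound connection: remember which uplink the multipath route
#    chose for its first packet; later packets hit the fwmark rules above.
iptables -t mangle -A POSTROUTING -o $DSL1_IF -m connmark --mark 0 -j CONNMARK --set-mark $M1
iptables -t mangle -A POSTROUTING -o $DSL2_IF -m connmark --mark 0 -j CONNMARK --set-mark $M2
# SNAT per uplink as in the original mail. The source address now stays
# fixed for the life of each connection because the uplink does.
iptables -t nat -A POSTROUTING -o $DSL1_IF -j SNAT --to-source $DSL1_IP
iptables -t nat -A POSTROUTING -o $DSL2_IF -j SNAT --to-source $DSL2_IP
EOF
}

# Sanity check that can run without root: the rule text for a given uplink
# must reference that uplink's interface, gateway and SNAT address.
rules_mention_uplink() {
    gen_sticky_routing_rules | grep -q -- "dev $1 table" &&
    gen_sticky_routing_rules | grep -q -- "-o $1 -j SNAT --to-source $2"
}

if [ "${1:-}" = "--print" ]; then
    gen_sticky_routing_rules
fi
```

Two things to check after applying it: `ip rule show` should list the LAN rule before the two fwmark rules, and `iptables -t mangle -L -v -n` should show packet counts on the `--save-mark` and `--set-mark` lines only for new connections, with the `--restore-mark` counters growing for everything else. The `to $LAN_NET lookup main` rule is what keeps forwarded replies off the uplinks; if the gateway has other directly connected networks, give them the same treatment.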