Search squid archive

Re: [squid-users] Re: Re: Re: Re: WCCP + squid 2.5-STABLE7 + linux 2.6.10

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

At 02:14 p.m. 25/02/2005, Jesse Guardiani wrote:
Henrik Nordstrom wrote:

> On Thu, 24 Feb 2005, Jesse Guardiani wrote:
>
>> I don't think it is anymore. It seems like the packets are just
>> dissappearing after they hit my iptables rule. I tried placing OUTPUT and
>> POSTROUTING LOG rules around the NAT table, and their hit counters
>> increment if I hit the cache directly from a web browser, but if I hit it
>> transparently the packet just dissappears after the REDIRECT to port
>> 3128.
>
> Try using DNAT instead of REDIRECT.

I thought you might say that, so I tried it with DNAT earlier in the day.
I tried destination addresses 192.168.10.2 (my ip alias on eth0:22) and
192.168.1.2 (my "real" eth0 ip). Neither worked. Here's an example of the
latter:

# iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 425 packets, 61769 bytes)
pkts bytes target prot opt in out source destination
43 2580 DNAT tcp -- gre1 any anywhere anywhere tcp dpt:www to:192.168.1.2:3128


Do you see anything wrong with the above?

I'm starting to think that something is wrong with linux's gre WCCP
decapsulation. That's why I keep asking if anyone actually has
this working on my kernel and my squid. But I guess, judging from
the silence, that nobody has it working yet.

Is there a better alternative to WCCP? I'm particularly interested
in the fail-over feature. I'd hate for my user's internet access
to go down just because my squid server rebooted.


No need. I can confirm it does work, but it does need to be set up in a specific way.

I have been using 2.6 series right the way through, now running 2.6.11-rc5, and switched to using the gre tunnel method when it became supported by the Linux kernel. ip_wccp is good, but it is not in the kernel and it's a lot easier to just use a GRE tunnel built into the kernel instead.
If you wish to use ip_wccp, I suggest you start by getting this config below to work properly first, and then change to ip_wccp and then take down the GRE interface, start from a position of it working before you start experimenting ;) The router config and squid config would be the same, the iptables config is slightly different though.



Router config: --------------

* My router is running 12.3(11)T3. BE CAREFUL, some versions of IOS do NOT work without also turning off CEF and/or fast switching, although most recent ones do work OK. Stick to a stable (non T or branch) release if you can, such as latest 12.2 or 12.3.

interface Ethernet0
  ip address 192.168.0.1 255.255.255.0
  ip wccp web-cache redirect in

interface Loopback0
 ip address 172.16.1.5 255.255.255.252
end

(Note the loopback IP range matches that on the GRE tunnel on my linux box)


Linux box core config: -----------------

/etc/sysconfig/network-scripts/ifcfg-gre0

DEVICE=gre0
BOOTPROTO=static
IPADDR=172.16.1.6
NETMASK=255.255.255.252
ONBOOT=yes
IPV6INIT=no


iptables config: ----------------

iptables -A PREROUTING -s 192.168.0.0/255.255.0.0 -d ! 192.168.0.0/255.255.0.0 -i gre0 -p tcp -m tcp --dport 80 -j DNAT --to 192.168.0.3:3128

This makes sure that traffic from 192.168.0.0/255.255.0.0 destined for 192.168.0.0/255.255.0.0 is not redirected to the cache.


Squid config: -------------

wccp_router 192.168.0.1
wccp_version 4
wccp_outgoing_address 192.168.0.3   <<---- I have two IP addresses on this box


I'm not sure if it is optimal or not, but it works with every squid version I have ever tried. If I remember correctly, some of these instructions came from a page by Joe Cooper @ Swelltech, but I can't put my hands on it right now.


Hope this helps.

reuben




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux