I am running a Cisco 2811 with 12.4(15)T3 Advanced Security IOS. The squid server is a custom built box with the following specs:

Intel Core 2 Duo 2.2GHz 800MHz FSB
4GB RAM
250GB SATAII storage

The squid server is intended to provide targeted caching of specific sites internally and to service a 10/100 switched ethernet LAN with about 30 to 50 computers on it.

Topologically the LAN is connected via a fractional T1, with the 2811 router serving as the gateway router, which has a 4 port Etherswitch WIC installed. The LAN is plugged into FastEthernet 0/0.1 and the squid server is attached to one of the ports on the 4 port etherswitch card in the router. The LAN on FastEthernet 0/0.1 is a CIDR /23, and the subnet on the 4 port etherswitch card is a CIDR /24. Both subnets are in the same CIDR /16.

I have confirmed so far that:

1) Redirection to 3128 from 80 from a client in the /23 is working fine. This was tested by pointing the browser settings to the squid server IP, but on port 80. This was done only after I did the same test on 3128.

2) I am seeing traffic come down the GRE tunnel to the squid server (via ifconfig on the squid server), and I am seeing the packets being redirected as noted on the router via 'sh ip wccp'.

3) The squid server does not even see the stuff coming in when redirected via the router. When I shut off iptables and run tcpdump, I see the traffic redirected from the router, but running tcpdump with iptables enabled does not show the traffic.

I am doing the redirection via an 'ip wccp web-cache redirect in' interface statement on the FastEthernet0/0.1 interface, although applying the same rule to other interfaces and directions has not changed the outcome.

I have come to find that many of the transparent squid proxy guides on the Internet are either out of date or simply missing steps. Doesn't iptables need an additional masquerade or mangle rule(s)? Because of what I have seen so far, I now think the problem is with iptables.
-----Original Message-----
From: Adrian Chadd [mailto:adrian@xxxxxxxxxxxxxxx]
Sent: Friday, February 22, 2008 6:35 PM
To: Ritter, Nicholas
Cc: squid-users@xxxxxxxxxxxxxxx
Subject: Re: problem with wccp v2 and cisco

On Fri, Feb 22, 2008, Ritter, Nicholas wrote:
> Adrian-
>
> Thanks for the info.
>
> Question is, if I am listening with squid on port 80, do I still need
> to run iptables? I thought iptables was only needed to do redirect
> from port 80 to 3128 if squid was not or could not be run on port 80.

No. The traffic being redirected via WCCPv2 just rewrites the next hop in the forwarding path, making it go down a GRE tunnel or rewriting the destination MAC address. The packet arriving at your cache still has the original source/destination. iptables/etc is needed to redirect packets destined for ANYHOST:80 to LOCALHOST:3128.

> Does anyone happen to know which Cisco IOS versions work with WCCP v2 and
> squid? I find people saying it is buggy and to start with a known
> working version and work your way up to a needed release, but I can't
> seem to confirm a known working version.

What's your hardware?

Adrian

--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -
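The point Adrian makes above (WCCPv2 only changes the next hop; the packet that comes out of the GRE tunnel is still addressed to ANYHOST:80, so the cache host's own netfilter rules have to redirect it to the Squid port) as an added example, not code from the thread or from the Squid project. It is the cache-side Linux setup in the shape the original poster was missing: terminate the GRE tunnel, let protocol 47 and the Squid port through the filter table, and add the nat PREROUTING REDIRECT. The router and cache addresses, the `wccp0` and `eth0` interface names and the `DRY_RUN` switch are all assumptions made for the example.

```shell
# Added example (not from the thread): cache-side setup for WCCPv2 + GRE
# transparent Squid. Addresses and interface names are assumed placeholders.
ROUTER_IP=${ROUTER_IP:-192.0.2.1}    # assumed: WCCP router id (the 2811)
CACHE_IP=${CACHE_IP:-192.0.2.10}     # assumed: address of the Squid box
PHYS_IF=${PHYS_IF:-eth0}             # assumed: NIC facing the router
GRE_IF=${GRE_IF:-wccp0}              # assumed: name for the tunnel interface
SQUID_PORT=${SQUID_PORT:-3128}

# Print each command instead of executing it when DRY_RUN=1, so the rule
# set can be reviewed (or tested) without root.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1. Terminate the GRE tunnel the router builds to the cache.
wccp_tunnel() {
  run ip tunnel add "$GRE_IF" mode gre remote "$ROUTER_IP" local "$CACHE_IP" dev "$PHYS_IF"
  run ip link set "$GRE_IF" up
  # Redirected packets carry the client's source address, which the cache
  # would not route back over the tunnel; reverse-path filtering would
  # otherwise silently drop them.
  run sysctl -w "net.ipv4.conf.$GRE_IF.rp_filter=0"
}

# 2. Filter table: accept the GRE encapsulation from the router and TCP
#    connections to the Squid port arriving from the tunnel. Without the
#    protocol-47 rule a default-deny INPUT chain drops the tunnel payload.
wccp_filter() {
  run iptables -A INPUT -p gre -s "$ROUTER_IP" -j ACCEPT
  run iptables -A INPUT -i "$GRE_IF" -p tcp --dport "$SQUID_PORT" -j ACCEPT
}

# 3. The rule the thread is about: packets leave the tunnel still addressed
#    to ANYHOST:80, so nat/PREROUTING must redirect them to LOCALHOST:3128.
wccp_nat() {
  run iptables -t nat -A PREROUTING -i "$GRE_IF" -p tcp --dport 80 \
      -j REDIRECT --to-ports "$SQUID_PORT"
}

wccp_all() { wccp_tunnel; wccp_filter; wccp_nat; }

# Review helper: does the generated rule set contain the REDIRECT rule?
has_redirect_rule() {
  ( DRY_RUN=1; wccp_all ) | grep -qF -- "-t nat -A PREROUTING -i $GRE_IF -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT"
}
```

Call `wccp_all` as root to apply the rules, or set `DRY_RUN=1` first to print them for review. Squid itself must be told that connections on that port are intercepted ones (`http_port 3128 transparent` in Squid 2.6/2.7), otherwise it receives the redirected connections but cannot reconstruct the original request.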