There's only a small number of things you have to do to set up WCCPv2.

* configure/compile squid with the relevant transparent interception option.
  For you it's --enable-linux-netfilter IIRC.
* enable ip forwarding in linux
* create gre
* point GRE endpoint at your router's WCCPv2 routerid - use a loopback interface
  on the Cisco for now, that'll make it much, much more predictable as the wccpv2
  routerid is then always loopback id
* for ease of testing, make sure no iptables rules exist, then add:

  iptables -t nat -A PREROUTING -i <gre interface> -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

Adrian

On Sat, Feb 23, 2008, Ritter, Nicholas wrote:
> I am running a Cisco 2811 with 12.4(15)T3 Advanced Security IOS.
>
> The squid server is a custom built box with the following specs:
>
> Intel Core 2 Duo 2.2GHz
> 800MHz FSB
> 4GB RAM
> 250GB SATAII storage
>
> The squid server is intended to provide target caching of specific
> sites internally and servicing a 10/100 switched ethernet LAN with
> about 30 to 50 computers on it. Topologically the LAN is connected via a
> fractional T1, with the 2811 router serving as the gateway router which
> has a 4 port Etherswitch WIC installed. The LAN is plugged into
> FastEthernet 0/0.1 and the squid server is attached to one of the ports
> on the 4 port etherswitch card in the router. The LAN on FastEthernet
> 0/0.1 is a CIDR /23, and the subnet on the 4 port etherswitch card is a
> CIDR /24. Both subnets are in the same CIDR /16.
>
> I have confirmed so far that:
>
> 1) Redirection to 3128 from 80 from a client in the /23 is working fine.
> This was tested via pointing the browser settings to the squid server
> IP, but on port 80. This was done only after I did the same test on
> 3128.
>
> 2) I am seeing traffic come down the GRE tunnel to the squid server (via
> ifconfig on the squid server), and I am seeing the packets being
> redirected as noted on the router via 'sh ip wccp'
>
> 3) The squid server does not even see the stuff coming in when
> redirected via the router. When I shut off iptables and run tcpdump, I
> see the traffic redirected from the router, but running tcpdump with
> iptables enabled does not show the traffic.
>
> I am doing the redirection via an 'ip wccp web-cache redirect in'
> interface statement on the FastEthernet0/0.1 interface, although applying
> the same rule to other interfaces and directions has not changed the
> outcome.
>
> I have come to find that many of the transparent squid proxy guides on
> the Internet are either out of date or simply missing steps.
>
> Doesn't iptables need an additional masquerade or mangle rule(s)? Because
> of what I have seen so far, I now think the problem is with iptables.
>
>
> -----Original Message-----
> From: Adrian Chadd [mailto:adrian@xxxxxxxxxxxxxxx]
> Sent: Friday, February 22, 2008 6:35 PM
> To: Ritter, Nicholas
> Cc: squid-users@xxxxxxxxxxxxxxx
> Subject: Re: problem with wccp v2 and cisco
>
> On Fri, Feb 22, 2008, Ritter, Nicholas wrote:
> > Adrian-
> >
> > Thanks for the info.
> >
> > Question is, if I am listening with squid on port 80, do I still need
> > to run iptables? I thought iptables was only needed to do redirect
> > from port 80 to 3128 if squid was not or could not be run on port 80.
>
> No. The traffic being redirected via WCCPv2 just rewrites the next hop
> in the forwarding path; making it go down a GRE tunnel or rewriting the
> destination MAC address.
>
> The packet arriving at your cache still has the original
> source/destination.
> iptables/etc is needed to redirect packets destined for ANYHOST:80 to
> LOCALHOST:3128.
>
> > Does anyone happen to know which Cisco IOS versions work with WCCP v2 and
> > squid? I find people saying it is buggy and to start with a known
> > working version and work your way up to a needed release, but I can't
> > seem to confirm a known working version.
>
> What's your hardware?
>
>
> Adrian
>
> --
> - Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
> - $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -

--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -
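
The Linux-side steps from the list at the top of this message (ip forwarding, GRE tunnel to the router ID, REDIRECT rule on the GRE interface), as an added shell example that is not part of the original thread. The interface name wccp0, the function names, the /32 tunnel address and the 192.0.2.x addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: wccp0 for the GRE
# interface, and constructed documentation addresses in the dry run below.

is_ipv4() {
    # Accept only dotted quads whose four octets are each 0-255.
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# wccp_cmds ROUTER_ID LOCAL_IP [GRE_IF] [SQUID_PORT]
# Prints the commands in order; arguments are validated first because the
# output is meant to be fed to a root shell.
wccp_cmds() {
    router_id=$1 local_ip=$2 gre_if=${3:-wccp0} squid_port=${4:-3128}
    is_ipv4 "$router_id" || { echo "bad router id: $router_id" >&2; return 2; }
    is_ipv4 "$local_ip" || { echo "bad local ip: $local_ip" >&2; return 2; }
    case $gre_if in
        ''|*[!A-Za-z0-9_.-]*) echo "bad interface name" >&2; return 2 ;;
    esac
    case $squid_port in
        ''|*[!0-9]*) echo "bad port" >&2; return 2 ;;
    esac
    [ "$squid_port" -ge 1 ] && [ "$squid_port" -le 65535 ] ||
        { echo "port out of range" >&2; return 2; }
    # REDIRECT lives in the nat table and rewrites the destination to the
    # incoming interface's primary address, so the GRE interface is given
    # one (reusing the cache's own IP as a /32 is an assumption).
    # Matching on -i keeps interception limited to tunnelled traffic.
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
ip tunnel add $gre_if mode gre remote $router_id local $local_ip
ip addr add $local_ip/32 dev $gre_if
ip link set $gre_if up
iptables -t nat -A PREROUTING -i $gre_if -p tcp -m tcp --dport 80 -j REDIRECT --to-ports $squid_port
EOF
}

# Apply for real (needs root); stops at the first failing command.
wccp_apply() {
    cmds=$(wccp_cmds "$@") || return
    printf '%s\n' "$cmds" | sh -e
}

# Dry run with constructed addresses: router loopback, then the cache's own IP.
wccp_cmds 192.0.2.1 192.0.2.10
```

After applying, `iptables -t nat -L PREROUTING -v -n` shows per-rule packet counters, which tell you whether tunnelled traffic is reaching the REDIRECT rule.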