Sławomir Kozłowski wrote:
Hi,
I have one little problem with squid. I use squid now as configured
manually, but can't force it to work in transparent mode.
So first Q: __what version of squid__ ???
Debian has somewhere between 9 and a few hundred Squid versions
currently in-use depending on how recently you upgraded and which Debian
release you have.
"squid -v" should give some indication what version it is.
My whole config is:
1. network
{internet} -> router cisco 2821 (with 2 vlans) -> switch -> client is
on vlan 201, squid is on vlan 2
2. cisco config: FastEthernet0/0 is external interface with direct
connection to the Internet, with external IP address (77.77.77.12 is
fake), FastEthernet0/1.201 is vlan interface with all clients,
FastEthernet0/1.2 is vlan interface with squid machine in it
ip wccp web-cache
ip cef
interface FastEthernet0/0
 ip address 77.77.77.12 255.255.255.224
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
interface FastEthernet0/1.2
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip mroute-cache
 no snmp trap link-status
interface FastEthernet0/1.201
 encapsulation dot1Q 201
 ip address 192.168.201.1 255.255.255.0
 ip wccp web-cache redirect out
 ip wccp web-cache redirect in
 ip nat inside
 ip virtual-reassembly
 no ip mroute-cache
 no snmp trap link-status
3. network config on machine with squid
iface eth0 inet static
    address 192.168.2.243
    netmask 255.255.255.0
    network 192.168.2.0
    broadcast 192.168.2.255
    gateway 192.168.2.1
4. squid config
wccp2_router 77.77.77.12
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0
access_log /var/log/squid3/access.log
http_port 3128 transparent
acl blocksites url_regex "/etc/squid3/blocked-sites.acl"
http_access deny blocksites
Your life will be easier, and your log emptier, if you place the
"transparent" option on a different port to the one on which you get normal
proxy requests.
I recommend 3129 or such. Then firewall that port from any direct
contact with devices other than the router. (but do the firewall bit
later once you have WCCP working to be sure).
5. iptables config
$iptables -F
$iptables -X
$iptables -F -t nat
$iptables -F -t mangle
$iptables -t nat -A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j REDIRECT --$
You may also need a POSTROUTING -j MASQUERADE rule to unwind the reply
packets Squid->Client.
6. tunnel config
/sbin/ip tunnel add wccp0 mode gre remote 77.77.77.12 local 192.168.2.243 dev eth0
/sbin/ifconfig wccp0 192.168.2.243 netmask 255.255.255.255 up
/sbin/sysctl -w net.ipv4.conf.wccp0.rp_filter=0
/sbin/sysctl -w net.ipv4.conf.eth0.rp_filter=0
Now, the problem. If I manually configure the proxy on the client, all is
working fine. When I remove the proxy configuration from the browser,
then I cannot access any webpage.
I did some debugging, and when I run tcpdump on the wccp0 interface and try
to access some webpage from the client (squid in transparent mode), then I
see some packets on the wccp0 interface, but no page is loading.
Also on the cisco router, when I run: sh ip wccp web-cache I get:
Global WCCP information:
    Router information:
        Router Identifier:                   192.168.201.1
        Protocol Version:                    2.0
    Service Identifier: web-cache
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            2089
          Process:                           116
          Fast:                              0
          CEF:                               1973
        Redirect access-list:                -none-
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            139
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0
and when I run: sh ip wccp web-cache detail I get:
WCCP Cache-Engine information:
    Web Cache ID:          192.168.2.243
    Protocol Version:      2.0
    State:                 Usable
    Initial Hash Info:     00000000000000000000000000000000
                           00000000000000000000000000000000
    Assigned Hash Info:    FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                           FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    Hash Allotment:        256 (100.00%)
    Packets Redirected:    5
    Connect Time:          05:42:44
    Bypassed Packets
      Process:             0
      Fast:                0
      CEF:                 0
So, please help me set this up as transparent proxy.
Thanks in advance,
Slawek
In 4. squid config you specify:
> wccp2_router 77.77.77.12
In 6. tunnel config you specify:
> gre remote 77.77.77.12
yet WCCP indicates:
> Router Identifier: 192.168.201.1
I think your gre tunnel is probably going to the wrong IP.
To check, try adding a gre tunnel from the Squid box to all of the
router IPs and seeing which one gets traffic.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
Current Beta Squid 3.1.0.13
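The check Amos describes, as an added example that is not from the thread: a small sh script that pulls the three addresses involved (wccp2_router from squid.conf, the GRE remote from `ip tunnel show`, and the Router Identifier from the IOS `sh ip wccp web-cache` output) and reports whether the tunnel's remote matches the Router Identifier, which is the source address IOS uses for the GRE-encapsulated redirects. The sample inputs are constructed to mirror the values posted above; the helper names are my own.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed sample inputs that mirror the
# values posted above; on a real box you would feed in /etc/squid3/squid.conf,
# `ip tunnel show` and the pasted `sh ip wccp web-cache` output instead.
SQUID_CONF='wccp2_router 77.77.77.12
wccp2_forwarding_method 1
http_port 3129 transparent'
# `ip tunnel show` line for the GRE tunnel as created in step 6 (remote = the
# router's external address).
TUNNEL_SHOW='wccp0: gre/ip remote 77.77.77.12 local 192.168.2.243 dev eth0 ttl inherit'
# Same tunnel recreated with remote = the Router Identifier IOS reported.
TUNNEL_SHOW_FIXED='wccp0: gre/ip remote 192.168.201.1 local 192.168.2.243 dev eth0 ttl inherit'
ROUTER_SHOW='Global WCCP information:
Router information:
Router Identifier: 192.168.201.1
Protocol Version: 2.0'

# Address Squid sends WCCP HERE_I_AM messages to (wccp2_router in squid.conf).
squid_router() {
  printf '%s\n' "$1" | awk '$1 == "wccp2_router" { print $2; exit }'
}

# Remote endpoint of the named GRE tunnel, parsed from `ip tunnel show` output.
gre_remote() {
  printf '%s\n' "$2" | awk -v t="$1:" '
    $1 == t { for (i = 1; i <= NF; i++) if ($i == "remote") { print $(i + 1); exit } }'
}

# Router Identifier from the IOS `show ip wccp web-cache` output; redirected
# packets are GRE-encapsulated with this address as their source.
router_id() {
  printf '%s\n' "$1" | awk -F': *' '/Router Identifier/ { print $2; exit }'
}

# Returns 0 when the tunnel remote matches the Router Identifier, 1 otherwise.
# A wccp2_router that differs from the Router Identifier is only reported,
# since the control channel (HERE_I_AM / I_SEE_YOU) can use any router address.
check_wccp_consistency() {
  sq=$(squid_router "$1"); gre=$(gre_remote "$2" "$3"); rid=$(router_id "$4")
  [ "$sq" = "$rid" ] || echo "note: wccp2_router is $sq, Router Identifier is $rid"
  if [ "$gre" != "$rid" ]; then
    echo "MISMATCH: $2 remote is $gre but redirected GRE traffic will come from $rid"
    return 1
  fi
  echo "OK: $2 remote $gre matches Router Identifier $rid"
  return 0
}

check_wccp_consistency "$SQUID_CONF" wccp0 "$TUNNEL_SHOW" "$ROUTER_SHOW" \
  || echo "fix: ip tunnel change wccp0 remote $(router_id "$ROUTER_SHOW")"
```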