I have Squid which is later stable version on lenny (newest Debian release).
Here's full output according to my version:

Squid Cache: Version 3.0.STABLE8
configure options: '--build=i486-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--disable-maintainer-mode' '--disable-dependency-tracking' '--srcdir=.' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--with-cppunit-basedir=/usr' '--enable-inline' '--enable-async-io=8' '--enable-storeio=ufs,aufs,coss,diskd,null' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth=basic,digest,ntlm' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,getpwnam,multi-domain-NTLM' '--enable-ntlm-auth-helpers=SMB' '--enable-digest-auth-helpers=ldap,password' '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group' '--with-filedescriptors=65536' '--with-default-user=proxy' '--enable-epoll' '--enable-linux-netfilter' 'build_alias=i486-linux-gnu' 'CC=cc' 'CFLAGS=-g -O2 -g -Wall -O2' 'LDFLAGS=' 'CPPFLAGS=' 'CXX=g++' 'CXXFLAGS=-g -O2 -g -Wall -O2' 'FFLAGS=-g -O2'

On 15 August 2009 04:40, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> Sławomir Kozłowski wrote:
>>
>> Hi,
>> I have one little problem with squid. I use squid now as configured
>> manually, but can't force it to work in transparent mode.
>
> So first Q: __what version of squid__ ???
>
> Debian has somewhere between 9 and a few hundred Squid versions currently
> in-use depending on how recently you upgraded and which Debian release you
> have.
>
> "squid -v" should give some indication what version it is.
>
>
>> My whole config is:
>> 1. network
>>
>> {internet} -> router cisco 2821 (with 2 vlans) -> switch -> client is
>> on vlan 201, squid is on vlan 2
>>
>> 2. cisco config: FastEthernet0/0 is external interface with direct
>> connection to the Internet, with external IP address (77.77.77.12 is
>> fake), FastEthernet0/1.201 is vlan interface with all clients,
>> FastEthernet0/1.2 is vlan interface with squid machine in it
>>
>> ip wccp web-cache
>> ip cef
>>
>> interface FastEthernet0/0
>>  ip address 77.77.77.12 255.255.255.224
>>  ip nat outside
>>  ip virtual-reassembly
>>  duplex auto
>>  speed auto
>>
>> interface FastEthernet0/1.2
>>  encapsulation dot1Q 201
>>  ip address 192.168.2.1 255.255.255.0
>>  ip nat inside
>>  ip virtual-reassembly
>>  no ip mroute-cache
>>  no snmp trap link-status
>>
>> interface FastEthernet0/1.201
>>  encapsulation dot1Q 201
>>  ip address 192.168.201.1 255.255.255.0
>>  ip wccp web-cache redirect out
>>  ip wccp web-cache redirect in
>>  ip nat inside
>>  ip virtual-reassembly
>>  no ip mroute-cache
>>  no snmp trap link-status
>>
>> 3. network config on machine with squid
>>
>> iface eth0 inet static
>>         address 192.168.2.243
>>         netmask 255.255.255.0
>>         network 192.168.2.0
>>         broadcast 192.168.2.255
>>         gateway 192.168.2.1
>>
>> 4. squid config
>>
>> wccp2_router 77.77.77.12
>> wccp2_forwarding_method 1
>> wccp2_return_method 1
>> wccp2_service standard 0
>> access_log /var/log/squid3/access.log
>> http_port 3128 transparent
>> acl blocksites url_regex "/etc/squid3/blocked-sites.acl"
>> http_access deny blocksites
>
> Your life will be easier, and your log emptier if you place the "transparent"
> option on a different port to which you get normal proxy requests.
> I recommend 3129 or such. Then firewall that port from any direct contact
> with devices other than the router. (but do the firewall bit later once you
> have WCCP working to be sure).
>
>>
>> 5. iptables config
>>
>> $iptables -F
>> $iptables -X
>> $iptables -F -t nat
>> $iptables -F -t mangle
>> $iptables -t nat -A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j
>> REDIRECT --$
>
> You may also need a POSTROUTING -j MASQUERADE rule to unwind the reply
> packets Squid->Client.
>
>>
>> 6. tunnel config
>>
>> /sbin/ip tunnel add wccp0 mode gre remote 77.77.77.12 local
>> 192.168.2.243 dev eth0;
>> /sbin/ifconfig wccp0 192.168.2.243 netmask 255.255.255.255 up
>> /sbin/sysctl -w net.ipv4.conf.wccp0.rp_filter=0 ;
>> /sbin/sysctl -w net.ipv4.conf.eth0.rp_filter=0 ;
>>
>> Now, the problem. If I configure manually proxy on client all is
>> working fine. When I remove the proxy configuration from the browser,
>> then I cannot access any webpage.
>> I did some debug, and when I run tcpdump for wccp0 interface, and try
>> to access some webpage on client (squid in transparent mode) then I
>> see that some packets on the wccp0 interface, but no page is loading.
>> Also on cisco router, when I run: sh ip wccp web-cache I get:
>>
>> Global WCCP information:
>>     Router information:
>>         Router Identifier:                   192.168.201.1
>>         Protocol Version:                    2.0
>>
>>     Service Identifier: web-cache
>>         Number of Cache Engines:             1
>>         Number of routers:                   1
>>         Total Packets Redirected:            2089
>>           Process:                           116
>>           Fast:                              0
>>           CEF:                               1973
>>         Redirect access-list:                -none-
>>         Total Packets Denied Redirect:       0
>>         Total Packets Unassigned:            139
>>         Group access-list:                   -none-
>>         Total Messages Denied to Group:      0
>>         Total Authentication failures:       0
>>         Total Bypassed Packets Received:     0
>>
>> and when I run: sh ip wccp web-cache detail I get:
>> WCCP Cache-Engine information:
>>         Web Cache ID:          192.168.2.243
>>         Protocol Version:      2.0
>>         State:                 Usable
>>         Initial Hash Info:     00000000000000000000000000000000
>>                                00000000000000000000000000000000
>>         Assigned Hash Info:    FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>>                                FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>>         Hash Allotment:        256 (100.00%)
>>         Packets Redirected:    5
>>         Connect Time:          05:42:44
>>         Bypassed Packets
>>           Process:             0
>>           Fast:                0
>>           CEF:                 0
>>
>> So, please help me set this up as transparent proxy.
>> Thanks in advance,
>> Slawek
>
> In 4. squid config you specify:
> >> wccp2_router 77.77.77.12
>
> In 6. tunnel config you specify:
>   gre remote 77.77.77.12
>
> yet WCCP indicates:
>   Router Identifier: 192.168.201.1
>
> I think your gre tunnel is probably going to the wrong IP.
> To check, try adding a gre tunnel from the Squid box to all of the router
> IPs and seeing which one gets traffic.
>
>
> Amos
> --
> Please be using
>   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
>   Current Beta Squid 3.1.0.13
>

--
http://www.torli.pl/
email: kozlowski@xxxxxxxx, tel.: 605-529-500
- managed websites
- website traffic analysis
- content analysis
- Google technologies
-
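
Added example, not part of the original thread: a shell check for the mismatch Amos points out, comparing the Router Identifier in the router's WCCP output with the GRE tunnel's remote address and the wccp2_router line in squid.conf. It assumes the router sources redirected GRE packets from its Router Identifier; the function names and the embedded sample inputs are constructed from values quoted in the thread.

```shell
#!/bin/sh
# Added example. Inputs are constructed from the values quoted in the thread.
ROUTER_OUT='Global WCCP information:
    Router information:
        Router Identifier:                   192.168.201.1
        Protocol Version:                    2.0'
SQUID_CONF='wccp2_router 77.77.77.12
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0'
TUNNEL_CMD='/sbin/ip tunnel add wccp0 mode gre remote 77.77.77.12 local 192.168.2.243 dev eth0'

# Router Identifier from "show ip wccp web-cache" output.
router_id() {
    printf '%s\n' "$1" | awk '/Router Identifier:/ {print $NF; exit}'
}

# "remote" address from an "ip tunnel add ... mode gre" command line.
gre_remote() {
    printf '%s\n' "$1" |
        awk '{for (i = 1; i < NF; i++) if ($i == "remote") {print $(i + 1); exit}}'
}

# wccp2_router addresses from squid.conf text, one per line.
squid_routers() {
    printf '%s\n' "$1" | awk '$1 == "wccp2_router" {print $2}'
}

# Args: router output, squid.conf text, tunnel command.
# Returns 1 when the GRE remote is not the Router Identifier (assumption:
# the router sources redirected GRE packets from that address).
check_wccp() {
    rid=$(router_id "$1")
    remote=$(gre_remote "$3")
    status=0
    if [ "$remote" != "$rid" ]; then
        echo "MISMATCH: GRE remote $remote, Router Identifier $rid"
        status=1
    fi
    for r in $(squid_routers "$2"); do
        # Informational only: registration can still succeed on this address.
        [ "$r" = "$rid" ] || echo "note: wccp2_router $r is not the Router Identifier"
    done
    return $status
}

# Confirm on the wire which source the GRE (IP protocol 47) packets carry:
#   tcpdump -ni eth0 ip proto 47
check_wccp "$ROUTER_OUT" "$SQUID_CONF" "$TUNNEL_CMD" || echo "-> verify the GRE source address"
```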