Amos, Henrik,

"http_access allow to_ipv6 !to_ipv6" did work, squid now seems to work as required and can access both single (IPv4 or IPv6) and dual-stack (IPv4 and IPv6) destinations.

I'm going to play with the configuration within the next days and post a summary of my findings, this may be evolved by the community into a guideline for early IPv6 adopters of squid (although, as you already have written, some more discussion seems to be necessary).

Thanks for your help so far!

Stefan

-----Original Message-----
From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
Sent: Friday, 30 October 2009 01:34
To: Moser, Stefan (SIDB)
Cc: squid-users@xxxxxxxxxxxxxxx
Subject: Re: Problem with IPv6 config when destination is dual-stacked (but everything works when destination is IPv4 or IPv6 only)

Moser, Stefan (SIDB) wrote:
> Hi,
>
> we are testing with squid, latest beta, in a dual-stack
> configuration:
>
> squid is running on SLES 11. Server has 1 interface card only,
> configured with an IPv4 and IPv6 address, both running on standard
> 3128 port. Server has true, native IPv4 and IPv6 internet
> connectivity (no IPv6 tunnel broker, etc.). I have applied "IPv6
> magic ACLs" as described in
> http://www.squid-cache.org/Doc/config/tcp_outgoing_address. Client
> (latest Internet Explorer and Firefox) talks to squid via IPv4 and
> IPv6 transport (that means, I enter an IPv4- or IPv6- address in
> browser's connection settings).
>
>
> Now, what DOES work, is the following:
>
> 1. IPv4 transport from browser to squid, squid can access an IPv4
>    only internet site (site has an A record only in DNS)
> 2. IPv4 transport from browser to squid, squid accesses an IPv6 only
>    internet site (site has an AAAA record only in DNS)
> 3. IPv6 transport from browser to squid, squid accesses an IPv4 only
>    internet site (site has an A record only in DNS)
> 4. IPv6 transport from browser to squid, squid accesses an IPv6 only
>    internet site (site has an AAAA record only in DNS)
>
> So far, so good, this IPv4 / IPv6 bridging obviously works.
>
> Now, what does NOT work, is:
>
> 1. IPv4 transport from browser to squid, squid CANNOT access an
>    IPv4/IPv6 internet site (that means, a site that has both A and
>    AAAA in DNS and that is reachable via IPv6 and IPv4)
> 2. IPv6 transport from browser to squid, squid CANNOT access an
>    IPv4/IPv6 internet site (that means, a site that has both A and
>    AAAA in DNS and that is reachable via IPv6 and IPv4)
>
> The cache log says (true IPv4 address removed for privacy reasons):
>
> 2009/10/28 15:59:46| commBind: Cannot bind socket FD 10 to <IPv4 address from my providers range>: (22) Invalid argument
> 2009/10/28 15:59:46| WARNING: Reset of FD 10 for <IPv4 address from my providers range>:failed to bind: (22) Invalid argument
>
>
> Has everybody encountered the same problem?

Yes. The magic is not complete and has a point of failure.

FWIW, crossover works perfectly for me without tcp_outgoing_addr.

tcp_outgoing_addr is a "fast" category access control and cannot do the dst lookup on its own. The destination IP address needs to be forced by something earlier (http_access) for the magic to work.

I'm working on a few ways to fix this. But for now try adding "http_access allow to_ipv6 !to_ipv6" to your config.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
  Current Beta Squid 3.1.0.14
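
The workaround from this thread placed in a squid.conf, as an added example that is not part of the original messages or of the Squid documentation. The addresses (RFC 5737 / RFC 3849 documentation ranges) and the "localnet" ACL are assumed placeholders for the site's own values.

```conf
# Constructed squid.conf fragment: placeholder addresses, hypothetical
# "localnet" policy. Only the to_ipv6 lines come from the thread.

# Matches requests whose destination address is IPv6.
acl to_ipv6 dst ipv6

# Workaround from the reply. An ACL ANDed with its own negation can never
# match, so this line grants nothing and changes no access decision.
# Its purpose is to have http_access test the dst ACL, which forces the
# destination lookup that tcp_outgoing_address (a "fast" check) cannot
# do on its own.
# http_access rules are checked top-down and stop at the first match,
# so this line has to sit above the rule that admits the request.
http_access allow to_ipv6 !to_ipv6

# Stand-in for the site's real access policy (assumption).
acl localnet src 192.0.2.0/24 2001:db8:1::/48
http_access allow localnet
http_access deny all

# The "IPv6 magic ACLs": choose the outgoing address by destination family.
# Without the http_access line above, the thread reports dual-stack
# destinations failing with
#   commBind: Cannot bind socket FD ... (22) Invalid argument
tcp_outgoing_address 2001:db8::10 to_ipv6
tcp_outgoing_address 192.0.2.10 !to_ipv6
```

After a reconfigure, requesting a destination that has both A and AAAA records and watching cache.log for the commBind warning confirms whether the lookup is being forced.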