
Squid3.1 TProxy weirdness

  Hi all,

  I'm new to this list, but I checked the archives a lot before asking this.
  I'm trying to get squid-3.1 up and running with TProxy 4.1 on an ISP network.
  My setup works correctly when only a few users are connected to
the users' VLAN. The users can browse and TProxy works.
  But when I plug in the router with all the users (around 60000),
squid doesn't respond anymore.
  I first suspected the problem was the iptables/ebtables rules not
routing the packets to squid, but iptables -v -t mangle -L shows:

Chain PREROUTING (policy ACCEPT 144K packets, 50M bytes)
 pkts bytes target     prot opt in     out     source               destination
   85  6232 DIVERT     tcp  --  any    any     anywhere             anywhere            socket
 5568 1581K TPROXY     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:http TPROXY redirect 0.0.0.0:3128 mark 0x1/0x1

  And about 2 seconds later:

Chain PREROUTING (policy ACCEPT 208K packets, 62M bytes)
 pkts bytes target     prot opt in     out     source               destination
   92  6692 DIVERT     tcp  --  any    any     anywhere             anywhere            socket
 7690 2210K TPROXY     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:http TPROXY redirect 0.0.0.0:3128 mark 0x1/0x1

  So the requests are going through iptables, right?

  I added debug_options ALL,1 ALL,0 and 33,4 so I could see whether
comm_accept returned OK or not, but cache.log doesn't show anything.
  Just so you guys know, eth0 is the client-facing interface and eth1
is the internet-facing interface.
  I'm using a 2.6.29.6 vanilla kernel, with these proc options:

# Route between the client-facing (eth0) and internet-facing (eth1) interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward
# Disable reverse-path filtering: TProxy replies carry the client's source
# address on an interface rp_filter would not expect it on
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
# Let Squid bind its outgoing sockets to the client's (non-local) address
echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
echo 1 > /proc/sys/net/ipv4/tcp_low_latency
echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/br0/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 1 > /proc/sys/net/ipv4/conf/eth0/send_redirects

  Also, I'm using these rules, which I got from the squid wiki TProxy tutorial:

# DIVERT chain: mark packets that already belong to a local (transparent)
# socket so the fwmark routing rule delivers them to Squid
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
# Packets of existing Squid connections go to DIVERT; new client TCP
# to port 80 arriving on eth0 is redirected to Squid's port 3128 and marked 0x1
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3128

# In the broute table, DROP means "route this frame instead of bridging it":
# pull client->80 frames (from eth0) and 80->client frames (from eth1) out of
# the bridge so they reach the mangle PREROUTING rules above
ebtables -t broute -A BROUTING -i eth0 -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP

 # Turn off every bridge-nf-call-* sysctl so bridged frames are not passed
 # through iptables/ip6tables/arptables a second time
 cd /proc/sys/net/bridge/
 for i in *
 do
   echo 0 > "$i"
 done
 unset i

  Are there any tests I can do or any other info I can provide?

  Ebtables version is "ebtables v2.0.9-1 (June 2009)". And iptables is
"iptables v1.4.3.2".

  What kills me is that if I plug in a single user on the client
interface, everything works. Also, if I put a single user on the VLAN
of the client interface, everything works too. No idea why it doesn't
work when all users are plugged in.

  Thanks in advance!

Felipe Damasio
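The two counter snapshots quoted in the post answer the "are requests going through iptables?" question only once they are diffed. The script below is an added example, not part of the post or of the Squid wiki: it parses `iptables -v -t mangle -L PREROUTING` output and reports how many packets hit each rule between two snapshots. The two snapshots embedded in it are constructed from the numbers in the post, rejoined onto single lines as iptables actually prints them; the 2-second interval is the one stated in the post. On a real box, take the snapshots with `-x` (`--exact`) so the counters are not rounded to K/M; the suffix expansion here only exists for output taken without it. How to read the result is an assumption, not something the post confirms: the TPROXY rule only sees packets for which `-m socket` found no existing socket, so a TPROXY counter that climbs by a thousand packets a second while the DIVERT (socket match) counter barely moves means very few established Squid connections exist, which is the pattern one would expect if new connections are redirected but never accepted.

```shell
#!/bin/sh
# Added example (not from the original post): diff two snapshots of
# `iptables -v -t mangle -L PREROUTING` to see which rule's counters move.
# Prefer `iptables -v -x -t mangle -L` on a real system; expand_count
# only exists for counters printed without -x (e.g. 1581K).

# Constructed sample input: the two snapshots quoted in the post, rejoined
# onto single lines in the layout iptables prints.
SNAP1='Chain PREROUTING (policy ACCEPT 144K packets, 50M bytes)
 pkts bytes target     prot opt in     out     source               destination
   85  6232 DIVERT     tcp  --  any    any     anywhere             anywhere            socket
 5568 1581K TPROXY     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:http TPROXY redirect 0.0.0.0:3128 mark 0x1/0x1'

SNAP2='Chain PREROUTING (policy ACCEPT 208K packets, 62M bytes)
 pkts bytes target     prot opt in     out     source               destination
   92  6692 DIVERT     tcp  --  any    any     anywhere             anywhere            socket
 7690 2210K TPROXY     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:http TPROXY redirect 0.0.0.0:3128 mark 0x1/0x1'

# expand_count COUNTER: turn an iptables counter such as 1581K into a
# plain integer (iptables uses decimal K/M/G multipliers without -x).
expand_count() {
    printf '%s\n' "$1" | awk '
        /K$/ { sub(/K$/, ""); printf "%d\n", $0 * 1000; next }
        /M$/ { sub(/M$/, ""); printf "%d\n", $0 * 1000000; next }
        /G$/ { sub(/G$/, ""); printf "%d\n", $0 * 1000000000; next }
        { printf "%d\n", $0 }'
}

# pkts_for SNAPSHOT TARGET: packet counter (field 1) of the first rule
# whose target (field 3) is TARGET, e.g. DIVERT or TPROXY.
pkts_for() {
    printf '%s\n' "$1" | awk -v t="$2" '$3 == t { print $1; exit }'
}

# pkts_delta SNAP_BEFORE SNAP_AFTER TARGET: packets that hit the rule
# between the two snapshots.
pkts_delta() {
    before=$(expand_count "$(pkts_for "$1" "$3")")
    after=$(expand_count "$(pkts_for "$2" "$3")")
    echo $((after - before))
}

# rate_per_sec DELTA SECONDS: integer packets per second.
rate_per_sec() {
    echo $(( $1 / $2 ))
}

# Stand-alone usage: the post's snapshots were taken about 2 seconds apart.
for target in DIVERT TPROXY; do
    d=$(pkts_delta "$SNAP1" "$SNAP2" "$target")
    echo "$target: +$d packets (~$(rate_per_sec "$d" 2)/s)"
done
```

To use it live, capture `iptables -v -x -t mangle -L PREROUTING` into two variables a known number of seconds apart and pass them to pkts_delta in place of the embedded snapshots; running it under `watch` with `-x` gives the same picture continuously.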

