Hi Amos,

At first, big thanks. By putting "forwarded_for transparent" and "via off", the host info at www.whatismyip.com is removed, and there is also no email view problem at hotmail or live.com any more. All this configuration is working perfectly with Squid as the router. But the problem is not solved with the router using WCCP2.

At the Linux box, I can see the ip_gre module loaded:

Module                  Size  Used by
ip_gre                 10986  0
sit                     8531  0
tunnel4                 2005  1 sit
xt_TPROXY               1722  0
nf_tproxy_core          1791  1 xt_TPROXY,[permanent]
......

iptables configuration as follows:

ip rule add fwmark 1 lookup 100
ip -f inet route add local 0.0.0.0/0 dev lo table 100
ip -f inet route add local 0.0.0.0/0 dev eth0 table 100
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
...............

/etc/squid.conf

wccp2_router 203.x.x.x
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service dynamic 80
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
wccp2_service dynamic 90
wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80

==============================================================================

Please find the following router configuration for WCCP.

Global wccp command for router:
!
ip wccp 80
ip wccp 90
!
Interface facing towards customers
!
interface GigabitEthernet6/9
 ip address x.x.x.x 255.255.255.248 secondary
 ip address x.x.x.23 255.255.255.0
 ip access-group 125 in
 ip access-group 173 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip wccp 80 redirect in
 ip wccp 90 redirect out
 ip route-cache flow
 no ip mroute-cache
!
Interface connected to proxy
!
interface GigabitEthernet6/7
 ip address 203.x.x.x 255.255.255.252
 ip access-group 125 in
 ip access-group 173 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip wccp redirect exclude in
 ip route-cache flow
 no ip mroute-cache
 no cdp enable

After the above configuration, sh ip wccp results as follows:

Citechco#sh ip wccp
Global WCCP information:
    Router information:
        Router Identifier:                   203.x.x.x
        Protocol Version:                    2.0

    Service Identifier: 80
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            9175
        Redirect access-list:                -none-
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0

    Service Identifier: 90
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            1354
        Redirect access-list:                -none-
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
myco#

Any clue where the problem is?

TIA,
Azhar

On Mon, Apr 18, 2011 at 9:37 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On Sun, 17 Apr 2011 23:21:44 +0600, AZHAR CHOWDHURY wrote:
>>
>> Hi Amos,
>> OK, it was my fault that I posted before running in a real network with
>> WCCP. We are running Squid+tproxy under Policy Based Routing without
>> any major trouble (please see below for the problem we are facing).
>> This week we will move squid from PBR to WCCP. The mentioned example is
>> based on vlan dot1q; let me dig with Cisco and I will raise it if I face any
>> problem.
>>
>> 1. If we run squid with the default conf file, we get the cache host name in
>> "www.whatismyip.com". To avoid that we added the following in the squid.conf
>> file:
>> forwarded_for off
>
> I think "forwarded_for" should be enough.
>
> Possibly also "via off". Though that is not usually required for hotmail
> (may have changed, the last good analysis was a year or so ago).
>
> <snip>
>>
>> Now, there is no cache/squid host name in "whatismyip.com", but in
>> hotmail/live.com's email service inbox no message opens; it shows
>> an error that another IP is accessing the same page.
>
> Does it say which one? Are you absolutely certain that TPROXY is working?
> (this error will appear when WCCP is active but TPROXY fails).
>
>> I guess we need to add another "request_header_access" rule, any clue on
>> it.
>> Is "http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html" the final
>> list of all HEADER LIST?
>
> Hotmail with WCCP pretty much requires TPROXY to be working.
>
> Alternatively if your client machine is a Windows box using IPv6 to talk to
> Squid-3.1. Windows will by default choose to use "privacy" IPs which rotate
> through time-based cryptographic hashes embedded in the IP address. As often
> as every 15 minutes, not retaining one for more than 90 minutes at a
> stretch. That will show up in the X-Forwarded-For.
> Setting "forwarded_for transparent" will prevent the proxy IP being
> inserted.
> Setting "forwarded_for delete" will erase the header entirely and prevent
> the "privacy" address from breaking the hotmail-end checks.
>
>
> Other things to check:
> * Check that "balance_on_multiple_ip" is turned OFF in squid.conf. In 3.1
> this is the default, but you may have an older config from when it was
> default to being in the file and set on.
> What that does is make Squid send each request to a different remote server
> hosting the website. Hotmail requires all traffic to arrive at consistent
> receiving servers. They appear not to care if HTTPS and HTTP go to different
> ones, but it has to be consistently going to the same place.
>
>>
>> 2. What is a safe filedescriptors value I should use?
>>
>
> Depends on you and your OS. Anything below 16 million appears safe on Linux.
>
> Amos
>
>
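A check script for the TPROXY plumbing listed in the message above, added here as an example; it is not code from the thread or from the Squid project. Instead of trusting that the rules were typed in correctly, it inspects the output of "ip rule", "ip route show table 100", "iptables -t mangle -S" and "sysctl" for the pieces that setup needs. The values it looks for (fwmark 1, table 100, Squid listening on port 3129) are taken from the message as assumptions; the ip_forward and rp_filter checks are a commonly needed companion to TPROXY behind GRE redirection and are likewise an assumption, not something the thread states. The functions take captured output, so they can be exercised offline; run the script with --live on the Squid box to check the real system.

```shell
#!/bin/sh
# Added example (not from the squid-users thread): verify the pieces a
# Squid WCCP/TPROXY box needs by checking command output rather than
# assuming the rules were entered correctly.
# Assumed from the thread: fwmark 1, routing table 100, Squid on port 3129.
MARK=1
TABLE=100
TPROXY_PORT=3129

# check_ip_rule "<output of: ip rule>" -> 0 if a fwmark rule selects $TABLE
check_ip_rule() {
    printf '%s\n' "$1" | grep -Eq "fwmark (0x)?$MARK .*lookup $TABLE"
}

# check_local_route "<output of: ip route show table $TABLE>"
# `ip` prints 0.0.0.0/0 as "default"; accept both spellings.
check_local_route() {
    printf '%s\n' "$1" | grep -Eq '^local (default|0\.0\.0\.0/0) dev lo'
}

# check_mangle "<output of: iptables -t mangle -S>" -> 0 only when the
# socket match, the MARK target and the TPROXY rule are all present.
# iptables -S prints --set-mark as --set-xmark and adds --on-ip to TPROXY,
# so each option is matched on its own rather than as one fixed string.
check_mangle() {
    r=$1
    printf '%s\n' "$r" | grep -Eq -- '^-A PREROUTING -p tcp -m socket -j DIVERT' || return 1
    printf '%s\n' "$r" | grep -Eq -- "^-A DIVERT -j MARK --set-x?mark (0x)?$MARK(/0x[0-9a-f]+)?" || return 1
    printf '%s\n' "$r" | grep -E -- '^-A PREROUTING .*--dport 80 .*-j TPROXY' \
        | grep -Eq -- "--on-port $TPROXY_PORT" || return 1
    printf '%s\n' "$r" | grep -E -- '^-A PREROUTING .*-j TPROXY' \
        | grep -Eq -- "--tproxy-mark 0x$MARK/0x$MARK"
}

# check_sysctl "<output of: sysctl net.ipv4.ip_forward net.ipv4.conf.all.rp_filter>"
# -> 0 when forwarding is on and strict reverse-path filtering is off.
# Assumption (common guidance, not from the thread): with rp_filter=1 the
# kernel can drop packets arriving via the GRE tunnel whose source address
# is not routable back through it, so Squid never sees redirected traffic.
check_sysctl() {
    s=$1
    printf '%s\n' "$s" | grep -Eq '^net\.ipv4\.ip_forward = 1$' || return 1
    printf '%s\n' "$s" | grep -Eq '^net\.ipv4\.conf\.all\.rp_filter = 0$'
}

# report NAME FUNC OUTPUT: print one status line, return the check's result
report() {
    if "$2" "$3"; then echo "ok   $1"; return 0; fi
    echo "FAIL $1"; return 1
}

# run_live: gather real output on this box and report every check.
run_live() {
    rc=0
    report "ip rule"       check_ip_rule     "$(ip rule)"                         || rc=1
    report "table $TABLE"  check_local_route "$(ip route show table "$TABLE")"    || rc=1
    report "mangle rules"  check_mangle      "$(iptables -t mangle -S)"           || rc=1
    report "sysctl"        check_sysctl \
        "$(sysctl net.ipv4.ip_forward net.ipv4.conf.all.rp_filter)"               || rc=1
    return $rc
}

# Only touch the live system when asked, so the functions can be sourced
# and tested on a machine without iptables or root.
if [ "${1:-}" = "--live" ]; then
    run_live
fi
```

A FAIL on "mangle rules" with the rules present but Squid still seeing no traffic usually points at the step before TPROXY (the GRE decapsulation or routing), which this script does not inspect; the router's "Total Packets Redirected" counter only shows that the router sent packets, not that the Linux box accepted them.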