On 21/04/11 00:35, Daniel Shelton wrote:
>> One thing that always troubles me. The failure reports always seem
>> to mention an interface. Yet the wiki examples written by people
>> with working configs do not mention one.
>> Your rule appears to be matching packets, so I assume it's okay.
>> Just something to be aware of.
>> With GRE you have to be extremely careful where the OS thinks the
>> packet is coming from. It seems to vary between kernel
>> implementations and versions whether the gre or eth NIC is the one
>> seen during NAT. What is the exact message displayed by Squid about
>> that port during startup or reconfigure?
>> Amos
>
> I thank you for replying Amos. The part of confusion for me is
> really on a basic level. There is a lack of topology information
> available with Squid that I have noticed. For example, where does
> the traffic come from? Where do the users reside? Which interface
> does what? This is the most important information to know and it can
> be learned very easily from a topology diagram. I haven't seen any.

I understand completely. Been thinking we should add diagrams to the
wiki for a while now. I'll have to remind our wiki admin about it.
Okay, for background. What is generally called "WCCP" is a mix of up to
4 protocols.
WCCP *protocol* is just a signal between Squid and the Router
consisting of two packets bouncing backward and forward on the eth
interface. Nicely called HERE_I_AM and I_SEE_YOU.
To avoid altering the TCP/IP protocol details of client packets it
uses a tunnel. Either GRE protocol or a Layer-2 (essentially a NAT of
the MAC address).
Squid connects out to the Internet via whatever path it has.
I'm not certain myself whether the packets *have* to go back to the
client over the GRE, but there is usually no need. If things work up
to that point we usually don't have to care.

> Anyhow, the question I have is does the proxy make the connection out
> onto the Internet itself and therefore needs an Internet on the
> public facing side, or does all of this traffic traverse the gre
> tunnel?

Only client->router->Squid traffic traverses the GRE.
Squid->Internet traffic traverses regular networking paths. Whether they
get via ethN to the same router or to elsewhere.

The topology with one NIC on Squid box is generally:

   clients
      \
     router ----Eth(WCCP,HTTP)---- Squid
       |  \ <====GRE(HTTP)====> /
       |
    Internet

> The only mention I see about port 3129 is that it is "Ready
> to accept connections at 0.0.0.0:3129".
Hmm. Okay. Must be one of the versions pre-dating the update to say what
type of connections.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.12
Beta testers wanted for 3.2.0.7 and 3.1.12.1
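
The three legs described in the message above (WCCP control packets, GRE-redirected client traffic, and Squid's ordinary outbound traffic), as an added example that is not part of the original email or of Squid's code. The UDP port, GRE protocol type and message type numbers are taken from the WCCPv2 specification rather than from this thread, and all addresses and packets are constructed.

```python
import struct

# Constants from the WCCPv2 specification (assumed here; the email does not list them).
WCCP_UDP_PORT = 2048                 # WCCP control channel
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 6, 17, 47
GRE_PROTO_WCCP = 0x883E              # GRE protocol type for WCCP redirection
WCCP2_TYPES = {10: "HERE_I_AM", 11: "I_SEE_YOU"}

def classify(pkt: bytes) -> str:
    """Say which leg of a WCCP deployment a raw IPv4 packet belongs to."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return "not-ipv4"
    proto, body = pkt[9], pkt[ihl:]
    if proto == IPPROTO_UDP and len(body) >= 12:
        sport, dport = struct.unpack("!HH", body[:4])
        if WCCP_UDP_PORT in (sport, dport):
            (msg_type,) = struct.unpack("!I", body[8:12])
            return "wccp-control:" + WCCP2_TYPES.get(msg_type, f"type-{msg_type}")
    if proto == IPPROTO_GRE and len(body) >= 4:
        _flags, gre_proto = struct.unpack("!HH", body[:4])
        if gre_proto == GRE_PROTO_WCCP:
            return "gre-redirected-client-traffic"
        return "gre-other"
    return "regular-path"

def ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (checksum left at 0) for the samples below."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, addr(src), addr(dst)) + payload

def udp(port: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", port, port, 8 + len(data), 0) + data

# Constructed samples; addresses are documentation ranges, not from the thread.
SQUID, ROUTER, CLIENT, ORIGIN = "192.0.2.10", "192.0.2.1", "198.51.100.7", "203.0.113.80"
inner_http = ipv4(IPPROTO_TCP, CLIENT, ORIGIN, b"\x00" * 20)  # not parsed by classify()
SAMPLES = {
    "squid->router": ipv4(IPPROTO_UDP, SQUID, ROUTER, udp(2048, struct.pack("!IHH", 10, 0x0200, 0))),
    "router->squid": ipv4(IPPROTO_UDP, ROUTER, SQUID, udp(2048, struct.pack("!IHH", 11, 0x0200, 0))),
    "router=>squid (GRE)": ipv4(IPPROTO_GRE, ROUTER, SQUID, struct.pack("!HH", 0, GRE_PROTO_WCCP) + inner_http),
    "squid->origin": ipv4(IPPROTO_TCP, SQUID, ORIGIN, b"\x00" * 20),
}

if __name__ == "__main__":
    for leg, pkt in SAMPLES.items():
        print(f"{leg:22} {classify(pkt)}")
```

The redirected sample arrives on the Ethernet NIC as IP protocol 47, not TCP, so a port-based NAT rule can only match the client packet after decapsulation.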