Hey,
I have found this:
http://kb.fortinet.com/kb/viewContent.do?externalId=FD30096
which pretty much covers what needed to be done.
WCCP is supposed to be a layer 2 interception, and TPROXY is the closest
thing to that.
TPROXY uses the same source IP as the client for outgoing traffic based on a
client connection.
You can try to configure the FortiGate device and maybe open a
ticket with the Forti guys in case you don't get it right.
WCCP works with most catalyst devices I have tried.
There are other ways to intercept traffic and it's only up to the level
of your skills and knowledge.
It seems like the fortigate is the right place to integrate squid
interception to me.
I noticed that you didn't configure all the Squid directives needed to
support auto WCCP service registration.
Try to do it manually on the FortiGate and see the results.
Best regards,
Eliezer
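The TPROXY-based WCCP interception Eliezer points at above, written up as an added example that is not part of the original thread or of the Squid project's own documentation. It is a dry-run shell script: by default it only prints the commands and the squid.conf directives it would apply, and it executes them (as root) only when APPLY=1. The router address 192.0.2.1, the tproxy listening port 3129 and the GRE interface name are assumptions; the Squid host 192.168.5.81 is taken from the thread, and the two WCCP services (80 for client-to-server traffic, 90 for the server-to-client replies) follow the pattern in the Squid wiki example linked later in the thread.

```shell
#!/bin/sh
# Added example: Squid TPROXY interception fed by WCCPv2 over GRE.
# Dry-run by default; set APPLY=1 to really execute (needs root).
ROUTER="${ROUTER:-192.0.2.1}"          # assumed: WCCP router / FortiGate address
SQUID_IP="${SQUID_IP:-192.168.5.81}"   # Squid host, as in the thread
LAN_IF="${LAN_IF:-eth0}"
GRE_IF="${GRE_IF:-wccp0}"
TPROXY_PORT="${TPROXY_PORT:-3129}"     # assumed; must match "http_port ... tproxy"
MARK=1
TABLE=100

# Print the command in dry-run mode, execute it when APPLY=1.
run() {
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# GRE tunnel on which the router delivers WCCP-redirected packets.
gre_tunnel() {
  run ip tunnel add "$GRE_IF" mode gre remote "$ROUTER" local "$SQUID_IP" dev "$LAN_IF"
  run ip link set "$GRE_IF" up
}

# TPROXY spoofs the client's source address toward the origin server, so the
# kernel must forward and must not drop those packets with reverse-path filtering.
kernel_tuning() {
  run sysctl -w net.ipv4.ip_forward=1
  for i in all "$LAN_IF" "$GRE_IF"; do
    run sysctl -w "net.ipv4.conf.$i.rp_filter=0"
  done
}

# Mangle-table TPROXY rules plus the policy route that hands marked packets to
# the local socket. Unlike the DNAT approach, the destination address is left
# untouched and Squid sees (and reuses) the real client address.
tproxy_rules() {
  run iptables -t mangle -N DIVERT
  run iptables -t mangle -A DIVERT -j MARK --set-mark "$MARK"
  run iptables -t mangle -A DIVERT -j ACCEPT
  # Packets that already belong to a proxied socket.
  run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
  # New HTTP connections arriving over the GRE tunnel.
  run iptables -t mangle -A PREROUTING -i "$GRE_IF" -p tcp --dport 80 \
      -j TPROXY --tproxy-mark "0x$MARK/0x$MARK" --on-port "$TPROXY_PORT"
  run ip rule add fwmark "$MARK" lookup "$TABLE"
  run ip route add local 0.0.0.0/0 dev lo table "$TABLE"
}

# squid.conf directives for WCCPv2 registration with the router.
squid_wccp_conf() {
  cat <<EOF
http_port $TPROXY_PORT tproxy
wccp2_router $ROUTER
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_assignment_method hash
# Service 80: client->server traffic to port 80, hashed on the client address.
wccp2_service dynamic 80
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
# Service 90: server->client replies (source port 80) must also be redirected
# to the proxy, because Squid spoofed the client address toward the server.
wccp2_service dynamic 90
wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
EOF
}

plan() {
  gre_tunnel
  kernel_tuning
  tproxy_rules
  echo "### squid.conf additions:"
  squid_wccp_conf
}

plan
```

Two things the script deliberately does not do: it intercepts only port 80, because a plain `http_port ... tproxy` listener cannot serve TLS connections on 443 (that needs an `https_port` with ssl-bump and the associated CA handling), and it leaves the Squid reply path to normal routing, since with TPROXY the part that must flow back through the router is the origin server's reply to the spoofed client address, which is what service 90 covers.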
On 1/4/2013 1:22 AM, Roman Gelfand wrote:
Thanks for your help. Please, see attached configuration files and
topology picture.
I am not using cisco device. I configured fortigate 50b firewall
wccp service using gre tunnel. In this case, I am using straight
transparent proxy. I have never used tproxy.
I do have catalyst router which supports wccp2. Should I use that
instead of the fortigate?
How does using tproxy instead of transparent proxy improve wccp routing?
Thanks again
On Wed, Jan 2, 2013 at 4:39 AM, Eliezer Croitoru <eliezer@xxxxxxxxxxxx> wrote:
Based on what did you configure your cisco router? What did you configure on
your cisco router?
What cisco device are you using?
Did you have the chance to look at:
http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2
Please try to share more information on the infrastructure and the whole
squid.conf, removing only confidential info.
Did you have the chance to use TPROXY before?
Did you try to sniff with tcpdump?
Eliezer
On 1/2/2013 3:38 AM, Roman Gelfand wrote:
I use wccp/gre tunnel. Port 80
requests work but 443 don't. I am not sure if this is right, but even
though data was received on wccp, no data was transmitted back over
wccp. In other words, squid server response was routed back, through
eth0 interface, rather than go through wccp0 interface. Is this
expected behavior? If not, what do I do to make
response go over wccp?
My iptables config looks like this:
# HTTP arriving over the WCCP GRE tunnel -> local Squid on 3228
iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j DNAT --to 192.168.5.81:3228
# HTTPS arriving over the WCCP GRE tunnel -> local Squid on 3229
iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 443 -j DNAT --to 192.168.5.81:3229
and squid.conf:
wccp2_service dynamic 90
wccp2_service_info 90 protocol=tcp priority=240 ports=80,443
--
Eliezer Croitoru
https://www1.ngtech.co.il
sip:ngtech@xxxxxxxxxxxx
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il