> The NAT operation *MUST*, absolutely *MUST*, be performed on the Squid box and nowhere else on the path between Squid and clients.

I am buying a new router that has enough ROM and RAM to support openwrt + squid, for the security reasons and also because my ARM-based server does not have a proper 'iptables' available.

Thanks for that emphasis. I re-read the original post and saw that you also point out that the dd-wrt wiki page is wrong. It was very confusing for me as not only the wiki page, but several blog pages posted how-tos that attested that the aforementioned setup worked. One post was less than a year old!

> The configuration for OpenWRT device is in fact a completely different setup

There is a section called 'When Squid is in a DMZ between the router and Internet' which is exactly what 'Ethan H' was trying to achieve. And you responded.

>> The kernel routing layer does the routing based on the firewall markings

Is it the reason why OpenWRT works but not DD-WRT? Due to the difference in the kernel routing layer? Or does the same rule apply and the NAT operation *must* be performed for OpenWRT as well?

On Wed, May 1, 2013 at 6:40 PM, Amos Jeffries-2 [via Squid Web Proxy Cache] <ml-node+s1019090n4659755h42@xxxxxxxxxxxxx> wrote:
> On 2/05/2013 10:23 a.m., prometheus wrote:
>> Were you able to get this to work? I am having the same problem.
>
> The problem is that DNAT whenever used *erases* critical information
> which Squid-3.2+ require. The NAT operation *MUST*, absolutely *MUST*,
> be performed on the Squid box and nowhere else on the path between Squid
> and clients.
>
> Please go back and re-read the "outline" section on
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat for
> details on DNAT configuration.
>
> The configuration for OpenWRT device is in fact a completely different
> setup, which is one of the cases detailed in
> http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute.
>
> Amos
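
The split discussed in this thread, sketched as an added example that is not part of the original messages or of the Squid wiki: the router only marks and policy-routes port-80 traffic, and the Squid box is the only machine that performs NAT. All addresses, the interface name, the intercept port and the mark/table numbers are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Every value below is a constructed
# placeholder; adjust to the real network before use.
PROXY_IP="192.168.1.2"   # assumed address of the Squid box
LAN_IF="br-lan"          # assumed LAN interface on the router
SQUID_PORT="3129"        # assumed port from "http_port 3129 intercept"
MARK="3"; TABLE="2"      # arbitrary firewall mark and routing table number

# Dry run by default: print each command. Set APPLY=1 (as root) to execute.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

# Router: no nat-table rules at all. Packets keep their original source and
# destination addresses; the firewall mark only selects a routing table
# whose default route points at the Squid box.
router_rules() {
    # Squid's own outbound requests must go straight out, or they loop.
    run iptables -t mangle -A PREROUTING -p tcp --dport 80 -s "$PROXY_IP" -j ACCEPT
    run iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark "$MARK"
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route add default via "$PROXY_IP" dev "$LAN_IF" table "$TABLE"
}

# Squid box: the single place where NAT happens, so the kernel on this
# machine still holds the original destination when Squid asks for it.
squid_box_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A PREROUTING -s "$PROXY_IP" -p tcp --dport 80 -j ACCEPT
    run iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
    # The intercept port must never be reachable directly by clients.
    run iptables -t mangle -A PREROUTING -p tcp --dport "$SQUID_PORT" -j DROP
}

# Usage: sh thisfile router   or   sh thisfile squid
case "${1:-}" in
    router) router_rules ;;
    squid)  squid_box_rules ;;
esac
```

A quick audit of an existing router follows the same idea: any DNAT or REDIRECT rule for port 80 in the router's nat table means the NAT is happening on the wrong machine.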