Re: Re: Squid + DansGuardian + Bridging

On 20/09/2013 5:35 a.m., psd17j-jacob wrote:
Hi Antony,

Thanks for the reply. So what would be your suggestion in terms of creating
a transparent proxy across multiple VLANs without bridging? All VLANs are
public routable IPs except for two, one being the publicly available WiFi.
The school encourages BYOD so sending out proxy settings via GP is not an
option.

The proxy operates on top of the *routing* component of the kernel. As you can note from the ebtables rules, you have to bump the traffic out of the bridge into the routing system for iptables rules to send it to the proxy. You may as well set up the box as a normal router (with VLAN routing) if that is easier than implementing the bridging. With the correct ebtables rules shifting traffic to routing, the presence or absence of bridging should be irrelevant to the proxy operation.

Once traffic enters the proxy the TCP connections are terminated. VLAN tags are gone; you have to translate them to either iptables MARK or TOS/DSCP tags for relay through Squid and re-tag traffic leaving the proxy. Also note that at the TCP/IP and VLAN layers, traffic leaving the proxy box has no relation to traffic entering the box. HTTP contains caching, validation, persistence and multiplexing features designed to optimize the TCP connection usage and response speed. You can have two requests entering the proxy on different VLAN connections and both leaving on the same upstream connection, or only one leaving it, or one being translated to an IMS/INM request. You can also have traffic generated by the proxy itself entering the system. ==> Please outline what the purpose of the VLAN separation is. If you are able to treat the proxy outgoing traffic as just another user and switch its VLAN using only IP:port (and/or TOS) destination details, that would be easiest to integrate with Squid.

Another thing adding complexity is your usage of DansGuardian. It is a basic filtering proxy, not a fully-featured proxy like Squid. So things like the iptables MARK and QoS TOS/DSCP values are not even passed through it for Squid to make use of. This is simpler to fix: since Squid can do anything DG can (just differently), you can drop the DG component entirely and just use Squid access controls.

Amos
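The MARK-based translation Amos describes, as an added example that is not part of this thread: each client VLAN gets a netfilter mark before routing, the same traffic is diverted into Squid's intercept port, and a matching squid.conf fragment uses tcp_outgoing_mark so Squid's own upstream connections carry that mark for policy routing. The interface names, subnets, mark values and route-table numbers are assumed, and the script prints the commands rather than applying them.

```shell
#!/bin/sh
# Constructed example (not from the thread): translate each client VLAN into a
# netfilter MARK so Squid can re-tag its own upstream connections and policy
# routing can steer them. Interface names, subnets, marks and table numbers
# are assumed values, not the poster's.

SQUID_PORT=3128

# One record per VLAN: "<id> <iface> <subnet> <mark> <routing-table>" (assumed)
VLANS="10 eth0.10 10.0.10.0/24 0x10 110
20 eth0.20 10.0.20.0/24 0x20 120"

# Emit the iptables/ip commands for each VLAN (printed, not applied, so they
# can be reviewed first; pipe into sh as root on the router to apply).
gen_iptables() {
    echo "$VLANS" | while read -r id iface subnet mark table; do
        # Tag port-80 traffic arriving from this VLAN before routing decides
        echo "iptables -t mangle -A PREROUTING -i $iface -s $subnet -p tcp --dport 80 -j MARK --set-mark $mark"
        # Divert the same traffic into Squid's intercept port on this box
        echo "iptables -t nat -A PREROUTING -i $iface -s $subnet -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT"
        # Connections Squid opens with this mark use the VLAN's own route table
        echo "ip rule add fwmark $mark table $table"
    done
}

# Emit the matching squid.conf fragment: a per-VLAN ACL on the client address
# and tcp_outgoing_mark so the upstream connection carries the same mark the
# client traffic had on entry (the VLAN tag itself is gone once TCP terminates).
gen_squid_conf() {
    echo "http_port $SQUID_PORT intercept"
    echo "$VLANS" | while read -r id iface subnet mark table; do
        echo "acl vlan$id src $subnet"
        echo "tcp_outgoing_mark $mark vlan$id"
    done
}

# Show both fragments when run directly
gen_iptables
gen_squid_conf
```

Add a route table per VLAN (via /etc/iproute2/rt_tables and a default route in each) so the `ip rule` lines have something to select.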



