
Re: Squid not accelerating properly

Let's start with the title...

Your Squid is being used as an interception proxy. Not an accelerator /
reverse-proxy. Getting the terms right will greatly improve your ability
to search for relevant information.


On 8/03/2014 6:59 a.m., Oluseyi Akinboboye wrote:
> I have been long searching for a solution and finally this morning I got it to work. My setup is as follows:
> 
> Wan>>16port Dlink switch>>Clearos>>mikrotik>>netequalizer>>24 port Dlink switch
> 
> 
> I have added a squid with its input from the Wan directly and then I have put the squid directly to the mikrotik. 
> 

So to translate your diagram and description:

 WAN -> Squid -> Router -> LAN

is that correct?

I am assuming from the description that Squid is running on the ClearOS
machine.


> I did the following configurations:
> 
> 
> Wan:
> 
> Wan -> mikrotik 172.16.10.1/24
> Wan -> squid 172.16.11.1/24
> 

Huh? If I'm reading that right you have two distinct routes that packets
from the WAN -> LAN may take. Only one of which goes through Squid.
Be very VERY careful with the packet flows when doing this.


> 
> Mikrotik
> 
> 
> Ether1
> 172.16.10.2/24 Via setup CLI
> 
> 
> Ether2 (Hotspot)
> 10.5.50.1/24
> 
> 
> Ether3 to squid
> 192.168.50.2 Via setup CLI
> 
> 
> Squid
> 
> 
> Ether1 from Wan
> 172.16.11.2
> 
> 
> Ether2 from mikrotik
> 192.168.50.1:3128
> 

I don't understand how that relates to the actual packet flows, sorry. Too
many undefined details like:
 - how all the "EtherN" are plugged together
 - what the terminal command line interface (CLI) has to do with routing,
 - which part(s) of your network each of those IP ranges identifies

> 
> The squid is configured transparently.
> 

How? There are 8 transparent interception configurations for Squid. And
a great many more ways to mis-configure it.



> The CLI commands used are as follows:

Are these on the Mikrotik or ClearOS?

> 
> 
> #Mark All HTTP Port 80 Traffic, so that you can use these Marked Packets in Route section.
> 
> /ip firewall nat
> add action=accept chain=srcnat disabled=no dst-port=80 protocol=tcp
> 
> /ip firewall mangle
> add action=mark-routing chain=prerouting disabled=no dst-port=80 new-routing-mark=http passthrough=yes protocol=tcp
> 
> /ip route
> add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=(192.168.50.1) routing-mark=http scope=30 target-scope=10
> 
> add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=(172.16.10.1) scope=30 target-scope=10
> 
> 
> /ip firewall mangle add chain=postrouting tos=48 action=mark-packet new-packet-mark=proxy-hit passthrough=no
> 
> 
> /ip firewall mangle add chain=postrouting action=mark-packet new-packet-mark=proxy-hit passthrough=no
> 
> /queue tree add name="pmark" parent=global-out packet-mark=proxy-hit \ limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
> 
> 
> 
> /ip firewall filter
> 
> add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input \
> comment="Add Syn Flood IP to the list" connection-limit=30,32 disabled=no protocol=tcp tcp-flags=syn
> add action=drop chain=input comment="Drop to syn flood list" disabled=no src-address-list=Syn_Flooder
> add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect"\
> disabled=no protocol=tcp psd=21,3s,3,1
> add action=drop chain=input comment="Drop to port scan list" disabled=no src-address-list=Port_Scanner

You might want to ensure Squid cannot be caught and listed as a SYN-flooder.
 Squid will potentially open many hundreds of connections per second if
lots of clients are using it. Without the proxy that would be spread
over many client IPs and not hit flooding limits.


> add action=jump chain=input comment="Jump for icmp input flow" disabled=no jump-target=ICMP protocol=icmp
> add action=drop chain=input\
> comment="Block all access to the winbox - except to support list
> add action=jump chain=forward comment="Jump for icmp forward flow" disabled=no jump-target=ICMP protocol=icmp
> add action=drop chain=forward comment="Drop to bogon list" disabled=no dst-address-list=bogons
> add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours"\
> connection-limit=30,32 disabled=no dst-port=25,587 limit=30/1m,0 protocol=tcp
> add action=drop chain=forward comment="Avoid spammers action" disabled=no dst-port=25,587 protocol=tcp src-address-list=spammers
> add action=accept chain=input comment="Accept DNS - UDP" disabled=no port=53 protocol=udp
> add action=accept chain=input comment="Accept DNS - TCP" disabled=no port=53 protocol=tcp
> add action=accept chain=input comment="Accept to established connections" connection-state=established\
> disabled=no
> add action=accept chain=input comment="Accept to related connections" connection-state=related disabled=no
> add action=accept chain=input comment="Full access to SUPPORT address list" disabled=no src-address-list=support
> add action=drop chain=input comment="Drop anything else! 
> add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" disabled=no icmp-options=8:0 limit=1,5 protocol=icmp
> add action=accept chain=ICMP comment="Echo reply" disabled=no icmp-options=0:0 protocol=icmp
> add action=accept chain=ICMP comment="Time Exceeded" disabled=no icmp-options=11:0 protocol=icmp
> add action=accept chain=ICMP comment="Destination unreachable" disabled=no icmp-options=3:0-1 protocol=icmp
> add action=accept chain=ICMP comment=PMTUD disabled=no icmp-options=3:4 protocol=icmp
> add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=no protocol=icmp

ICMP is not optional. There are very specific message types like *echo*
that can cause annoying effects in IPv4. But having a default drop
action for other message types is a bad idea.

Also, it is a good idea to put the ICMP control *after* the control
allowing established connections and related packets through. Since the
most desirable ICMP messages are usually the ones related to some
established connection.


> add action=jump chain=output comment="Jump for icmp output" disabled=no jump-target=ICMP protocol=icmp
> 
> 
> 
> 
> ip firewall nat add action=dst-nat chain=dstnat disabled=no dst-port=80 protocol=tcp to-addresses=10.5.50.5 to-ports=8080 
> 
> 
> ip firewall nat add action=dst-nat dst-port=80 protocol=tcp src-address=10.5.50.0/24 to-addresses=10.5.50.5 to-ports=8080 chain=dstnat

 -> this rule seems useless. The top chain=dstnat rule already changed
*all* the TCP port 80 packets.

> 
> ip firewall nat add chain=dstnat src-address=10.5.50.0/24 in-interface=ether1 dst-port=80 protocol=tcp action=dst-nat to-address=10.5.50.5 to-port=8080
> 

 -> this rule seems useless. The top chain=dstnat rule already changed
*all* the TCP port 80 packets.


> ip firewall nat add chain=dstnat src-address=10.5.50.5 dst-port=80 protocol=tcp action=accept
> 

 -> this rule seems useless. The top chain=dstnat rule already changed
*all* the TCP port 80 packets into port 8080 packets.


> ip firewall nat add chain=dstnat src-address=10.5.50.0/24 dst-port=80 protocol=tcp action=dst-nat to-address=10.5.50.5 to-port=8080

 -> this rule seems useless. The top chain=dstnat rule already changed
*all* the TCP port 80 packets.



> 
> When I run the tail command in the squid I get a lot of activity within the cache; for example
> 
> 1394214401.152    103 192.168.50.2 TCP_MISS_ABORTED/000 0 GET http://facedakar.com/ - HIER_DIRECT/178.33.239.95 -
> 1394214401.216      0 192.168.50.2 TCP_IMS_HIT/304 285 GET http://www.fifa.com/imgml/worldcup/dots_03.png - HIER_NONE/- image/png
> 1394214401.255     96 192.168.50.2 TCP_MISS_ABORTED/000 0 GET http://facedakar.com/ - HIER_DIRECT/178.33.239.95 -
> 1394214401.363    101 192.168.50.2 TCP_MISS_ABORTED/000 0 GET http://facedakar.com/ - HIER_DIRECT/178.33.239.95 -
> 1394214401.473    102 192.168.50.2 TCP_MISS_ABORTED/000 0 GET http://facedakar.com/ - HIER_DIRECT/178.33.239.95 -
> 1394214401.502    982 192.168.50.2 TCP_MISS_ABORTED/000 0 POST http://dlarray-europ-secsrv021.gdatasecurity.de/query - HIER_DIRECT/92.51.171.68 -
> 
> Also when I run a NetStat grep the result I get seems okay:
> 
> squid:/home/netsnap # netstat -a | grep 443 -h
> tcp        1      0 squid.squidoz:44358     a92-122-210-13:www-http CLOSE_WAIT  
> tcp        0      1 squid.squidoz:35443     ns236400.ovh.n:www-http SYN_SENT    
> tcp        1      0 squidoz:ndl-aas         192.168.50.2:34439      CLOSE_WAIT  
> tcp        1      0 squidoz:ndl-aas         192.168.50.2:34443      CLOSE_WAIT  
> tcp        1      0 squidoz:ndl-aas         192.168.50.2:34436      CLOSE_WAIT  
> tcp        1      0 squid.squidoz:44350     a92-122-210-13:www-http CLOSE_WAIT  
> tcp        1      0 squidoz:ndl-aas         192.168.50.2:34438      CLOSE_WAIT 
> 
> 
> Now the browsing is not really faster, just that pages like yahoo.com, gmail.com & such that you have to sign in to open pretty fast, but other pages crawl to say the least, and if at all they open it just shows text and links without pictures, especially for sites like bbc.co.uk etc., and most times it brings this error message out:
> 
> ERROR
> 
> The requested URL could not be retrieved
> 
> Die volgende fout is teëgekom tydens verkryging van die URL: http://www.speedtest.net/user-settings.php
> 
> Verbinding na 93.184.219.82 het misluk
> 
> Die stelsel het die volgende teruggestuur: (110) Connection timed out

 ===>>  "Connection timed out"

Squid hitting problems at the TCP data transfer stage.
The DNS lookup stage has worked okay. The TCP setup stage (SYN/SYN-ACK)
*seems* to have worked okay as well.

> 
> I am not sure what exactly it is I am doing wrong! I am not even sure at this point if it is mikrotik or squid that is giving me the problem.


I am suspecting one of these things happen:

1) TCP is set up through the Mikrotik. Which loops it back at Squid.
 - forwarding loop by the router.

2) TCP setup to WAN server but response data packets hit an MTU size,
ECN or window scaling issue.

3) TCP setup works fine, but response data packets get routed or
firewalled differently somewhere.



Squid box. The ClearOS settings themselves probably.

* check the default gateway it is configured with is the WAN interface.

* check that Squid outgoing IP address on connections uses the IP from
NIC connected to the WAN.

* check that the WAN connections from the Squid box are not routed via
the Mikrotik in any way.


Also, it may help simplify things if the primary NIC were the one plugged into
the WAN. It is usually the NIC chosen by default for route and IP
address assignment. Plugging it in that way avoids having to explicitly
set up routing rules to override the OS algorithms.


Amos
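The access.log lines quoted above, run through a small classifier that applies the stage reasoning in the reply (a resolved peer address after HIER_DIRECT/ means the DNS lookup stage worked; a /000 status with zero bytes means the TCP data transfer stage never delivered anything). This is an added example written for this archive page, not Squid's own tooling or anything the poster ran; it assumes the native access.log field order and uses the sample lines from the thread as its only input.

```python
"""Summarise a Squid native access.log to locate the failing stage.

Added example for this thread, not Squid code. The native format is:
  timestamp elapsed_ms client result/status bytes method URL ident hierarchy/peer type
Each request is classified by the stage at which it stopped, following
the diagnosis given in the reply above.
"""
from collections import Counter
from urllib.parse import urlsplit

# Sample lines copied from the thread (the client column is the router's
# ether3 address, 192.168.50.2, on every line).
SAMPLE_LOG = """\
1394214401.152    103 192.168.50.2 TCP_MISS_ABORTED/000 0 GET http://facedakar.com/ - HIER_DIRECT/178.33.239.95 -
1394214401.216      0 192.168.50.2 TCP_IMS_HIT/304 285 GET http://www.fifa.com/imgml/worldcup/dots_03.png - HIER_NONE/- image/png
1394214401.255     96 192.168.50.2 TCP_MISS_ABORTED/000 0 GET http://facedakar.com/ - HIER_DIRECT/178.33.239.95 -
1394214401.363    101 192.168.50.2 TCP_MISS_ABORTED/000 0 GET http://facedakar.com/ - HIER_DIRECT/178.33.239.95 -
1394214401.473    102 192.168.50.2 TCP_MISS_ABORTED/000 0 GET http://facedakar.com/ - HIER_DIRECT/178.33.239.95 -
1394214401.502    982 192.168.50.2 TCP_MISS_ABORTED/000 0 POST http://dlarray-europ-secsrv021.gdatasecurity.de/query - HIER_DIRECT/92.51.171.68 -
"""


def parse_line(line):
    """Split one native-format line into a dict; return None if malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    result, _, status = fields[3].partition("/")
    hierarchy, _, peer = fields[8].partition("/")
    return {
        "time": float(fields[0]),
        "elapsed_ms": int(fields[1]),
        "client": fields[2],
        "result": result,        # e.g. TCP_MISS_ABORTED
        "status": status,        # e.g. 000 when no reply was received
        "bytes": int(fields[4]),
        "method": fields[5],
        "host": urlsplit(fields[6]).hostname or fields[6],
        "hierarchy": hierarchy,  # HIER_DIRECT, HIER_NONE, ...
        "peer": peer,            # upstream IP chosen, or "-"
        "type": fields[9],
    }


def classify(rec):
    """Name the stage at which the request stopped."""
    if rec["hierarchy"] == "HIER_NONE":
        return "served-from-cache"          # never went upstream
    if rec["peer"] == "-":
        return "no-upstream-chosen"         # DNS/peer selection did not yield an address
    if rec["status"] == "000" and rec["bytes"] == 0:
        return "tcp-no-response"            # address resolved, but no bytes came back
    return "ok"


def summarize(text):
    """Count requests per stage, the hosts that never answered, and the client IPs seen."""
    recs = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    stages = Counter(classify(r) for r in recs)
    failing_hosts = Counter(r["host"] for r in recs if classify(r) == "tcp-no-response")
    clients = Counter(r["client"] for r in recs)
    return {
        "total": len(recs),
        "stages": stages,
        "failing_hosts": failing_hosts,
        "clients": clients,
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print("requests:", summary["total"])
    for stage, n in summary["stages"].most_common():
        print(f"  {stage}: {n}")
    print("hosts with no TCP response:", dict(summary["failing_hosts"]))
    print("client addresses seen:", dict(summary["clients"]))
```

On the sample, five of six requests fall into "tcp-no-response" with an upstream IP already chosen, which is the pattern the reply describes: DNS worked, the transfer did not. The client counter is there because, in these lines, every request arrives from the single address 192.168.50.2 (the Mikrotik side of the Squid link), which is useful to know when tracing which path the packets actually took.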



