I have the following scenario: We have a number of Verizon APs configured to run associated devices through a GRE tunnel between Verizon and our network, using a 10.99.0.0/16 subnet which is NATed to a public address. Policy based routing sends all port 80 and 443 traffic originating from 10.99.0.0/16 to the qlproxy IP (10.10.1.85) (squid proxy). iptables on the qlproxy box port-forwards all 80 and 443 traffic to 3126 & 3127. Qlproxy (4.0) has appropriate transparent and ssl_bump rules to process incoming traffic.

Squid logs show the request for web pages is made via the policy based routing (Mikrotik Firewall/Router), but nothing is returned to the requesting device. It just simply times out after a long wait. However, if I configure a tunnelled device to use port 3128 in the proxy settings of the browser, or if a tunnelled device requests the proxy URL via port 80, web requests start working, as expected for the configured device, as well as for all devices that are hitting the proxy transparently from the tunnel. This will work as long as some form of traffic from the tunnelled devices is generated. If things are left dormant for 3-5 minutes traffic will stop working again, until a device requests the proxy URL via port 80.

As a workaround to minimize complaints I created a cron job, using wget of the proxy URL, which runs every couple of minutes. As long as the wget command runs, Internet works fine for all tunnelled devices.

On a side note, policy routing of local 10.10.0.0/16 devices works just fine running through the proxy transparently, without interruptions, even when the tunnelled devices cease working.
Internet works fine if we send tunnelled traffic through and NAT the same as the 10.10.0.0/16 network, bypassing the proxy.

Squid config:

icap_enable on
icap_preview_enable on
icap_preview_size 4096
icap_persistent_connections on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Client-Username
icap_service_failure_limit -1
icap_service qlproxy1 reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod
icap_service qlproxy2 respmod_precache bypass=0 icap://127.0.0.1:1344/respmod
acl qlproxy_icap_edomains dstdomain "/opt/qlproxy/etc/squid/icap_exclusions_domains.conf"
acl qlproxy_icap_etypes rep_mime_type "/opt/qlproxy/etc/squid/icap_exclusions_contenttypes.conf"
adaptation_access qlproxy1 deny qlproxy_icap_edomains
adaptation_access qlproxy2 deny qlproxy_icap_edomains
adaptation_access qlproxy2 deny qlproxy_icap_etypes
adaptation_access qlproxy1 allow all
adaptation_access qlproxy2 allow all
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
include "/opt/qlproxy/etc/squid/squid.acl"
http_port 3126 transparent
https_port 3127 transparent ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/qlproxy/etc/myca.pem
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/qlproxy/etc/myca.pem
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/spool/squid3_ssldb -M 4MB
forward_max_tries 25
cache_mem 1024 MB
maximum_object_size_in_memory 1024 KB
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
shutdown_lifetime 3 seconds
visible_hostname qlproxy
always_direct allow all
icap_enable on
icap_service_failure_limit -1
icap_preview_enable on
icap_persistent_connections on
adaptation_send_client_ip on
adaptation_send_username on
icap_service qlproxy1 reqmod_precache icap://127.0.0.1:1344/reqmod bypass=0
icap_service qlproxy2 respmod_precache icap://127.0.0.1:1344/respmod bypass=0
acl qlproxy_icap_edomains dstdomain "/opt/qlproxy/etc/squid/icap_exclusions_domains.conf"
acl qlproxy_icap_etypes rep_mime_type "/opt/qlproxy/etc/squid/icap_exclusions_contenttypes.conf"
adaptation_access qlproxy1 deny qlproxy_icap_edomains
adaptation_access qlproxy2 deny qlproxy_icap_edomains
adaptation_access qlproxy2 deny qlproxy_icap_etypes
acl icap_bypass_to_localnet dst 10.0.0.0/8
acl icap_bypass_to_localnet dst 172.16.0.0/12
acl icap_bypass_to_localnet dst 192.168.0.0/16
adaptation_access qlproxy1 deny icap_bypass_to_localnet
adaptation_access qlproxy2 deny icap_bypass_to_localnet
adaptation_access qlproxy1 allow all
adaptation_access qlproxy2 allow all
dns_v4_first on

--
Raymond Norton
LCTN
952.955.7766

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
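As an added example (my code, not the poster's or the qlproxy/Squid projects'), a small Python audit of an ordering problem visible in the posted config: Squid walks adaptation_access statements in file order and stops at the first match, so the `adaptation_access qlproxy1 allow all` that precedes the `deny icap_bypass_to_localnet` rules leaves those later rules unreachable; the script also reports icap_service names declared more than once. The excerpt in SAMPLE_CONF is constructed from the post's config, and parse, unreachable_adaptation_rules and duplicate_services are my own names.

```python
# Added example: audit adaptation_access ordering and duplicate icap_service
# names in a Squid config. Excerpt constructed from the posted squid.conf.
SAMPLE_CONF = """\
icap_service qlproxy1 reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod
icap_service qlproxy2 respmod_precache bypass=0 icap://127.0.0.1:1344/respmod
adaptation_access qlproxy1 deny qlproxy_icap_edomains
adaptation_access qlproxy1 allow all
adaptation_access qlproxy2 allow all
icap_service qlproxy1 reqmod_precache icap://127.0.0.1:1344/reqmod bypass=0
acl icap_bypass_to_localnet dst 10.0.0.0/8
adaptation_access qlproxy1 deny icap_bypass_to_localnet
adaptation_access qlproxy2 deny icap_bypass_to_localnet
adaptation_access qlproxy1 allow all
"""
def parse(conf):
    """Yield (lineno, directive, args) for each non-blank, non-comment line."""
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            yield n, parts[0], parts[1:]

def unreachable_adaptation_rules(conf):
    """[(lineno, service)] for rules after an 'allow all'/'deny all' of the same
    service: Squid checks these in file order and stops at the first match."""
    catch_all = {}  # service -> lineno of its first catch-all rule
    dead = []
    for n, directive, args in parse(conf):
        if directive != "adaptation_access" or len(args) < 3:
            continue
        service, action, acls = args[0], args[1], args[2:]
        if service in catch_all:
            dead.append((n, service))
        elif action in ("allow", "deny") and acls == ["all"]:
            catch_all[service] = n
    return dead

def duplicate_services(conf):
    """{service: [linenos]} for icap_service names declared more than once."""
    seen = {}
    for n, directive, args in parse(conf):
        if directive == "icap_service" and args:
            seen.setdefault(args[0], []).append(n)
    return {s: lines for s, lines in seen.items() if len(lines) > 1}

if __name__ == "__main__":
    for n, svc in unreachable_adaptation_rules(SAMPLE_CONF):
        print(f"line {n}: adaptation_access for {svc} can never match")
    for svc, lines in duplicate_services(SAMPLE_CONF).items():
        print(f"icap_service {svc} declared on lines {lines}")
```

Run it against the real /etc/squid/squid.conf (after `squid -k parse` passes) to see which deny rules are actually live before trusting the localnet bypass.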