
Re: Transparent proxy before NAT

On 14/07/2015 8:34 a.m., John Pearson wrote:
> Thanks Yuri for the response, I understand. I do have Shorewall configured
> and I understand the security implications. My Router is also the Wireless
> AP, so I want to try out this setup without having to buy another Wireless
> AP.
> 
> I don't mind it being complex, do you have any suggestions on getting
> Internet <---> Squid <---> Router (NAT) working ?
> 

You won't ever get that happening. The NAT intercept step between clients
and Squid must happen on the Squid device directly so Squid has access
to the kernel NAT mappings. This is not optional.


The best way if you are able to do it is to turn the Router into a plain
AP point, and the Squid device into router + NAT device.

It's easy enough to set up the Squid device with outgoing NAT rules same
as the router would have used. You can even do DHCP there as well if you
like.



The alternative is to go with the Squid device wired into the router so
traffic flow is:
 clients -> Router (no NAT!) -> Squid -> Router (NAT) -> Internet

"Router" can be one device if you have sufficient control over the
ebtables and iptables rules to split the pre-Squid and post-Squid packet
flows.

But that has two big problems when only one router device is used:

 1) Most consumer grade wifi+modem+router devices and even some
commercial grade ones don't support the level of iptables config needed.

 2) With one router device the router<->Squid NIC cards bandwidth
capacity is halved, since all traffic travels over it twice. Likewise
the router CPU cycles for networking are halved.


In both configs set up the clients with the Squid device static IP as
their gateway as Yuri said. The router just happens to be the path they
use to reach the Squid gateway device.

In the first config Squid uses the Internet uplink directly as its gateway, and
performs NAT MASQUERADE for outgoing traffic.

In the second config the Squid device uses the Router as its gateway (same
as the clients would normally have done). Packets go to the Internet via
there.


Amos


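An added example of the first configuration Amos describes (the Squid device acting as router and NAT gateway, with the intercept done on the Squid box itself). This is illustration written for this page, not code from the thread or from the Squid project. It assumes the LAN-facing interface is eth1, the uplink is eth0, the LAN is 192.168.1.0/24 and Squid listens on intercept port 3129; all of those are constructed values. It defaults to a dry run that only prints the rules, so it can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example, not from the squid-users thread: Squid device as router + NAT.
# Assumed/constructed values; override via environment as needed.
LAN_IF="${LAN_IF:-eth1}"                 # clients (via the AP) arrive here
WAN_IF="${WAN_IF:-eth0}"                 # Internet uplink
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # client subnet
SQUID_PORT="${SQUID_PORT:-3129}"         # matches "http_port 3129 intercept" in squid.conf
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print the commands, 0 = execute them

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Emit the forwarding, intercept and outgoing-NAT rules for the Squid box.
squid_router_rules() {
  # The Squid device is now the router, so it must forward packets.
  run sysctl -w net.ipv4.ip_forward=1

  # Intercept: redirect LAN clients' port 80 to Squid on this same host.
  # This is the step that must run on the Squid box, so Squid can look up
  # the original destination in the kernel NAT table. Restricting it to
  # the LAN interface and subnet keeps uplink traffic out of the redirect.
  run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" \
    -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"

  # Outgoing NAT on the uplink, the same job the old router was doing.
  run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

  # The intercept port is reachable only from the LAN side; anything
  # arriving for it on the uplink is dropped so the box is not usable as
  # an open proxy from the Internet.
  run iptables -A INPUT -i "$LAN_IF" -p tcp --dport "$SQUID_PORT" -j ACCEPT
  run iptables -A INPUT -i "$WAN_IF" -p tcp --dport "$SQUID_PORT" -j DROP
}

# Default invocation prints the rule set; DRY_RUN=0 applies it (run as root).
squid_router_rules
```

Running the script as-is prints the five commands for inspection; `DRY_RUN=0 sh squid-gw.sh` applies them. The clients then get the Squid box's static LAN address as their gateway, as the thread says, and the old router only bridges wireless clients onto that LAN.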

> Thanks!
> 
> On Mon, Jul 13, 2015 at 1:33 PM, John Pearson <johnpearson555@xxxxxxxxx>
> wrote:
> 
>> On Mon, Jul 13, 2015 at 1:26 PM, Yuri Voinov <yvoinov@xxxxxxxxx> wrote:
>>
>>> Ah,
>>>
>>> forgot about:
>>>
>>> Your squid in scheme I wrote will have static gray IP. And this IP must
>>> be excluded from DHCP pool on router.
>>>
>>> 14.07.15 2:15, John Pearson wrote:
>>>>> Hi Everyone,
>>>>>
>>>>> My setup is: Internet <--> Squid-eth0 <--> Squid-eth1 <--> Router <-->
>>>>> Devices
>>>>>
>>>>> Currently the Router is doing NAT and DHCP for the devices connected to it.
>>>>> Squid is in transparent mode. I set up a bridge ( br0). I set up the
>>>>> ebtables and iptables. It works but I want to figure out a way without
>>>>> having to configure Squid server or Router with hardcoded addresses.
>>>>>
>>>>> I have it working with either setup:
>>>>> 1. Remove the bridge ( br0) and setup the Squid server eth1 as a static IP
>>>>> address and set Squid server IP address as gateway in Router settings.
>>>>> 2. Since Squid server is in bridge mode, I can hard code IP address in a
>>>>> Squid ACL as all traffic appears to come this IP address from the router.
>>>>>
>>>>> I want a way to do this without any setup, basically to take a Squid box
>>>>> and place it before a Router. Is there a way to do this ?
>>>>>
>>>>> A few ideas that might be wrong:
>>>>> 1. In bridge mode, http_access allow CURRENTIPADDRESS ( CURRENTIPADDRESS
>>>>> is the dynamic IP address provided the ISP ) Is there a way to obtain this
>>>>> in the squid.conf file ?
>>>>> 2. Setup a DHCP server alongside Squid server and have Squid(DHCP) <-->
>>>>> Router(DHCP, NAT) and have same dhcp address given to the Router in
>>>>> squid.conf as http_access allow localnet
>>>>>
>>>>> Thanks in advance!
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> squid-users mailing list
>>>>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>>>>> http://lists.squid-cache.org/listinfo/squid-users