Hi all,

I operate a squid box which has two http_port setups:

http_port 3128
http_port 3129 TPROXY

I have implemented TPROXY to replace my NAT setup on a CentOS 7 Squid 3.3 box. Currently the IPv4 connectivity is working great; the IPv6 connectivity is broken when going through TPROXY. All IPv6 connections time out, and from tests it appears there is a broken IPv6 setup. Using test-ipv6.com I get a broken/misconfiguration warning. IPv6 connections handled by the standard 3128 setup work OK, and direct IPv6 connections outside of the proxy are also OK; TPROXY IPv6 is not working properly. I have looked at several TPROXY resources and cannot see where I have gone wrong or what might be causing the issue.

I am using policy routing on my DD-WRT router to pass the traffic to the Squid box, which then uses further policy routing to push the traffic to the TPROXY binding on port 3129.

DD-WRT firewall/routing rules:

PROXY_IPV6="2001:470:xxxx:xx::x"
CLIENTIFACE="br0"
FWMARK=3
ip6tables -t mangle -A PREROUTING -i $CLIENTIFACE -s $PROXY_IPV6 -p tcp --dport 80 -j ACCEPT
ip6tables -t mangle -A PREROUTING -i $CLIENTIFACE -p tcp --dport 80 -j MARK --set-mark $FWMARK
ip6tables -t mangle -A PREROUTING -m mark --mark $FWMARK -j ACCEPT
ip6tables -t filter -A FORWARD -i $CLIENTIFACE -o $CLIENTIFACE -p tcp --dport 80 -j ACCEPT
ip -f inet6 rule add fwmark $FWMARK table 2
ip -f inet6 route add default via $PROXY_IPV6 dev $CLIENTIFACE table 2

Squid box firewall and routing rules:

ip -f inet6 rule add fwmark 1 lookup 100
ip -f inet6 route add local default dev eno1 table 100
ip6tables -t mangle -F
ip6tables -t mangle -X
ip6tables -t mangle -N DIVERT
ip6tables -t mangle -A DIVERT -j MARK --set-mark 1
ip6tables -t mangle -A DIVERT -j ACCEPT
ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
ip6tables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

The following sysctl values are set:

net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.eno1.rp_filter = 0

I have defined specific IPv4 and IPv6 addresses for the Squid traffic to go over. I had to exclude these with PREROUTING rules, as this broke connectivity on LAN clients which use the standard http_port setup of 3128. IPv6 connectivity for these clients is OK.

iptables -t mangle -I PREROUTING -p tcp --dport 80 -s 192.168.x.x -j ACCEPT
ip6tables -t mangle -I PREROUTING -p tcp --dport 80 -s 2001:470:xxxx:xx::x -j ACCEPT

I don't know if I need additional values for any IPv6 config value. Nothing is mentioned in the TPROXY Squid wiki article.

Any ideas on what I could be missing?

Thanks,
James

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
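A TPROXY setup like the one in the post only works when the same numbers are repeated correctly in four places on the proxy host: the fwmark in the `ip -6 rule`, the table in that rule and in the `local default` route, the mark set by the DIVERT chain and by `--tproxy-mark`, and the `--on-port` value against the `http_port ... tproxy` line in squid.conf. The checker below is an added example written for this page; it is not code from the poster or from the Squid project, and it does not diagnose the reported fault. It parses the proxy-host rule set as shell lines (it only understands `-A` appends, not `-I` inserts, and only the mangle table), compares the values, and flags a TPROXY rule appended ahead of the `-m socket` rule (the Squid wiki order is socket first). The two rule sets embedded below are constructed: the first copies the values from the post (mark 1, table 100, port 3129); the second deliberately breaks three of them.

```python
"""Consistency check for the proxy-host side of an IPv6 TPROXY rule set.

Added example for the squid-users thread above; not code from the post
or from Squid. Assumes rules are given as 'ip -f inet6 ...' / 'ip -6 ...'
and 'ip6tables -t mangle -A ...' shell lines (no -I inserts).
"""
import re

# Parsers for the lines that carry values which must agree with each other.
RULE_RE = re.compile(
    r"\bip\s+(?:-f\s+inet6|-6)\s+rule\s+add\s+fwmark\s+(\S+)\s+(?:lookup|table)\s+(\S+)")
ROUTE_RE = re.compile(
    r"\bip\s+(?:-f\s+inet6|-6)\s+route\s+add\s+local\s+default\s+dev\s+(\S+)\s+table\s+(\S+)")
SETMARK_RE = re.compile(
    r"\bip6tables\s+-t\s+mangle\s+-A\s+(\S+)\s+-j\s+MARK\s+--set-mark\s+(\S+)")
SOCKET_RE = re.compile(
    r"\bip6tables\s+-t\s+mangle\s+-A\s+PREROUTING\s.*-m\s+socket\s+-j\s+(\S+)")
TPROXY_RE = re.compile(
    r"\bip6tables\s+-t\s+mangle\s+-A\s+PREROUTING\s.*-j\s+TPROXY\s+"
    r"--tproxy-mark\s+(\S+)/(\S+)\s+--on-port\s+(\d+)")
HTTP_PORT_RE = re.compile(
    r"^\s*http_port\s+(?:\S*:)?(\d+)\s+tproxy\b", re.IGNORECASE | re.MULTILINE)


def _mark(tok):
    """Accept the decimal and 0x forms that ip(8) and ip6tables use ('1', '0x1')."""
    return int(tok, 0)


def check_tproxy(rules, squid_conf):
    """Return a list of findings; an empty list means the values agree."""
    findings = []
    rule = RULE_RE.search(rules)
    route = ROUTE_RE.search(rules)
    setmark = SETMARK_RE.search(rules)
    sock = SOCKET_RE.search(rules)
    tproxy = TPROXY_RE.search(rules)
    ports = HTTP_PORT_RE.findall(squid_conf)

    for name, m in (("ip -6 rule fwmark", rule), ("ip -6 route local default", route),
                    ("MARK --set-mark", setmark), ("-m socket", sock), ("TPROXY", tproxy)):
        if m is None:
            findings.append(f"missing: {name} line")
    if not ports:
        findings.append("missing: 'http_port <port> tproxy' in squid.conf")
    if findings:
        return findings  # nothing to compare against

    fwmark, rule_table = _mark(rule.group(1)), rule.group(2)
    if route.group(2) != rule_table:
        findings.append(f"route table {route.group(2)} != rule table {rule_table}")
    if _mark(setmark.group(2)) != fwmark:
        findings.append(f"--set-mark {setmark.group(2)} != fwmark {rule.group(1)}")
    if sock.group(1) != setmark.group(1):
        findings.append(f"-m socket jumps to {sock.group(1)}, MARK is set in {setmark.group(1)}")
    value, mask = _mark(tproxy.group(1)), _mark(tproxy.group(2))
    if value & mask != fwmark:
        findings.append(f"--tproxy-mark {tproxy.group(1)}/{tproxy.group(2)} "
                        f"does not produce fwmark {rule.group(1)}")
    if tproxy.group(3) not in ports:
        findings.append(f"--on-port {tproxy.group(3)} has no matching 'http_port ... tproxy'")
    if tproxy.start() < sock.start():
        findings.append("TPROXY rule appended before the -m socket rule (wiki order is socket first)")
    return findings


# Constructed sample input: the Squid-box rules as posted (mark 1, table 100, port 3129).
POSTED_RULES = """
ip -f inet6 rule add fwmark 1 lookup 100
ip -f inet6 route add local default dev eno1 table 100
ip6tables -t mangle -N DIVERT
ip6tables -t mangle -A DIVERT -j MARK --set-mark 1
ip6tables -t mangle -A DIVERT -j ACCEPT
ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
ip6tables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
"""
POSTED_SQUID_CONF = "http_port 3128\nhttp_port 3129 tproxy\n"

# Constructed negative case: wrong route table, a mark the ip rule never sees, wrong order.
BROKEN_RULES = """
ip -f inet6 rule add fwmark 1 lookup 100
ip -f inet6 route add local default dev eno1 table 101
ip6tables -t mangle -A DIVERT -j MARK --set-mark 1
ip6tables -t mangle -A DIVERT -j ACCEPT
ip6tables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --tproxy-mark 0x2/0x2 --on-port 3129
ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
"""

if __name__ == "__main__":
    for label, rules in (("posted", POSTED_RULES), ("broken", BROKEN_RULES)):
        print(label, check_tproxy(rules, POSTED_SQUID_CONF) or ["ok"])
```

To run it against a live host, feed it the output of `ip -6 rule show` and `ip6tables-save -t mangle` only after adapting the regexes, since those print a different syntax from the commands that created the rules. One IPv6-specific point worth knowing when reading the sysctl list in the post: the `rp_filter` knobs exist only under `net.ipv4`; the Linux IPv6 stack has no `rp_filter` sysctl, so there is no IPv6 counterpart of those three lines to set.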