Hello,

(answering to both Amos and Antony here, you got the same questioning ;) )

On 03/01/2017 at 11:45, Amos Jeffries wrote:
> On 2017-01-03 23:13, Hoggins! wrote:
>> Okay, I get that.
>>
>> On 03/01/2017 at 10:33, Antony Stone wrote:
>>> No - you must do the NAT (or REDIRECT) rule *on the Squid server*.
>>
>> Well, my Squid server is not on the same network as my clients, so I
>> need something else than just a REDIRECT on the Squid itself.
>
> That does not matter when the DNAT or REDIRECT is done on the Squid
> machine.

OK, I'll have a deeper look into that, indeed I'm not familiar with what
REDIRECT *exactly* does.

>>> If you need to use policy routing to get the packets to the Squid
>>> machine in the first place, that's okay, but this *must* be packet
>>> routing, not address translation
>>
>> Policy routing was my first choice, but there is one important detail in
>> my setup: between my gateway (192.168.22.10) and my Squid
>> (192.168.55.3), there's an IPSec tunnel. My gateway does not have a
>> link-local route to 192.168.55.3 so I can't add the default route to it
>> inside a routing table (I get "Network is unreachable", which is
>> expected).
>>
>> So I guess I'm stuck.
>
> So how did the packets get to the Squid machine after your DNAT?
>
> The route does not have to be link-local. Any type of route will do so
> long as all the routers handling the packets know which way to pass
> them, and the dst-IP address is not changed.

Well, xfrm routing is a lot different than "classic" routing, I learnt it
the hard way. DNAT *will* work whereas policy routing won't if I don't
explicitly declare all my subnets in my IPSec tunnel configuration.

Got a big discussion about that on StrongSwan's mailing-list, and I believe
this sums it up pretty nicely:
http://xkr47.outerspace.dyndns.org/netfilter/packet_flow/packet_flow9.png

Anyway, yes, if I try to add a route by:

    ip route add default via <IP ADDRESS> table 123

<IP ADDRESS> *has* to be directly reachable. Or it has to be in the routing
table somehow. But the routing table handling the tunnelled packets is not
managed by iproute2.

So as I can't do otherwise, I'm going to experiment a bit more with the
REDIRECT + DNAT between the gateway and the Squid server.

Thanks for your help!

> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
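The two behaviours the thread turns on (the gateway refusing `ip route add default via 192.168.55.3 table 123` with "Network is unreachable", and policy-based IPsec only encapsulating packets whose addresses fall inside a declared traffic selector, so that DNAT to the Squid address gets the packet into the tunnel while plain policy routing does not) can be modelled in a few lines. The following is an added example, not code from the thread or from Squid or strongSwan. It uses the thread's addresses (192.168.22.10, 192.168.55.3); the interface names `eth0` and `ipsec0`, the client address 192.168.22.50, the destination 203.0.113.10 and the 192.168.22.0/24 <-> 192.168.55.0/24 selector are assumptions. The nexthop check is a simplified model of the kernel's: the real check also honours `onlink` and route scopes.

```python
"""Toy model of two things seen in the squid-users thread (added example, not
from the thread): (1) 'ip route add ... via <gw>' needs <gw> on a connected
route in that table, else "Network is unreachable"; (2) policy-based IPsec
(xfrm) selects packets by traffic selector, not by the routing table."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


class RouteError(Exception):
    """Raised with the wording the kernel reports back through iproute2."""


@dataclass
class Route:
    dst: IPv4Network                    # destination prefix
    dev: str                            # outgoing interface
    via: Optional[IPv4Address] = None   # None means a connected (on-link) route


@dataclass
class RoutingTable:
    """One routing table, e.g. 'main' or 'table 123'."""
    routes: List[Route] = field(default_factory=list)

    def lookup(self, ip: IPv4Address) -> Optional[Route]:
        # Longest-prefix match over the table's routes.
        matches = [r for r in self.routes if ip in r.dst]
        return max(matches, key=lambda r: r.dst.prefixlen, default=None)

    def add_connected(self, dst: str, dev: str) -> None:
        # 'ip route add <dst> dev <dev>': the prefix is on-link, no gateway check.
        self.routes.append(Route(IPv4Network(dst), dev))

    def add_via(self, dst: str, via: str) -> None:
        # 'ip route add <dst> via <via>': simplified nexthop check, the gateway
        # must be covered by a connected route already present in this table.
        gw = IPv4Address(via)
        hop = self.lookup(gw)
        if hop is None or hop.via is not None:
            raise RouteError("Network is unreachable")
        self.routes.append(Route(IPv4Network(dst), hop.dev, gw))


@dataclass
class XfrmPolicy:
    """A policy-based IPsec traffic selector: src and dst prefixes."""
    src: IPv4Network
    dst: IPv4Network


def enters_tunnel(policies: List[XfrmPolicy], src: str, dst: str) -> bool:
    # xfrm matches on the packet's own addresses, not on any routing table:
    # only flows inside a declared selector are encapsulated.
    s, d = IPv4Address(src), IPv4Address(dst)
    return any(s in p.src and d in p.dst for p in policies)


def gateway_policy_route(declare_squid_net: bool) -> str:
    """What the gateway (192.168.22.10) answers to the route add from the thread.

    declare_squid_net=True stands for the remote subnet being present in the
    table (the thread's "explicitly declare all my subnets" case).
    """
    table = RoutingTable()
    table.add_connected("192.168.22.0/24", "eth0")        # gateway LAN, eth0 assumed
    if declare_squid_net:
        table.add_connected("192.168.55.0/24", "ipsec0")  # ipsec0 assumed
    try:
        table.add_via("0.0.0.0/0", "192.168.55.3")        # 'default via 192.168.55.3 table 123'
    except RouteError as e:
        return str(e)
    return "added"


def tunnel_selection(dnat: bool) -> bool:
    """Does a client's web request get encapsulated towards the Squid side?

    The selector is an assumption; the thread does not print the tunnel config.
    """
    policies = [XfrmPolicy(IPv4Network("192.168.22.0/24"),
                           IPv4Network("192.168.55.0/24"))]
    client = "192.168.22.50"        # constructed client address
    dst = "203.0.113.10"            # constructed public web server (TEST-NET-3)
    if dnat:
        dst = "192.168.55.3"        # DNAT on the gateway rewrites dst to Squid
    # Policy routing leaves dst untouched, so the packet never matches the selector.
    return enters_tunnel(policies, client, dst)


if __name__ == "__main__":
    print(gateway_policy_route(declare_squid_net=False))
    print(gateway_policy_route(declare_squid_net=True))
    print("policy routing only:", tunnel_selection(dnat=False))
    print("with DNAT to Squid:", tunnel_selection(dnat=True))
```

The second half is why Amos's "dst-IP address is not changed" advice and Hoggins!'s observation both hold: packet routing preserves the destination, but a policy-based tunnel decides on that destination, so either the tunnel selector must cover the clients' real destinations or the gateway must rewrite the destination to an address the selector already covers.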