Ah!

On 03/01/2017 at 13:53, Eliezer Croitoru wrote:
> Hey,
>
> There is also another option.
> You can open a tunnel (IPIP, GRE, OTHER) between the proxy and the router to make it possible to directly route traffic to the proxy.

That would actually solve a lot of my problems.

> If you need some help with it let me know.
>
> Eliezer
>
> ----
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: eliezer@xxxxxxxxxxxx
>
>
> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Hoggins!
> Sent: Tuesday, January 3, 2017 12:54 PM
> To: squid-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re: Intercept mode failing
>
> Hello,
>
> (answering to both Amos and Antony here, you got the same questioning ;) )
>
> On 03/01/2017 at 11:45, Amos Jeffries wrote:
>> On 2017-01-03 23:13, Hoggins! wrote:
>>> Okay, I get that.
>>>
>>> On 03/01/2017 at 10:33, Antony Stone wrote:
>>>> No - you must do the NAT (or REDIRECT) rule *on the Squid server*.
>>> Well, my Squid server is not on the same network as my clients, so I
>>> need something else than just a REDIRECT on the Squid itself.
>> That does not matter when the DNAT or REDIRECT is done on the Squid
>> machine.
> OK, I'll have a deeper look into that, indeed I'm not familiar with what REDIRECT *exactly* does.
>
>>>> If you need to use policy routing to get the packets to the Squid
>>>> machine in the first place, that's okay, but this *must* be packet
>>>> routing, not address translation
>>> Policy routing was my first choice, but there is one important detail
>>> in my setup: between my gateway (192.168.22.10) and my Squid
>>> (192.168.55.3), there's an IPSec tunnel. My gateway does not have a
>>> link-local route to 192.168.55.3 so I can't add the default route to
>>> it inside a routing table (I get "Network is unreachable", which is
>>> expected).
>>>
>>> So I guess I'm stuck.
>>
>> So how did the packets get to the Squid machine after your DNAT?
>>
>> The route does not have to be link-local. Any type of route will do so
>> long as all the routers handling the packets know which way to pass
>> them, and the dst-IP address is not changed.
> Well, xfrm routing is a lot different than "classic" routing, I learnt it the hard way. DNAT *will* work whereas policy routing won't if I don't explicitly declare all my subnets in my IPSec tunnel configuration. Got a big discussion about that on StrongSwan's mailing-list, and I believe this sums it up pretty nicely:
> http://xkr47.outerspace.dyndns.org/netfilter/packet_flow/packet_flow9.png
>
> Anyway, yes, if I try to add a route by:
> ip route add default via <IP ADDRESS> table 123
>
> <IP ADDRESS> *has* to be directly reachable. Or it has to be in the routing table somehow. But the routing table handling the tunnelled packets is not managed by iproute2.
>
> So as I can't do otherwise, I'm going to experiment a bit more with the REDIRECT + DNAT between the gateway and the Squid server.
>
> Thanks for your help!
>
>> Amos
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>> http://lists.squid-cache.org/listinfo/squid-users
>>
>
>
>
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
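The layout the thread converges on, as an added example that is not part of any of the original posts: a GRE tunnel between the gateway and the Squid host, plain policy routing (a `dev` route, so no next-hop has to be link-reachable) on the gateway, and the REDIRECT done on the Squid host itself, never on the gateway. The two IPs are the ones quoted in the thread; the interface name gre1, the client subnet, the intercept port 3129 (matching an assumed `http_port 3129 intercept` in squid.conf) and the dry-run wrapper are assumptions.

```shell
#!/bin/sh
# Prints the commands unless APPLY=1 is set, so the rule set can be reviewed
# before it touches a live router or proxy.
ROUTER_IP=192.168.22.10     # gateway, from the thread
SQUID_IP=192.168.55.3       # Squid host, from the thread
CLIENT_NET=192.168.22.0/24  # assumed client subnet behind the gateway
TUN=gre1                    # assumed tunnel interface name (both ends)
INTERCEPT_PORT=3129         # assumed: "http_port 3129 intercept" in squid.conf
TABLE=123                   # routing table number used in the thread

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

# Gateway side: packet routing only. The destination IP is left untouched so
# Squid can still recover the original destination of each connection.
router_rules() {
  run ip tunnel add "$TUN" mode gre local "$ROUTER_IP" remote "$SQUID_IP" ttl 64
  run ip link set "$TUN" up
  run iptables -t mangle -A PREROUTING -s "$CLIENT_NET" -p tcp --dport 80 \
      -j MARK --set-mark 1
  run ip rule add fwmark 1 table "$TABLE"
  # A "dev" route avoids the "Network is unreachable" error from "via <IP>".
  run ip route add default dev "$TUN" table "$TABLE"
}

# Squid side: the REDIRECT lives on the same host as Squid.
squid_rules() {
  run ip tunnel add "$TUN" mode gre local "$SQUID_IP" remote "$ROUTER_IP" ttl 64
  run ip link set "$TUN" up
  run sysctl -w net.ipv4.ip_forward=1
  # Replies to clients must go back the same way they came in.
  run ip route add "$CLIENT_NET" dev "$TUN"
  # Match only packets arriving through the tunnel: Squid's own outbound
  # fetches and the host's other traffic are never looped into the proxy.
  run iptables -t nat -A PREROUTING -i "$TUN" -p tcp --dport 80 \
      -j REDIRECT --to-ports "$INTERCEPT_PORT"
  # The intercept port must only ever see redirected traffic; drop direct hits.
  run iptables -A INPUT ! -i "$TUN" -p tcp --dport "$INTERCEPT_PORT" -j DROP
}

case "${1:-}" in
  router) router_rules ;;
  squid)  squid_rules ;;
esac
```

Run `sh script.sh router` on the gateway and `sh script.sh squid` on the proxy; the GRE packets themselves still travel through the existing IPsec tunnel between the two hosts.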