Search squid archive

Re: Intercept mode failing

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Ah !

Le 03/01/2017 à 13:53, Eliezer Croitoru a écrit :
> Hey,
>
> There is also another option.
> You can open a tunnel (IPIP, GRE, OTHER) between the proxy and the router to make it possible to directly route traffic to the proxy.

That would actually solve a lot of my problems.

>
> If you need some help with it let me know.
>
> Eliezer 
>
> ----
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: eliezer@xxxxxxxxxxxx
>
>
> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Hoggins!
> Sent: Tuesday, January 3, 2017 12:54 PM
> To: squid-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re:  Intercept mode failing
>
> Hello,
>
> (answering to both Amos and Antony here, you got the same questioning ;) )
>
> Le 03/01/2017 à 11:45, Amos Jeffries a écrit :
>> On 2017-01-03 23:13, Hoggins! wrote:
>>> Okay, I get that.
>>>
>>> Le 03/01/2017 à 10:33, Antony Stone a écrit :
>>>> No - you must do the NAT (or REDIRECT) rule *on the Squid server*.
>>> Well, my Squid server is not on the same network as my clients, so I 
>>> need something else than just a REDIRECT on the Squid itself.
>> That does not matter when the DNAT or REDIRECT is done on the Squid 
>> machine.
> OK, I'll have a deeper look into that, indeed I'm not familiar with what REDIRECT *exactly* does.
>
>>>> If you need to use policy routing to get the packets to the Squid 
>>>> machine in the first place, that's okay, but this *must* be packet 
>>>> routing, not address translation
>>> Policy routing was my first choice, but there is one important detail 
>>> in my setup : between my gateway (192.168.22.10) and my Squid 
>>> (192.168.55.3), there's an IPSec tunnel. My gateway does not have a 
>>> link-local route to 192.168.55.3 so I can't add the default route to 
>>> it inside a routing table (I get "Network is unreachable", which is 
>>> expected).
>>>
>>> So I guess I'm stuck.
>>
>> So how did the packets get to the Squid machine after your DNAT ?
>>
>> The route does not have to be link-local. Any type of route will do so 
>> long as all the routers handling the packets know which way to pass 
>> them, and the dst-IP address is not changed.
> Well, xfrm routing is a lot different than "classic" routing, I learnt it the hard way. DNAT *will* work whereas policy routing won't if I don't explicitly declare all my subnets in my IPSec tunnel configuration. Got a big discussion about that on StrongSwan's mailing-list, and I believe this sums it up pretty nicely :
> http://xkr47.outerspace.dyndns.org/netfilter/packet_flow/packet_flow9.png
>
> Anyway, yes, if I try to add a route by :
>     ip route add default via <IP ADDRESS> table 123
>
> <IP ADDRESS> *has* to be directly reachable. Or it has to be in the routing table somehow. But the routing table handling the tunnelled packets is not managed by iproute2.
>
> So as I can't do otherwise, I'm going to experiment a bit more with the REDIRECT + DNAT between the gateway and the Squid server.
>
> Thanks for your help !
>
>> Amos
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>> http://lists.squid-cache.org/listinfo/squid-users
>>
>
>
>


Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux