Re: Squid box for two networks

Hi Eliezer, thanks for your reply.

I'm marking and routing traffic to port 80 from my LANs 192.168.110.0/24 (works!) and 192.168.115.0/24 (fails!). The mark line in Mangle is:

add action=mark-connection chain=prerouting comment="TCP 80: HTTP traffic from \
    the WIFI network. The connection is marked for QoS and Policy Routing. It \
    will be routed to Proxy03" connection-mark=no-mark dst-port=80 \
    in-interface=eth4-wifi new-connection-mark=conn_proxy passthrough=yes \
    protocol=tcp src-address=192.168.115.0/24

The packet mark and route lines:

add action=mark-packet chain=prerouting comment=\
    "TCP 80: The packet is marked for Queue Tree (Up)" \
    connection-mark=conn_proxy new-packet-mark=up_tcp_80_pkt passthrough=yes \
    time=0s-1d,sun,mon,tue,wed,thu,fri,sat
add action=mark-routing chain=prerouting comment=\
    "TCP 80: Policy Routing towards Proxy03 is applied" \
    dst-address-list=!clientslist new-routing-mark=route_toproxy03 \
    packet-mark=up_tcp_80_pkt passthrough=no

Thanks
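The three mangle rules posted above, modelled in Python as an added example (not code from the original post or from MikroTik), to show at which rule a constructed packet stops matching. The model assumes RouterOS semantics as documented: rules run in order, passthrough=yes continues to the next rule after a match, passthrough=no stops, a connection mark set by the first rule is visible to the later rules for every packet of that connection, and dst-address-list=!clientslist means "destination not in clientslist". The contents of clientslist, the external address 203.0.113.10 and the interface name eth3-lan are assumptions; the rule for 192.168.110.0/24 is not in the post, so it is not modelled.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: contents of the "clientslist" address list (not shown in the post).
CLIENTSLIST = ("192.168.110.0/24", "192.168.115.0/24")


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str
    protocol: str = "tcp"
    conn_mark: Optional[str] = None     # connection mark, shared by both directions of the flow
    packet_mark: Optional[str] = None
    routing_mark: Optional[str] = None
    trace: List[str] = field(default_factory=list)


def in_net(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


# Each rule returns True to continue down the chain (passthrough=yes) or False to stop.

def rule_mark_connection(p: Packet) -> bool:
    """Posted rule 1: tcp/80 from 192.168.115.0/24 arriving on eth4-wifi, not yet marked."""
    if (p.protocol == "tcp" and p.dport == 80 and p.in_iface == "eth4-wifi"
            and in_net(p.src, "192.168.115.0/24") and p.conn_mark is None):
        p.conn_mark = "conn_proxy"
        p.trace.append("mark-connection=conn_proxy")
    return True                                   # passthrough=yes


def rule_mark_packet(p: Packet) -> bool:
    """Posted rule 2: every packet of a conn_proxy connection gets the packet mark."""
    if p.conn_mark == "conn_proxy":
        p.packet_mark = "up_tcp_80_pkt"
        p.trace.append("mark-packet=up_tcp_80_pkt")
    return True                                   # passthrough=yes


def rule_mark_routing(p: Packet) -> bool:
    """Posted rule 3: marked packets whose destination is NOT in clientslist get the routing mark."""
    if p.packet_mark == "up_tcp_80_pkt" and not any(in_net(p.dst, n) for n in CLIENTSLIST):
        p.routing_mark = "route_toproxy03"
        p.trace.append("mark-routing=route_toproxy03")
        return False                              # passthrough=no: stop here
    return True


MANGLE_PREROUTING = [rule_mark_connection, rule_mark_packet, rule_mark_routing]


def run_mangle(p: Packet) -> Packet:
    """Walk the prerouting mangle chain in order, honouring passthrough."""
    for rule in MANGLE_PREROUTING:
        if not rule(p):
            break
    return p


def routing_mark_for(src: str, in_iface: str, dst: str = "203.0.113.10",
                     dport: int = 80) -> Optional[str]:
    """Routing mark the first packet of a new connection would receive, or None."""
    return run_mangle(Packet(src=src, dst=dst, dport=dport, in_iface=in_iface)).routing_mark


if __name__ == "__main__":
    # Constructed packets: the first is the only one the posted rules send to Proxy03.
    cases = [
        ("192.168.115.20", "eth4-wifi", "203.0.113.10", 80),   # marked and policy-routed
        ("192.168.115.20", "eth3-lan", "203.0.113.10", 80),    # wrong in-interface: rule 1 misses
        ("192.168.115.20", "eth4-wifi", "192.168.110.5", 80),  # dst in clientslist: no PBR
        ("192.168.115.20", "eth4-wifi", "203.0.113.10", 443),  # only port 80 is marked
    ]
    for src, iface, dst, port in cases:
        p = run_mangle(Packet(src=src, dst=dst, dport=port, in_iface=iface))
        print(f"{src} via {iface} -> {dst}:{port}: {p.trace or ['no rule matched']}")
```

Running it prints which rules each constructed packet reaches. Two things the posted rules imply, whatever the actual fault turns out to be: only dst-port=80 is ever marked on the MikroTik, so the Squid box's 443 REDIRECT rule never sees WIFI traffic through this policy route; and because rules 2 and 3 do not test interface or source, the packet mark lands on both directions of a conn_proxy connection, and only the !clientslist exclusion (assuming that list holds the client subnets) keeps the proxy's replies to 192.168.115.x from being routed back towards Proxy03.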

On Thu, Jul 20, 2017 at 2:11 PM, Eliezer Croitoru <eliezer@xxxxxxxxxxxx> wrote:
Hey Pablo,

I am working as tech support for MikroTik devices and the tcpdump dumps leave a couple of things unknown.
Can you share the MikroTik PBR rules you are using?
Are you using any kind of connection marking and tracking in the mix or just plain source-based routing?
I am pretty sure that the issue is in the reverse path and not backwards.
If you can export your MikroTik configuration I might be able to try and help you find the right rules if these are wrong.
Also make sure that the squid box has reverse path filtering disabled using:
http://wiki.squid-cache.org/EliezerCroitoru/Drafts/MwanLB#Set_Reverse_Path_Filter_machine_globally_script

And also take a peek at:
http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2#Linux_and_Squid_Configuration

I planned to add to the wiki an article/tutorial on how to set up squid with MikroTik, since there are more than a dozen articles/tutorials that just do not do it the right way.

Eliezer

* you can send me the configuration privately if these are sensitive

----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer@xxxxxxxxxxxx
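A check for the reverse-path-filter state Eliezer asks about, as an added example (not from his message or the linked wiki page). The Linux kernel applies the larger of net.ipv4.conf.all.rp_filter and net.ipv4.conf.<iface>.rp_filter to each interface, so clearing only the per-interface value while "all" is still 1 changes nothing. The function takes the conf directory as a parameter so it can run here against a constructed copy of /proc/sys/net/ipv4/conf; the interface names and values in the demo are made up.

```python
import os
import tempfile
from typing import Dict, List

PSEUDO = ("all", "default")   # not real interfaces


def effective_rp_filter(conf_dir: str) -> Dict[str, int]:
    """Effective rp_filter per real interface: the kernel uses max(all, <iface>)."""
    def read(iface: str) -> int:
        with open(os.path.join(conf_dir, iface, "rp_filter")) as fh:
            return int(fh.read().strip())

    all_value = read("all")
    return {
        iface: max(all_value, read(iface))
        for iface in sorted(os.listdir(conf_dir))
        if iface not in PSEUDO
        and os.path.isfile(os.path.join(conf_dir, iface, "rp_filter"))
    }


def interfaces_still_filtering(conf_dir: str) -> List[str]:
    """Interfaces where reverse-path filtering is still on (1 = strict, 2 = loose)."""
    return [iface for iface, v in effective_rp_filter(conf_dir).items() if v != 0]


def build_fake_conf(values: Dict[str, int]) -> str:
    """Constructed stand-in for /proc/sys/net/ipv4/conf so the check runs offline."""
    base = tempfile.mkdtemp(prefix="rp_filter_demo_")
    for iface, value in values.items():
        os.makedirs(os.path.join(base, iface))
        with open(os.path.join(base, iface, "rp_filter"), "w") as fh:
            fh.write(f"{value}\n")
    return base


def demo():
    # Per-interface files cleared but 'all' left at 1: every interface is still filtered.
    half_done = build_fake_conf({"all": 1, "default": 1, "lo": 0, "eth0": 0, "eth1": 0})
    # 'all' cleared too, but one interface left in loose mode (2): still filtering there.
    mostly_done = build_fake_conf({"all": 0, "default": 0, "lo": 0, "eth0": 0, "eth1": 2})
    return interfaces_still_filtering(half_done), interfaces_still_filtering(mostly_done)


if __name__ == "__main__":
    print(demo())   # (['eth0', 'eth1', 'lo'], ['eth1'])
    # On the Squid box itself: interfaces_still_filtering("/proc/sys/net/ipv4/conf")
    # Clear with: sysctl -w net.ipv4.conf.all.rp_filter=0 net.ipv4.conf.<iface>.rp_filter=0
```

Seeing the 192.168.115.x packets in tcpdump does not rule rp_filter out: tcpdump taps the interface before the routing decision where the reverse-path check drops, and those drops only show up in the IPReversePathFilter counter of /proc/net/netstat (nstat -az TcpExtIPReversePathFilter) or, with net.ipv4.conf.<iface>.log_martians=1, as "martian source" lines in the kernel log.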


From: squid-users [mailto:squid-users-bounces@lists.squid-cache.org] On Behalf Of Pablo Ruben Maldonado
Sent: Thursday, July 20, 2017 16:41
To: squid-users@lists.squid-cache.org
Subject: Re: Squid box for two networks

The packets are routed using a mark and then routing rules inside my principal router (MikroTik). Attached are images with examples of packets arriving at the Squid box.

On Thu, Jul 20, 2017 at 10:27 AM, Antony Stone <Antony.Stone@squid.open.source.it> wrote:
On Thursday 20 July 2017 at 14:08:27, Pablo Ruben Maldonado wrote:

> Hi, I added the information missing from the original post. Thanks for the assistance:
>
> The Squid box is set up for intercept mode. Iptables rules here:
>
> -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
> -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129

How are you routing the packets from the firewall to Squid?

> The config paste in https://pastebin.com/Witg3cG1
>
> Thanks
>
> On Mon, Jul 17, 2017 at 5:31 PM, Pablo Ruben Maldonado <pablo.ruben.maldonado@gmail.com> wrote:
> > Hello, I have a squid box 3.5 working without problems for the LAN
> > 192.168.110.0/24 for several months. Now I want to set it up for another LAN,
> > 192.168.115.0/24, but I cannot. Tcpdump informs me that the packets arrive
> > at the squid box. But in Squid's log I do not see anything. Can you give me
> > some tip?

Can you give us any examples of packets as seen by tcpdump on the Squid box:

a) from 192.168.110.0/24

b) from 192.168.115.0/24


Antony.

--
BASIC is to computer languages what Roman numerals are to arithmetic.

                                                   Please reply to the list;
                                                         please *don't* CC me.
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


