Re: Squid 4.8+ intercept

On 8/11/22 2:19 PM, ngtech1ltd@xxxxxxxxx wrote:
Hey Grant,

Hi Eliezer,

The issue is very simple: if squid and the clients sit on the same subnet (not the same network segment) then squid will send the traffic back directly to the client.

So you're talking about -- what I call -- the TCP triangle problem, which can be worked around a number of different ways.

WCCP is not related to the network level of things and will not resolve this exact same issue in most similar use cases.

I question the veracity of that statement.

Not the least of which is that WCCP uses GRE as an L2 transport between the router and Squid and that Squid sees the packets as the router saw them. What's more is that replies are sent back from Squid via the router through said GRE tunnel. -- This very much seems like network level, both layers 2 and 3, to me.

You should never SNAT traffic from local network to the proxy since you will cause some issue with this.

Please elaborate on what issues will be caused.

The only issue that I'm aware of is the fact that traffic will appear to be from the router, not the original client. But, depending on how things are being used, the lack of real source IP may be perfectly fine. The only thing that I'm aware of where the lack of a real source IP matters is when you are doing things specific to source IP.

Said another way, I'm not aware of any problems with SNATing if none of your configuration is dependent on the source IP.

What you might want to do is to give the proxy a special subnet against the Mikrotik and to use policy based routing to forward the clients' traffic to the proxy.

If you can plug the proxy into another port on the Mikrotik device and give it a special subnet, it is much more preferable.

Preference does not equate to viability.

I believe that WCCP is not an option for Mikrotik so unless you have a specific device that supports WCCP, don't bother thinking about it.

ACK

Also, in the same breath I can tell you that most commercial services that implement MITM have not been using and are not using WCCP.

In my opinion, what someone else is doing or not doing has extremely little influence on what I do or don't do.

There are much smarter ways these days than basic WCCP to make sure that the traffic will be passed to the right proxy.

Please elaborate on such ways, other than PBR.

Also just take a minute and think: what WCCP gives exactly that a Mikrotik admin cannot do?

For starters, my understanding is that WCCP can get the traffic to the proxy, in any subnet local or remote, without altering the source / destination IP address.

A Mikrotik can be automated in such a way that WCCP would be inferior to what Mikrotik can offer. (To my knowledge)

Please elaborate.

I don't see what automation has to do with this discussion.



--
Grant. . . .
unix || die
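
The arrangement discussed above (proxy on its own subnet behind a dedicated Mikrotik port, policy based routing instead of SNAT), as an added RouterOS v7 example that is not part of this thread; the interface names, subnets and proxy address are assumptions made for the example:

```routeros
# Assumed topology (constructed for this example):
#   bridge = LAN, clients in 192.168.88.0/24
#   ether5 = dedicated link to the Squid host, 10.10.10.0/30, Squid = 10.10.10.2
#   ether1 = WAN
# Giving Squid its own subnet means its replies must come back through the
# router, which avoids the direct-to-client return path (the "TCP triangle")
# and needs no SNAT, so Squid still sees the real client IP.

/ip address add address=10.10.10.1/30 interface=ether5 comment="proxy link"

# Routing table used only for traffic we want diverted to Squid
/routing table add name=to-proxy fib
/ip route add dst-address=0.0.0.0/0 gateway=10.10.10.2 routing-table=to-proxy \
    comment="divert marked traffic to Squid"

# Mark client HTTP/HTTPS bound for the Internet. Squid's own outbound
# traffic arrives on ether5, not on the bridge, so it is never re-diverted.
/ip firewall mangle add chain=prerouting in-interface=bridge \
    src-address=192.168.88.0/24 dst-address=!192.168.88.0/24 \
    protocol=tcp dst-port=80,443 \
    action=mark-routing new-routing-mark=to-proxy passthrough=no \
    comment="PBR: clients -> Squid intercept"

# Masquerade only on the WAN side. Traffic on the proxy link keeps its
# original source address, which is the point of not SNATing to the proxy.
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
```

The Squid host still needs its own REDIRECT rule from the client subnet to its intercept port (an `http_port ... intercept` listener) and a default route pointing back at 10.10.10.1, so that replies return via the router rather than directly to the client.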

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users