Just to update: I investigated further with tcpdump and confirmed that
it's not a router identifier problem. The Gre packets from the router
are being received correctly and forwarded to the squid process
running on port 3128. However, since the packets are in the redirected
form, e.g.:
08:13:57.148898 IP 192.168.12.26.1720 >
radio1.us.music.vip.mud.yahoo.com.http: . ack 471163606 win 16800
(from tcpdump of the gre0 inteface)
Squid is somehow not responding to that (no return reply). I tested it
with direct access (non transparent) and it's working. I'm running it
through the command line, and I can see this :
2006/09/27 09:17:10| Accepting transparently proxied HTTP connections
at 0.0.0.0, port 3128, FD 11.
2006/09/27 09:17:10| Accepting ICP messages at 0.0.0.0, port 3130, FD 12.
2006/09/27 09:17:10| WCCP Disabled.
2006/09/27 09:17:10| Accepting WCCPv2 messages on port 2048, FD 13.
2006/09/27 09:17:10| Initialising all WCCPv2 lists
2006/09/27 09:17:10| Ready to serve requests.
2006/09/27 09:17:10| Done reading /usr/local/squid/var/cache swaplog
(1047 entries)
--snip --
Which seems to indicate that it should accept transparent http
connections to port 3128.
One thing I'm uncertain is on the Squid FAQ it says quote:
"For some operating systems, you need to have configured and built a
version of Squid which can recognize the hijacked connections and
discern the destination addresses. For Linux this works by configuring
Squid with the --enable-linux-netfilter option. For *BSD-based
systems, you probably have to configure squid with the
--enable-ipf-transparent option if you're using IP Filter, or
--enable-pf-transparent if you're using OpenBSD's PF. "
I'm using FreeBSD with ipfw so it's neither IP Filter or PF..are there
any particular options that I need to pass to the Squid compilation? I
tested both ipf-transparent and pf-transparent, but nothing works...
Please advice....
thanks,
woon
On 9/26/06, Wei Kian Woon <wkwoon@gmail.com> wrote:
> Hmm..perhaps I should have just stuck with linux instead of trying
> FreeBSD for this one. Can I know what version of Linux you managed to
> get it working on Adrian?
>
> I tried turning on the link2 flag for good measure:
> gre0: flags=f051<UP,POINTOPOINT,RUNNING,LINK0,LINK1,LINK2,MULTICAST> mtu 1476
> tunnel inet 192.168.1.8 --> 192.168.254.2
> inet6 fe80::xxxx%gre0 prefixlen 64 scopeid 0x4
> inet 192.166.1.8 --> 192.168.254.2 netmask 0xffffffff
>
> ipfw shows the packets are being forwarded to port 3128 which is the
> port squid is listening to:
> 00048 16942 1400049 allow gre from any to any
> 00049 1019 275497 allow tcp from 192.168.1.8 to any
> 00050 16934 924921 fwd 127.0.0.1,3128 tcp from any to any dst-port 80
> 06000 2371 1041172 allow ip from any to any
> 65535 4 437 deny ip from any to any
>
> I believe the problem is Squid receiving WCCP messages from
> 192.168.1.3 but gre packets from 192.168.254.3 (the highest ip on its
> interfaces). Any ways around this? I thought of NAT but that would add
> an extra overhead on the whole thing. Am I right in thinking that way
> or is there something else.
>
> Meanwhile, plan B: download Linux!
>
> woon
>
>
> On 9/25/06, Adrian Chadd <adrian@creative.net.au> wrote:
> > On Mon, Sep 25, 2006, Wei Kian Woon wrote:
> > > Hi all,
> > >
> > > First of all, hello. I'm new to Squid, but learning fast (i hope!)
> >
> > Welcome!
> >
> > > I'm trying to implement transparent proxying using Squid 2.6 stable4
> > > on FreeBSD 6.1, while the WCCP router is a Cisco 5500 running
> > > 12.2(28a) IOS. I managed to get the router to acquire successfully the
> > > Squid cache. There's some problem with the GRE portion however. When I
> > > do a tcpdump on the BSD server it show that the router is forwarding a
> > > lot of GREv0 packets to the server which is good, but the BSD server
> > > is not responding to it. The thing I observed was that the router
> > > associates with the BSD server originally through WCCP using the
> > > (fake) ip address of 192.168.1.3 , but when it sends the GRE packets
> > > with a source ip of 192.168.254.3, which is the highest ip address in
> > > the router (thus the router identifier is 192.168.254.3). I created
> > > the gre0 tunnel on the BSD with the commands:
> > >
> > > ifconfig gre0 create
> > > ifconfig gre0 192.168.1.8 192.168.254.3 netmask 255.255.255.255 up
> > > (192.168.1.8 is the server ip)
> > > ifconfig gre0 tunnel 192.168.1.8 192.168.254.4
> > > route delete 192.168.254.4
> > >
> > > I added the device gre option into the kernel config, together with
> > > the options IPFIREWALL and IPFIREWALL_FORWARD (ipfw tested to work),
> > > and recompiled the kernel. Problem is that there's no reply from the
> > > BSD server to the gre packets from the router. How can I fix this?
> > > There doesnt seem to be a way to change the router identifier on the
> > > cisco router (bar renumbering the router ip addresses!). Anyone have
> > > any ideas?
> >
> > I've managed to get Squid-2.6+WCCPv2 to work fine under Linux+iptables
> > but I've been completely unable to do it under FreeBSD+pf. I know
> > redirected requests are working fine, its just the GRE decapsulation
> > thats being weird. Just like you've noticed.
> >
> > Its nice to know someone else is having the same problem.
> >
> > Is anyone here successfully running WCCPv1 or WCCPv2 with FreeBSD 6.x?
> >
> >
> >
> >
> >
> > Adrian
> >
> >
>
Received on Wed Sep 27 2006 - 03:37:06 MDT
This archive was generated by hypermail pre-2.1.9 : Sun Oct 01 2006 - 12:00:04 MDT