[squid-users] Logging of 'indirect' requests, e.g. involving NAT or VPN

Antony Stone Antony.Stone at squid.open.source.it
Fri Jun 26 10:02:06 UTC 2015


On Friday 26 Jun 2015 at 10:42, Henry S. Thompson wrote:

> Antony Stone writes:
> > 
> > It's entirely plausible (I'd even say common) for VPN clients to get
> > 192.168.... addresses; also if there's a NATting router in the path
> > and Squid is logging its address, that could easily be 192.168....
> 
> Thanks for your input, but I'm still confused.  My (perhaps naive)
> understanding was that a VPN host or NATting router assigns local
> subnet range IPs (e.g. 192.168... or 10.10...) to its clients, but
> presents their traffic to the world, including any proxy, as if from
> themselves, encapsulated using their own public, static, 'real' IP.
> So I don't see how, for example "a NATting router['s] ... address"
> could ever be 192.168...

Imagine the following setup:

Organisation has a bunch of servers (maybe at their office in a server room, 
maybe in a data centre, doesn't matter which), some of which have public IPs, 
but all of which have private IPs on an internal subnet (for system management 
purposes, aside from anything else).  One of these servers is the squid proxy.  
Another server is the VPN endpoint for remote client machines.

Remote client connects to public IP of the VPN server, gets assigned a 
192.168.x.y address.  Remote client is configured to use the Squid proxy 
server.  When it does so, its request (from 192.168.x.y) is routed from the 
VPN endpoint to the Squid server (they can talk directly to each other because 
they're both on the same subnet, no NAT involved) and the Squid server then 
sends the request out to the Internet to fetch a web page.

The client IP logged by the Squid server in this scenario is 192.168.x.y


Alternatively, imagine the organisation has several office locations 
interconnected using MPLS or some similar private connectivity (ie: not over 
the Internet, or tunneled if it is over the Internet - the end result either 
way being that each office has a 192.168.a.0/24 subnet for its clients).

One of the offices has a Squid server and a connection to the Internet; 
connections from clients at the other offices go over the private links to 
this office, via Squid, to the Internet.

Again, in this setup Squid will see the true IP address of the clients, ie: 
192.168.a.b because that's the only address the clients have, and with direct 
interconnects there's no need for NATting to a public IP along the way.


I repeat my recommendation - pick one of the 192.168.m.n addresses you're 
seeing in the log files and ask whoever looks after this network which machine 
has that address (or at least, what that subnet range is used for) - I think 
it's going to turn out to be one of:

a) a real client in something like the second scenario above
b) a VPN client in the first scenario above
c) an internal router in a variation of the second scenario above


Regards,


Antony.

-- 
You can spend the whole of your life trying to be popular,
but at the end of the day the size of the crowd at your funeral
will be largely dictated by the weather.

 - Frank Skinner

                                                   Please reply to the list;
                                                         please *don't* CC me.

