[squid-users] Squid box for two networks

Pablo Ruben Maldonado pablo.ruben.maldonado at gmail.com
Thu Jul 20 18:50:40 UTC 2017


Hi Eliezer, thanks for your reply.

I'm marking and routing traffic to port 80 from my LANs 192.168.110.0/24
(works!) and 192.168.115.0/24 (fails!). The mark line in the mangle table is:

add action=mark-connection chain=prerouting \
    comment="TCP 80: HTTP traffic from the WIFI network. The connection is marked for QoS and Policy Routing. It will be routed to Proxy03" \
    connection-mark=no-mark dst-port=80 in-interface=eth4-wifi \
    new-connection-mark=conn_proxy passthrough=yes protocol=tcp \
    src-address=192.168.115.0/24

The packet mark and route lines:

add action=mark-packet chain=prerouting \
    comment="TCP 80: The packet is marked for Queue Tree (Up)" \
    connection-mark=conn_proxy new-packet-mark=up_tcp_80_pkt passthrough=yes \
    time=0s-1d,sun,mon,tue,wed,thu,fri,sat
add action=mark-routing chain=prerouting \
    comment="TCP 80: Policy Routing towards Proxy03 is applied" \
    dst-address-list=!clientslist new-routing-mark=route_toproxy03 \
    packet-mark=up_tcp_80_pkt passthrough=no

Thanks

On Thu, Jul 20, 2017 at 2:11 PM, Eliezer Croitoru <eliezer at ngtech.co.il>
wrote:

> Hey Pablo,
>
> I am working as tech support for MikroTik devices and the tcpdump dumps
> leave a couple of things unknown.
> Can you share the MikroTik PBR rules you are using?
> Are you using any kind of connection marking and tracking in the mix or
> just plain source based routing?
> I am pretty sure that the issue is in the reverse path and not backwards.
> If you can export your MikroTik configuration I might be able to try and
> help you find the right rules if these are wrong.
> Also make sure that the squid box has reverse path filtering disabled
> using:
> http://wiki.squid-cache.org/EliezerCroitoru/Drafts/MwanLB#Set_Reverse_Path_Filter_machine_globally_script
>
> And also take a peek at:
> http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2#Linux_and_Squid_Configuration
>
> I planned to add to the wiki an article/tutorial on how to set up squid with
> MikroTik, since there are more than a dozen articles/tutorials that just
> do not do it the right way.
>
> Eliezer
>
> * you can send me the configuration privately if these are sensitive
>
> ----
> http://ngtech.co.il/lmgtfy/
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: eliezer at ngtech.co.il
>
>
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On
> Behalf Of Pablo Ruben Maldonado
> Sent: Thursday, July 20, 2017 16:41
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Squid box for two networks
>
> The packets are routed using a mark and then routing rules inside my
> main router (MikroTik). I attach images with examples of packets
> arriving at the Squid box.
>
> On Thu, Jul 20, 2017 at 10:27 AM, Antony Stone <Antony.Stone at squid.open.source.it> wrote:
> On Thursday 20 July 2017 at 14:08:27, Pablo Ruben Maldonado wrote:
>
> > Hi, I'm adding the information missing from the original post. Thanks for the assistance:
> >
> > The Squid box is set up for intercept mode. iptables rules here:
> >
> > -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
> > -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
>
> How are you routing the packets from the firewall to Squid?
>
> > The config paste in https://pastebin.com/Witg3cG1
> >
> > Thanks
> >
> > On Mon, Jul 17, 2017 at 5:31 PM, Pablo Ruben Maldonado <
> > pablo.ruben.maldonado at gmail.com> wrote:
> > > Hello, I have a Squid 3.5 box working without problems for the LAN
> > > 192.168.110.0/24 for several months. Now I want to set it up for another
> > > LAN, 192.168.115.0/24, but I cannot. tcpdump tells me that the packets
> > > arrive at the Squid box, but in Squid's log I do not see anything. Can you
> > > give me some tip?
>
> Can you give us any examples of packets as seen by tcpdump on the Squid
> box:
>
> a) from 192.168.110.0/24
>
> b) from 192.168.115.0/24
>
>
> Antony.
>
> --
> BASIC is to computer languages what Roman numerals are to arithmetic.
>
> Please reply to the list; please *don't* CC me.
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
>
>
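Eliezer's reminder to disable reverse path filtering on the Squid box is worth turning into a check, because a strict rp_filter drops policy-routed client packets before the nat REDIRECT ever sees them, which matches "visible in tcpdump, nothing in access.log". The script below is an added example for this thread, not code from the list, the linked wiki page or the Squid project. The one kernel fact it relies on is documented in ip-sysctl.txt: the effective setting for an interface is max(conf/all/rp_filter, conf/IFACE/rp_filter), so setting one interface to 0 does nothing while conf/all is still 1. The function names and the optional directory argument (which lets the functions run against a copied or constructed sysctl tree instead of the live /proc) are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread): report the *effective* reverse-path
# filter setting on a Squid intercept box and emit the sysctl lines that turn
# it off. Linux applies max(conf/all/rp_filter, conf/IFACE/rp_filter) to each
# interface; with the strict value 1, a packet from 192.168.115.0/24 whose best
# route back does not leave through the interface it arrived on is dropped
# before the nat PREROUTING REDIRECT, so it shows in tcpdump but never in
# Squid's access.log.
#
# The DIR argument is an assumption of this example: it defaults to the live
# sysctl tree and exists only so the checks can be run on a copied tree.

SYSCTL_CONF_DEFAULT=/proc/sys/net/ipv4/conf

# rpf_effective IFACE [DIR]: print the effective rp_filter value for IFACE
# (the larger of conf/all and conf/IFACE; a missing file counts as 0).
rpf_effective() {
    iface=$1
    dir=${2:-$SYSCTL_CONF_DEFAULT}
    all=$(cat "$dir/all/rp_filter" 2>/dev/null || echo 0)
    own=$(cat "$dir/$iface/rp_filter" 2>/dev/null || echo 0)
    if [ "$all" -gt "$own" ]; then
        echo "$all"
    else
        echo "$own"
    fi
}

# rpf_check [DIR]: print "IFACE EFFECTIVE" for every real interface whose
# effective rp_filter is not 0 (the all/default pseudo-entries are skipped).
# Returns 1 if any such interface was found, 0 if filtering is off everywhere.
rpf_check() {
    dir=${1:-$SYSCTL_CONF_DEFAULT}
    bad=0
    for f in "$dir"/*/rp_filter; do
        [ -r "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        case $iface in
            all|default) continue ;;
        esac
        eff=$(rpf_effective "$iface" "$dir")
        if [ "$eff" != 0 ]; then
            echo "$iface $eff"
            bad=1
        fi
    done
    return $bad
}

# rpf_disable_lines [DIR]: print one "net.ipv4.conf.X.rp_filter = 0" line per
# entry, including all and default, so that the maximum rule above cannot
# re-enable filtering. Put the output in /etc/sysctl.d/ and run sysctl --system.
rpf_disable_lines() {
    dir=${1:-$SYSCTL_CONF_DEFAULT}
    for f in "$dir"/*/rp_filter; do
        [ -r "$f" ] || continue
        echo "net.ipv4.conf.$(basename "$(dirname "$f")").rp_filter = 0"
    done
}
```

On the Squid box, source the file and run `rpf_check || rpf_disable_lines`: a non-zero exit lists the interfaces that still filter, and the printed sysctl lines are the fix. Disabling rp_filter globally is what the linked wiki script does as well; if only the interface facing the MikroTik needs to accept asymmetric traffic, the loose value 2 on that interface (plus conf/all set to 0 or 2) keeps some protection elsewhere.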