[squid-users] Squid box for two networks

Eliezer Croitoru eliezer at ngtech.co.il
Thu Jul 20 20:29:30 UTC 2017


First, take Joseph's advice.
This is the right way of doing things.
And since I have a couple of MikroTik devices sitting here, I took one to create the same scenario that you have, and the full configuration can be seen at:
http://wiki.squid-cache.org/EliezerCroitoru/Drafts/MikroTik-Route-To-Intercept-Squid

And on my site at:
http://ngtech.co.il/paste/1786/raw/

Technically, since the px is on the same segment as the MikroTik, it's better to accept traffic (in both the mangle and the filter tables) by the MAC address of the px rather than the IP, but for your case the IP should play fine in combination with the interface which the traffic from the px flows in\at.
When it all works for you as expected I will add this scenario with your network diagram as an example to the wiki (if it's fine with you that the project uses the diagram..).

Thanks,
Eliezer

----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il


From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Pablo Ruben Maldonado
Sent: Thursday, July 20, 2017 21:51
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Squid box for two networks

Hi Eliezer, thanks for your reply.

I'm marking and routing traffic to port 80 from my LANs 192.168.110.0/24 (Works!) and 192.168.115.0/24 (Fails!). The mark line in Mangle is:

add action=mark-connection chain=prerouting comment="TCP 80: Tr\E1fico HTTP de\
    sde la red WIFI. Se marca la conexi\F3n para QoS y Policy Routing. Ser\E1 \
    routeado hacia Proxy03" !connection-bytes !connection-limit \
    connection-mark=no-mark !connection-nat-state !connection-rate \
    !connection-state !connection-type !content disabled=no !dscp \
    !dst-address !dst-address-list !dst-address-type !dst-limit dst-port=80 \
    !fragment !hotspot !icmp-options !in-bridge-port in-interface=eth4-wifi \
    !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
    log=no log-prefix="" new-connection-mark=conn_proxy !nth !out-bridge-port \
    !out-interface !p2p !packet-mark !packet-size passthrough=yes \
    !per-connection-classifier !port !priority protocol=tcp !psd !random \
    !routing-mark !routing-table src-address=192.168.115.0/24 !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !ttl

The packet mark and route lines:

add action=mark-packet chain=prerouting comment=\
    "TCP 80: Se marca el paquete para Queue Tree (Up)" !connection-bytes \
    !connection-limit connection-mark=conn_proxy !connection-nat-state \
    !connection-rate !connection-state !connection-type !content disabled=no \
    !dscp !dst-address !dst-address-list !dst-address-type !dst-limit \
    !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-interface \
    !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
    log=no log-prefix="" new-packet-mark=up_tcp_80_pkt !nth !out-bridge-port \
    !out-interface !p2p !packet-mark !packet-size passthrough=yes \
    !per-connection-classifier !port !priority !protocol !psd !random \
    !routing-mark !routing-table !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss time=\
    0s-1d,sun,mon,tue,wed,thu,fri,sat !ttl
add action=mark-routing chain=prerouting comment=\
    "TCP 80: Se ejecuta el Policy Routing hacia Proxy03" !connection-bytes \
    !connection-limit !connection-mark !connection-nat-state !connection-rate \
    !connection-state !connection-type !content disabled=no !dscp \
    !dst-address dst-address-list=!clientslist !dst-address-type !dst-limit \
    !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-interface \
    !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
    log=no log-prefix="" new-routing-mark=route_toproxy03 !nth \
    !out-bridge-port !out-interface !p2p packet-mark=up_tcp_80_pkt \
    !packet-size passthrough=no !per-connection-classifier !port !priority \
    !protocol !psd !random !routing-mark !routing-table !src-address \
    !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
    !tcp-mss !time !ttl

Thanks
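As an added example (not code from the thread, from Eliezer's wiki pages or from RouterOS itself): a small Python script that reads rules in the export syntax shown above, drops the `!unset` tokens and follows the connection-mark -> packet-mark -> routing-mark chain, so the handful of matchers that actually fire can be audited without wading through the export noise. The sample export is constructed from the three rules in the post, abbreviated, with the src-address written as a plain prefix; the ACTION_KEYS and DIRECTION_KEYS sets are my own classification for the summary, not RouterOS terminology.

```python
"""Summarise MikroTik '/ip firewall mangle export' rules.

RouterOS exports every unset matcher as a '!name' token, so one rule runs to
a dozen lines and the few matchers that actually fire are easy to miss.
"""
import shlex

# Keys that describe what a rule does, not what it matches (own classification).
ACTION_KEYS = {"action", "chain", "comment", "disabled", "log", "log-prefix",
               "passthrough", "new-connection-mark", "new-packet-mark",
               "new-routing-mark"}
# Matchers that tie a rule to an interface or address (own classification).
DIRECTION_KEYS = {"in-interface", "out-interface", "in-bridge-port",
                  "out-bridge-port", "src-address", "dst-address",
                  "src-address-list", "dst-address-list", "src-mac-address"}

# Constructed sample: the three mangle rules from the post, abbreviated (most
# '!unset' tokens dropped) and with src-address written as a plain prefix.
SAMPLE_EXPORT = r'''
add action=mark-connection chain=prerouting comment="TCP 80: Tr\E1fico HTTP de\
    sde la red WIFI" connection-mark=no-mark disabled=no dst-port=80 \
    in-interface=eth4-wifi log=no log-prefix="" new-connection-mark=conn_proxy \
    !out-interface passthrough=yes protocol=tcp !routing-mark \
    src-address=192.168.115.0/24 !src-address-list
add action=mark-packet chain=prerouting comment=\
    "TCP 80: Se marca el paquete para Queue Tree (Up)" \
    connection-mark=conn_proxy disabled=no !in-interface log=no log-prefix="" \
    new-packet-mark=up_tcp_80_pkt passthrough=yes !src-address time=\
    0s-1d,sun,mon,tue,wed,thu,fri,sat
add action=mark-routing chain=prerouting comment=\
    "TCP 80: Se ejecuta el Policy Routing hacia Proxy03" \
    dst-address-list=!clientslist !in-interface log=no log-prefix="" \
    new-routing-mark=route_toproxy03 packet-mark=up_tcp_80_pkt passthrough=no
'''


def join_continuations(text):
    """Join export lines ending in a backslash into single logical lines."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):
            buf += line[:-1]        # RouterOS continues the line with no added space
        else:
            logical.append(buf + line)
            buf = ""
    if buf:
        logical.append(buf)
    return logical


def parse_rule(line):
    """Parse one 'add key=value !unset ...' line into a dict of set parameters."""
    tokens = shlex.split(line)      # keeps '\E1' style escapes inside quotes
    if not tokens or tokens[0] != "add":
        return None
    rule = {}
    for tok in tokens[1:]:
        if tok.startswith("!"):
            continue                # '!key' means the matcher is unset
        key, sep, value = tok.partition("=")
        rule[key] = value if sep else ""
    return rule


def parse_export(text):
    """All 'add' rules of an export, in order."""
    return [r for r in map(parse_rule, join_continuations(text)) if r]


def matchers(rule):
    """Only the conditions a packet must satisfy for the rule to fire."""
    return {k: v for k, v in rule.items() if k not in ACTION_KEYS}


def direction_constrained(rule):
    """True if the rule is tied to an interface or address matcher."""
    return any(k in DIRECTION_KEYS for k in rule)


def mark_chain(rules):
    """(connection mark, packet mark, routing mark) triples linked by name."""
    chain = []
    for conn in rules:
        if conn.get("action") != "mark-connection":
            continue
        cmark = conn["new-connection-mark"]
        for pkt in rules:
            if pkt.get("action") != "mark-packet" or pkt.get("connection-mark") != cmark:
                continue
            pmark = pkt["new-packet-mark"]
            for rt in rules:
                if rt.get("action") == "mark-routing" and rt.get("packet-mark") == pmark:
                    chain.append((cmark, pmark, rt["new-routing-mark"]))
    return chain


def summarise(rules):
    """One line per rule: chain, action, effective matchers, passthrough."""
    lines = []
    for r in rules:
        m = " ".join(f"{k}={v}" for k, v in sorted(matchers(r).items()))
        note = "" if direction_constrained(r) else "  [no interface/address matcher]"
        lines.append(f"{r['chain']}: {r['action']} {m} "
                     f"passthrough={r.get('passthrough', '')}{note}")
    return lines


if __name__ == "__main__":
    rules = parse_export(SAMPLE_EXPORT)
    print("\n".join(summarise(rules)))
    for cmark, pmark, rmark in mark_chain(rules):
        print(f"mark chain: {cmark} -> {pmark} -> {rmark}")
```

The summary is where the reverse-path question Eliezer raises becomes visible: a prerouting mark-packet rule that matches only on connection-mark, with no interface or address matcher, fires for every packet of that tracked connection, including the replies entering the router from the proxy side, so whatever the following mark-routing rule does applies to both directions unless something else (here the `dst-address-list=!clientslist` exclusion) narrows it.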

On Thu, Jul 20, 2017 at 2:11 PM, Eliezer Croitoru <mailto:eliezer at ngtech.co.il> wrote:
Hey Pablo,

I work as tech support for MikroTik devices, and the tcpdump dumps are leaving a couple of things unknown.
Can you share the MikroTik PBR rules you are using?
Are you using any kind of connection marking and tracking in the mix or just plain source based routing?
I am pretty sure that the issue is in the reverse path and not backwards.
If you can export your MikroTik configuration I might be able to try and help you find the right rules if these are wrong.
Also make sure that the squid box has reverse path filtering disabled using:
http://wiki.squid-cache.org/EliezerCroitoru/Drafts/MwanLB#Set_Reverse_Path_Filter_machine_globally_script

And also take a peek at:
http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2#Linux_and_Squid_Configuration

I planned to add to the wiki an article\tutorial on how to set up Squid with MikroTik, since there are more than a dozen articles\tutorials that just do not do it the right way.

Eliezer

* you can send me the configuration privately if these are sensitive

----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il


From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Pablo Ruben Maldonado
Sent: Thursday, July 20, 2017 16:41
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Squid box for two networks

The packets are routed using a mark and routing rules inside my principal router (MikroTik). Attached are images with examples of packets arriving at the Squid box.

On Thu, Jul 20, 2017 at 10:27 AM, Antony Stone <Antony.Stone at squid.open.source.it> wrote:
On Thursday 20 July 2017 at 14:08:27, Pablo Ruben Maldonado wrote:

> Hi, I add information missing in the original post. Thanks for the assistance:
>
> The Squid Box has setup for Intercept Mode. Iptables rules here:
>
> -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
> -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129

How are you routing the packets from the firewall to Squid?

> The config paste in https://pastebin.com/Witg3cG1
>
> Thanks
>
> On Mon, Jul 17, 2017 at 5:31 PM, Pablo Ruben Maldonado <pablo.ruben.maldonado at gmail.com> wrote:
> > Hello, I have a Squid 3.5 box working without problems for the LAN
> > 192.168.110.0/24 for several months. Now I want to set it up for another LAN,
> > 192.168.115.0/24, but I cannot. Tcpdump informs me that the packets arrive
> > at the Squid box. But in Squid's log I do not see anything. Can you give me
> > some tip?

Can you give us any examples of packets as seen by tcpdump on the Squid box:

a) from 192.168.110.0/24

b) from 192.168.115.0/24


Antony.

--
BASIC is to computer languages what Roman numerals are to arithmetic.

                                                   Please reply to the list;
                                                         please *don't* CC me.
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
