[squid-users] Help with WCCP: Cisco 1841 to Squid 3.5.25 on Ubuntu 16

Alex K rightkicktech at gmail.com
Wed May 9 04:37:12 UTC 2018


Hi,

At the wccp0 interface do you see bidirectional http traffic? If the squid
box has multiple interfaces, do you see traffic on its wan interface? That
traffic might need NATing. Also I would check if squidbox drops any
packages in case you have a firewall configured on it.

Alex



On Wed, May 9, 2018, 07:22 Ilias Clifton <adilias3 at gmx.com> wrote:

>
> Hello,
>
> I've been trying to get WCCP working but have been banging my head against
> a wall, so thought I would ask for help.
>
> There are 2 internal subnets that I would like to use the squid proxy:
> 172.28.30.128/25 and 172.28.29.0/25
>
> I have squid v3.5.25 running on Ubuntu 16 : 172.28.28.252
>
> I have a Cisco 1841 - Adv IP - 12.4, see relevant config:
>
> #Inside Interface
> interface FastEthernet0/1
>  ip address 172.28.28.1 255.255.255.240
>  ip wccp web-cache redirect in
>  ip nat inside
>  ip virtual-reassembly max-reassemblies 64
>  no ip mroute-cache
>  duplex auto
>  speed auto
>
> #Loopback for wccp router ID
> interface Loopback0
>  ip address 172.28.28.33 255.255.255.255
>
> ip wccp web-cache redirect-list PROXY_USERS group-list SQUID
>
> ip access-list extended PROXY_USERS
>  deny   tcp host 172.28.28.252 any
>  permit tcp 172.28.30.128 0.0.0.127 any eq www
>  permit tcp 172.28.29.0 0.0.0.127 any eq www
>  deny   ip any any
>
> ip access-list standard SQUID
>  permit 172.28.28.252
>
>
>
> On the Ubuntu box, I have the squid with the following config:
>
> http_port 3128
> http_port 3129 intercept
> acl localnet src 172.28.28.0/22
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> visible_hostname Squid
> wccp2_router 172.28.28.1
> wccp2_forwarding_method gre
> wccp2_return_method gre
> wccp2_service standard 0
>
> If clients are manually set to use the proxy on port 3128, they work
> correctly.
>
> Again on the Ubuntu box, I have setup the following gre tunnel.
>
> ip tunnel add wccp0 mode gre remote 172.28.28.33 local 172.28.28.252 dev ens33 ttl 255
>
> and the following redirect using iptables..
>
> iptables -t nat -A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
>
> In sysctl.conf, I have disabled reverse path filtering and enabled ip
> forwarding.
>
> net.ipv4.conf.default.rp_filter=0
> net.ipv4.conf.all.rp_filter=0
> net.ipv4.ip_forward=1
>
> When starting squid, using tcpdump, I see traffic between the Ubuntu box
> and the router on udp port 2048
>
> 00:39:34.587799 IP 172.28.28.252.2048 > 172.28.28.1.2048: UDP, length 144
> 00:39:34.590399 IP 172.28.28.1.2048 > 172.28.28.252.2048: UDP, length 140
>
> I see the following message on the router..
> %WCCP-5-SERVICEFOUND: Service web-cache acquired on WCCP client 172.28.28.252
>
> So looks like it's working ok so far...
>
> When I try and browse to a site from a client..
> $ wget http://www.google.com
>
> On the Ubuntu box, I see gre traffic on the ethernet interface..
> 00:44:22.340734 IP 172.28.28.33 > 172.28.28.252: GREv0, length 72: gre-proto-0x883e
>
>
> I see the un-encapsulated traffic on the wccp0 interface:
> 00:56:26.888519 IP 172.28.29.4.52128 > 216.58.203.100.80
>
> Which is correctly showing original client IP and destination IP.
>
> I can see hits on the iptable redirect rule:
> pkts bytes target     prot opt in     out     source               destination
>   429 26280 REDIRECT   tcp  --  wccp0  any     anywhere             anywhere             tcp dpt:http redir ports 3129
>
>
> But there is no response from squid on the Ubuntu box :-(
>
> I don't see anything helpful in either access.log or cache.log.
>
> I'm not sure if there is anything else that could be dropping the packet
> apart from return path filtering..
>
> If someone could give me some pointers or any further debugging I could
> try, that would be great.
>
>
> Thanks.
>