[squid-users] Help with WCCP: Cisco 1841 to Squid 3.5.25 on Ubuntu 16

Alex K rightkicktech at gmail.com
Wed May 9 05:08:17 UTC 2018


Is the Ubuntu box able to reach the Internet?
Do you see any events in the Squid access log?

Alex


On Wed, May 9, 2018, 07:59 Ilias Clifton <adilias3 at gmx.com> wrote:

>
>  Hi Alex,
>
> On the wccp0 interface I only see traffic arriving in 1 direction -
> original client ip to destination ip.
>
> The Ubuntu box only has a single ethernet interface - sorry, that should
> have been in my original question. I see the GRE traffic arriving from the
> router, but again - no response.
>
> I tried adding a MASQUERADE line to the iptables rules, just to see if it
> made a difference, but same result.
>
> Sent: Wednesday, May 09, 2018 at 2:37 PM
> From: "Alex K" <rightkicktech at gmail.com>
> To: "Ilias Clifton" <adilias3 at gmx.com>
> Cc: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Help with WCCP: Cisco 1841 to Squid 3.5.25 on
> Ubuntu 16
>
> Hi,
>
> At the wccp0 interface do you see bidirectional HTTP traffic? If the
> Squid box has multiple interfaces, do you see traffic on its WAN interface?
> That traffic might need NATing. Also I would check if the Squid box drops any
> packets in case you have a firewall configured on it.
>
> Alex
>
>
> On Wed, May 9, 2018, 07:22 Ilias Clifton <adilias3 at gmx.com> wrote:
> Hello,
>
> I've been trying to get WCCP working but have been banging my head against
> a wall, so thought I would ask for help.
>
> There are 2 internal subnets that I would like to use the squid proxy:
> 172.28.30.128/25 and 172.28.29.0/25
>
> I have squid v3.5.25 running on Ubuntu 16 : 172.28.28.252
>
> I have a Cisco 1841 - Adv IP - 12.4, see relevant config:
>
> #Inside Interface
> interface FastEthernet0/1
>  ip address 172.28.28.1 255.255.255.240
>  ip wccp web-cache redirect in
>  ip nat inside
>  ip virtual-reassembly max-reassemblies 64
>  no ip mroute-cache
>  duplex auto
>  speed auto
>
> #Loopback for wccp router ID
> interface Loopback0
>  ip address 172.28.28.33 255.255.255.255
>
> ip wccp web-cache redirect-list PROXY_USERS group-list SQUID
>
> ip access-list extended PROXY_USERS
>  deny   tcp host 172.28.28.252 any
>  permit tcp 172.28.30.128 0.0.0.127 any eq www
>  permit tcp 172.28.29.0 0.0.0.127 any eq www
>  deny   ip any any
>
> ip access-list standard SQUID
>  permit 172.28.28.252
>
>
>
> On the Ubuntu box, I have the squid with the following config:
>
> http_port 3128
> http_port 3129 intercept
> acl localnet src 172.28.28.0/22
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> visible_hostname Squid
> wccp2_router 172.28.28.1
> wccp2_forwarding_method gre
> wccp2_return_method gre
> wccp2_service standard 0
>
> If clients are manually set to use the proxy on port 3128, they work
> correctly.
>
> Again on the Ubuntu box, I have set up the following GRE tunnel:
>
> ip tunnel add wccp0 mode gre remote 172.28.28.33 local 172.28.28.252 dev
> ens33 ttl 255
>
> and the following redirect using iptables:
>
> iptables -t nat -A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j
> REDIRECT --to-ports 3129
>
> In sysctl.conf, I have disabled reverse path filtering and enabled IP
> forwarding.
>
> net.ipv4.conf.default.rp_filter=0
> net.ipv4.conf.all.rp_filter=0
> net.ipv4.ip_forward=1
>
> When starting squid, using tcpdump, I see traffic between the Ubuntu box
> and the router on UDP port 2048:
>
> 00:39:34.587799 IP 172.28.28.252.2048 > 172.28.28.1.2048: UDP, length 144
> 00:39:34.590399 IP 172.28.28.1.2048 > 172.28.28.252.2048: UDP, length 140
>
> I see the following message on the router:
> %WCCP-5-SERVICEFOUND: Service web-cache acquired on WCCP client
> 172.28.28.252
>
> So looks like it's working ok so far...
>
> When I try and browse to a site from a client:
> $ wget http://www.google.com
>
> On the Ubuntu box, I see GRE traffic on the ethernet interface:
> 00:44:22.340734 IP 172.28.28.33 > 172.28.28.252: GREv0, length 72: gre-proto-0x883e
>
>
> I see the un-encapsulated traffic on the wccp0 interface:
> 00:56:26.888519 IP 172.28.29.4.52128 > 216.58.203.100.80
>
> Which is correctly showing original client IP and destination IP.
>
> I can see hits on the iptable redirect rule:
> pkts bytes target     prot opt in     out     source               destination
>  429 26280 REDIRECT   tcp  --  wccp0  any     anywhere             anywhere             tcp dpt:http redir ports 3129
>
>
> But there is no response from squid on the Ubuntu box :-(
>
> I don't see anything helpful in either access.log or cache.log.
>
> I'm not sure if there is anything else that could be dropping the packet
> apart from return path filtering..
>
> If someone could give me some pointers or any further debugging I could
> try, that would be great.
>
>
> Thanks.
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
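A small diagnostic for the check Alex raises above (whether each intercepted flow actually gets a reply on the Squid box). This is example code written for this thread, not from either poster or the Squid project: it parses `tcpdump -n` lines like the ones quoted and reports flows that only ever carry client-to-server packets; the capture below is constructed.

```python
"""Summarise tcpdump output per TCP flow to spot one-directional traffic.

Given tcpdump -n lines captured on the Squid box, group packets by
client/server pair and report flows that only ever carry packets in the
client -> server direction, i.e. intercepted requests Squid never answered.
"""
import re
from collections import defaultdict

# Matches the start of a tcpdump -n line, e.g.
# "00:56:26.888519 IP 172.28.29.4.52128 > 216.58.203.100.80: Flags [S], ..."
LINE_RE = re.compile(
    r"^\S+\s+IP\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):"
)

def parse_packets(lines):
    """Yield (src, sport, dst, dport) for every IPv4 line with ports."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"])

def flow_summary(lines, server_port=80):
    """Return {(client, cport, server): [forward_count, reverse_count]}.

    A packet whose destination port is server_port counts as the forward
    (client -> server) direction; a packet sourced from server_port counts
    as the reverse direction of the mirrored flow.
    """
    flows = defaultdict(lambda: [0, 0])
    for src, sport, dst, dport in parse_packets(lines):
        if dport == server_port:
            flows[(src, sport, dst)][0] += 1
        elif sport == server_port:
            flows[(dst, dport, src)][1] += 1
    return dict(flows)

def unanswered_flows(lines, server_port=80):
    """Flows with forward packets but no reverse packets at all."""
    summary = flow_summary(lines, server_port)
    return sorted(k for k, (fwd, rev) in summary.items() if fwd and not rev)

# Constructed sample: two client requests; only the second ever gets a reply.
SAMPLE_CAPTURE = """\
00:56:26.888519 IP 172.28.29.4.52128 > 216.58.203.100.80: Flags [S], seq 1, win 64240, length 0
00:56:27.890000 IP 172.28.29.4.52128 > 216.58.203.100.80: Flags [S], seq 1, win 64240, length 0
00:56:28.100000 IP 172.28.30.140.40001 > 93.184.216.34.80: Flags [S], seq 7, win 64240, length 0
00:56:28.101000 IP 93.184.216.34.80 > 172.28.30.140.40001: Flags [S.], seq 9, ack 8, win 65160, length 0
""".splitlines()

if __name__ == "__main__":
    for (client, cport, server), (fwd, rev) in flow_summary(SAMPLE_CAPTURE).items():
        print(f"{client}:{cport} -> {server}:80  fwd={fwd} rev={rev}")
    print("unanswered:", unanswered_flows(SAMPLE_CAPTURE))
```

Feed it `tcpdump -n -i wccp0 tcp port 80` output (or the same on the ethernet interface) and compare: a flow present on wccp0 but unanswered on the ethernet side points at the reply path, not at the GRE/WCCP negotiation.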