[squid-users] Help with WCCP: Cisco 1841 to Squid 3.5.25 on Ubuntu 16

Amos Jeffries squid3 at treenet.co.nz
Wed May 9 08:50:41 UTC 2018


On 09/05/18 18:36, Ilias Clifton wrote:
> Ubuntu box is able to connect to the internet ok. If client PCs are configured to use the Ubuntu box as proxy on port 3128 it works correctly.
> 
> No hits in access.log for any transparent clients via WCCP. No network response at all from Ubuntu.
> 
> 
> If I change the iptables REDIRECT to a DNAT
> iptables -t nat -A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.28.28.252:3129
> 
> 
> I do get part of the TCP handshake done.
> 
> On the Ubuntu proxy I get :
> 
> on the wccp0 interface:
> IP 172.28.29.4.53057 > 216.58.203.100.80 SYN
> 
> on the ens33 interface:
> IP 216.58.203.100.80 > 172.28.29.4.53057 SYN,ACK
> 
> The client sees the SYN,ACK, it replies and thinks it has a session
> IP 172.28.29.4.53057 > 216.58.203.100.80 ACK
> IP 172.28.29.4.53057 > 216.58.203.100.80 GET / HTTP/1.1
> 
> But really these packets are lost and never make it back to the proxy.

So the problem is likely the router settings for how those packets are
handled. Anything you can figure to find out where they are going would
be useful.


> 
> I've tried adding the following iptables rules, but reply packets still have the source ip as the original destination.
> 

Ah, that sounds like it is correct to me. The client thinks it is
talking to the origin server, not the proxy. So all the src-IP on the
reply packets have to be masqueraded as the origin server IP.


> iptables -t nat -A POSTROUTING -o ens33 -j MASQUERADE
> iptables -t nat -A POSTROUTING -o wccp0 -j MASQUERADE
> 
> Still no hits in the access.log
> 
> Should I be attempting to reply back down the GRE tunnel with the REDIRECT, or replying directly to the client via DNAT? Is there any change to the squid config between these 2 options?

You configured Squid's return method as gre, so the gre tunnel should be
used for those packets. Or you could try configuring the router and
Squid with the L2 return method - which seems to be the one half-working now.


Amos
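As an added example that is not part of this thread (neither the poster's nor Amos's configuration): a dry-run shell script that lays out, on the Squid host, the pieces the exchange above touches on - the GRE tunnel that terminates the router's WCCP redirect, the REDIRECT rule on wccp0 (rather than a DNAT), the rp_filter change the decapsulated packets need, and the squid.conf WCCP directives including the return method. The router address, proxy address, interface names and WCCP service number are placeholders (assumptions), not values from the post. With DRY_RUN=1 (the default) the script only prints the commands it would run; DRY_RUN=0 applies them and needs root.

```shell
#!/bin/sh
# Added example for Squid WCCPv2 interception over GRE; not from the mailing-list post.
# ASSUMED values: router 172.28.28.1, proxy 172.28.28.252, WAN interface ens33,
# intercept port 3129, WCCP service "standard 0" (HTTP). Override via environment.
# DRY_RUN=1 prints the commands instead of executing them (safe to run unprivileged).
set -eu

ROUTER_IP=${ROUTER_IP:-172.28.28.1}
PROXY_IP=${PROXY_IP:-172.28.28.252}
WAN_IF=${WAN_IF:-ens33}
GRE_IF=${GRE_IF:-wccp0}
INTERCEPT_PORT=${INTERCEPT_PORT:-3129}
RETURN_METHOD=${RETURN_METHOD:-gre}   # "gre" or "l2"; must match the router's configuration
DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Terminate the router's GRE-encapsulated WCCP traffic on a local tunnel interface.
setup_gre() {
    run modprobe ip_gre
    run ip tunnel add "$GRE_IF" mode gre remote "$ROUTER_IP" local "$PROXY_IP" dev "$WAN_IF"
    run ip addr add "$PROXY_IP/32" dev "$GRE_IF"
    run ip link set "$GRE_IF" up
    # Decapsulated packets carry the client's source address but arrive on the tunnel,
    # which strict reverse-path filtering rejects. The kernel applies the larger of the
    # "all" and per-interface values, so both must be lowered. This weakens anti-spoofing
    # on the host; once interception works, tighten to loose mode (2) where possible.
    run sysctl -w net.ipv4.conf.all.rp_filter=0
    run sysctl -w "net.ipv4.conf.$GRE_IF.rp_filter=0"
    run sysctl -w net.ipv4.ip_forward=1
}

# REDIRECT keeps the original destination in the NAT table for Squid's intercept port
# and answers from the address the client thinks it is talking to; nothing is DNATed
# to the proxy's own address. Squid's outbound connections to origin servers leave
# via the WAN interface under the proxy's address.
setup_nat() {
    run iptables -t nat -A PREROUTING -i "$GRE_IF" -p tcp --dport 80 \
        -j REDIRECT --to-port "$INTERCEPT_PORT"
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# The squid.conf fragment that pairs with the rules above. The forwarding and return
# methods must agree with what the router advertises for the service group.
squid_conf() {
    cat <<EOF
http_port 3128
http_port $INTERCEPT_PORT intercept
wccp2_router $ROUTER_IP
wccp2_forwarding_method gre
wccp2_return_method $RETURN_METHOD
wccp2_service standard 0
EOF
}

main() {
    setup_gre
    setup_nat
    echo
    echo '# squid.conf fragment:'
    squid_conf
}
main
```

Run it first with the default DRY_RUN=1 and compare the printed rules against what is actually loaded (`iptables -t nat -S`, `ip tunnel show`); switching to the L2 return method that Amos mentions is only `RETURN_METHOD=l2` here, but it also requires the router to be configured for L2 return and the proxy to sit on the same layer-2 segment as the router.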

