[squid-users] Squid 4.8+ intercept

ngtech1ltd at gmail.com ngtech1ltd at gmail.com
Thu Aug 11 20:19:34 UTC 2022


Hey Grant,

The issue is very simple: if Squid and the clients sit on the same subnet (not the same network segment),
then Squid will send the traffic back directly to the client.
WCCP is not related to the network level of things and will not resolve this exact issue in most similar use cases.
(There are some that can, but this is not the use case.)

You should never SNAT traffic from the local network to the proxy, since you will cause some issues with this.
What you might want to do is give the proxy a special subnet against the Mikrotik and use policy-based routing
to forward the clients' traffic to the proxy.

If you can plug the proxy into another port on the Mikrotik device and give it a special subnet, that is much more preferable.

I believe that WCCP is not an option for Mikrotik, so unless you have a specific device that supports WCCP, don't bother thinking about it.
Also, in the same breath, I can tell you that most commercial services that implement MITM have not been using and are not using WCCP.
There are much smarter ways these days than basic WCCP to make sure that the traffic will be passed to the right proxy.

Also, just take a minute and think: what exactly does WCCP give that a Mikrotik admin cannot do?
A Mikrotik can be automated in such a way that WCCP would be inferior to what Mikrotik can offer.
(To my knowledge.)

Eliezer

----
Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd at gmail.com
Web: https://ngtech.co.il/
My-Tube: https://tube.ngtech.co.il/
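The layout Eliezer describes, as an added example that is not part of the thread and not Squid or MikroTik documentation: the proxy on its own small subnet behind a spare router port, clients steered to it by a policy-based routing mark on the Mikrotik (no src-nat or dst-nat on the router), and the Squid host doing its own local REDIRECT so the un-NAT happens in the proxy's conntrack and the reply rides back through the Mikrotik. The script first checks that the proxy does not sit inside the client subnet, which is exactly the case the thread says cannot work. All addresses (192.168.88.0/24 LAN, 10.10.10.0/30 proxy link), interface names (ether5, eth0), Squid ports, certificate and helper paths are assumptions; the RouterOS commands use v6 syntax.

```shell
#!/bin/sh
# Added example, not from the thread. Prints the Mikrotik and Squid-host halves
# of a policy-routed intercept setup and refuses to do so when the proxy shares
# the client subnet (its replies would then reach clients at layer 2, bypassing
# the router and its conntrack). Addresses, interfaces and paths are assumptions.

CLIENT_NET="192.168.88.0/24"   # LAN behind the Mikrotik (assumed)
PROXY_NET="10.10.10.0/30"      # point-to-point subnet on a spare router port (assumed)
ROUTER_IP="10.10.10.1"         # Mikrotik end of that link (assumed)
PROXY_IP="10.10.10.2"          # Squid host end of that link (assumed)

# ip4_to_int A.B.C.D -> 32-bit integer
ip4_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_subnet IP CIDR -> succeeds when IP lies inside CIDR
in_subnet() {
    ip=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# check_topology PROXY_IP CLIENT_NET -> fails when the proxy shares the client subnet
check_topology() {
    if in_subnet "$1" "$2"; then
        echo "refusing: proxy $1 is inside client subnet $2; its replies would bypass the router" >&2
        return 1
    fi
}

# routeros_config CLIENT_NET PROXY_IP ROUTER_ADDR/BITS IFACE
# RouterOS 6 syntax. On RouterOS 7 add '/routing table add name=to-proxy fib'
# and use routing-table=to-proxy instead of routing-mark=to-proxy on the route.
# Only client-sourced web traffic leaving the LAN is marked, so the proxy's own
# upstream connections and its replies to clients are never re-steered.
routeros_config() {
    cat <<EOF
/ip address add address=$3 interface=$4 comment="link to squid"
/ip firewall mangle add chain=prerouting src-address=$1 dst-address=!$1 protocol=tcp dst-port=80,443 action=mark-routing new-routing-mark=to-proxy passthrough=no
/ip route add dst-address=0.0.0.0/0 gateway=$2 routing-mark=to-proxy
EOF
}

# proxy_host_config CLIENT_NET ROUTER_IP IFACE -> Linux side of the link.
# The explicit route back to the clients is redundant if the Mikrotik is
# already the default gateway; REDIRECT keeps the NAT state on this host.
proxy_host_config() {
    cat <<EOF
ip route add $1 via $2 dev $3
iptables -t nat -A PREROUTING -i $3 -s $1 -p tcp --dport 80  -j REDIRECT --to-ports 3129
iptables -t nat -A PREROUTING -i $3 -s $1 -p tcp --dport 443 -j REDIRECT --to-ports 3130
EOF
}

# squid_config -> listeners matching the REDIRECT ports; CA and helper paths are assumptions
squid_config() {
    cat <<EOF
http_port  3129 intercept
https_port 3130 intercept ssl-bump tls-cert=/etc/squid/bump-ca.pem generate-host-certificates=on
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
EOF
}

main() {
    check_topology "$PROXY_IP" "$CLIENT_NET" || return 1
    echo "# --- Mikrotik ---"
    routeros_config "$CLIENT_NET" "$PROXY_IP" "$ROUTER_IP/${PROXY_NET#*/}" ether5
    echo "# --- Squid host ---"
    proxy_host_config "$CLIENT_NET" "$ROUTER_IP" eth0
    echo "# --- squid.conf ---"
    squid_config
}

main
```

Run it on the Squid host to print the three fragments, then paste the first into the Mikrotik terminal and apply the rest locally. Changing PROXY_IP to an address inside CLIENT_NET makes the script refuse, which is the practical form of "if the proxy sits in the same network as the clients it won't work". The Mikrotik must not masquerade on the proxy link; that is the SNAT the thread warns against.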

-----Original Message-----
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Grant Taylor
Sent: Thursday, 11 August 2022 6:48
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Squid 4.8+ intercept

On 8/10/22 3:47 AM, ngtech1ltd at gmail.com wrote:
> If the proxy sits in the same network that the clients sit it won’t work.

Why not?

Is this because of -- what I call -- the TCP triangle problem?
Meaning that Squid sees the source as the client and replies directly?

If that's the case, you can cheat by SNATing the traffic that's going to 
Squid such that Squid sees the router as the source of the traffic. 
Thus Squid replies to the router which unDNATs it and sends it back to 
the original / real client.

Aside:  Isn't this what WCCP was originally meant to address?  Is WCCP a 
non-starter any more?  Even with TLS bump / monkey in the middle?

-- 
Grant. . . .
unix || die