[squid-users] Squid 4.8+ intercept

Grant Taylor gtaylor at tnetconsulting.net
Thu Aug 11 21:21:47 UTC 2022


On 8/11/22 2:19 PM, ngtech1ltd at gmail.com wrote:
> Hey Grant,

Hi Eliezer,

> The issue is very simple, if squid and the clients sit on the same 
> subnet (not the same network segment) then squid will send the traffic 
> back directly to the client.

So you're talking about -- what I call -- the TCP triangle problem, 
which can be worked around a number of different ways.

> WCCP is not related to the network level of things and will not 
> resolve this exact same issue in most similar use cases.

I question the veracity of that statement.

Not the least of which is that WCCP uses GRE as an L2 transport between 
the router and Squid and that Squid sees the packets as the router saw 
them.  What's more is that replies are sent back from Squid via the 
router through said GRE tunnel.  --  This very much seems like network 
level, both layers 2 and 3, to me.

> You should never SNAT traffic from local network to the proxy since 
> you will cause some issue with this.

Please elaborate on what issues will be caused.

The only issue that I'm aware of is the fact that traffic will appear to 
be from the router, not the original client.  But, depending on how 
things are being used, the lack of real source IP may be perfectly fine. 
The only thing that I'm aware of where the lack of a real source IP is a 
problem is when you are doing things specific to source IP.

Said another way, I'm not aware of any problems with SNATing if none of 
your configuration is dependent on the source IP.

> What you might want to do is to give the proxy a special subnet 
> against the mikrotik and to use policy based routing to forward the 
> clients traffic to the proxy.
> 
> If you can plug the proxy to another port on the Mikrotik device and 
> give it a special subnet it is much more preferable.

Preference does not equate to viability.

> I believe that WCCP is not an option for Mikrotik so unless you have 
> a specific device that supports WCCP, don't bother thinking about it.

ACK

> Also, in the same breath I can tell you that most commercial services 
> that implement MITM have not been using and are not using WCCP.

In my opinion, what someone else is doing or not doing has extremely 
little influence on what I do or don't do.

> There are much smarter ways these days than basic WCCP to make sure 
> that the traffic will be passed to the right proxy.

Please elaborate on such ways, other than PBR.

> Also just take a minute and think: what WCCP gives exactly that a 
> Mikrotik admin cannot do?

For starters, my understanding is that WCCP can get the traffic to the 
proxy, in any subnet local or remote, without altering the source / 
destination IP address.

> A Mikrotik can be automated in such a way that WCCP would be inferior 
> to what Mikrotik can offer.  (To my knowledge)

Please elaborate.

I don't see what automation has to do with this discussion.



-- 
Grant. . . .
unix || die
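The asymmetric-return ("TCP triangle") problem argued over above, as an added illustration that is not part of this thread or of Squid or MikroTik: a small Python model of a router intercepting client traffic with DNAT and a proxy host deciding, from its own routing table, where its replies go. All addresses (192.0.2.0/24 LAN, 198.51.100.0/24 proxy subnet, 203.0.113.80 origin server) and the names `ProxyHost`, `Router` and `simulate` are constructed for this example. Three cases are compared: proxy on the client subnet with DNAT only (replies go straight to the client and are never un-NATed), the same layout with SNAT at the router (works, but the proxy sees the router's address), and the proxy on its own subnet reached through the router (works and the proxy sees the real client address).

```python
"""Model of the asymmetric-return ("TCP triangle") problem when a router
intercepts client traffic to a proxy with DNAT. Constructed example: all
addresses, routes and class names below are assumptions, not configuration
taken from the thread."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CLIENT = "192.0.2.10"                # constructed client on the LAN
ROUTER_LAN = "192.0.2.1"             # router's LAN address
ROUTER_PROXY_SIDE = "198.51.100.1"   # router's leg on a dedicated proxy subnet
ROUTER_ADDRS = {ROUTER_LAN, ROUTER_PROXY_SIDE}
SERVER = "203.0.113.80"              # origin web server the client asked for


@dataclass
class Packet:
    src: str
    dst: str


class ProxyHost:
    """Proxy box with a routing table: (network, gateway-or-None), longest prefix wins."""

    def __init__(self, ip, routes):
        self.ip = ip
        self.routes = [(ip_network(net), gw) for net, gw in routes]

    def next_hop(self, dst):
        best = max((r for r in self.routes if ip_address(dst) in r[0]),
                   key=lambda r: r[0].prefixlen)
        # A None gateway means the destination is directly attached: the
        # packet is handed to dst itself, bypassing the router entirely.
        return best[1] or dst


class Router:
    """Router doing DNAT interception; optional SNAT forces replies back through it."""

    def __init__(self, proxy_ip, snat_ip=None):
        self.proxy_ip = proxy_ip
        self.snat_ip = snat_ip
        self.conntrack = {}  # (src as seen by proxy, proxy ip) -> (client, server)

    def intercept(self, pkt):
        src = self.snat_ip or pkt.src
        self.conntrack[(src, self.proxy_ip)] = (pkt.src, pkt.dst)
        return Packet(src, self.proxy_ip)

    def unnat(self, pkt):
        # Only packets that actually traverse the router get the DNAT reversed.
        client, server = self.conntrack[(pkt.dst, pkt.src)]
        return Packet(server, client)


def simulate(proxy, router):
    outbound = router.intercept(Packet(CLIENT, SERVER))
    reply = Packet(proxy.ip, outbound.src)  # proxy answers whoever it saw as source
    hop = proxy.next_hop(reply.dst)
    if hop in ROUTER_ADDRS:
        reply = router.unnat(reply)
    return {
        "proxy_sees_client": outbound.src,
        "client_sees_src": reply.src,
        "works": reply.src == SERVER and reply.dst == CLIENT,
    }


SAME_SUBNET = [("192.0.2.0/24", None), ("0.0.0.0/0", ROUTER_LAN)]


def scenario_same_subnet_dnat_only():
    return simulate(ProxyHost("192.0.2.20", SAME_SUBNET), Router("192.0.2.20"))


def scenario_same_subnet_snat():
    return simulate(ProxyHost("192.0.2.20", SAME_SUBNET),
                    Router("192.0.2.20", snat_ip=ROUTER_LAN))


def scenario_separate_subnet():
    routes = [("198.51.100.0/24", None), ("0.0.0.0/0", ROUTER_PROXY_SIDE)]
    return simulate(ProxyHost("198.51.100.2", routes), Router("198.51.100.2"))


if __name__ == "__main__":
    for name, fn in [("same subnet, DNAT only", scenario_same_subnet_dnat_only),
                     ("same subnet, SNAT at router", scenario_same_subnet_snat),
                     ("separate subnet via router", scenario_separate_subnet)]:
        print(f"{name:30} {fn()}")
```

The model deliberately ignores MAC addresses, conntrack timeouts and TPROXY; it only captures the routing decision that matters here: a reply that is delivered directly to a host on the proxy's own subnet never passes the NAT state on the router, so the client receives a packet whose source is the proxy rather than the origin server. SNAT fixes that at the cost of the client address the proxy sees, which is the trade-off both sides of the thread describe.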
