[squid-users] forwarding TPROXY squid and multi-ISP

Vieri rentorbuy at yahoo.com
Tue Aug 16 07:52:07 UTC 2022


Hi,

I'm using squid as a forward transparent proxy with something like this:

https_port 3130 tproxy ssl-bump [etc.]

The Squid service is running on a Linux FW which is the LAN's default gateway.
The host uses TPROXY such as:

25873 5262K TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            TPROXY redirect 0.0.0.0:3130 mark 0x200/0x200

This router has multiple physical and logical interfaces with a default route via 172.16.0.2. The latter IP address is assigned to another Linux host acting as gateway to Internet.

Now, the Squid firewalling router also has a network interface connected to a different Internet provider (say, ISP2). Some LAN hosts are required to use that provider instead of the Internet gateway I mentioned before (via 172.16.0.2).
If I do NOT apply TPROXY to these hosts (i.e. if they bypass squid) then they can access the alternate WAN provider after I apply some simple routing rules (e.g. "from HOST_IP_ADDR lookup ISP2").
The rest of the hosts with TPROXIED traffic through Squid can also correctly access Internet via 172.16.0.2.

The only scenario that's failing is if I want to force LAN traffic through Squid for those hosts that need to access Internet via ISP2.
I'm guessing that it may be because the Squid process is fetching data via 172.16.0.2 *always*.

How can I fix this? What are my options?
Is it possible to properly configure the same Squid system for this, or is it necessary to set up another Squid system via ISP2?

Regards
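The post describes a policy-routing layout (a TPROXY fwmark rule, a "from HOST_IP_ADDR lookup ISP2" rule, and a main table whose default route points at 172.16.0.2). The script below is an added example, not part of the mail and not Squid code: it models the kernel's rule walk (ip rule by priority, then longest-prefix match in the selected table) so the three cases from the post can be traced on a workstation without touching a live router. Everything except the 172.16.0.2 default gateway and the 0x200/0x200 mark is a constructed assumption: the LAN addresses, the ISP2 gateway, the interface names, and the table-100 "local default dev lo" route that TPROXY setups conventionally use to deliver marked packets to the proxy socket.

```python
"""Model Linux policy routing (ip rule / ip route tables) for a TPROXY +
multi-ISP router.  Added example; all addresses, table names and the table-100
local route are constructed assumptions, except the 172.16.0.2 default gateway
and the TPROXY mark 0x200/0x200 quoted in the post."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    """One `ip rule` entry; selectors are ANDed, None means 'any'."""
    prio: int
    table: str
    src: Optional[str] = None        # 'from' selector (host or CIDR)
    fwmark: Optional[int] = None     # 'fwmark VALUE[/MASK]' selector
    fwmask: int = 0xFFFFFFFF

    def matches(self, src_ip: str, mark: int) -> bool:
        if self.src is not None:
            net = ipaddress.ip_network(self.src, strict=False)
            if ipaddress.ip_address(src_ip) not in net:
                return False
        if self.fwmark is not None and (mark & self.fwmask) != self.fwmark:
            return False
        return True


@dataclass
class Route:
    """One `ip route` entry; `local` models 'local default dev lo'."""
    dst: str
    dev: str
    via: Optional[str] = None
    local: bool = False


def lookup(table, dst_ip):
    """Longest-prefix match inside one routing table; None if no route."""
    best, best_len = None, -1
    for r in table:
        net = ipaddress.ip_network(r.dst, strict=False)
        if ipaddress.ip_address(dst_ip) in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def resolve(rules, tables, src_ip, dst_ip, mark=0):
    """Walk rules in priority order; the first matching rule whose table has a
    route for dst wins, otherwise the kernel moves on to the next rule."""
    for rule in sorted(rules, key=lambda r: r.prio):
        if not rule.matches(src_ip, mark):
            continue
        route = lookup(tables.get(rule.table, []), dst_ip)
        if route is not None:
            return rule.table, route
    return None, None


HOST_IP = "192.168.1.50"     # constructed: a LAN host that must use ISP2
ROUTER_IP = "192.168.1.1"    # constructed: the Squid router's own LAN address
TPROXY_MARK = 0x200          # from the post's TPROXY rule (mark 0x200/0x200)

RULES = [
    Rule(prio=100, table="100", fwmark=TPROXY_MARK, fwmask=TPROXY_MARK),  # assumed TPROXY rule
    Rule(prio=200, table="ISP2", src=HOST_IP),   # 'from HOST_IP_ADDR lookup ISP2'
    Rule(prio=32766, table="main"),
]
TABLES = {
    "100": [Route(dst="0.0.0.0/0", dev="lo", local=True)],             # assumed: local default dev lo
    "ISP2": [Route(dst="0.0.0.0/0", dev="eth2", via="203.0.113.1")],    # constructed ISP2 gateway
    "main": [
        Route(dst="192.168.1.0/24", dev="eth1"),
        Route(dst="172.16.0.0/24", dev="eth0"),
        Route(dst="0.0.0.0/0", dev="eth0", via="172.16.0.2"),          # default route from the post
    ],
}


def describe(src_ip, dst_ip, mark=0):
    """Human-readable verdict for one flow under RULES/TABLES."""
    table, route = resolve(RULES, TABLES, src_ip, dst_ip, mark)
    if route is None:
        return "no route"
    if route.local:
        return f"table {table}: delivered locally (TPROXY socket)"
    return f"table {table}: via {route.via or 'direct'} dev {route.dev}"


if __name__ == "__main__":
    dst = "198.51.100.10"  # constructed Internet destination
    print("intercepted client packet :", describe(HOST_IP, dst, mark=TPROXY_MARK))
    print("same host bypassing Squid :", describe(HOST_IP, dst))
    print("flow sourced by the router:", describe(ROUTER_IP, dst))
```

The third case is the one the post's guess is about: a connection whose source address is the router's own falls through the ISP2 rule and lands on the main table's default via 172.16.0.2, while a packet from HOST_IP that is not marked takes ISP2. Swapping in the real `ip rule show` and `ip route show table <name>` contents for RULES and TABLES turns this into a quick consistency check of what the kernel will do for a given source address and mark before changing the live configuration.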

