<div dir="ltr">Hi Eliezer, thanks for you reply.<div><br></div><div>I'm marking and routing traffic to port 80 from my lan's <a href="http://192.168.110.0/24">192.168.110.0/24</a> (Work!) and <a href="http://192.168.115.0/24">192.168.115.0/24</a> (Fail!). The mark line in Mangle is:</div><div><br></div><div><div>add action=mark-connection chain=prerouting comment="TCP 80: Tr\E1fico HTTP de\</div><div> sde la red WIFI. Se marca la conexi\F3n para QoS y Policy Routing. Ser\E1 \</div><div> routeado hacia Proxy03" !connection-bytes !connection-limit \</div><div> connection-mark=no-mark !connection-nat-state !connection-rate \</div><div> !connection-state !connection-type !content disabled=no !dscp \</div><div> !dst-address !dst-address-list !dst-address-type !dst-limit dst-port=80 \</div><div> !fragment !hotspot !icmp-options !in-bridge-port in-interface=eth4-wifi \</div><div> !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \</div><div> log=no log-prefix="" new-connection-mark=conn_proxy !nth !out-bridge-port \</div><div> !out-interface !p2p !packet-mark !packet-size passthrough=yes \</div><div> !per-connection-classifier !port !priority protocol=tcp !psd !random \</div><div> !routing-mark !routing-table src-address=<a href="http://192.168.115.0/24">192.168.115.0/24</a> !src-address-list \</div><div> !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \</div><div> !ttl</div></div><div><br></div><div>The packet mark and route lines:</div><div><br></div><div><div>add action=mark-packet chain=prerouting comment=\</div><div> "TCP 80: Se marca el paquete para Queue Tree (Up)" !connection-bytes \</div><div> !connection-limit connection-mark=conn_proxy !connection-nat-state \</div><div> !connection-rate !connection-state !connection-type !content disabled=no \</div><div> !dscp !dst-address !dst-address-list !dst-address-type !dst-limit \</div><div> !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-interface \</div><div> !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \</div><div> log=no log-prefix="" new-packet-mark=up_tcp_80_pkt !nth !out-bridge-port \</div><div> !out-interface !p2p !packet-mark !packet-size passthrough=yes \</div><div> !per-connection-classifier !port !priority !protocol !psd !random \</div><div> !routing-mark !routing-table !src-address !src-address-list \</div><div> !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss time=\</div><div> 0s-1d,sun,mon,tue,wed,thu,fri,sat !ttl</div><div>add action=mark-routing chain=prerouting comment=\</div><div> "TCP 80: Se ejecuta el Policy Routing hacia Proxy03" !connection-bytes \</div><div> !connection-limit !connection-mark !connection-nat-state !connection-rate \</div><div> !connection-state !connection-type !content disabled=no !dscp \</div><div> !dst-address dst-address-list=!clientslist !dst-address-type !dst-limit \</div><div> !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-interface \</div><div> !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \</div><div> log=no log-prefix="" new-routing-mark=route_toproxy03 !nth \</div><div> !out-bridge-port !out-interface !p2p packet-mark=up_tcp_80_pkt \</div><div> !packet-size passthrough=no !per-connection-classifier !port !priority \</div><div> !protocol !psd !random !routing-mark !routing-table !src-address \</div><div> !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \</div><div> !tcp-mss !time !ttl</div></div><div><br></div><div>Thanks</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jul 20, 2017 at 2:11 PM, Eliezer Croitoru <span dir="ltr"><<a href="mailto:eliezer@ngtech.co.il" target="_blank">eliezer@ngtech.co.il</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hey Pablo,<br>
<br>
I am working as a tech support for MikroTik devices and the tcpdump dumps are leaving couple things unknown.<br>
Can you share the MikroTik rules PBR rules you are using?<br>
Are you using any kind of connection marking and tracking in the mix or just plain source based routing?<br>
I am pretty sure that the issue is in the reverse path and not backwards.<br>
If you can export your MikroTik configuration I might be able to try and help you find the right rules if these are wrong.<br>
Also make sure that the squid box has reverse path filtering disabled using:<br>
<a href="http://wiki.squid-cache.org/EliezerCroitoru/Drafts/MwanLB#Set_Reverse_Path_Filter_machine_globally_script" rel="noreferrer" target="_blank">http://wiki.squid-cache.org/<wbr>EliezerCroitoru/Drafts/MwanLB#<wbr>Set_Reverse_Path_Filter_<wbr>machine_globally_script</a><br>
<br>
And also take a peek at:<br>
<a href="http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2#Linux_and_Squid_Configuration" rel="noreferrer" target="_blank">http://wiki.squid-cache.org/<wbr>ConfigExamples/<wbr>UbuntuTproxy4Wccp2#Linux_and_<wbr>Squid_Configuration</a><br>
<br>
I planned to add into the wiki an article\tutorial how to setup squid with MikroTik since there are more than a dozen of articles\tutorials that just do not do it the right way.<br>
<br>
Eliezer<br>
<br>
* you can send me the configuration privately if these are sensitive<br>
<br>
----<br>
<a href="http://ngtech.co.il/lmgtfy/" rel="noreferrer" target="_blank">http://ngtech.co.il/lmgtfy/</a><br>
Linux System Administrator<br>
Mobile: +972-5-28704261<br>
Email: <a href="mailto:eliezer@ngtech.co.il">eliezer@ngtech.co.il</a><br>
<br>
<br>
From: squid-users [mailto:<a href="mailto:squid-users-bounces@lists.squid-cache.org">squid-users-bounces@<wbr>lists.squid-cache.org</a>] On Behalf Of Pablo Ruben Maldonado<br>
Sent: Thursday, July 20, 2017 16:41<br>
To: <a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.<wbr>org</a><br>
Subject: Re: [squid-users] Squid box for two networks<br>
<span class=""><br>
The packets are routing using a mark and later routing rules inside my principal router (Mikrotik). Attach images with examples of packets arriving to Squid box.<br>
<br>
</span><span class="">On Thu, Jul 20, 2017 at 10:27 AM, Antony Stone <mailto:<a href="mailto:Antony.Stone@squid.open.source.it">Antony.Stone@squid.<wbr>open.source.it</a>> wrote:<br>
On Thursday 20 July 2017 at 14:08:27, Pablo Ruben Maldonado wrote:<br>
<br>
> Hi, i add information missing in original post. Thanks for assistance:<br>
><br>
> The Squid Box has setup for Intercept Mode. Iptables rules here:<br>
><br>
> -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128<br>
> -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129<br>
<br>
How are you routing the packets from the firewall to Squid?<br>
<br>
> The config paste in <a href="https://pastebin.com/Witg3cG1" rel="noreferrer" target="_blank">https://pastebin.com/Witg3cG1</a><br>
><br>
> Thanks<br>
><br>
> On Mon, Jul 17, 2017 at 5:31 PM, Pablo Ruben Maldonado <<br>
><br>
</span><span class="">> mailto:<a href="mailto:pablo.ruben.maldonado@gmail.com">pablo.ruben.maldonado@<wbr>gmail.com</a>> wrote:<br>
> > Hello, I have a squid box 3.5 working without problems for the lan<br>
</span>> > <a href="http://192.168.110.0/24" rel="noreferrer" target="_blank">http://192.168.110.0/24</a> for several months. Now I want setup to another lan<br>
> > <a href="http://192.168.115.0/24" rel="noreferrer" target="_blank">http://192.168.115.0/24</a> but I cannot. Tcpdump inform me that the packages come<br>
<span class="">> > to squid box. But in Squid's log I do not see anything. Can they give me<br>
> > some tip?<br>
<br>
Can you give us any examples of packets as seen by tcpdump on the Squid box:<br>
<br>
</span>a) from <a href="http://192.168.110.0/24" rel="noreferrer" target="_blank">http://192.168.110.0/24</a><br>
<br>
b) from <a href="http://192.168.115.0/24" rel="noreferrer" target="_blank">http://192.168.115.0/24</a><br>
<span class=""><br>
<br>
Antony.<br>
<br>
--<br>
BASIC is to computer languages what Roman numerals are to arithmetic.<br>
<br>
Please reply to the list;<br>
please *don't* CC me.<br>
______________________________<wbr>_________________<br>
squid-users mailing list<br>
</span>mailto:<a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.<wbr>squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/<wbr>listinfo/squid-users</a><br>
<br>
<br>
</blockquote></div><br></div>