<div dir="auto"><div>Hi,<div dir="auto"><br></div><div dir="auto">At the <span style="font-family:sans-serif;font-size:12.8px">wccp0</span> interface do you see bidirectional HTTP traffic? If the squid box has multiple interfaces, do you see traffic on its WAN interface? That traffic might need NATing. Also I would check if the squid box drops any packets in case you have a firewall configured on it.</div><div dir="auto"><br></div><div dir="auto">Alex</div><div dir="auto"><br></div><br><br><div class="gmail_quote"><div dir="ltr">On Wed, May 9, 2018, 07:22 Ilias Clifton <<a href="mailto:adilias3@gmx.com">adilias3@gmx.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
Hello,<br>
<br>
I've been trying to get WCCP working but have been banging my head against a wall, so thought I would ask for help.<br>
<br>
There are 2 internal subnets that I would like to use the squid proxy: <a href="http://172.28.30.128/25" rel="noreferrer noreferrer" target="_blank">172.28.30.128/25</a> and <a href="http://172.28.29.0/25" rel="noreferrer noreferrer" target="_blank">172.28.29.0/25</a><br>
<br>
I have squid v3.5.25 running on Ubuntu 16 : 172.28.28.252<br>
<br>
I have a Cisco 1841 - Adv IP - 12.4, see relevant config:<br>
<br>
#Inside Interface<br>
interface FastEthernet0/1<br>
ip address 172.28.28.1 255.255.255.240<br>
ip wccp web-cache redirect in<br>
ip nat inside<br>
ip virtual-reassembly max-reassemblies 64<br>
no ip mroute-cache<br>
duplex auto<br>
speed auto<br>
<br>
#Loopback for wccp router ID<br>
interface Loopback0<br>
ip address 172.28.28.33 255.255.255.255<br>
<br>
ip wccp web-cache redirect-list PROXY_USERS group-list SQUID<br>
<br>
ip access-list extended PROXY_USERS<br>
deny tcp host 172.28.28.252 any<br>
permit tcp 172.28.30.128 0.0.0.127 any eq www<br>
permit tcp 172.28.29.0 0.0.0.127 any eq www<br>
deny ip any any<br>
<br>
ip access-list standard SQUID<br>
permit 172.28.28.252<br>
<br>
<br>
<br>
On the Ubuntu box, I have the squid with the following config:<br>
<br>
http_port 3128<br>
http_port 3129 intercept <br>
acl localnet src <a href="http://172.28.28.0/22" rel="noreferrer noreferrer" target="_blank">172.28.28.0/22</a> <br>
http_access allow localnet<br>
http_access allow localhost<br>
http_access deny all<br>
visible_hostname Squid<br>
wccp2_router 172.28.28.1<br>
wccp2_forwarding_method gre<br>
wccp2_return_method gre<br>
wccp2_service standard 0<br>
<br>
If clients are manually set to use the proxy on port 3128, they work correctly.<br>
<br>
Again on the Ubuntu box, I have set up the following GRE tunnel.<br>
<br>
ip tunnel add wccp0 mode gre remote 172.28.28.33 local 172.28.28.252 dev ens33 ttl 255<br>
<br>
and the following redirect using iptables..<br>
<br>
iptables -t nat -A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129<br>
<br>
In sysctl.conf, I have disabled reverse path filtering and enabled IP forwarding.<br>
<br>
net.ipv4.conf.default.rp_filter=0<br>
net.ipv4.conf.all.rp_filter=0<br>
net.ipv4.ip_forward=1<br>
<br>
When starting squid, using tcpdump, I see traffic between the Ubuntu box and the router on UDP port 2048<br>
<br>
00:39:34.587799 IP 172.28.28.252.2048 > 172.28.28.1.2048: UDP, length 144<br>
00:39:34.590399 IP 172.28.28.1.2048 > 172.28.28.252.2048: UDP, length 140<br>
<br>
I see the following message on the router..<br>
%WCCP-5-SERVICEFOUND: Service web-cache acquired on WCCP client 172.28.28.252<br>
<br>
So looks like it's working ok so far...<br>
<br>
When I try and browse to a site from a client..<br>
$ wget <a href="http://www.google.com" rel="noreferrer noreferrer" target="_blank">http://www.google.com</a><br>
<br>
On the Ubuntu box, I see gre traffic on the ethernet interface..<br>
00:44:22.340734 IP 172.28.28.33 > <a href="http://172.28.28.252" rel="noreferrer noreferrer" target="_blank">172.28.28.252</a>: GREv0, length 72: gre-proto-0x883e<br>
<br>
<br>
I see the un-encapsulated traffic on the wccp0 interface:<br>
00:56:26.888519 IP 172.28.29.4.52128 > 216.58.203.100.80<br>
<br>
Which is correctly showing original client IP and destination IP.<br>
<br>
I can see hits on the iptable redirect rule:<br>
pkts bytes target prot opt in out source destination <br>
429 26280 REDIRECT tcp -- wccp0 any anywhere anywhere tcp dpt:http redir ports 3129<br>
<br>
<br>
But there is no response from squid on the Ubuntu box :-(<br>
<br>
I don't see anything helpful in either access.log or cache.log.<br>
<br>
I'm not sure if there is anything else that could be dropping the packet apart from return path filtering..<br>
<br>
If someone could give me some pointers or any further debugging I could try, that would be great.<br>
<br>
<br>
Thanks.<br>
<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank" rel="noreferrer">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div></div></div>
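A quick self-check for the setup described in this thread, written here as an added example (not part of either message): it reports the effective rp_filter value per interface (the kernel applies the larger of conf.all and the per-interface value, so setting only "all" and "default" can leave an interface filtering), counts hits on the wccp0 REDIRECT rule and on DROP rules in the filter INPUT chain, and confirms something is bound to the intercept port. The interface names wccp0/ens33 and port 3129 come from the post; the iptables output in SAMPLE_NAT is constructed.

```shell
#!/bin/sh
# Added example: sanity checks for a Squid WCCP/GRE intercept box like the one
# in the thread. Interface/port names follow the post; sample output is constructed.
TUN_IF="${TUN_IF:-wccp0}"
LAN_IF="${LAN_IF:-ens33}"
INTERCEPT_PORT="${INTERCEPT_PORT:-3129}"

# The kernel applies max(conf.all.rp_filter, conf.<if>.rp_filter) per interface,
# so "all=0" is not enough if the per-interface value is still 1 or 2.
effective_rp_filter() {   # $1 = conf.all value, $2 = per-interface value
  if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# Packet count of the REDIRECT rule for a given target port, parsed from
# 'iptables -t nat -vnL PREROUTING' text on stdin (prints 0 if no such rule).
redirect_hits() {   # $1 = redirect port
  awk -v p="$1" '$3 == "REDIRECT" && $0 ~ ("redir ports " p "$") { n = $1 } END { print n + 0 }'
}

# Packets dropped by DROP rules matching the tunnel interface (or any interface),
# parsed from 'iptables -vnL INPUT' text on stdin.
drop_hits() {   # $1 = interface name
  awk -v i="$1" '$3 == "DROP" && ($6 == i || $6 == "*") { n += $1 } END { print n + 0 }'
}

# Constructed sample in the format of 'iptables -t nat -vnL PREROUTING'.
SAMPLE_NAT='pkts bytes target prot opt in out source destination
 429 26280 REDIRECT tcp -- wccp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3129'

# Live checks; run on the proxy box as root: sh wccp-check.sh run
run_checks() {
  all=$(sysctl -n net.ipv4.conf.all.rp_filter 2>/dev/null || echo 0)
  for ifc in "$TUN_IF" "$LAN_IF"; do
    v=$(sysctl -n "net.ipv4.conf.$ifc.rp_filter" 2>/dev/null || echo 0)
    echo "$ifc: effective rp_filter=$(effective_rp_filter "$all" "$v") (want 0)"
  done
  echo "REDIRECT hits to $INTERCEPT_PORT: $(iptables -t nat -vnL PREROUTING | redirect_hits "$INTERCEPT_PORT")"
  echo "DROP hits on $TUN_IF: $(iptables -vnL INPUT | drop_hits "$TUN_IF")"
  if ss -ltn | awk -v p="$INTERCEPT_PORT" '$4 ~ (":" p "$") { f = 1 } END { exit !f }'; then
    echo "listener on port $INTERCEPT_PORT: yes"
  else
    echo "listener on port $INTERCEPT_PORT: NO (intercept http_port not bound?)"
  fi
}

if [ "${1:-}" = run ]; then run_checks; fi
```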