[squid-users] squid tcp_outgoing_address feature not working
Amos Jeffries
squid3 at treenet.co.nz
Wed Apr 15 10:58:04 UTC 2015
On 15/04/2015 10:21 p.m., naishal0748 wrote:
> Hello,
>
> I received the following reply from Amos.
>
> ---------------
>
> Welcome to the world of application layer gateways.
>
> There is no guarantee that IPv4 is being used outbound. You may in fact
> be using IPv6 to contact servers.
> All that means is that you need to set a WAN1 IPv6 address in a second
> tcp_outgoing_address line for the IPv6.
>
>
> Also be aware the selection of NIC is entirely up to the kernel routing
> logics. Older Linux were well-known for their annoying ability to accept
> or send from any NIC using any IP assigned to the machine, depending on
> whether you had some voodoo setup in the routing config or not. CentOS
> uses ancient enough kernels that it probably does not have the bug fixes
> for that.
>
> So, double check that Squid is actually sending from 192.168.3.15 like
> you expect. If not we can help you a little further to figure out why
> and see if that fixes things for you.
>
>
> One other effect I've seen in action is that NAT on outbound can take
> Squid's tcp_outgoing_address and change it so the packets go out the
> wrong NIC with different IP entirely.
>
>
> Otherwise it's a kernel routing problem, and we probably can't help with that.
>
> -------------------------------
>
> I am actually checking using traceroute from client system, and it is
> always showing me 192.168.5.1 default Gateway IP.
>

From the client system you will only ever see the IPs on the
client->Squid connection. Not the details of the Squid->origin connection.
Squid has zero control over what TCP connections the *client* opens.

You need to use tcpdump on the Squid machine, or machine(s) at the other
end of the WAN1/2 connections to see what the Squid->origin traffic uses.

> If it is getting difficult with squid configurations, please let me know if
> it is possible to implement this setup using iptables, so that iptables
> directly routes the traffic from specific source towards specific Gateway /
> NIC.

Routing is configured with the "ip route" tool, not the iptables (NAT
and firewall tool).

To see what your current routing does, run:

  ip -4 route show
  ip -6 route show

>
> Anyhow, basically I want the specific source traffic to go via specific
> Gateway.
Understood.
Amos
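
The check described above (look at the Squid->origin traffic on the Squid machine with tcpdump, covering both IPv4 and IPv6) can be scripted. This is an added example, not part of the original message or of Squid: the function name, the interface name, the port list and every address in the sample capture except 192.168.3.15 are assumptions or constructed values.

```shell
#!/bin/sh
# Added example: tally the source address of each new Squid->origin connection
# in `tcpdump -nn` text output and flag any address that is not one of the
# configured tcp_outgoing_address values.
# Live use on the Squid machine (as root; eth1 is a placeholder interface):
#   tcpdump -nn -l -c 200 -i eth1 'tcp and (dst port 80 or dst port 443)' \
#       | squid_sources 192.168.3.15 <WAN1-IPv6-address>

squid_sources() {
    # Arguments: the expected outgoing addresses (IPv4 and/or IPv6).
    awk -v expected="$*" -v ports="80 443" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        /Flags \[S\],/ {                       # bare SYN = one new connection
            # Locate the protocol token; newer tcpdump prints extra fields before it.
            p = 0
            for (i = 1; i <= NF; i++) if ($i == "IP" || $i == "IP6") { p = i; break }
            if (!p || $(p + 2) != ">") next
            src = $(p + 1); dst = $(p + 3)
            sub(/\.[0-9]+$/, "", src)          # drop ".port" from the source
            sub(/:$/, "", dst); port = dst
            sub(/^.*\./, "", port)             # keep only the destination port
            if (index(" " ports " ", " " port " ")) count[src]++
        }
        END {
            for (s in count)
                printf "%s %s %d\n", ((s in ok) ? "OK" : "UNEXPECTED"), s, count[s]
        }
    ' | sort
}

# Constructed sample capture (not real traffic): two SYNs from the expected
# address, one from another local IPv4 address, one over IPv6, a SYN-ACK
# reply, and a client->Squid SYN to port 3128 that must be ignored.
sample_capture() {
    cat <<'EOF'
10:58:01.000001 IP 192.168.3.15.40312 > 203.0.113.10.80: Flags [S], seq 1, win 29200, length 0
10:58:01.000900 IP 203.0.113.10.80 > 192.168.3.15.40312: Flags [S.], seq 9, ack 2, win 28960, length 0
10:58:02.000001 IP 192.168.3.15.40314 > 203.0.113.10.443: Flags [S], seq 3, win 29200, length 0
10:58:03.000001 IP 192.168.5.20.40316 > 203.0.113.10.80: Flags [S], seq 5, win 29200, length 0
10:58:04.000001 IP6 2001:db8::15.40318 > 2001:db8:ffff::10.80: Flags [S], seq 7, win 28800, length 0
10:58:05.000001 IP 192.168.5.77.51000 > 192.168.5.20.3128: Flags [S], seq 8, win 29200, length 0
EOF
}

sample_capture | squid_sources 192.168.3.15
```

An UNEXPECTED IPv6 line corresponds to the missing second tcp_outgoing_address line for IPv6; an UNEXPECTED IPv4 line points at the routing or NAT causes listed in the quoted reply.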