[squid-users] Logging of 'indirect' requests, e.g. involving NAT or VPN
Antony Stone
Antony.Stone at squid.open.source.it
Fri Jun 26 10:02:06 UTC 2015
On Friday 26 Jun 2015 at 10:42, Henry S. Thompson wrote:
> Antony Stone writes:
> >
> > It's entirely plausible (I'd even say common) for VPN clients to get
> > 192.168.... addresses; also if there's a NATting router in the path
> > and Squid is logging its address, that could easily be 192.168....
>
> Thanks for your input, but I'm still confused. My (perhaps naive)
> understanding was that a VPN host or NATting router assigns local
> subnet range IPs (e.g. 192.168... or 10.10...) to its clients, but
> presents their traffic to the world, including any proxy, as if from
> themselves, encapsulated using their own public, static, 'real' IP.
> So I don't see how, for example "a NATting router['s] ... address"
> could ever be 192.168...

Imagine the following setup:

Organisation has a bunch of servers (maybe at their office in a server room,
maybe in a data centre, doesn't matter which), some of which have public IPs,
but all of which have private IPs on an internal subnet (for system management
purposes, aside from anything else). One of these servers is the squid proxy.
Another server is the VPN endpoint for remote client machines.

Remote client connects to public IP of the VPN server, gets assigned a
192.168.x.y address. Remote client is configured to use the Squid proxy
server. When it does so, its request (from 192.168.x.y) is routed from the
VPN endpoint to the Squid server (they can talk directly to each other because
they're both on the same subnet, no NAT involved) and the Squid server then
sends the request out to the Internet to fetch a web page.

The client IP logged by the Squid server in this scenario is 192.168.x.y

Alternatively, imagine the organisation has several office locations
interconnected using MPLS or some similar private connectivity (ie: not over
the Internet, or tunneled if it is over the Internet - the end result either
way being that each office has a 192.168.a.0/24 subnet for its clients).

One of the offices has a Squid server and a connection to the Internet;
connections from clients at the other offices go over the private links to
this office, via Squid, to the Internet.

Again, in this setup Squid will see the true IP address of the clients, ie:
192.168.a.b because that's the only address the clients have, and with direct
interconnects there's no need for NATting to a public IP along the way.

I repeat my recommendation - pick one of the 192.168.m.n addresses you're
seeing in the log files and ask whoever looks after this network which machine
has that address (or at least, what that subnet range is used for) - I think
it's going to turn out to be one of:

a) a real client in something like the second scenario above
b) a VPN client in the first scenario above
c) an internal router in a variation of the second scenario above

Regards,
Antony.

--
You can spend the whole of your life trying to be popular,
but at the end of the day the size of the crowd at your funeral
will be largely dictated by the weather.
- Frank Skinner
Please reply to the list;
please *don't* CC me.
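
A way to prepare for the "ask whoever looks after this network" step in the message above is to group the private client addresses in the log by subnet first. This is an added example, not part of the original message: it assumes Squid's default native access.log layout (client address in the third field) and a /24 grouping, and the sample log lines are constructed.

```python
import ipaddress
from collections import Counter, defaultdict

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in Squid's default native access.log layout:
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1435312926.101    145 192.168.10.23 TCP_MISS/200 5120 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html
1435312927.310     12 192.168.10.23 TCP_HIT/200 804 GET http://example.com/a.css - HIER_NONE/- text/css
1435312928.054    201 192.168.10.40 TCP_MISS/200 3310 GET http://example.org/ - HIER_DIRECT/93.184.216.34 text/html
1435312929.770     95 192.168.20.5 TCP_MISS/304 310 GET http://example.net/ - HIER_DIRECT/93.184.216.34 -
1435312930.002    130 10.10.3.7 TCP_MISS/200 990 GET http://example.com/b - HIER_DIRECT/93.184.216.34 text/html
1435312931.448     88 203.0.113.9 TCP_DENIED/403 3500 GET http://example.com/ - HIER_NONE/- text/html
truncated line
"""

def summarise_clients(lines, prefix_len=24):
    """Return (private, other, skipped) for the client field of each log line.

    private maps each RFC 1918 subnet (/prefix_len) to a Counter of client IPs,
    other counts non-RFC 1918 clients, skipped counts unparseable lines.
    """
    private, other, skipped = defaultdict(Counter), Counter(), 0
    for line in lines:
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[2])
        except (IndexError, ValueError):
            skipped += 1          # short line, or client logged as a hostname
            continue
        if any(addr in net for net in RFC1918):
            subnet = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
            private[subnet][addr] += 1
        else:
            other[addr] += 1
    return private, other, skipped

def subnet_report(lines, prefix_len=24):
    """List (subnet, requests, distinct clients), busiest subnet first."""
    private, _, _ = summarise_clients(lines, prefix_len)
    rows = [(str(net), sum(c.values()), len(c)) for net, c in private.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for subnet, requests, clients in subnet_report(SAMPLE_LOG.splitlines()):
        print(f"{subnet:<18} {requests:>5} requests from {clients} client(s)")
```

A subnet with many distinct clients points towards scenarios (a) or (b); a subnet where every request comes from a single address is worth checking against (c).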