[squid-users] Zyxel USG20 and Squid 3.3

wn48z squid at wizonet.ch
Fri May 22 12:51:41 UTC 2015


> NP: It's too late now, but please in future start new threads for new
> topics. It seriously screws up reading for those of us with threaded
> mailers or forum-style mirrors of the mailing list like Nabble.
Yes, this was not planned - I first used the wrong button in my email 
program (list-answer instead of create). But later (before your reply) I 
also created this new thread - shall we use the other thread for further 
posts?

> Sounds like a nasty recipe for trouble forwarding all your LAN traffic
> via somewhere on the Internet to your internal proxy. I hope that is
> just terrible documentation on the part of the firewall authors.
>
>
> The answer to your problem sits in how this firewall feature actually
> works...
>
> * If that's a fancy name for NAT or NAPT / port-forwarding then it's not
> usable to get traffic to Squid.
>
> * If it's a mini proxy relaying the traffic then Squid should be setup
> with a regular forward-proxy port to receive it.
>
> * If it's something else, it may or may not be workable.
>
> Squid requires firewalls and routers on other machines to be doing
> Layer-2 (routing) or Layer-3 (tunneling) packet forwarding without the
> IP address destroying operations that NAT does.
The ZyXel USG 20 is a Linux-based hardware router/firewall solution for 
small business use. I have found a small online overview of the HTTP 
Redirect functionality. In my opinion - this should work well with Squid?

http://www.manualslib.com/manual/363461/Zyxel-Communications-Zywall-Usg-20.html?page=347#manual 


The picture on this page shows exactly my configuration.
>> On MySquid, a Squid 2.7 stable version is running with this setting:
>>
>> http_port 3128 transparent
>>
>> It works fine - any HTTP request from the LAN goes through the MySquid proxy.
>>
> Well it *seems* to work. But only because Squid-2.7 was lying to you in
> its logs.
>
> Old Squid like 2.7 would take the most outrageous lies and forgery in
> the TCP/IP packets and believe them. But log the HTTP level details and
> tell you it was going to the place the client wanted even if the client
> would actually have gone to some other server entirely had Squid not
> been there in the path.
>
> 3.2 and later contain a bit more security to ensure the traffic actually
> goes to the server the client was connecting to (ORIGINAL_DST or a
> properly DNS listed equivalent with the same domain name).
It could be that it lies - but I also use squidGuard and blocked content is 
really blocked - so I think that Squid 2.7 should work correctly.

> Your firewall though is telling your Squid that the web server the
> client was visiting is hosted at SquidIP:3128. NAT lies!
>
>> But that is not an option - I can't and will not define manual proxy settings for any client in the LAN :-(
> No need to fear manual configuration. At the very least WPAD
> auto-configuration is your friend.
>
>
> You also have the easier option of placing the Squid machine physically
> in the network path before or after the ZyXel. Configuring the Squid box
> as a bridge + router with NAT sending port 80 traffic through Squid
> directly on the same box as required to make interception work.
The Squid box should not work as a network device. This is not an 
option. I think it should be possible to make Squid 3.x work if it was 
possible with Squid 2.7?

Thanks, Martin
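
The destination check Amos refers to above ("ORIGINAL_DST or a properly DNS listed equivalent with the same domain name") is easier to see in code than in prose. The following is an added example written for this archive page, a simplified model of that check and not Squid's own source. It contrasts the two network layouts discussed in the thread: the ZyXel doing NAT to SquidIP:3128 from another box, and an iptables REDIRECT on the Squid host itself, where the kernel still knows the original destination. The Squid address 192.168.1.10, the client 192.168.1.50, the DNS table and the host names are all constructed for the demo.

```python
"""Model of the intercept-mode destination check in Squid 3.2+ (added example,
not Squid code). Squid recovers the TCP destination the client really opened
(ORIGINAL_DST, from the NAT table on the *same* host), then forwards only if
that address is one the Host header legitimately maps to. When another device
has already NATed the packet to Squid's own address, the real destination is
gone and the check must fail: "NAT lies"."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Callable, Dict, List, Tuple

# Constructed resolver table (assumed names and addresses, not real records).
FAKE_DNS: Dict[str, List[str]] = {
    "www.example.com": ["93.184.216.34", "2606:2800:220:1:248:1893:25c8:1946"],
    "intranet.local": ["192.168.1.20"],
}
SQUID_IP = "192.168.1.10"   # assumed address of the MySquid box
SQUID_PORT = 3128


def fake_resolve(name: str) -> List[str]:
    """Stand-in for DNS; Squid would ask its real resolver here."""
    return FAKE_DNS.get(name.lower(), [])


@dataclass
class InterceptedRequest:
    client_ip: str
    original_dst_ip: str    # what the kernel NAT table on the Squid box reports
    original_dst_port: int
    host_header: str        # Host: header exactly as the client sent it


def split_host(header: str, default_port: int = 80) -> Tuple[str, int]:
    """Split 'name[:port]'. IPv6 literals are out of scope for this demo."""
    name, _, port = header.strip().rpartition(":")
    if name and port.isdigit():
        return name.lower(), int(port)
    return header.strip().lower(), default_port


def host_forgery_check(req: InterceptedRequest,
                       resolve: Callable[[str], List[str]] = fake_resolve
                       ) -> Tuple[bool, str]:
    """Forward only if the client really connected to an address (and port)
    that the Host header maps to. Returns (allowed, reason)."""
    name, port = split_host(req.host_header)
    try:
        literal = ip_address(name)
    except ValueError:
        literal = None
    if literal is not None:
        # Literal IP in Host: must be exactly where the client connected.
        if literal != ip_address(req.original_dst_ip):
            return False, f"Host IP {name} != original destination {req.original_dst_ip}"
    else:
        addrs = resolve(name)
        if not addrs:
            return False, f"{name} does not resolve"
        if req.original_dst_ip not in addrs:
            return False, (f"{name} resolves to {addrs} but the client was "
                           f"connected to {req.original_dst_ip}:{req.original_dst_port}")
    if port != req.original_dst_port:
        return False, f"Host port {port} != original destination port {req.original_dst_port}"
    return True, f"{name}:{port} matches the original destination"


def legacy_destination(req: InterceptedRequest) -> str:
    """What the 2.7 'transparent' port did: trust the Host header outright, so
    the access log names the site the client asked for no matter where the TCP
    connection was really redirected."""
    return req.host_header


# The same client request (GET http://www.example.com/) under both layouts.
def remote_nat_scenario() -> InterceptedRequest:
    """ZyXel port-forward style NAT: the packet reaches the Squid box with
    destination SquidIP:3128 and the real target address is gone."""
    return InterceptedRequest("192.168.1.50", SQUID_IP, SQUID_PORT, "www.example.com")


def same_box_redirect_scenario() -> InterceptedRequest:
    """iptables REDIRECT on the Squid host: conntrack keeps the pre-NAT
    destination, so ORIGINAL_DST is still the web server."""
    return InterceptedRequest("192.168.1.50", "93.184.216.34", 80, "www.example.com")


def run_demo() -> Dict[str, bool]:
    results = {}
    for label, req in (("remote NAT", remote_nat_scenario()),
                       ("same-box REDIRECT", same_box_redirect_scenario())):
        ok, why = host_forgery_check(req)
        results[label] = ok
        print(f"{label:18} 2.7 logs: {legacy_destination(req):16} "
              f"3.2+: {'FORWARD' if ok else 'REJECT'} ({why})")
    return results


if __name__ == "__main__":
    run_demo()
```

The remote-NAT case is rejected because the only destination the Squid host can recover is its own address; the same-box case passes because ORIGINAL_DST still names the web server. That is why the thread keeps coming back to putting the NAT and Squid on the same machine. One further caveat for anyone reproducing this on 3.x: the port option is spelled `intercept` there (`transparent` survives only as a deprecated alias), and the NAT lookup Squid performs is against the local kernel's table, so a redirect done on a different device cannot satisfy it.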


