[squid-users] Intercept mode failing
Antony Stone
Antony.Stone at squid.open.source.it
Tue Jan 3 10:39:38 UTC 2017
On Tuesday 03 January 2017 at 11:13:33, Hoggins! wrote:
> Okay, I get that.
>
> Le 03/01/2017 à 10:33, Antony Stone a écrit :
> > No - you must do the NAT (or REDIRECT) rule *on the Squid server*.
>
> Well, my Squid server is not on the same network as my clients, so I
> need something else than just a REDIRECT on the Squid itself.
I'm not sure you fully understand what REDIRECT does. It changes the
destination address of the packets which *were* going to random web servers
around the Internet, and have now reached your Squid box, so that they go to
the local address of your Squid machine instead (and therefore Squid can see
them and process them).
> > If you need to use policy routing to get the packets to the Squid machine
> > in the first place, that's okay, but this *must* be packet routing, not
> > address translation
>
> Policy routing was my first choice, but there is one important detail in
> my setup: between my gateway (192.168.22.10) and my Squid
> (192.168.55.3), there's an IPSec tunnel. My gateway does not have a
> link-local route to 192.168.55.3 so I can't add the default route to it
> inside a routing table (I get "Network is unreachable", which is expected).
So, if you can't route packets from the gateway to Squid, how was your NAT
setup getting them there?
You said in your original posting: "192.168.55.3 being the Squid server,
directly connected to the Internet, on a network my gateway has the routes
for", suggesting that your gateway *can* route to the Squid server.
> So I guess I'm stuck.
Maybe you need to do policy routing on the gateway to the IPsec endpoint, and
then further routing from there to Squid?
Antony.
--
"Remember: the S in IoT stands for Security."
- Jan-Piet Mens
Please reply to the list;
please *don't* CC me.
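The split the reply insists on, as an added example that is not from the thread or from the Squid project: the gateway only routes port-80 traffic toward Squid (marking plus a policy-routing table, no address translation), while the REDIRECT lives on the Squid host itself so Squid can read each connection's original destination from its own NAT table, and the intercept port is only reachable from the client subnet. The thread's addresses are used as given; the client subnet, the routing-table id, the dedicated intercept port and the IPsec next hop are assumptions, and the functions print the commands rather than applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Thread addresses are used as given;
# CLIENT_NET, INTERCEPT_PORT, TABLE_ID and NEXT_HOP are assumptions.
set -eu

CLIENT_NET="192.168.22.0/24"            # assumed: the clients behind the gateway
SQUID_IP="192.168.55.3"                 # from the thread
INTERCEPT_PORT="3129"                   # assumed: dedicated intercept port, not 3128
TABLE_ID="100"                          # assumed policy-routing table on the gateway
NEXT_HOP="IPSEC_ENDPOINT_PLACEHOLDER"   # the hop the gateway can actually reach

# Gateway side: *route* client port-80 traffic toward Squid, never NAT it.
# Only the mangle table is touched, so source and destination stay intact.
gateway_rules() {
    printf '%s\n' \
      "iptables -t mangle -A PREROUTING -s $CLIENT_NET -p tcp --dport 80 -j MARK --set-mark 1" \
      "ip rule add fwmark 1 lookup $TABLE_ID" \
      "ip route add default via $NEXT_HOP table $TABLE_ID"
}

# Squid side: the REDIRECT goes here, on the host Squid runs on, so the
# original destination is in the local NAT table. Limiting it to CLIENT_NET
# keeps stray traffic out, and the INPUT rules keep the intercept port off
# the Internet-facing side of a directly connected box.
squid_box_rules() {
    printf '%s\n' \
      "iptables -t nat -A PREROUTING -s $CLIENT_NET -p tcp --dport 80 -j REDIRECT --to-ports $INTERCEPT_PORT" \
      "iptables -A INPUT -s $CLIENT_NET -p tcp --dport $INTERCEPT_PORT -j ACCEPT" \
      "iptables -A INPUT -p tcp --dport $INTERCEPT_PORT -j DROP"
}

# squid.conf line that pairs with the REDIRECT rule (intercept listener).
squid_conf_line() {
    printf 'http_port %s intercept\n' "$INTERCEPT_PORT"
}

# Sanity check: number of address-translating rules on the gateway (must be 0).
gateway_nat_rule_count() {
    gateway_rules | grep -c -- '-t nat' || true
}

# Print everything, labelled by the host it belongs on.
echo "# on the gateway ($SQUID_IP is reached via $NEXT_HOP):"; gateway_rules
echo "# on the Squid host ($SQUID_IP):"; squid_box_rules; squid_conf_line
```

Pipe the relevant function's output into `sh` on the matching host once NEXT_HOP is replaced with a hop the gateway can reach.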