[squid-users] Intercept mode failing

Amos Jeffries squid3 at treenet.co.nz
Tue Jan 3 10:45:00 UTC 2017


On 2017-01-03 23:13, Hoggins! wrote:
> Okay, I get that.
> 
> On 03/01/2017 at 10:33, Antony Stone wrote:
>> No - you must do the NAT (or REDIRECT) rule *on the Squid server*.
> 
> Well, my Squid server is not on the same network as my clients, so I
> need something else than just a REDIRECT on the Squid itself.

That does not matter when the DNAT or REDIRECT is done on the Squid 
machine.

> 
>> 
>> If you need to use policy routing to get the packets to the Squid machine in
>> the first place, that's okay, but this *must* be packet routing, not address
>> translation
> 
> Policy routing was my first choice, but there is one important detail in
> my setup: between my gateway (192.168.22.10) and my Squid
> (192.168.55.3), there's an IPSec tunnel. My gateway does not have a
> link-local route to 192.168.55.3 so I can't add the default route to it
> inside a routing table (I get "Network is unreachable", which is expected).
> 
> So I guess I'm stuck.


So how did the packets get to the Squid machine after your DNAT?

The route does not have to be link-local. Any type of route will do so 
long as all the routers handling the packets know which way to pass 
them, and the dst-IP address is not changed.

Amos


