[squid-users] Intercept mode failing
Hoggins!
fuckspam at wheres5.com
Tue Jan 3 13:08:36 UTC 2017
Ah !
Le 03/01/2017 à 13:53, Eliezer Croitoru a écrit :
> Hey,
>
> There is also another option.
> You can open a tunnel (IPIP, GRE, OTHER) between the proxy and the router to make it possible to directly route traffic to the proxy.
That would actually solve a lot of my problems.
>
> If you need some help with it let me know.
>
> Eliezer
>
> ----
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: eliezer at ngtech.co.il
>
>
> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Hoggins!
> Sent: Tuesday, January 3, 2017 12:54 PM
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Intercept mode failing
>
> Hello,
>
> (answering to both Amos and Antony here, you got the same questioning ;) )
>
> Le 03/01/2017 à 11:45, Amos Jeffries a écrit :
>> On 2017-01-03 23:13, Hoggins! wrote:
>>> Okay, I get that.
>>>
>>> Le 03/01/2017 à 10:33, Antony Stone a écrit :
>>>> No - you must do the NAT (or REDIRECT) rule *on the Squid server*.
>>> Well, my Squid server is not on the same network as my clients, so I
>>> need something else than just a REDIRECT on the Squid itself.
>> That does not matter when the DNAT or REDIRECT is done on the Squid
>> machine.
> OK, I'll have a deeper look into that, indeed I'm not familiar with what REDIRECT *exactly* does.
>
>>>> If you need to use policy routing to get the packets to the Squid
>>>> machine in the first place, that's okay, but this *must* be packet
>>>> routing, not address translation
>>> Policy routing was my first choice, but there is one important detail
>>> in my setup : between my gateway (192.168.22.10) and my Squid
>>> (192.168.55.3), there's an IPSec tunnel. My gateway does not have a
>>> link-local route to 192.168.55.3 so I can't add the default route to
>>> it inside a routing table (I get "Network is unreachable", which is
>>> expected).
>>>
>>> So I guess I'm stuck.
>>
>> So how did the packets get to the Squid machine after your DNAT ?
>>
>> The route does not have to be link-local. Any type of route will do so
>> long as all the routers handling the packets know which way to pass
>> them, and the dst-IP address is not changed.
> Well, xfrm routing is a lot different than "classic" routing, I learnt it the hard way. DNAT *will* work whereas policy routing won't if I don't explicitly declare all my subnets in my IPSec tunnel configuration. Got a big discussion about that on StrongSwan's mailing-list, and I believe this sums it up pretty nicely :
> http://xkr47.outerspace.dyndns.org/netfilter/packet_flow/packet_flow9.png
>
> Anyway, yes, if I try to add a route by :
> ip route add default via <IP ADDRESS> table 123
>
> <IP ADDRESS> *has* to be directly reachable. Or it has to be in the routing table somehow. But the routing table handling the tunnelled packets is not managed by iproute2.
>
> So as I can't do otherwise, I'm going to experiment a bit more with the REDIRECT + DNAT between the gateway and the Squid server.
>
> Thanks for your help !
>
>> Amos
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>>
>
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170103/9ba167a0/attachment.sig>
More information about the squid-users
mailing list