
List:       squid-users
Subject:    Re: [squid-users] forwarding TPROXY squid and multi-ISP
From:       <ngtech1ltd () gmail ! com>
Date:       2022-08-21 1:56:01
Message-ID: 002101d8b501$cc80af90$65820eb0$ () gmail ! com

Hey Vieri,

I am missing a couple of pieces to understand and maybe reproduce the issue.
What Linux and Squid version are you using?

A tproxy setup is using the OS network stack for selecting the proper source and destination addresses. I have not implemented such a setup for a very long time but it's possible that you will need a simple REDIRECT iptables/nftables rule for specific LAN traffic.

I'm not sure how you would apply the policies, but what I understand is that you are in a TPROXY mess. A TPROXY setup should have static routing rules and usually cannot use multiple ISPs on the SQUID box (assuming each of the ISPs provides a different IPv4 address). I can see the point in such a setup, but to make sure it works I will need more information.

It's probably possible to use 2 ISPs if you have some kind of routing and iptables rules in place.

I am missing too many technical details to give you a way to implement such a setup.

Eliezer

----
Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd@gmail.com
Web: https://ngtech.co.il/
My-Tube: https://tube.ngtech.co.il/

-----Original Message-----
From: squid-users <squid-users-bounces@lists.squid-cache.org> On Behalf Of Vieri
Sent: Tuesday, 16 August 2022 10:52
To: squid-users@lists.squid-cache.org
Subject: [squid-users] forwarding TPROXY squid and multi-ISP

Hi,

I'm using squid as a forward transparent proxy with something like this:

https_port 3130 tproxy ssl-bump [etc.]

The Squid service is running on a Linux FW which is the LAN's default gateway.
The host uses TPROXY such as:

25873 5262K TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            TPROXY redirect 0.0.0.0:3130 mark 0x200/0x200

This router has multiple physical and logical interfaces with a default route via 172.16.0.2. The latter IP address is assigned to another Linux host acting as gateway to Internet.

Now, the Squid firewalling router also has a network interface connected to a different Internet provider (say, ISP2). Some LAN hosts are required to use that provider instead of the Internet gateway I mentioned before (via 172.16.0.2). If I do NOT apply TPROXY to these hosts (i.e. if they bypass squid) then they can access the alternate WAN provider after I apply some simple routing rules (e.g. "from HOST_IP_ADDR lookup ISP2"). The rest of the hosts with TPROXIED traffic through Squid can also correctly access Internet via 172.16.0.2.

The only scenario that's failing is if I want to force LAN traffic through Squid for those hosts that need to access Internet via ISP2. I'm guessing that it may be because the Squid process is fetching data via 172.16.0.2 *always*.

How can I fix this? What are my options?
Is it possible to properly configure the same Squid system for this, or is it necessary to set up another Squid system via ISP2?

Regards
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
