List: squid-users
Subject: Re: [squid-users] forwarding TPROXY squid and multi-ISP
From: <ngtech1ltd () gmail ! com>
Date: 2022-08-21 1:56:01
Message-ID: 002101d8b501$cc80af90$65820eb0$ () gmail ! com
Hey Vieri,
I am missing a couple of pieces to understand and maybe reproduce the issue.
What Linux and Squid version are you using?
A TPROXY setup uses the OS network stack for selecting the proper source and destination addresses. I have not implemented such a setup for a very long time, but it's possible that you will need a simple REDIRECT iptables/nftables rule for specific LAN traffic.
I'm not sure how you would apply the policies, but what I understand is that you are in a TPROXY mess. A TPROXY setup should have static routing rules and usually cannot use multiple ISPs on the SQUID box (assuming each of the ISPs provides a different IPv4 address). I can see the point in such a setup, but to make sure it works I will need more information.
It's probably possible to use 2 ISPs if you have some kind of routing and iptables rules in place.
I am missing too many technical details to give you a way to implement such a setup.
Eliezer
----
Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd@gmail.com
Web: https://ngtech.co.il/
My-Tube: https://tube.ngtech.co.il/
-----Original Message-----
From: squid-users <squid-users-bounces@lists.squid-cache.org> On Behalf Of Vieri
Sent: Tuesday, 16 August 2022 10:52
To: squid-users@lists.squid-cache.org
Subject: [squid-users] forwarding TPROXY squid and multi-ISP
Hi,
I'm using Squid as a forward transparent proxy with something like this:
https_port 3130 tproxy ssl-bump [etc.]
The Squid service is running on a Linux FW which is the LAN's default gateway.
The host uses TPROXY such as:
25873 5262K TPROXY tcp -- * * 0.0.0.0/0 0.0.0.0/0 TPROXY redirect 0.0.0.0:3130 mark 0x200/0x200
This router has multiple physical and logical interfaces with a default route via 172.16.0.2. The latter IP address is assigned to another Linux host acting as gateway to the Internet.
Now, the Squid firewalling router also has a network interface connected to a different Internet provider (say, ISP2). Some LAN hosts are required to use that provider instead of the Internet gateway I mentioned before (via 172.16.0.2). If I do NOT apply TPROXY to these hosts (i.e. if they bypass Squid) then they can access the alternate WAN provider after I apply some simple routing rules (e.g. "from HOST_IP_ADDR lookup ISP2"). The rest of the hosts with TPROXIED traffic through Squid can also correctly access the Internet via 172.16.0.2.
The only scenario that's failing is if I want to force LAN traffic through Squid for those hosts that need to access the Internet via ISP2. I'm guessing that it may be because the Squid process is fetching data via 172.16.0.2 *always*.
How can I fix this? What are my options?
Is it possible to properly configure the same Squid system for this, or is it necessary to set up another Squid system via ISP2?
Regards
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
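A worked policy-routing layout for the setup Vieri describes (TPROXY mark 0x200, default gateway 172.16.0.2, a routing table named ISP2), added here as an example and not taken from either message. It keeps the per-host "from HOST lookup ISP2" rule for bypassing hosts and steers Squid's own fetches for the ISP2 clients with a second, non-overlapping mark; the squid.conf tcp_outgoing_mark directive, the table id, the prefs, the 0x400 mark, the addresses and the interface name are assumptions, and the script only prints the commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Constructed example, not from the thread. Values taken from the thread:
# TPROXY mark 0x200, default gateway 172.16.0.2, routing table "ISP2".
# Everything else (table id 100, mark 0x400, prefs, addresses, eth2) is
# an assumed placeholder. DRY_RUN=1 (default) prints instead of applying.
DRY_RUN="${DRY_RUN:-1}"
TPROXY_MARK=0x200
SQUID_ISP2_MARK=0x400           # must not share bits with TPROXY_MARK
ISP2_GW="198.51.100.1"          # placeholder ISP2 next hop
ISP2_IF="eth2"                  # placeholder ISP2 interface
ISP2_CLIENT="192.0.2.10"        # placeholder LAN host that must use ISP2

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# The TPROXY rule matches fwmark 0x200/0x200; a Squid mark sharing that bit
# would be delivered to lo instead of ISP2, so the two marks must be disjoint.
marks_disjoint() { [ $(( $TPROXY_MARK & $SQUID_ISP2_MARK )) -eq 0 ]; }

policy_rules() {
    marks_disjoint || { echo "mark bits overlap" >&2; return 1; }
    # 1. Standard TPROXY local delivery for intercepted client packets.
    run ip rule add fwmark "$TPROXY_MARK/$TPROXY_MARK" lookup 100 pref 100
    run ip route add local 0.0.0.0/0 dev lo table 100
    # 2. The ISP2 table carries its own default route.
    run ip route add default via "$ISP2_GW" dev "$ISP2_IF" table ISP2
    # 3. Hosts that bypass Squid: the "from HOST lookup ISP2" rule from the thread.
    run ip rule add from "$ISP2_CLIENT" lookup ISP2 pref 300
    # 4. Squid's own fetches on behalf of those hosts: squid.conf marks them
    #    (assumed: tcp_outgoing_mark 0x400 isp2_clients) and this rule sends
    #    the marked sockets through ISP2 instead of the 172.16.0.2 default.
    run ip rule add fwmark "$SQUID_ISP2_MARK/$SQUID_ISP2_MARK" lookup ISP2 pref 200
    # 5. Source NAT on the ISP2 uplink so replies for spoofed LAN sources return.
    run iptables -t nat -A POSTROUTING -o "$ISP2_IF" -j MASQUERADE
}

policy_rules
```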