Assistance with WCCPv2 Setup with Cisco Router


Assistance with WCCPv2 Setup with Cisco Router

Waldon, Cooper

Hello All,

I’m trying to set up a transparent proxy for http and https using Cisco Routers and Squid.  I have followed the configuration examples that are listed under the wccp2 overview section (http://wiki.squid-cache.org/Features/Wccp2) of the squid wiki but I’m still having some issues.

I have a little lab set up with a Cisco 7200 Router and a VM with CentOS running the proxy.

The “WAN” IP of the Router is 192.168.0.23.  The IP of the Squid Proxy is 192.168.0.24 and both have the default gateway of 192.168.0.1 which is the “ISP”.

The Client is sitting on a LAN behind the Router in the 10.10.10.0/24 subnet and is also sitting behind nat.

I believe that the router and proxy are communicating properly based on the information in the show ip wccp command on the router as it shows clients and routers as well as showing that packets are being forwarded:

R3#show ip wccp
Global WCCP information:
    Router information:
        Router Identifier:                   192.168.0.23
        Configured source-interface:         GigabitEthernet5/0

    Service Identifier: web-cache
        Protocol Version:                    2.00
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets Redirected:            1079
          Process:                           0
          CEF:                               1079
        Service mode:                        Open
        Service Access-list:                 -none-
        Total Packets Dropped Closed:        0
        Redirect access-list:                100
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0
        Group access-list:                   10
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total GRE Bypassed Packets Received: 0
          Process:                           0
          CEF:                               0
       GRE tunnel interface:                Tunnel1

    Service Identifier: 70
        Protocol Version:                    2.00
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets Redirected:            500
          Process:                           0
          CEF:                               500
        Service mode:                        Open
        Service Access-list:                 -none-
        Total Packets Dropped Closed:        0
        Redirect access-list:                100
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0
        Group access-list:                   10
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total GRE Bypassed Packets Received: 0
          Process:                           0
          CEF:                               0
        GRE tunnel interface:                Tunnel0

Here is the relevant squid wccp configuration:

----Output removed----
# Squid normally listens to port 3128
http_port 3128
http_port 0.0.0.0:3129

# WCCPv2 Parameters
wccp2_router 192.168.0.23
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method hash
wccp2_service standard 0
wccp2_service dynamic 70
wccp2_service_info 70 protocol=tcp flags=dst_ip_hash,src_ip_alt_hash,src_port_alt_hash priority=231 ports=443
---Output remove----

I think that the issue lies with the iptables configuration as I do not see any packets being processed in the nat table.  I have tried a few different methods such as:

iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j REDIRECT --to-port 3129
iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 443 -j REDIRECT --to-port 3129
iptables -t nat -A POSTROUTING -j MASQUERADE

or

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.24:3129
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 192.168.0.24:3129
iptables -t nat -A POSTROUTING -j MASQUERADE

I have also tried adding ACCEPT commands to the PREROUTING zone just in case the proxy is dropping the packets right away but that also doesn’t work.

The proxy functions perfectly when the client is configured to use a proxy so there doesn’t appear to be any issues with routing or anything like that, it’s just the transparent proxying that isn’t working.

If anyone has any suggestions of what I could try that would be greatly appreciated.  Let me know if anything is unclear or if you need further clarification.

Thank you,

Cooper Waldon

Cooper Waldon Network Engineer l OTN l 416-446-4110 x 4473 l www.otn.ca | Service Desk 1-855-654-0888 x2


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Assistance with WCCPv2 Setup with Cisco Router

Yuri Voinov



22.03.2017 1:04, Waldon, Cooper wrote:


> I think that the issue lies with the iptables configuration as I do not see any packets being processed in the nat table.  I have tried a few different methods such as:
>
> iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j REDIRECT --to-port 3129
> iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 443 -j REDIRECT --to-port 3129
> iptables -t nat -A POSTROUTING -j MASQUERADE
>
> or
>
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.24:3129
> iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 192.168.0.24:3129
> iptables -t nat -A POSTROUTING -j MASQUERADE
>
> I have also tried adding ACCEPT commands to the PREROUTING zone just in case the proxy is dropping the packets right away but that also doesn’t work.

1. Ports you are using for redirection in Squid should be defined as 'intercept':

http_port 3126 intercept

https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA2.crt key=/usr/local/squid/etc/rootCA2.key tls-cafile=/usr/local/squid/etc/rootCA12.crt options=SINGLE_DH_USE:SINGLE_ECDH_USE tls-dh=secp384r1:/usr/local/squid/etc/dhparam.pem cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS tls-no-npn sslflags=VERIFY_CRL_ALL

http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA2.crt key=/usr/local/squid/etc/rootCA2.key tls-cafile=/usr/local/squid/etc/rootCA12.crt options=SINGLE_DH_USE:SINGLE_ECDH_USE tls-dh=secp384r1:/usr/local/squid/etc/dhparam.pem cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS tls-no-npn sslflags=VERIFY_CRL_ALL

(example from my config, DON'T copy-n-paste!)

2. HTTP and HTTPS ports should be different.
3. HTTPS port should be configured correctly.

http://wiki.squid-cache.org/ConfigExamples/Intercept/CiscoIOSv15Wccp2

Read carefully - almost everything is explained here.

 


--
Bugs to the Future
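
The three points in the reply above (the `intercept` flag, separate HTTP and HTTPS ports, a proper `https_port`), checked mechanically against the configuration from the original post. This is an added example, not part of the thread or of Squid; the corrected port numbers 3129/3130 and the certificate path are assumptions.

```python
import shlex

# Constructed inputs: the Squid listener lines and the first iptables attempt
# from the original post (with "--" restored in the long options).
POSTED_SQUID_CONF = """\
http_port 3128
http_port 0.0.0.0:3129
"""
POSTED_IPTABLES = """\
iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j REDIRECT --to-port 3129
iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 443 -j REDIRECT --to-port 3129
iptables -t nat -A POSTROUTING -j MASQUERADE
"""

# Hypothetical corrected layout: ports 3129/3130 and the cert path are assumptions.
FIXED_SQUID_CONF = """\
http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump cert=/etc/squid/example-ca.pem
"""
FIXED_IPTABLES = """\
iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j REDIRECT --to-port 3129
iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 443 -j REDIRECT --to-port 3130
"""


def parse_squid_ports(conf):
    """Map each listening port to (directive, set of option names)."""
    ports = {}
    for line in conf.splitlines():
        tokens = line.split("#", 1)[0].split()
        if len(tokens) < 2 or tokens[0] not in ("http_port", "https_port"):
            continue
        port = int(tokens[1].rpartition(":")[2])  # "3129" or "0.0.0.0:3129"
        options = {t.split("=", 1)[0] for t in tokens[2:]}
        ports[port] = (tokens[0], options)
    return ports


def _port_of(target, default):
    """Port from '3129' or 'ip:3129'; fall back to the original dport."""
    tail = target.rpartition(":")[2]
    return int(tail) if tail.isdigit() else default


def parse_redirects(rules):
    """Return (dport, squid_port) for each nat PREROUTING REDIRECT/DNAT rule."""
    found = []
    for line in rules.splitlines():
        args = shlex.split(line)
        opt = {a: args[i + 1] for i, a in enumerate(args[:-1]) if a.startswith("-")}
        if opt.get("-t") != "nat" or opt.get("-A") != "PREROUTING":
            continue
        if opt.get("-j") not in ("REDIRECT", "DNAT") or "--dport" not in opt:
            continue
        dport = int(opt["--dport"])
        target = (opt.get("--to-port") or opt.get("--to-ports")
                  or opt.get("--to-destination", ""))
        found.append((dport, _port_of(target, dport)))
    return found


def audit(conf, rules):
    """Apply the three checks from the reply; return a list of findings."""
    ports = parse_squid_ports(conf)
    redirects = parse_redirects(rules)
    findings = []
    for dport, target in redirects:
        directive, options = ports.get(target, (None, set()))
        if directive is None:
            findings.append(f"dport {dport}: Squid has no listener on port {target}")
            continue
        # Point 1: the port receiving redirected traffic must be 'intercept'.
        if "intercept" not in options:
            findings.append(f"dport {dport}: {directive} {target} lacks 'intercept'")
        # Point 3: intercepted 443 needs an https_port (with ssl-bump, as in
        # the reply's own example line).
        if dport == 443 and directive != "https_port":
            findings.append(f"dport 443: port {target} is {directive}, not https_port")
        elif dport == 443 and "ssl-bump" not in options:
            findings.append(f"dport 443: https_port {target} lacks 'ssl-bump'")
    # Point 2: HTTP and HTTPS must land on different Squid ports.
    targets = dict(redirects)
    if 80 in targets and targets.get(443) == targets[80]:
        findings.append(f"dport 80 and 443 share Squid port {targets[80]}")
    return findings


if __name__ == "__main__":
    for label, conf, rules in (("posted", POSTED_SQUID_CONF, POSTED_IPTABLES),
                               ("fixed", FIXED_SQUID_CONF, FIXED_IPTABLES)):
        print(label, audit(conf, rules) or "OK")
```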


Re: Assistance with WCCPv2 Setup with Cisco Router

Yuri Voinov
In reply to this post by Waldon, Cooper

Ah, forgot about this:

http://wiki.squid-cache.org/ConfigExamples/Intercept



--
Bugs to the Future


Re: Assistance with WCCPv2 Setup with Cisco Router

Yuri Voinov
In reply to this post by Waldon, Cooper

PS. You configured a GRE tunnel, as I can see. Check that it is defined on both sides: on the router and on your proxy box. Also note that GRE will be processed on the router CPU, unlike L2 redirection, which runs on the control plane and is hardware accelerated.



--
Bugs to the Future


Assistance with WCCPv2 Setup with Cisco Router

Waldon, Cooper
In reply to this post by Waldon, Cooper

Sorry, I didn't see your original reply. 


I will look into these issues and troubleshoot further, thank you.


Cooper



