Help with WCCP: Cisco 1841 to Squid 3.5.25 on Ubuntu 16

Help with WCCP: Cisco 1841 to Squid 3.5.25 on Ubuntu 16

Ilias Clifton

Hello,
 
I've been trying to get WCCP working but have been banging my head against a wall, so thought I would ask for help.
 
There are 2 internal subnets that I would like to use the squid proxy: 172.28.30.128/25 and 172.28.29.0/25
 
I have squid v3.5.25 running on Ubuntu 16 : 172.28.28.252
 
I have a Cisco 1841 - Adv IP - 12.4, see relevant config:
 
#Inside Interface
interface FastEthernet0/1
 ip address 172.28.28.1 255.255.255.240
 ip wccp web-cache redirect in
 ip nat inside
 ip virtual-reassembly max-reassemblies 64
 no ip mroute-cache
 duplex auto
 speed auto
 
#Loopback for wccp router ID
interface Loopback0
 ip address 172.28.28.33 255.255.255.255
 
ip wccp web-cache redirect-list PROXY_USERS group-list SQUID
 
ip access-list extended PROXY_USERS
 deny   tcp host 172.28.28.252 any
 permit tcp 172.28.30.128 0.0.0.127 any eq www
 permit tcp 172.28.29.0 0.0.0.127 any eq www
 deny   ip any any
 
ip access-list standard SQUID
 permit 172.28.28.252
 
 
 
On the Ubuntu box, I have the squid with the following config:
 
http_port 3128
http_port 3129 intercept 
acl localnet src 172.28.28.0/22   
http_access allow localnet
http_access allow localhost
http_access deny all
visible_hostname Squid
wccp2_router 172.28.28.1
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0
 
If clients are manually set to use the proxy on port 3128, they work correctly.
 
Again on the Ubuntu box, I have set up the following gre tunnel.
 
ip tunnel add wccp0 mode gre remote 172.28.28.33 local 172.28.28.252 dev ens33 ttl 255
 
and the following redirect using iptables..
 
iptables -t nat -A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
 
In sysctl.conf, I have disabled reverse path filtering and enabled ip forwarding.
 
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.rp_filter=0
net.ipv4.ip_forward=1

When starting squid, using tcpdump, I see traffic between the Ubuntu box and the router on udp port 2048

00:39:34.587799 IP 172.28.28.252.2048 > 172.28.28.1.2048: UDP, length 144
00:39:34.590399 IP 172.28.28.1.2048 > 172.28.28.252.2048: UDP, length 140

I see the following message on the router..
%WCCP-5-SERVICEFOUND: Service web-cache acquired on WCCP client 172.28.28.252

So looks like it's working ok so far...

When I try and browse to a site from a client..
$ wget http://www.google.com

On the Ubuntu box, I see gre traffic on the ethernet interface..
00:44:22.340734 IP 172.28.28.33 > 172.28.28.252: GREv0, length 72: gre-proto-0x883e


I see the un-encapsulated traffic on the wccp0 interface:
00:56:26.888519 IP 172.28.29.4.52128 > 216.58.203.100.80

Which is correctly showing original client IP and destination IP.

I can see hits on the iptable redirect rule:
pkts bytes target     prot opt in     out     source               destination        
  429 26280 REDIRECT   tcp  --  wccp0  any     anywhere             anywhere             tcp dpt:http redir ports 3129


But there is no response from squid on the Ubuntu box :-(

I don't see anything helpful in either access.log or cache.log.

I'm not sure if there is anything else that could be dropping the packet apart from return path filtering..

If someone could give me some pointers or any further debugging I could try, that would be great.


Thanks.

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
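As an added example (not code from the thread or from the Squid project), here is a script that brings up the tunnel and netfilter rules for the single-NIC layout described in the post, using the post's addresses and interface names as defaults. It differs from the post's commands in two places a practitioner should check: it gives wccp0 an address, because REDIRECT rewrites the destination to the primary address of the interface a packet arrived on (iptables-extensions(8)) and the post's tunnel command assigns none; and it clears rp_filter per interface, because the kernel applies the larger of the conf.all and conf.<iface> values, so all/default alone may leave it active on ens33. It adds no SNAT for replies to clients: connection tracking reverses the REDIRECT on reply packets, so they already leave with the origin server's address as source. WCCP_APPLY=1 is an assumed switch of this script; without it the commands are printed rather than executed.

```shell
#!/bin/sh
# Added example, not from the thread or the Squid project: WCCPv2 GRE tunnel plus
# netfilter rules for a single-NIC Squid intercept host. Defaults are the thread's
# addresses; override them in the environment. WCCP_APPLY=1 (an assumed switch of
# this script) executes the commands; otherwise they are only printed.

: "${LAN_IF:=ens33}"                  # interface facing the router
: "${TUN_IF:=wccp0}"                  # GRE tunnel interface
: "${PROXY_IP:=172.28.28.252}"        # Squid host, tunnel local endpoint
: "${WCCP_ROUTER_ID:=172.28.28.33}"   # router ID (Loopback0), outer GRE source
: "${INTERCEPT_PORT:=3129}"           # Squid's "http_port ... intercept"

run() {
    if [ "${WCCP_APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

wccp_setup() {
    # The router encapsulates redirected packets with its WCCP router ID as the
    # outer source, so that address is the tunnel's remote endpoint.
    run ip tunnel add "$TUN_IF" mode gre remote "$WCCP_ROUTER_ID" local "$PROXY_IP" dev "$LAN_IF" ttl 255
    # REDIRECT rewrites the destination to the primary address of the interface a
    # packet arrived on, so the tunnel interface needs one (the thread's tunnel
    # command assigns none).
    run ip addr add "$PROXY_IP/32" dev "$TUN_IF"
    run ip link set "$TUN_IF" up

    # Forwarding on; reverse-path filtering off on every relevant interface. The
    # kernel applies max(conf.all, conf.<iface>), so clearing all/default alone
    # leaves filtering active on an interface whose own value is still 1.
    run sysctl -w net.ipv4.ip_forward=1
    for ifc in all default "$LAN_IF" "$TUN_IF"; do
        run sysctl -w "net.ipv4.conf.$ifc.rp_filter=0"
    done

    # Decapsulated client HTTP goes to Squid's intercept port. Connection
    # tracking reverses the REDIRECT on reply packets, so no SNAT is needed for
    # the client-facing direction. Squid's own fetches leave via LAN_IF with
    # PROXY_IP as source and are kept out of the loop by the router's
    # redirect-list (deny tcp host 172.28.28.252 any).
    run iptables -t nat -A PREROUTING -i "$TUN_IF" -p tcp --dport 80 -j REDIRECT --to-ports "$INTERCEPT_PORT"
}

wccp_setup
```

Replies to clients are left to the normal routing table, so on this single-NIC host they leave ens33 toward the router rather than through the tunnel.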

Re: Help with WCCP: Cisco 1841 to Squid 3.5.25 on Ubuntu 16

Alex K
Hi,

At the wccp0  interface do you see bidirectional http traffic? If the squid box has multiple interfaces, do you see traffic on its wan interface? That traffic might need NATing. Also I would check if squidbox drops any packages in case you have firewall configured on it.

Alex

Re: Help with WCCP: Cisco 1841 to Squid 3.5.25 on Ubuntu 16

Ilias Clifton

 Hi Alex,

On the wccp0 interface I only see traffic arriving in 1 direction - original client ip to destination ip.

The ubuntu box only has a single ethernet interface -  Sorry, that should have been in my original question. I see the gre traffic arriving from the router, but again - no response.

I tried adding a MASQUERADE line to the iptables rules, just to see if it made a difference.. but same result.

Re: Help with WCCP: Cisco 1841 to Squid 3.5.25 on Ubuntu 16

Alex K
Is the ubuntu able to reach Internet?
Do you see any events at squid access log?

Alex

Re: Help with WCCP: Cisco 1841 to Squid 3.5.25 on Ubuntu 16

Amos Jeffries
Administrator
In reply to this post by Ilias Clifton
On 09/05/18 16:59, Ilias Clifton wrote:
>
>  Hi Alex,
>
> On the wccp0 interface I only see traffic arriving in 1 direction - original client ip to destination ip.
>
> The ubuntu box only has a single ethernet interface -  Sorry, that should have been in my original question. I see the gre traffic arriving from the router, but again - no response.
>
> I tried adding a MASQUERADE line to the iptables rules, just to see if it made a difference.. but same result.
>

The MASQUERADE (or an equivalent SNAT) on the reply traffic going from
Squid back to the router is *definitely* needed to balance the REDIRECT
rule. Otherwise the router will reject or mishandle packets Squid sends
over the gre when you do get that part working.



>
> Sent: Wednesday, May 09, 2018 at 2:37 PM
> From: "Alex K"
>
> When I try and browse to a site from a client..
> $ wget http://www.google.com[http://www.google.com]
>
> On the Ubuntu box, I see gre traffic on the ethernet interface..
> 00:44:22.340734 IP 172.28.28.33 > 172.28.28.252[http://172.28.28.252]: GREv0, length 72: gre-proto-0x883e
>
>
> I see the un-encapsulated traffic on the wccp0 interface:
> 00:56:26.888519 IP 172.28.29.4.52128 > 216.58.203.100.80
>
> Which is correctly showing original client IP and destination IP.
>
> I can see hits on the iptable redirect rule:
> pkts bytes target     prot opt in     out     source               destination         
>   429 26280 REDIRECT   tcp  --  wccp0  any     anywhere             anywhere             tcp dpt:http redir ports 3129
>
>
> But there is no response from squid on the Ubuntu box :-(

Is there outbound Squid<->server traffic happening? and what does that
look like?

Amos
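The two questions asked so far in this thread (is there a reply for each intercepted flow on wccp0, and is there Squid-to-origin traffic?) can be answered mechanically from a capture. The following is an added example, not from the thread: a shell/awk pass over tcpdump -nn output captured on wccp0 and ens33, each line prefixed with the interface it was captured on, that classifies every HTTP flow as bidirectional, stalled after the SYN/ACK, or unanswered. The sample capture in sample_capture is constructed to reproduce the two symptoms reported in the thread plus one healthy flow; 198.51.100.10 is a documentation address, and the interface names are the thread's.

```shell
#!/bin/sh
# Added example, not from the thread: classify HTTP flows in tcpdump -nn output.
# Input lines are "<iface> <tcpdump line>", i.e. the output of
#   tcpdump -nn -l -i wccp0 tcp port 80 | sed 's/^/wccp0 /'
# and the same for ens33, merged into one stream.

# Constructed sample capture: a flow whose SYN/ACK went out but whose ACK never
# came back, an unanswered SYN, and a healthy flow followed by Squid's own fetch.
sample_capture() {
    cat <<'EOF'
wccp0 00:56:26.888519 IP 172.28.29.4.53057 > 216.58.203.100.80: Flags [S], seq 1000, win 64240, length 0
ens33 00:56:26.889120 IP 216.58.203.100.80 > 172.28.29.4.53057: Flags [S.], seq 2000, ack 1001, win 65535, length 0
wccp0 00:56:27.100000 IP 172.28.29.7.52128 > 216.58.203.100.80: Flags [S], seq 3000, win 64240, length 0
wccp0 00:56:28.000100 IP 172.28.30.130.41000 > 198.51.100.10.80: Flags [S], seq 4000, win 64240, length 0
ens33 00:56:28.000900 IP 198.51.100.10.80 > 172.28.30.130.41000: Flags [S.], seq 5000, ack 4001, win 65535, length 0
wccp0 00:56:28.002000 IP 172.28.30.130.41000 > 198.51.100.10.80: Flags [.], ack 5001, win 64240, length 0
wccp0 00:56:28.002500 IP 172.28.30.130.41000 > 198.51.100.10.80: Flags [P.], seq 4001:4076, ack 5001, win 64240, length 75: HTTP: GET / HTTP/1.1
ens33 00:56:28.003000 IP 172.28.28.252.40512 > 198.51.100.10.80: Flags [S], seq 6000, win 29200, length 0
ens33 00:56:28.015000 IP 198.51.100.10.80 > 172.28.28.252.40512: Flags [S.], seq 7000, ack 6001, win 65535, length 0
ens33 00:56:28.015200 IP 172.28.28.252.40512 > 198.51.100.10.80: Flags [.], ack 7001, win 29200, length 0
EOF
}

# Key each flow as client:port -> server:80, count packets per direction, record
# the interface each direction was seen on, and print one verdict per flow.
flow_report() {
    awk '
    function ip_of(tok,   a, n) { n = split(tok, a, "."); return a[1] "." a[2] "." a[3] "." a[4] }
    function port_of(tok,   a, n) { n = split(tok, a, "."); return a[n] }
    {
        ifc = $1; src = ""; dst = ""; flags = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "IP") { src = $(i + 1); dst = $(i + 3) }
            if ($i == "Flags") { flags = $(i + 1) }
        }
        if (src == "" || dst == "") next
        sub(/:$/, "", dst)               # tcpdump ends the destination with ":"
        gsub(/[][,]/, "", flags)         # "[S.]," -> "S."
        sip = ip_of(src); sport = port_of(src)
        dip = ip_of(dst); dport = port_of(dst)
        if (dport == "80") {             # client (or Squid) -> origin
            key = sip ":" sport " -> " dip ":" dport
            fwd[key]++; fwd_if[key] = ifc
            if (flags !~ /S/) fwd_ack[key]++   # ACK or data following the SYN
        } else {                         # origin -> client (or Squid)
            key = dip ":" dport " -> " sip ":" sport
            rev[key]++; rev_if[key] = ifc
        }
        seen[key] = 1
    }
    END {
        for (key in seen) {
            if (rev[key] == 0)
                verdict = "one-way: SYN never answered"
            else if (fwd_ack[key] == 0)
                verdict = "stalled: SYN/ACK sent on " rev_if[key] ", client ACK never returned"
            else
                verdict = "bidirectional"
            printf "%s fwd=%d(%s) rev=%d(%s) %s\n", key, fwd[key], (fwd_if[key] == "" ? "-" : fwd_if[key]), rev[key], (rev_if[key] == "" ? "-" : rev_if[key]), verdict
        }
    }' | sort
}

sample_capture | flow_report
```

Run against a live capture by concatenating the prefixed tcpdump streams from both interfaces and piping them into flow_report. A flow from the proxy's own address (172.28.28.252 here) is Squid's outbound fetch, which answers the "is there outbound Squid<->server traffic" question; every client flow coming out "one-way" or "stalled" puts the loss on the path between router and proxy rather than in Squid, which will log nothing until a request actually reaches it.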

Re: Help with WCCP: Cisco 1841 to Squid 3.5.25 on Ubuntu 16

Ilias Clifton
In reply to this post by Alex K
Ubuntu box is able to connect to the internet ok. If client PCs are configured to use the Ubuntu box as proxy on port 3128 it works correctly.

No hits in access.log for any transparent clients via wccp.. No network response at all from Ubuntu.


If I change the iptables REDIRECT to a DNAT
iptables -t nat -A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.28.28.252:3129


I do get part of the TCP handshake done..

On the Ubuntu proxy I get :

on the wccp0 interface:
IP 172.28.29.4.53057 > 216.58.203.100.80 SYN

on the ens33 interface:
IP 216.58.203.100.80 > 172.28.29.4.53057 SYN,ACK

The client sees the SYN,ACK, it replies and thinks it has a session
IP 172.28.29.4.53057 > 216.58.203.100.80 ACK
IP 172.28.29.4.53057 > 216.58.203.100.80 GET / HTTP/1.1

But really these packets are lost and never make it back to the proxy.

I've tried adding the following iptables rules, but reply packets still have the source ip as the original destination.

iptables -t nat -A POSTROUTING -o ens33 -j MASQUERADE
iptables -t nat -A POSTROUTING -o wccp0 -j MASQUERADE

Still no hits in the access.log

Should I be attempting to reply back down the gre tunnel with the REDIRECT, or replying directly to the client via DNAT? Is there any change to the squid config between these 2 options?

The clients are in a different subnet to the Ubuntu box if that makes any difference to how I should be replying.

Re: Help with WCCP: Cisco 1841 to Squid 3.5.25 on Ubuntu 16

Amos Jeffries
Administrator
On 09/05/18 18:36, Ilias Clifton wrote:

> Ubuntu box is able to connect to the internet ok. If client PCs are configured to use the Ubuntu box as proxy on port 3128 it works correctly.
>
> No hits in access.log for any transparent clients via wccp.. No network response at all from Ubuntu.
>
>
> If I change the iptables REDIRECT to a DNAT
> iptables -t nat -A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.28.28.252:3129
>
>
> I do get part of the TCP handshake done..
>
> On the Ubuntu proxy I get :
>
> on the wccp0 interface:
> IP 172.28.29.4.53057 > 216.58.203.100.80 SYN
>
> on the ens33 interface:
> IP 216.58.203.100.80 > 172.28.29.4.53057 SYN,ACK
>
> The client sees the SYN,ACK, it replies and thinks it has a session
> IP 172.28.29.4.53057 > 216.58.203.100.80 ACK
> IP 172.28.29.4.53057 > 216.58.203.100.80 GET / HTTP/1.1
>
> But really these packets are lost and never make it back to the proxy.

So the problem is likely the router settings for how those packets are
handled. Anything you can figure to find out where they are going would
be useful.


>
> I've tried adding the following iptables rules, but reply packets still have the source ip as the original destination.
>

Ah, that sounds like it is correct to me. The client thinks it is
talking to the origin server, not the proxy. So all the src-IP on the
reply packets have to be masqueraded as the origin server IP.


> iptables -t nat -A POSTROUTING -o ens33 -j MASQUERADE
> iptables -t nat -A POSTROUTING -o wccp0 -j MASQUERADE
>
> Still no hits in the access.log
>
> Should I be attempting to reply back down the gre tunnel with the REDIRECT, or replying directly to the client via DNAT. Is there any change to the squid config between these 2 options?

You configured Squid's return method as gre, so the gre tunnel should be
used for those packets. Or you could try configuring the router and
Squid as L2 return method - which seems to be the one half-working now.


Amos