Squid box for two networks

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
18 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Squid box for two networks

Pablo Ruben Maldonado
Hello, I have a squid box 3.5 working without problems for the lan 192.168.110.0/24 for several months. Now I want setup to another lan 192.168.115.0/24 but I cannot. Tcpdump inform me that the packages come to squid box. But in Squid's log I do not see anything. Can they give me some tip?

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Squid box for two networks

Craddock, Tommy

Hello,



 

 

Hello, I have a squid box 3.5 working without problems for the lan 192.168.110.0/24 for several months. Now I want setup to another lan 192.168.115.0/24 but I cannot. Tcpdump inform me that the packages come to squid box. But in Squid's log I do not see anything. Can they give me some tip?


We need more info on your config.  Either post your squid.conf, or link to it from a site like pastebin. 

 

Off the top of my head, did you create an ACL allowing this new subnet to use the proxy?

 

 


______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Squid box for two networks

Antony Stone
In reply to this post by Pablo Ruben Maldonado
On Monday 17 July 2017 at 21:31:50, Pablo Ruben Maldonado wrote:

> Hello, I have a squid box 3.5 working without problems for the lan
> 192.168.110.0/24 for several months. Now I want setup to another lan
> 192.168.115.0/24 but I cannot. Tcpdump inform me that the packages come to
> squid box. But in Squid's log I do not see anything. Can they give me some
> tip?

How is that new subnet connected to the Squid box?

Is it connected on a second network card in the Squid machine, or is it routed
via a separate gateway connecting the two networks?


Antony.

--
All generalisations are inaccurate.

                                                   Please reply to the list;
                                                         please *don't* CC me.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Squid box for two networks

Matus UHLAR - fantomas
In reply to this post by Pablo Ruben Maldonado
On 17.07.17 17:31, Pablo Ruben Maldonado wrote:
>Hello, I have a squid box 3.5 working without problems for the lan
>192.168.110.0/24 for several months. Now I want setup to another lan
>192.168.115.0/24 but I cannot. Tcpdump inform me that the packages come to
>squid box. But in Squid's log I do not see anything. Can they give me some
>tip?

local firewall on the squid box probably?


--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux is like a teepee: no Windows, no Gates and an apache inside...
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Squid box for two networks

Antony Stone
On Tuesday 18 July 2017 at 12:11:58, Matus UHLAR - fantomas wrote:

> On 17.07.17 17:31, Pablo Ruben Maldonado wrote:
> >Hello, I have a squid box 3.5 working without problems for the lan
> >192.168.110.0/24 for several months. Now I want setup to another lan
> >192.168.115.0/24 but I cannot. Tcpdump inform me that the packages come to
> >squid box. But in Squid's log I do not see anything. Can they give me some
> >tip?
>
> local firewall on the squid box probably?

Can you SSH from a machine on 192.168.115.0/24 to the Squid server?

For that matter, can you ping it?

Does the Squid server have an appropriate route to get back to machines on
192.168.115.0/24?


Antony.

--
This is not a rehearsal.
This is Real Life.

                                                   Please reply to the list;
                                                         please *don't* CC me.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Squid box for two networks

Pablo Ruben Maldonado
In reply to this post by Matus UHLAR - fantomas
The iptables only follow configuration:

-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129

On Tue, Jul 18, 2017 at 8:11 AM, Matus UHLAR - fantomas <[hidden email]> wrote:
On 17.07.17 17:31, Pablo Ruben Maldonado wrote:
Hello, I have a squid box 3.5 working without problems for the lan
192.168.110.0/24 for several months. Now I want setup to another lan
192.168.115.0/24 but I cannot. Tcpdump inform me that the packages come to
squid box. But in Squid's log I do not see anything. Can they give me some
tip?

local firewall on the squid box probably?


--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux is like a teepee: no Windows, no Gates and an apache inside...

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Squid box for two networks

Antony Stone
On Tuesday 18 July 2017 at 13:09:31, Pablo Ruben Maldonado wrote:

> The iptables only follow configuration:
>
> -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
> -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129

Oh, you didn't say this was an intercepting proxy - that sort of thing does
make a difference...

Maybe you could also answer my questions:

On Monday 17 July 2017 at 22:57:13, Antony Stone wrote:

> How is that new subnet connected to the Squid box?
>
> Is it connected on a second network card in the Squid machine, or is it
> routed via a separate gateway connecting the two networks?

Given what you've now told us, that this machine is an intercepting proxy,
please give us a network map - how are the following interconnected with each
other:

 - the subnet 192.168.110.0/24
 - the subnet 192.168.115.0/24
 - the Squid server
 - the Internet-facing router

On Tuesday 18 July 2017 at 12:15:32, Antony Stone wrote:

> Can you SSH from a machine on 192.168.115.0/24 to the Squid server?
>
> For that matter, can you ping it?
>
> Does the Squid server have an appropriate route to get back to machines on
> 192.168.115.0/24?

If you can give us more information about your network and your Squid
configuration, this may well make it easier for us to guess what is going on.


Antony.

--
Numerous psychological studies over the years have demonstrated that the
majority of people genuinely believe they are not like the majority of people.

                                                   Please reply to the list;
                                                         please *don't* CC me.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Squid box for two networks

Amos Jeffries
Administrator
On 19/07/17 00:28, Antony Stone wrote:
>
> Maybe you could also answer my questions:
>

In addition to those answers, please also post at least the http_port
and https_port lines from your squid.conf.

Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Squid box for two networks

Pablo Ruben Maldonado
In reply to this post by Pablo Ruben Maldonado
Hi, i add information missing in original post. Thanks for assistance:

The Squid Box has setup for Intercept Mode. Iptables rules here:

-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129

The config paste in https://pastebin.com/Witg3cG1

Thanks

On Mon, Jul 17, 2017 at 5:31 PM, Pablo Ruben Maldonado <[hidden email]> wrote:
Hello, I have a squid box 3.5 working without problems for the lan 192.168.110.0/24 for several months. Now I want setup to another lan 192.168.115.0/24 but I cannot. Tcpdump inform me that the packages come to squid box. But in Squid's log I do not see anything. Can they give me some tip?


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Network map.pdf (29K) Download Attachment
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Squid box for two networks

Antony Stone
On Thursday 20 July 2017 at 14:08:27, Pablo Ruben Maldonado wrote:

> Hi, i add information missing in original post. Thanks for assistance:
>
> The Squid Box has setup for Intercept Mode. Iptables rules here:
>
> -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
> -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129

How are you routing the packets from the firewall to Squid?

> The config paste in https://pastebin.com/Witg3cG1
>
> Thanks
>
> On Mon, Jul 17, 2017 at 5:31 PM, Pablo Ruben Maldonado <
>
> [hidden email]> wrote:
> > Hello, I have a squid box 3.5 working without problems for the lan
> > 192.168.110.0/24 for several months. Now I want setup to another lan
> > 192.168.115.0/24 but I cannot. Tcpdump inform me that the packages come
> > to squid box. But in Squid's log I do not see anything. Can they give me
> > some tip?

Can you give us any examples of packets as seen by tcpdump on the Squid box:

a) from 192.168.110.0/24

b) from 192.168.115.0/24


Antony.

--
BASIC is to computer languages what Roman numerals are to arithmetic.

                                                   Please reply to the list;
                                                         please *don't* CC me.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Squid box for two networks

Pablo Ruben Maldonado
The packets are routing using a mark and later routing rules inside my principal router (Mikrotik). Attach images with examples of packets arriving to Squid box.

On Thu, Jul 20, 2017 at 10:27 AM, Antony Stone <[hidden email]> wrote:
On Thursday 20 July 2017 at 14:08:27, Pablo Ruben Maldonado wrote:

> Hi, i add information missing in original post. Thanks for assistance:
>
> The Squid Box has setup for Intercept Mode. Iptables rules here:
>
> -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
> -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129

How are you routing the packets from the firewall to Squid?

> The config paste in https://pastebin.com/Witg3cG1
>
> Thanks
>
> On Mon, Jul 17, 2017 at 5:31 PM, Pablo Ruben Maldonado <
>
> [hidden email]> wrote:
> > Hello, I have a squid box 3.5 working without problems for the lan
> > 192.168.110.0/24 for several months. Now I want setup to another lan
> > 192.168.115.0/24 but I cannot. Tcpdump inform me that the packages come
> > to squid box. But in Squid's log I do not see anything. Can they give me
> > some tip?

Can you give us any examples of packets as seen by tcpdump on the Squid box:

a) from 192.168.110.0/24

b) from 192.168.115.0/24


Antony.

--
BASIC is to computer languages what Roman numerals are to arithmetic.

                                                   Please reply to the list;
                                                         please *don't* CC me.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

192168110.net.png (25K) Download Attachment
192168115.net.png (6K) Download Attachment
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Squid box for two networks

Eliezer Croitoru
Hey Pablo,

I am working as a tech support for MikroTik devices and the tcpdump dumps are leaving couple things unknown.
Can you share the MikroTik rules PBR rules you are using?
Are you using any kind of connection marking and tracking in the mix or just plain source based routing?
I am pretty sure that the issue is in the reverse path and not backwards.
If you can export your MikroTik configuration I might be able to try and help you find the right rules if these are wrong.
Also make sure that the squid box has reverse path filtering disabled using:
http://wiki.squid-cache.org/EliezerCroitoru/Drafts/MwanLB#Set_Reverse_Path_Filter_machine_globally_script

And also take a peek at:
http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2#Linux_and_Squid_Configuration

I planned to add into the wiki an article\tutorial how to setup squid with MikroTik since there are more than a dozen of articles\tutorials that just do not do it the right way.

Eliezer

* you can send me the configuration privately if these are sensitive

----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]


From: squid-users [mailto:[hidden email]] On Behalf Of Pablo Ruben Maldonado
Sent: Thursday, July 20, 2017 16:41
To: [hidden email]
Subject: Re: [squid-users] Squid box for two networks

The packets are routing using a mark and later routing rules inside my principal router (Mikrotik). Attach images with examples of packets arriving to Squid box.

On Thu, Jul 20, 2017 at 10:27 AM, Antony Stone <mailto:[hidden email]> wrote:
On Thursday 20 July 2017 at 14:08:27, Pablo Ruben Maldonado wrote:

> Hi, i add information missing in original post. Thanks for assistance:
>
> The Squid Box has setup for Intercept Mode. Iptables rules here:
>
> -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
> -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129

How are you routing the packets from the firewall to Squid?

> The config paste in https://pastebin.com/Witg3cG1
>
> Thanks
>
> On Mon, Jul 17, 2017 at 5:31 PM, Pablo Ruben Maldonado <
>
> mailto:[hidden email]> wrote:
> > Hello, I have a squid box 3.5 working without problems for the lan
> > http://192.168.110.0/24 for several months. Now I want setup to another lan
> > http://192.168.115.0/24 but I cannot. Tcpdump inform me that the packages come
> > to squid box. But in Squid's log I do not see anything. Can they give me
> > some tip?

Can you give us any examples of packets as seen by tcpdump on the Squid box:

a) from http://192.168.110.0/24

b) from http://192.168.115.0/24


Antony.

--
BASIC is to computer languages what Roman numerals are to arithmetic.

                                                   Please reply to the list;
                                                         please *don't* CC me.
_______________________________________________
squid-users mailing list
mailto:[hidden email]
http://lists.squid-cache.org/listinfo/squid-users


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Squid box for two networks

Pablo Ruben Maldonado
Hi Eliezer, thanks for you reply.

I'm marking and routing traffic to port 80 from my lan's 192.168.110.0/24 (Work!) and 192.168.115.0/24 (Fail!). The mark line in Mangle is:

add action=mark-connection chain=prerouting comment="TCP 80: Tr\E1fico HTTP de\
    sde la red WIFI. Se marca la conexi\F3n para QoS y Policy Routing. Ser\E1 \
    routeado hacia Proxy03" !connection-bytes !connection-limit \
    connection-mark=no-mark !connection-nat-state !connection-rate \
    !connection-state !connection-type !content disabled=no !dscp \
    !dst-address !dst-address-list !dst-address-type !dst-limit dst-port=80 \
    !fragment !hotspot !icmp-options !in-bridge-port in-interface=eth4-wifi \
    !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
    log=no log-prefix="" new-connection-mark=conn_proxy !nth !out-bridge-port \
    !out-interface !p2p !packet-mark !packet-size passthrough=yes \
    !per-connection-classifier !port !priority protocol=tcp !psd !random \
    !routing-mark !routing-table src-address=192.168.115.0/24 !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !ttl

The packet mark and route lines:

add action=mark-packet chain=prerouting comment=\
    "TCP 80: Se marca el paquete para Queue Tree (Up)" !connection-bytes \
    !connection-limit connection-mark=conn_proxy !connection-nat-state \
    !connection-rate !connection-state !connection-type !content disabled=no \
    !dscp !dst-address !dst-address-list !dst-address-type !dst-limit \
    !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-interface \
    !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
    log=no log-prefix="" new-packet-mark=up_tcp_80_pkt !nth !out-bridge-port \
    !out-interface !p2p !packet-mark !packet-size passthrough=yes \
    !per-connection-classifier !port !priority !protocol !psd !random \
    !routing-mark !routing-table !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss time=\
    0s-1d,sun,mon,tue,wed,thu,fri,sat !ttl
add action=mark-routing chain=prerouting comment=\
    "TCP 80: Se ejecuta el Policy Routing hacia Proxy03" !connection-bytes \
    !connection-limit !connection-mark !connection-nat-state !connection-rate \
    !connection-state !connection-type !content disabled=no !dscp \
    !dst-address dst-address-list=!clientslist !dst-address-type !dst-limit \
    !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-interface \
    !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
    log=no log-prefix="" new-routing-mark=route_toproxy03 !nth \
    !out-bridge-port !out-interface !p2p packet-mark=up_tcp_80_pkt \
    !packet-size passthrough=no !per-connection-classifier !port !priority \
    !protocol !psd !random !routing-mark !routing-table !src-address \
    !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
    !tcp-mss !time !ttl

Thanks

On Thu, Jul 20, 2017 at 2:11 PM, Eliezer Croitoru <[hidden email]> wrote:
Hey Pablo,

I am working as a tech support for MikroTik devices and the tcpdump dumps are leaving couple things unknown.
Can you share the MikroTik rules PBR rules you are using?
Are you using any kind of connection marking and tracking in the mix or just plain source based routing?
I am pretty sure that the issue is in the reverse path and not backwards.
If you can export your MikroTik configuration I might be able to try and help you find the right rules if these are wrong.
Also make sure that the squid box has reverse path filtering disabled using:
http://wiki.squid-cache.org/EliezerCroitoru/Drafts/MwanLB#Set_Reverse_Path_Filter_machine_globally_script

And also take a peek at:
http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2#Linux_and_Squid_Configuration

I planned to add into the wiki an article\tutorial how to setup squid with MikroTik since there are more than a dozen of articles\tutorials that just do not do it the right way.

Eliezer

* you can send me the configuration privately if these are sensitive

----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]


From: squid-users [mailto:[hidden email]] On Behalf Of Pablo Ruben Maldonado
Sent: Thursday, July 20, 2017 16:41
To: [hidden email]
Subject: Re: [squid-users] Squid box for two networks

The packets are routing using a mark and later routing rules inside my principal router (Mikrotik). Attach images with examples of packets arriving to Squid box.

On Thu, Jul 20, 2017 at 10:27 AM, Antony Stone <mailto:[hidden email]> wrote:
On Thursday 20 July 2017 at 14:08:27, Pablo Ruben Maldonado wrote:

> Hi, i add information missing in original post. Thanks for assistance:
>
> The Squid Box has setup for Intercept Mode. Iptables rules here:
>
> -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
> -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129

How are you routing the packets from the firewall to Squid?

> The config paste in https://pastebin.com/Witg3cG1
>
> Thanks
>
> On Mon, Jul 17, 2017 at 5:31 PM, Pablo Ruben Maldonado <
>
> mailto:[hidden email]> wrote:
> > Hello, I have a squid box 3.5 working without problems for the lan
> > http://192.168.110.0/24 for several months. Now I want setup to another lan
> > http://192.168.115.0/24 but I cannot. Tcpdump inform me that the packages come
> > to squid box. But in Squid's log I do not see anything. Can they give me
> > some tip?

Can you give us any examples of packets as seen by tcpdump on the Squid box:

a) from http://192.168.110.0/24

b) from http://192.168.115.0/24


Antony.

--
BASIC is to computer languages what Roman numerals are to arithmetic.

                                                   Please reply to the list;
                                                         please *don't* CC me.
_______________________________________________
squid-users mailing list
mailto:[hidden email]
http://lists.squid-cache.org/listinfo/squid-users




_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Squid box for two networks

joseph
This post was updated on .
 you might need his configuration

/ip firewall address-list
add address=192.168.110.0/24 comment="one route port 80" list=http-route
add address=192.168.115.0/24 comment="two route port 80" list=http-route

/ip firewall mangle
add action=mark-routing chain=prerouting comment=\
    "Clients HTTP route to cache" dst-port=80 \
    new-routing-mark=http passthrough=yes protocol=tcp src-address-list=http-route
       
/ip route
add comment="Cache route" distance=1 gateway=192.168.10.1 routing-mark=http

using squid as gateway
ps.... 192.168.10.1  is squid box so put yours
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Squid box for two networks

Pablo Ruben Maldonado
Joseph, these lines already exists in my setup. Thanks.

Remember you what my Squid box work for my primary lan (192.168.110.0/24) but don't work to the second lan (192.168.115.0/24)

On Thu, Jul 20, 2017 at 4:49 PM, joseph <[hidden email]> wrote:
 you might need his configuration

/ip firewall address-list
add address=192.168.110.0/24 comment="one route port 80" list=http-route
add address=192.168.115.0/24 comment="two route port 80" list=http-route

/ip firewall mangle
add action=mark-routing chain=prerouting comment=\
    "Clients HTTP route to cache" dst-port=80 \
    new-routing-mark=http passthrough=yes protocol=tcp
src-address-list=http-route

/ip route
add comment="Cache route" distance=1 gateway=192.168.1.1 routing-mark=http

using squid as gateway
ps.... 192.168.10.1  is squid box so put yours




--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-box-for-two-networks-tp4683119p4683193.html
Sent from the Squid - Users mailing list archive at Nabble.com.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Squid box for two networks

Eliezer Croitoru
In reply to this post by Pablo Ruben Maldonado
First take joseph advice.
This is the right way of doing things.
And since I have here couple MikroTik devices sitting I took one to create the same scenario that you have and the full configuration can be seen at:
http://wiki.squid-cache.org/EliezerCroitoru/Drafts/MikroTik-Route-To-Intercept-Squid

And on my site at:
http://ngtech.co.il/paste/1786/raw/

Technically since the px is on the same segment as the MikroTik it's better to accept traffic(in both the mangle and the filter tables) by the mac address of the px rather then the ip but for your case the ip should play fine with the combination of the interface which the traffic from the px flows in\at.
When it will all work for you as expected I will add this scenario with your network diagram as an example to the wiki(if it's fine with you that the project will use the diagram..).

Thanks,
Eliezer

----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]


From: squid-users [mailto:[hidden email]] On Behalf Of Pablo Ruben Maldonado
Sent: Thursday, July 20, 2017 21:51
To: [hidden email]
Subject: Re: [squid-users] Squid box for two networks

Hi Eliezer, thanks for you reply.

I'm marking and routing traffic to port 80 from my lan's http://192.168.110.0/24 (Work!) and http://192.168.115.0/24 (Fail!). The mark line in Mangle is:

add action=mark-connection chain=prerouting comment="TCP 80: Tr\E1fico HTTP de\
    sde la red WIFI. Se marca la conexi\F3n para QoS y Policy Routing. Ser\E1 \
    routeado hacia Proxy03" !connection-bytes !connection-limit \
    connection-mark=no-mark !connection-nat-state !connection-rate \
    !connection-state !connection-type !content disabled=no !dscp \
    !dst-address !dst-address-list !dst-address-type !dst-limit dst-port=80 \
    !fragment !hotspot !icmp-options !in-bridge-port in-interface=eth4-wifi \
    !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
    log=no log-prefix="" new-connection-mark=conn_proxy !nth !out-bridge-port \
    !out-interface !p2p !packet-mark !packet-size passthrough=yes \
    !per-connection-classifier !port !priority protocol=tcp !psd !random \
    !routing-mark !routing-table src-address=http://192.168.115.0/24 !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !ttl

The packet mark and route lines:

add action=mark-packet chain=prerouting comment=\
    "TCP 80: Se marca el paquete para Queue Tree (Up)" !connection-bytes \
    !connection-limit connection-mark=conn_proxy !connection-nat-state \
    !connection-rate !connection-state !connection-type !content disabled=no \
    !dscp !dst-address !dst-address-list !dst-address-type !dst-limit \
    !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-interface \
    !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
    log=no log-prefix="" new-packet-mark=up_tcp_80_pkt !nth !out-bridge-port \
    !out-interface !p2p !packet-mark !packet-size passthrough=yes \
    !per-connection-classifier !port !priority !protocol !psd !random \
    !routing-mark !routing-table !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss time=\
    0s-1d,sun,mon,tue,wed,thu,fri,sat !ttl
add action=mark-routing chain=prerouting comment=\
    "TCP 80: Se ejecuta el Policy Routing hacia Proxy03" !connection-bytes \
    !connection-limit !connection-mark !connection-nat-state !connection-rate \
    !connection-state !connection-type !content disabled=no !dscp \
    !dst-address dst-address-list=!clientslist !dst-address-type !dst-limit \
    !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-interface \
    !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
    log=no log-prefix="" new-routing-mark=route_toproxy03 !nth \
    !out-bridge-port !out-interface !p2p packet-mark=up_tcp_80_pkt \
    !packet-size passthrough=no !per-connection-classifier !port !priority \
    !protocol !psd !random !routing-mark !routing-table !src-address \
    !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
    !tcp-mss !time !ttl

Thanks

On Thu, Jul 20, 2017 at 2:11 PM, Eliezer Croitoru <mailto:[hidden email]> wrote:
Hey Pablo,

I am working as a tech support for MikroTik devices and the tcpdump dumps are leaving couple things unknown.
Can you share the MikroTik rules PBR rules you are using?
Are you using any kind of connection marking and tracking in the mix or just plain source based routing?
I am pretty sure that the issue is in the reverse path and not backwards.
If you can export your MikroTik configuration I might be able to try and help you find the right rules if these are wrong.
Also make sure that the squid box has reverse path filtering disabled using:
http://wiki.squid-cache.org/EliezerCroitoru/Drafts/MwanLB#Set_Reverse_Path_Filter_machine_globally_script

And also take a peek at:
http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2#Linux_and_Squid_Configuration

I planned to add into the wiki an article\tutorial how to setup squid with MikroTik since there are more than a dozen of articles\tutorials that just do not do it the right way.

Eliezer

* you can send me the configuration privately if these are sensitive

----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: mailto:[hidden email]


From: squid-users [mailto:mailto:[hidden email]] On Behalf Of Pablo Ruben Maldonado
Sent: Thursday, July 20, 2017 16:41
To: mailto:[hidden email]
Subject: Re: [squid-users] Squid box for two networks

The packets are routing using a mark and later routing rules inside my principal router (Mikrotik). Attach images with examples of packets arriving to Squid box.

On Thu, Jul 20, 2017 at 10:27 AM, Antony Stone <mailto:mailto:[hidden email]> wrote:
On Thursday 20 July 2017 at 14:08:27, Pablo Ruben Maldonado wrote:

> Hi, i add information missing in original post. Thanks for assistance:
>
> The Squid Box has setup for Intercept Mode. Iptables rules here:
>
> -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
> -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129

How are you routing the packets from the firewall to Squid?

> The config paste in https://pastebin.com/Witg3cG1
>
> Thanks
>
> On Mon, Jul 17, 2017 at 5:31 PM, Pablo Ruben Maldonado <
>
> mailto:mailto:[hidden email]> wrote:
> > Hello, I have a squid box 3.5 working without problems for the lan
> > http://192.168.110.0/24 for several months. Now I want setup to another lan
> > http://192.168.115.0/24 but I cannot. Tcpdump inform me that the packages come
> > to squid box. But in Squid's log I do not see anything. Can they give me
> > some tip?

Can you give us any examples of packets as seen by tcpdump on the Squid box:

a) from http://192.168.110.0/24

b) from http://192.168.115.0/24


Antony.

--
BASIC is to computer languages what Roman numerals are to arithmetic.

                                                   Please reply to the list;
                                                         please *don't* CC me.
_______________________________________________
squid-users mailing list
mailto:mailto:[hidden email]
http://lists.squid-cache.org/listinfo/squid-users



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Squid box for two networks

joseph
In reply to this post by Pablo Ruben Maldonado
well this work almost 10 year

an u can do 2 mark if you want to   make shur u use same marking new-routing-mark=http
on each range
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Squid box for two networks

Pablo Ruben Maldonado
Thanks to all for your help.

Eliezer, certainly that can use my graph.

I could confirm that my problem is in rules mark connection and mark packet that i use to stop the big downloads across the port 80. But this it is my problem. Even I have it pending.

On Thu, Jul 20, 2017 at 5:13 PM, joseph <[hidden email]> wrote:
well this work almost 10 year

an u can do 2 mark if you want to   make shur u use same marking
new-routing-mark=http
on each range



--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-box-for-two-networks-tp4683119p4683197.html
Sent from the Squid - Users mailing list archive at Nabble.com.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Loading...