Re: Transparent Squid and traffic control

Wed, 05 Jan 2011 13:24:42 -0800 


John Nielsen wrote:

On Jan 4, 2011, at 8:01 AM, Fazal Ahmed Malik wrote:


I have problem in running transparent squid along with dummynet on FreeBSD 7. I 
have mpd5 for dialin pppoe which is working perfect along with ipfw dummynet 
traffic control. Now i want to setup transparent squid using ipfw fwd rule. if 
i place fwd rule before dummynet rule transparent squid start working but than 
traffic is not being controlled. Than i placed fwd rule after the dummynet pipe 
here traffic controlled but transparent squid stop working.Any body have 
experience in such configuration where both work simultaneously please gave me 
some hints.


I have done this successfully in the past. You need to remember that for every 
web request there are potentially two TCP conversations: one between the client 
and the proxy and one between the proxy and the server.

You probably do not want to pipe the first type of conversation--requests that 
can be served from the proxy's cache do not use WAN bandwidth and should be 
served at full speed over the LAN.

You DO want to pipe the second type of conversation. Requests from the proxy to 
web servers over the WAN will compete with other traffic for bandwidth.

So leave your fwd rule before the dummynet rule(s) and be sure that LAN traffic 
is not piped.

Then add rules to pipe requests from the proxy's external IP to non-LAN 
addresses on port 80. Something like these:

Downstream:
ipfw add skipto $ACCEPT tcp from $LAN 80 to me
ipfw add pipe $M tcp from any 80 to $EXTIP

Upstream:
ipfw add skipto $ACCEPT tcp from me to $LAN 80
ipfw add pipe $N tcp from $EXTIP to any 80

If you post a specific ruleset you can get specific advice. :)

JN

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"
John try thinking about using tproxy with your squids and then it will be invisible to your IPFW traffic control as the http traffic will have a spoofed source and not 'confuse' your bw control setup. 

-Mike
_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"

Reply via email to