Hi,

At the wccp0 interface do you see bidirectional http traffic? If the squid box has multiple interfaces, do you see traffic on its wan interface? That traffic might need NATing. Also I would check if squidbox drops any packages in case you have firewall configured on it.
Alex

On Wed, May 9, 2018, 07:22 Ilias Clifton <adili...@gmx.com> wrote:
>
> Hello,
>
> I've been trying to get WCCP working but have been banging my head against
> a wall, so thought I would ask for help.
>
> There are 2 internal subnets that I would like to use the squid proxy:
> 172.28.30.128/25 and 172.28.29.0/25
>
> I have squid v3.5.25 running on Ubuntu 16 : 172.28.28.252
>
> I have a Cisco 1841 - Adv IP - 12.4, see relevant config:
>
> #Inside Interface
> interface FastEthernet0/1
>  ip address 172.28.28.1 255.255.255.240
>  ip wccp web-cache redirect in
>  ip nat inside
>  ip virtual-reassembly max-reassemblies 64
>  no ip mroute-cache
>  duplex auto
>  speed auto
>
> #Loopback for wccp router ID
> interface Loopback0
>  ip address 172.28.28.33 255.255.255.255
>
> ip wccp web-cache redirect-list PROXY_USERS group-list SQUID
>
> ip access-list extended PROXY_USERS
>  deny tcp host 172.28.28.252 any
>  permit tcp 172.28.30.128 0.0.0.127 any eq www
>  permit tcp 172.28.29.0 0.0.0.127 any eq www
>  deny ip any any
>
> ip access-list standard SQUID
>  permit 172.28.28.252
>
> On the Ubuntu box, I have the squid with the following config:
>
> http_port 3128
> http_port 3129 intercept
> acl localnet src 172.28.28.0/22
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> visible_hostname Squid
> wccp2_router 172.28.28.1
> wccp2_forwarding_method gre
> wccp2_return_method gre
> wccp2_service standard 0
>
> If clients are manually set to use the proxy on port 3128, they work
> correctly.
>
> Again on the Ubuntu box, I have setup the following gre tunnel.
>
> ip tunnel add wccp0 mode gre remote 172.28.28.33 local 172.28.28.252 dev ens33 ttl 255
>
> and the following redirect using iptables..
>
> iptables -t nat -A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
>
> In sysctl.conf, I have disabled reverse path filtering and enabled ip
> forwarding.
>
> net.ipv4.conf.default.rp_filter=0
> net.ipv4.conf.all.rp_filter=0
> net.ipv4.ip_forward=1
>
> When starting squid, using tcpdump, I see traffic between the Ubuntu box
> and the router on udp port 2048
>
> 00:39:34.587799 IP 172.28.28.252.2048 > 172.28.28.1.2048: UDP, length 144
> 00:39:34.590399 IP 172.28.28.1.2048 > 172.28.28.252.2048: UDP, length 140
>
> I see the following message on the router..
> %WCCP-5-SERVICEFOUND: Service web-cache acquired on WCCP client 172.28.28.252
>
> So looks like it's working ok so far...
>
> When I try and browse to a site from a client..
> $ wget http://www.google.com
>
> On the Ubuntu box, I see gre traffic on the ethernet interface..
> 00:44:22.340734 IP 172.28.28.33 > 172.28.28.252: GREv0, length 72: gre-proto-0x883e
>
> I see the un-encapsulated traffic on the wccp0 interface:
> 00:56:26.888519 IP 172.28.29.4.52128 > 216.58.203.100.80
>
> Which is correctly showing original client IP and destination IP.
>
> I can see hits on the iptable redirect rule:
>  pkts bytes target prot opt in out source destination
>   429 26280 REDIRECT tcp -- wccp0 any anywhere anywhere tcp dpt:http redir ports 3129
>
> But there is no response from squid on the Ubuntu box :-(
>
> I don't see anything helpful in either access.log or cache.log.
>
> I'm not sure if there is anything else that could be dropping the packet
> apart from return path filtering..
>
> If someone could give me some pointers or any further debugging I could
> try, that would be great.
>
> Thanks.
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
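A small checker for the things this thread circles around on the Squid host: whether reverse path filtering is really off for the tunnel interface (the kernel applies the larger of conf/all and conf/<iface>, so a per-interface value can re-enable it), whether ip_forward is set, and whether the PREROUTING REDIRECT rule on wccp0 is matching. This is an added example written for this page, not code from the thread or the Squid project; the function names are mine and the sample values are constructed to mirror the counters quoted above.

```python
import subprocess
from pathlib import Path

SYSCTL = Path("/proc/sys/net/ipv4")


def effective_rp_filter(rp_values, iface):
    """Kernel rule: max(conf/all/rp_filter, conf/<iface>/rp_filter) is what applies."""
    iface_val = rp_values.get(iface, rp_values.get("default", 0))
    return max(rp_values.get("all", 0), iface_val)


def sysctl_findings(rp_values, ip_forward, ifaces=("wccp0", "ens33")):
    """List problems; an empty list means forwarding is on and rp_filter is off per iface."""
    problems = []
    if ip_forward != 1:
        problems.append("net.ipv4.ip_forward is not 1")
    for iface in ifaces:
        if effective_rp_filter(rp_values, iface) != 0:
            problems.append(f"rp_filter still enforced on {iface} (max of all/{iface})")
    return problems


def redirect_packets(nat_listing, in_iface="wccp0", to_port="3129"):
    """Packet counter of the REDIRECT rule for in_iface -> to_port from
    `iptables -t nat -L PREROUTING -v` output, or None if no such rule exists."""
    for line in nat_listing.splitlines():
        cols = line.split()
        # columns: pkts bytes target prot opt in out source destination [extras...]
        if len(cols) > 9 and cols[2] == "REDIRECT" and cols[5] == in_iface:
            if "ports" in cols and cols[cols.index("ports") + 1] == to_port:
                return int(cols[0])
    return None


def live_state():
    """Read the real values on a Linux Squid host (iptables needs root)."""
    rp = {d.name: int((d / "rp_filter").read_text()) for d in (SYSCTL / "conf").iterdir()}
    fwd = int((SYSCTL / "ip_forward").read_text())
    nat = subprocess.run(["iptables", "-t", "nat", "-L", "PREROUTING", "-v"],
                         capture_output=True, text=True, check=True).stdout
    return rp, fwd, nat


# Constructed sample (not captured from a real host): wccp0 was created with its own
# rp_filter=1, which the all/default=0 lines in sysctl.conf do not override.
SAMPLE_RP = {"all": 0, "default": 0, "ens33": 0, "wccp0": 1}
SAMPLE_NAT = """Chain PREROUTING (policy ACCEPT 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
  429 26280 REDIRECT   tcp  --  wccp0  any     anywhere             anywhere             tcp dpt:http redir ports 3129
"""

if __name__ == "__main__":
    rp, fwd, nat = SAMPLE_RP, 1, SAMPLE_NAT  # replace with live_state() on the Squid box
    for problem in sysctl_findings(rp, fwd):
        print("PROBLEM:", problem)
    print("REDIRECT hits wccp0 -> 3129:", redirect_packets(nat))
```

If the REDIRECT counter climbs but Squid still answers nothing, the next places to look are the filter-table INPUT chain for port 3129 and the per-interface rp_filter value this script flags.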