Re: [squid-users] FreeBSD 5.1, Cisco 837 & WCCP Redirects

From: Adam Smith <[email protected]>
Date: Mon, 26 Jan 2004 14:22:38 +1030

On Mon, Jan 26, 2004 at 01:42:30PM +1030, Adam Smith said:
> On Sun, Jan 25, 2004 at 11:46:34PM +0200, Roman Synyuk said:
> > Hello.
> >
> > You need to configure forwarding incoming packets from GRE interface
> > to squid process:
> >
> > # ipfw add fwd 127.0.0.1,3128 ip from any to any via gre0 in
> > # ipfw add permit ip from any to any
>
> I tried this, however I'm still not seeing it work, and now I have more
> questions!
>
> IPFW:
>
> I am now counting any packets on my GRE rule:

Sorry, "now" should read "not".

> 01300 0 0 fwd 127.0.0.1,3128 ip from any to any via gre0 in
>
> I'm also not entirely sure at which level of my firewall rules I should be
> inserting this rule. I've tried just before "allow ip from me to any" and
> I've tried right at the very start but still, no packets are counted.
>
> CISCO 837:
>
> Which interface am I actually supposed to be running the WCCP redirect on?
> I'm starting to think it should be on my Ethernet0 interface, as this is
> where the GRE tunnel ends. It sorta makes better sense. Adding the
> wccp-redirect lines to it doesn't make any difference though -- users can
> still get out without anything going back to the proxy.
>
> If users are getting through, does this mean the wccp redirect is failing
> at the router end?
>
> Thanks for any pointers.
>
> > > Hello!
> > >
> > > I'm trying to set up a transparent proxy, but I'm running in to some
> > > difficulty. Here is my set up:
> > >
> > > * Cisco 837 running Cisco IOS 12.3
> > > * FreeBSD 5.1
> > > * squid-2.5.4_6 with WCCP compiled in
> > > * (also running apache-2.0.48_1, running on port 80)
> > >
> > > I have so far taken the following steps:
> > >
> > > In squid.conf:
> > > --------------
> > >
> > > ## WCCP Redirection (Transparent Proxy)
> > > ## ------------------------------------
> > > httpd_accel_host virtual
> > > httpd_accel_port 3128
> > > httpd_accel_with_proxy on
> > > httpd_accel_uses_host_header on
> > > wccp_router 10.0.0.254
> > > wccp_version 3
> > >
> > > On the Cisco 837:
> > > -----------------
> > >
> > > ip wccp version 1
> > > ip wccp web-cache redirect-list 2
> > > !
> > > interface BVI1
> > > description --- Bridging Interface ---
> > > ip address 150.101.x.x 255.255.255.248
> > > ip wccp web-cache redirect in
> > > ip nat outside
> > > end
> > > !
> > > access-list 2 permit 10.0.0.0 0.0.0.255
> > >
> > > On FreeBSD 5.1:
> > > ---------------
> > >
> > > <compiled 'device gre' into kernel>
> > >
> > > configured device with:
> > >
> > > # ifconfig gre0 create
> > > # ifconfig gre0 10.0.0.3 10.0.0.254 netmask 255.255.255.255 up
> > > # ifconfig gre0 tunnel 10.0.0.3 10.0.0.254
> > > # route delete 10.0.0.254
> > >
> > > ifconfig:
> > >
> > > gre0: flags=9051<UP,POINTOPOINT,RUNNING,LINK0,MULTICAST> mtu 1476
> > > tunnel inet 10.0.0.3 --> 10.0.0.254
> > > inet6 fe80::240:5ff:fe03:3fb1%gre0 prefixlen 64 scopeid 0x5
> > > inet 10.0.0.3 --> 255.255.255.0 netmask 0xff000000
> > >
> > > Once all this is done and Squid starts I get the following messages on my
> > > 837:
> > >
> > > router#deb ip wccp event
> > > router#deb ip wccp packet
> > > *Mar 1 19:57:04.715: WCCP-PKT: Sending I_See_You packet to 10.0.0.3 w/ rcvd_id 000000C2
> > > *Mar 1 19:57:14.739: WCCP-EVNT: Built I_See_You msg body w/1 usable web caches, change # 0000000B
> > > *Mar 1 19:57:14.739: %WCCP-5-CACHEFOUND: Web Cache 10.0.0.3 acquired
> > > *Mar 1 19:57:14.739: WCCP-PKT: Received valid Here_I_Am packet from 10.0.0.3 w/rcvd_id 000000C2
> > > *Mar 1 19:57:14.739: WCCP-PKT: Sending I_See_You packet to 10.0.0.3 w/ rcvd_id 000000C3
> > > *Mar 1 19:57:25.759: WCCP-PKT: Received valid Here_I_Am packet from 10.0.0.3 w/rcvd_id 000000C3
> > > *Mar 1 19:57:25.759: WCCP-PKT: Sending I_See_You packet to 10.0.0.3 w/ rcvd_id 000000C4
> > >
> > > So they're talking WCCP, however users can still browse the web and it
> > > seems to me as though the router isn't forwarding the traffic:
> > >
> > > router#sh ip wccp web-cache detail
> > > WCCP Cache-Engine information:
> > > Web Cache ID: 0.0.0.0
> > > Protocol Version: 0.3
> > > State: Usable
> > > Initial Hash Info: 00000000000000000000000000000000
> > > 00000000000000000000000000000000
> > > Assigned Hash Info: 00000000000000000000000000000000
> > > 00000000000000000000000000000000
> > > Hash Allotment: 0 (0.00%)
> > > Packets Redirected: 0
> > > Connect Time: 00:03:35
> > >
> > > I am not sure if interface BVI1 is supposed to be redirect in or redirect
> > > out, but so far having either has shown the same results.
> > >
> > > Squid logs are not showing anything.
> > >
> > > Is my understanding correct if I say that my 837 intercepts traffic on port
> > > 80 and then, using the GRE tunnel, redirects it to my FreeBSD box still on
> > > port 80, where squid handles it like a normal request? If this is the
> > > case, am I supposed to set up some kind of firewall rule that captures
> > > traffic in port 80 and remaps it to port 3128? If I do this, how can I
> > > have apache and squid running together?
> > >
> > > This is sort of what I have worked out after reading the setup steps for
> > > all sorts of linux/freebsd configurations, but I'm not so sure it's what I
> > > need to do. To test this I changed the listening port of squid to 80, and
> > > still saw no entries in my access.log tending me to believe that the
> > > wccp-redirect just ain't workin'.
> > >
> > > Can anyone shed any light?
> > >
> > >
> > > Cheers,
> > >
> > > --
> > > Adam Smith : adam@internode.com.au
> > > Internode : http://www.internode.on.net
> > > Phone : (08) 8228 2999
> > >
>
> --
> Adam Smith : adam@internode.com.au
> Internode : http://www.internode.on.net
> Phone : (08) 8228 2999

-- 
Adam Smith	: adam@internode.com.au
Internode	: http://www.internode.on.net
Phone		: (08) 8228 2999
Received on Sun Jan 25 2004 - 20:52:41 MST

This archive was generated by hypermail pre-2.1.9 : Sun Feb 01 2004 - 12:00:08 MST