FW: [squid-users] wccp and MTU

From: Damian-Grint Philip <[email protected]>
Date: Mon, 13 Dec 2004 15:42:51 -0000

Sk,

We have the same problem here.

The problem with clients typing a proxy server in manually is that if
that proxy goes offline, all browsing stops - it's much better to use
the WPAD standard (draft-ietf-wrec-wpad-01.txt) to push a proxy.pac
script
(http://home.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html)
to clients so you can specify a list of proxies to try, and even allow
them to go direct if none are working.

Most of our clients have autoconfigure set, and I force any remaining
traffic to WCCP. It is quite easy to build a Squid server which handles
direct and wccp simultaneously - proxy-aware goes to port 3128 and the
rest is picked up and redirected by the WCCP router as destined for port
80 on non-internal IPs.

So the other half of my solution is as follows:

We use Group Policy to try to force all IE clients to have Automatically
detect settings ticked.
This makes IE look for http://wpad.<defaultdomain>/wpad.dat.

In DNS I have:

wpad IN CNAME <intranetserver>

In the root of our Intranet server, I have a wpad.dat file (which on our
network is actually an ASP file that examines the client IP before
returning the autoproxy script to IE. I took this more complicated
approach because on some Win2K boxes the MyIPAddress() javascript
function is broken, and I want to split our traffic across multiple
squids and multiple Internet feeds based on subnet. To make it execute,
I configure the IIS server to map GETs for *.dat files to asp.dll.) Be
aware that IE sometimes issues a GET for wpad and sometimes for the IP - I
use host headers for each. Also check out the various issues to do with
proxy caching in the Microsoft world.

Your wpad.dat will deliver something like the following; the first three
lines just stop internal servers being accessed through squid:

function FindProxyForURL(url, host)
{
        if (isPlainHostName(host) ||
            dnsDomainIs(host, ".ourinternaldomain.co.uk") ||
            dnsDomainIs(host, ".anotherinternaldomain.co.uk"))
                return "DIRECT";
        else
                return "PROXY webproxy1:3128; PROXY webproxy2:3128; DIRECT";
}

Hope that helps

Phil

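The message above describes serving a per-client wpad.dat from the server side (an ASP page that looks at the requesting IP) so that the proxy list can be split by subnet without relying on the browser's MyIPAddress(). The following is an added example, not code from the thread or from any of its authors: a Node.js generator that picks the proxy chain from the client's subnet and emits the PAC script, plus a small harness that evaluates the generated script with shims for the PAC helper functions a browser normally provides. The subnets, proxy names and the 10.65.0.0/16 range are constructed placeholders; the internal domain names are the ones from the PAC script in the message.

```javascript
// Added example, not from the mailing-list thread: a server-side wpad.dat
// generator that chooses the proxy list from the requesting client's IP
// (the role the ASP page plays in the message above), plus a harness that
// evaluates the produced PAC script the way a browser would.
// Subnets and proxy names are constructed placeholders.

const SUBNET_PROXIES = [
  // { network, mask, proxies } in order of preference (constructed values)
  { network: '10.64.0.0', mask: '255.255.0.0', proxies: ['webproxy1:3128', 'webproxy2:3128'] },
  { network: '10.65.0.0', mask: '255.255.0.0', proxies: ['webproxy2:3128', 'webproxy1:3128'] },
];
const DEFAULT_PROXIES = ['webproxy1:3128'];
const INTERNAL_DOMAINS = ['.ourinternaldomain.co.uk', '.anotherinternaldomain.co.uk'];

function ipToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error('bad IPv4 address: ' + ip);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

function inNet(ip, network, mask) {
  const m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(network) & m) >>> 0);
}

function proxiesForClient(clientIp) {
  const hit = SUBNET_PROXIES.find(s => inNet(clientIp, s.network, s.mask));
  return hit ? hit.proxies : DEFAULT_PROXIES;
}

// Server side: build the PAC text for this client. The proxy chain is baked
// in, so the browser never has to call myIpAddress().
function buildPac(clientIp) {
  const proxyChain = proxiesForClient(clientIp).map(p => 'PROXY ' + p).join('; ') + '; DIRECT';
  const internal = INTERNAL_DOMAINS
    .map(d => 'dnsDomainIs(host, ' + JSON.stringify(d) + ')')
    .join(' ||\n        ');
  return [
    'function FindProxyForURL(url, host) {',
    '    if (isPlainHostName(host) ||',
    '        ' + internal + ')',
    '        return "DIRECT";',
    '    return ' + JSON.stringify(proxyChain) + ';',
    '}',
  ].join('\n');
}

// Client side (test harness): the PAC helper functions a browser provides
const pacHelpers = {
  isPlainHostName: host => !host.includes('.'),
  dnsDomainIs: (host, domain) => host.toLowerCase().endsWith(domain.toLowerCase()),
};

// Evaluate a PAC script offline and return its answer for one URL/host pair
function evaluatePac(pacSource, url, host) {
  const factory = new Function(...Object.keys(pacHelpers), pacSource + '\nreturn FindProxyForURL;');
  const findProxyForURL = factory(...Object.values(pacHelpers));
  return findProxyForURL(url, host);
}

// Usage: what a client in the constructed 10.65.0.0/16 range would receive
const pac = buildPac('10.65.12.7');
console.log(pac);
console.log(evaluatePac(pac, 'http://intranet/', 'intranet'));
console.log(evaluatePac(pac, 'http://www.example.com/', 'www.example.com'));
```

The harness is useful on its own: pointing evaluatePac at a real wpad.dat with a handful of internal and external hostnames catches the classic mistakes (an internal domain missing from the DIRECT list, a typo in a proxy port) before the script is pushed to every browser via Group Policy.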
-----Original Message-----
From: sk [mailto:suresh.kumar@online.com.kh]
Sent: 13 December 2004 11:31
To: Damian-Grint Philip
Subject: Re: [squid-users] wccp and MTU

Thanks a lot for this idea!

Here the situation has been complicated.
Some clients are asked to put the proxy in their IE.
Some are not asked.
And more: some are bypassed from WCCP.

Really confused what to do.

Pls help.
SK

----- Original Message -----
From: "Damian-Grint Philip" <pdamian-grint@collierscre.co.uk>
To: "Squid Users" <squid-users@squid-cache.org>
Sent: Monday, December 13, 2004 5:45 PM
Subject: RE: [squid-users] wccp and MTU

If you can't get around the MTU/DF problem, you can always force the DF
bit off in a particular direction using route maps (we have
ieclient->privaterouter->greovermpls->privaterouter->squidwccp->thirdpartyrouter->mpls->ourfirewall->internet):

access-list 100 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
! don't touch internal traffic
access-list 100 permit ip 10.0.0.0 0.255.255.255 any
! mark internet-bound traffic only for WCCP
access-list 100 deny ip any any

access-list 102 deny tcp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
! don't touch internal traffic
access-list 102 permit tcp any 10.0.0.0 0.255.255.255
! but do match traffic returning from the internet
access-list 102 deny tcp any any

ip wccp version 1
ip wccp web-cache redirect-list 100

route-map clear-df permit 10
 match ip address 102
 set ip df 0

interface Ethernet0/0
 ip address 10.64.0.254 255.255.0.0
 no ip redirects
 ip wccp web-cache redirect out
 ip route-cache same-interface
 ip policy route-map clear-df
 ipx network 64 encapsulation SAP

Where our squid boxes are on the E0/0 network and so is the next hop to
the internet - here, the DF is switched off on returning traffic before
it is pushed into GRE tunnels back to clients.

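The route map above clears the DF bit on traffic returning from the internet so that the router can fragment it before it enters the GRE tunnels, instead of dropping it and relying on an ICMP "fragmentation needed" that, as Henrik explains further down, never reaches Squid in a WCCP setup. As an added example (not from the thread or its authors), the following Node.js code shows what that means at the packet level: it decodes an IPv4 header, decides what a router does with the datagram on a link of a given MTU, and clears DF the way `set ip df 0` does, recomputing the header checksum. The header bytes and addresses are constructed; 1492 is the usual PPPoE MTU (Ethernet's 1500 minus the 8-byte PPPoE header).

```javascript
// Added example, not from the mailing-list thread: decode an IPv4 header,
// decide what a router does with the datagram on a link of a given MTU, and
// clear the DF bit the way "set ip df 0" does, recomputing the header
// checksum. The header bytes below are constructed for this example.

function ipv4Checksum(hdr) {
  // One's-complement sum of the 16-bit header words, checksum field taken as zero
  let sum = 0;
  for (let i = 0; i < hdr.length; i += 2) {
    if (i === 10) continue;
    sum += (hdr[i] << 8) | hdr[i + 1];
  }
  while (sum > 0xffff) sum = (sum & 0xffff) + (sum >>> 16);
  return (~sum) & 0xffff;
}

function parseIPv4(hdr) {
  const flagsFrag = (hdr[6] << 8) | hdr[7];
  return {
    version: hdr[0] >> 4,
    headerLen: (hdr[0] & 0x0f) * 4,
    totalLength: (hdr[2] << 8) | hdr[3],
    df: (flagsFrag & 0x4000) !== 0,        // Don't Fragment
    mf: (flagsFrag & 0x2000) !== 0,        // More Fragments
    fragOffset: flagsFrag & 0x1fff,
    protocol: hdr[9],
    checksumOk: ((hdr[10] << 8) | hdr[11]) === ipv4Checksum(hdr),
    src: Array.from(hdr.subarray(12, 16)).join('.'),
    dst: Array.from(hdr.subarray(16, 20)).join('.'),
  };
}

// Return a copy of the header with DF cleared and a valid checksum
function clearDF(hdr) {
  const out = Uint8Array.from(hdr);
  out[6] &= 0xbf;                          // DF is the 0x40 bit of byte 6
  const csum = ipv4Checksum(out);
  out[10] = csum >> 8;
  out[11] = csum & 0xff;
  return out;
}

// What a router does when the datagram meets the next link's MTU
function forward(hdr, linkMtu) {
  const p = parseIPv4(hdr);
  if (p.totalLength <= linkMtu) return { action: 'forward' };
  if (p.df) {
    // Dropped. The ICMP "fragmentation needed" is addressed to the sender;
    // in the WCCP setup discussed above it does not reach Squid, so the
    // TCP flow simply stalls on the oversized segment.
    return { action: 'drop', icmp: 'fragmentation needed', nextHopMtu: linkMtu };
  }
  const chunk = (linkMtu - p.headerLen) & ~7;   // fragment payloads are multiples of 8 bytes
  return { action: 'fragment', fragments: Math.ceil((p.totalLength - p.headerLen) / chunk) };
}

// Constructed header of a 1500-byte TCP datagram with DF set
const SAMPLE_HEADER = Uint8Array.from([
  0x45, 0x00, 0x05, 0xdc,   // version 4, IHL 5, TOS 0, total length 1500
  0x12, 0x34, 0x40, 0x00,   // identification, flags (DF) + fragment offset 0
  0x40, 0x06, 0xdc, 0x98,   // TTL 64, protocol 6 (TCP), header checksum
  10, 64, 0, 10,            // source 10.64.0.10 (constructed, in the thread's 10.64.0.0/16)
  203, 0, 113, 5,           // destination 203.0.113.5 (documentation address)
]);

const PPPOE_MTU = 1492;     // Ethernet MTU minus the 8-byte PPPoE header

console.log(parseIPv4(SAMPLE_HEADER));
console.log(forward(SAMPLE_HEADER, PPPOE_MTU));            // dropped, ICMP never reaches Squid
console.log(forward(clearDF(SAMPLE_HEADER), PPPOE_MTU));   // fragmented and delivered instead
```

The same decoder is handy when diagnosing this problem from a capture on the Squid box: if the large segments leaving Squid carry DF and nothing smaller than 1500 bytes ever gets acknowledged by the PPPoE clients, while no ICMP type 3 code 4 arrives, the path is silently black-holing them. Clearing DF on the return path trades a little router CPU for fragmentation; lowering the MTU on Squid's interface or route, as Henrik suggests, avoids the fragmentation altogether.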
-----Original Message-----
From: Henrik Nordstrom [mailto:hno@squid-cache.org]
Sent: 10 December 2004 13:38
To: sk
Cc: Squid Users
Subject: Re: [squid-users] wccp and MTU

You can try the patch in Bug #1154

Regards
Henrik

On Fri, 10 Dec 2004, sk wrote:

> Thanks for the reply.
>
> Could you throw some more light on how to set the path mtu.
>
> TIA
> Sk
>
> ----- Original Message -----
> From: "Henrik Nordstrom" <hno@squid-cache.org>
> To: "sk" <suresh.kumar@online.com.kh>
> Cc: <squid-users@squid-cache.org>
> Sent: Friday, December 10, 2004 8:04 PM
> Subject: Re: [squid-users] wccp and MTU
>
>
>> On Fri, 10 Dec 2004, sk wrote:
>>
>>> Could somebody tell how to set mtu for wccp redirection
>>>
>>> a lot of clients using pppoe have problem with wccp redirection. They
>>> can work if they point their browsers directly to the squid.
>>
>> I guess these PPPoE users are using a smaller MTU than the default? Such a
>> situation is a common source of problems with most WCCP routers as they do
>> not track connections and fail to send the ICMP "must fragment" messages
>> to the Squid server.
>>
>> The MTU is set by the MTU of the interface or route on the Squid server.
>>
>> Another viable option is to disable Path-MTU discovery towards the
>> clients.
>>
>> Regards
>> Henrik
>>
>

________________________________________________________________________
This e-mail has been scanned for all viruses by Star. The
service is powered by MessageLabs. For more information on a proactive
anti-virus service working around the clock, around the globe, visit:
http://www.star.net.uk
________________________________________________________________________

Received on Mon Dec 13 2004 - 08:41:46 MST

This archive was generated by hypermail pre-2.1.9 : Sat Jan 01 2005 - 12:00:02 MST