 
Jeanluck
Member Candidate
Topic Author
Posts: 280
Joined: Tue Apr 19, 2011 7:07 pm

Simple Squid question

Mon Aug 01, 2011 12:34 am

Hi,
I have a simple problem... but I don't know why :(

Net: 10.0.0.0/24
Gateway: 10.0.0.1
Squid: 10.0.0.2:3128

If I configure browsers with the 10.0.0.2:3128 proxy, it works fine, and it also works fine if I configure squid as the Mikrotik parent proxy with the nat redirect 80->8080.

But I want to use squid without the Mikrotik proxy, and I have:
"18 chain=dstnat action=dst-nat to-addresses=10.0.0.2 to-ports=3128 protocol=tcp dst-port=80 "
but it doesn't work, it times out. Is another configuration needed to use squid alone?
Thanks
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Simple Squid question

Mon Aug 01, 2011 12:59 am

http://wiki.mikrotik.com/wiki/Hairpin_NAT
Same issue as in that wiki article: squid is sending traffic back directly to the client, which doesn't know what the hell is going on. Either move the squid box to a separate subnet, or add src-nat as discussed in the article.
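
Added example, not part of the original post: a small Python model of the packet path described in the reply above, covering the dst-nat-only case, the src-nat fix, and the separate-subnet alternative. The web server address 203.0.113.80 and the source ports 40000/50000 are constructed; the other addresses are the ones given in the thread.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("10.0.0.0/24")        # client subnet from the thread
ROUTER, CLIENT = "10.0.0.1", "10.0.0.20"
WEB = ("203.0.113.80", 80)             # constructed web server (TEST-NET-3)


def simulate(squid_ip: str, hairpin_srcnat: bool) -> dict:
    """Follow one request from CLIENT to WEB and the reply squid sends back."""
    expected_peer = WEB                # the client only accepts replies from here
    src, dst = (CLIENT, 40000), WEB

    # dstnat: the router rewrites the destination and remembers the original tuple.
    conntrack = {"orig_src": src, "orig_dst": dst}
    dst = (squid_ip, 3128)

    # srcnat (the hairpin fix): the router also replaces the source with itself.
    if hairpin_srcnat:
        src = (ROUTER, 50000)

    # Squid answers the source address it actually saw.
    reply_src, reply_dst = dst, src

    # A reply to a host on squid's own subnet is delivered directly on the LAN.
    # Only a reply that passes through the router gets its NAT undone.
    same_subnet = ip_address(squid_ip) in LAN
    via_router = reply_dst[0] == ROUTER or not same_subnet
    if via_router:
        reply_src, reply_dst = conntrack["orig_dst"], conntrack["orig_src"]

    return {
        "squid_saw": src[0],
        "reply_via_router": via_router,
        "client_sees_reply_from": reply_src,
        "client_accepts": reply_src == expected_peer,
    }


if __name__ == "__main__":
    for squid_ip, fix in [("10.0.0.2", False), ("10.0.0.2", True), ("10.0.1.2", False)]:
        print(squid_ip, "srcnat" if fix else "dstnat only", simulate(squid_ip, fix))
```

With the src-nat fix, squid sees every request as coming from 10.0.0.1, so its access log and any per-client ACLs lose the real client address; the separate-subnet layout keeps it.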
 
Jeanluck
Member Candidate
Topic Author
Posts: 280
Joined: Tue Apr 19, 2011 7:07 pm

Re: Simple Squid question

Mon Aug 01, 2011 1:05 am

Thanks! I will read it now
 
w0lt
Long time Member
Posts: 537
Joined: Wed Apr 02, 2008 2:12 pm
Location: Minnesota USA

Re: Simple Squid question

Mon Aug 01, 2011 2:26 am

What router are you using?
 
Jeanluck
Member Candidate
Topic Author
Posts: 280
Joined: Tue Apr 19, 2011 7:07 pm

Re: Simple Squid question

Mon Aug 01, 2011 11:54 am

It's an x86 with version 5.5 (dual core and 2Gb), and kvm squid inside (for a few users)

I read http://wiki.mikrotik.com/wiki/Hairpin_NAT and I understand the problem. It sounds simple, but I still have not managed to adapt the proposed solution to my problem and I still get the timeout. I'm on it... I will comment later if I manage to fix it...
 
jtroybailey
Member Candidate
Posts: 176
Joined: Thu Oct 07, 2010 10:24 am
Location: Brisbane, Australia

Re: Simple Squid question

Mon Aug 01, 2011 12:12 pm

just put the squid server on a different subnet and use the same dstnat rules with the new ip
 
Jeanluck
Member Candidate
Topic Author
Posts: 280
Joined: Tue Apr 19, 2011 7:07 pm

Re: Simple Squid question

Mon Aug 01, 2011 1:47 pm

Hi, :( :(
I put squid in another subnet:
Main subnet: 10.0.0.0/24
Squid subnet: 10.0.1.0/24 - Squid IP: 10.0.1.2 - Gateway: 10.0.1.1

To give squid connectivity for http access, I added the IP address 10.0.1.1/24 to my RouterOS bridge, so I have:
 #   ADDRESS            NETWORK       INTERFACE
 0   10.0.0.1/24        10.0.0.0      bridge1
 1 D 93.156.58.209/21   93.156.56.0   ether1
 2   10.0.1.1/24        10.0.1.0      bridge1

And in the nat rules I have:
chain=dstnat action=dst-nat to-addresses=10.0.1.2 to-ports=3128 protocol=tcp src-address=10.0.0.0/24 dst-port=80

But nothing... I tried a lot of options... :(
Any ideas please?
Thank you very much to all
 
jtroybailey
Member Candidate
Posts: 176
Joined: Thu Oct 07, 2010 10:24 am
Location: Brisbane, Australia

Re: Simple Squid question

Mon Aug 01, 2011 1:51 pm

don't use a bridge to start with

and this is a rule I use:
chain=dstnat action=dst-nat to-addresses=172.19.65.250 to-ports=3128 
     protocol=tcp dst-address=!172.16.0.0/12 in-interface=ether3 dst-port=80
 
Jeanluck
Member Candidate
Topic Author
Posts: 280
Joined: Tue Apr 19, 2011 7:07 pm

Re: Simple Squid question

Mon Aug 01, 2011 5:45 pm

I tried again with the same subnet, as in http://wiki.mikrotik.com/wiki/Hairpin_NAT

subnet: 10.0.0.0/24 (Gateway: 10.0.0.1)
Client: 10.0.0.20
Squid: 10.0.0.2:3128
Wan port: ether2

Nat rules:
0 chain=dstnat action=dst-nat to-addresses=10.0.0.2 to-ports=3128 protocol=tcp src-address=10.0.0.20 dst-address=!10.0.0.0/24 dst-port=80
1 chain=srcnat action=masquerade protocol=tcp src-address=10.0.0.20 dst-address=10.0.0.2 out-interface=ether2 dst-port=80,3128

But nothing... timeout :(. Although I see the packet counters increment in both rules when I try to navigate.
I tried a lot of options, but I think that the correct one is this.

Any ideas please?
 
w0lt
Long time Member
Posts: 537
Joined: Wed Apr 02, 2008 2:12 pm
Location: Minnesota USA

Re: Simple Squid question

Tue Aug 02, 2011 12:40 am

Did you configure iptables on the squid server?

I run mine in "Transparent" mode.

If so, you should have something similar to this in your iptables:

-A INPUT -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp --dport 3128 -j ACCEPT
 
Jeanluck
Member Candidate
Topic Author
Posts: 280
Joined: Tue Apr 19, 2011 7:07 pm

Re: Simple Squid question

Tue Aug 02, 2011 12:50 am

No... I did not touch iptables... I did not know that it was necessary...
Thanks, I'll try adding that
 
Jeanluck
Member Candidate
Topic Author
Posts: 280
Joined: Tue Apr 19, 2011 7:07 pm

Re: Simple Squid question

Tue Aug 02, 2011 1:25 am

I found that I have the firewall disabled; it allows all traffic :(
 
abcwarbot
Frequent Visitor
Posts: 50
Joined: Sun Apr 25, 2010 9:23 pm

Re: Simple Squid question

Fri Oct 07, 2011 7:54 am

Hi all.

@Jeanluck - Just want to ask you about the performance of this setup. I set up the same scenario on my network but I get slow page loading and the squid proxy always takes too long to receive the request for a new site.

Best regards
 
Jeanluck
Member Candidate
Topic Author
Posts: 280
Joined: Tue Apr 19, 2011 7:07 pm

Re: Simple Squid question

Fri Oct 07, 2011 12:13 pm

In the end it could not work properly :(
Please, if you give the correct settings let me know.
Thank you very much.
