I have the following network topology (in summary)
{internet}
|
[firewall & squid cache@pfsense]---[MT_AP]~[MT_STA with wds]---[hotspot@MT_router]---[clients]
|
|
[radius@ubuntu]
pfsense: LAN = 172.31.224.1/24 with transparent proxy cache
MikroTik: WANs = DHCP client with 172.31.224.x/24
This is the squid.conf on pfSense (FreeBSD):
http_port 172.31.224.1:3128 transparent
http_port 127.0.0.1:80 transparent
icp_port 0
pid_filename /var/run/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_directory /usr/local/etc/squid/errors/English
icon_directory /usr/local/etc/squid/icons
visible_hostname net4u1.com
cache_mgr admin@net4u1.com
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
logfile_rotate 30
shutdown_lifetime 0 seconds
# Allow local network(s) on interface(s)
acl localnet src 172.31.224.0/255.255.255.0
forwarded_for transparent
via off
httpd_suppress_version_string on
uri_whitespace strip
dns_nameservers 127.0.0.1
cache_mem 2048 MB
maximum_object_size_in_memory 128 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir coss /var/squid/coss 8000 max-size=419840 block-size=512
cache_dir aufs /var/squid/cache 320000 128 256 min-size=419840
minimum_object_size 0 KB
maximum_object_size 399 MB
offline_mode off
cache_swap_low 90
cache_swap_high 95
# No redirector configured
# Setup some default acls
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 1337 3128 1025-65535
acl sslports port 443 563 1337
acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT
acl partialcontent_req req_header Range .*
acl mallware url_regex "/usr/local/etc/squid/mallware.url"
acl conficker url_regex "/usr/local/etc/squid/conficker.url"
#acl dynamic urlpath_regex cgi-bin \?
#include /usr/local/etc/squid/include.conf
include /usr/local/etc/squid/tunning.conf
#cache deny dynamic
http_access allow manager localhost
http_access deny mallware
http_access deny conficker
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports
# Always allow localhost connections
http_access allow localhost
quick_abort_min 32 KB
quick_abort_max 128 KB
quick_abort_pct 75
range_offset_limit 0 MB
request_body_max_size 0 allow all
reply_body_max_size 0 deny all
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
# Throttle extensions matched in the url
acl throttle_exts urlpath_regex -i "/var/squid/acl/throttle_exts.acl"
delay_access 1 allow throttle_exts
delay_access 1 deny all
# Custom options
zph_mode tos
zph_local 0x30
zph_parent 0
zph_option 136
# Allow local network(s) on interface(s)
http_access allow localnet
# Default block all to be sure
http_access deny all
/ip firewall mangle
add chain=prerouting action=mark-packet dscp=12 new-packet-mark=proxy-hit passthrough=no
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=pmark packet-mark=proxy-hit parent=global-out priority=1 queue=default
And there is something weird: while monitoring the mangle rule I noticed that the counter never increased and stayed at 0, but when I changed the dscp value to 48 it began to count (which means it is marking packets). I know that 0x30 in hex equals 48 in decimal (TOS), and DSCP is a quarter of the TOS value, i.e. 12.
So please, I need your help to make this situation work for me.
TIA
SaFi
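Added example, not part of SaFi's post or of any Squid/RouterOS code: a small Python decoder for the IPv4 TOS byte that shows why a cache hit stamped by `zph_local 0x30` should land in a `dscp=12` matcher (DSCP is the top six bits of the TOS byte, ECN the bottom two) and which byte a `dscp=48` rule would actually need. The packet header and addresses are constructed here.

```python
import socket
import struct


def tos_to_dscp(tos: int) -> int:
    """DSCP is the upper six bits of the IPv4 TOS / DS byte (RFC 2474)."""
    return (tos & 0xFF) >> 2


def dscp_to_tos(dscp: int, ecn: int = 0) -> int:
    """Inverse: the byte a packet must carry to hit a given dscp= matcher."""
    if not (0 <= dscp <= 63 and 0 <= ecn <= 3):
        raise ValueError("dscp must be 0-63, ecn 0-3")
    return (dscp << 2) | ecn


def build_ipv4_header(tos: int, src: str, dst: str) -> bytes:
    """Constructed 20-byte IPv4 header (no payload) carrying the given TOS byte."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 6, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:                      # fold carries into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return hdr[:10] + struct.pack("!H", (~total) & 0xFFFF) + hdr[12:]


def ipv4_ds_fields(packet: bytes) -> dict:
    """Parse a raw IPv4 packet and split its TOS byte into DSCP and ECN."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos = struct.unpack_from("!BB", packet, 0)
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {"tos": tos, "dscp": tos >> 2, "ecn": tos & 0x03}


def hits_dscp_rule(packet: bytes, rule_dscp: int) -> bool:
    """Would a RouterOS mangle rule with dscp=<rule_dscp> match this packet?"""
    return ipv4_ds_fields(packet)["dscp"] == rule_dscp


if __name__ == "__main__":
    # A hit served by the pfSense proxy with zph_local 0x30 (addresses constructed).
    pkt = build_ipv4_header(0x30, "172.31.224.1", "172.31.224.10")
    print(ipv4_ds_fields(pkt))        # {'tos': 48, 'dscp': 12, 'ecn': 0}
    print(hits_dscp_rule(pkt, 12))    # True
    print(hits_dscp_rule(pkt, 48))    # False: dscp=48 needs TOS 0xC0
    print(hex(dscp_to_tos(48)))       # 0xc0
```

Feed `ipv4_ds_fields` the raw bytes of a real cache-hit packet captured on the pfSense LAN side to see which TOS value Squid actually sets before adjusting the mangle rule.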