Problems with redirecting 80 from MT to 8080 on Linux/Squid

Hi,

I was trying to redirect traffic to port 80 to another machine on my network to proxy it:

/ip firewall nat add chain=dstnat protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.0.3 to-ports=8080

I can see that the request is sent to squid, but there is a problem with showing the page. When I type the IP of squid manually into the browser everything is OK, but in this case (port redirection) it is not working.

Can someone help me?

Mikolaj

I suggest you use the proxy-test package and configure the parent proxy feature.

Hm… could you tell me some more about this?

MJ

This is fairly well documented elsewhere. If you want to transparently proxy to squid you need an accept rule for the return traffic from the squid proxy, otherwise the return traffic will be re-NATed and never reach the client.

/ip firewall nat add chain=dstnat in-interface=ether-internal src-address=x.x.x.x protocol=tcp dst-port=80 action=accept

x.x.x.x is the address of your squid proxy. in-interface is the interface that the proxy is connected to.

As mentioned, you can also use the webproxy test. Specifying a parent proxy is pretty much self-explanatory. Check the manual for this; it is very easy to do.

Also note this rule needs to be above your proxy dstnat rule.
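The whole ruleset for the setup in the original question, written out here as an added example (it is not from any post in this thread). The interface name ether-internal is taken from the reply above; the client network 192.168.0.0/24 is an assumption based on the proxy address 192.168.0.3 in the question. The order of the two dstnat rules is the point of the reply: RouterOS evaluates a chain top to bottom and the first matching rule wins, so the accept rule for the proxy's own address must sit above the redirect, otherwise Squid's outgoing requests to port-80 sites are redirected straight back to Squid. The third rule is an added caveat for the case where the proxy sits on the same subnet as the clients, as it does in the question: Squid then answers the client directly, the router never sees the reply and cannot reverse the dst-nat, and the client receives a reply from an address it never connected to and drops the connection. That is exactly the "works when the browser points at the proxy, fails via redirection" symptom. Masquerading the redirected connections forces Squid's replies back through the router.

```routeros
/ip firewall nat

# 1. Traffic that originates FROM the proxy must not be redirected, or Squid's
#    own fetches of port-80 sites loop back to Squid. First match wins, so this
#    rule has to stay above the redirect rule.
add chain=dstnat in-interface=ether-internal src-address=192.168.0.3 \
    protocol=tcp dst-port=80 action=accept \
    comment="squid's own outbound http: leave alone"

# 2. Everything else from the LAN to port 80 goes to Squid on 8080.
add chain=dstnat in-interface=ether-internal src-address=192.168.0.0/24 \
    protocol=tcp dst-port=80 action=dst-nat \
    to-addresses=192.168.0.3 to-ports=8080 \
    comment="transparent proxy to squid"

# 3. Assumed addition for a proxy on the SAME subnet as the clients: rewrite
#    the source of the redirected connections to the router's own address, so
#    Squid replies to the router and the router can reverse the dst-nat.
#    Not needed when the proxy is on its own subnet behind the router.
add chain=srcnat out-interface=ether-internal dst-address=192.168.0.3 \
    protocol=tcp dst-port=8080 action=masquerade \
    comment="hairpin: force squid replies back through the router"
```

Check the resulting order with /ip firewall nat print; if the accept rule ended up below the redirect, reorder it with /ip firewall nat move. The counters from /ip firewall nat print stats show whether the accept rule is actually matching the proxy's traffic. The masquerade rule costs you the client address in Squid's access.log (every request appears to come from the router), so if you need real client IPs, put the proxy on its own subnet so that its replies have to route back through the router anyway, which is how the working 10.4.0.0/24 to 10.0.10.1 example further down this thread avoids the problem.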

Here’s a working example of a transparent proxy with Mikrotik and a dedicated Linux squid server.

My network is 10.4.0.0/24 and the proxy server address is 10.0.10.1:8080.

/ ip firewall nat 
add chain=dstnat src-address=10.4.0.0/24 protocol=tcp dst-port=80 \
action=dst-nat to-addresses=10.0.10.1 to-ports=8080 comment="nat to squid" disabled=no

Also, in squid.conf you need to add these lines:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Nikola

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

What version of Squid are you running? What release of Linux?

I am running 2.6.STABLE9 on CentOS 4.4 and had to compile squid with netfilter support and add the transparent option to squid.conf.

The options you list above I thought were for BSD systems, as I understand it.

http://www.visolve.com/squid/sqguide.php

How is this setup working for you? I just recently switched from the integrated Mikrotik caches (tried both) to DST-NAT’ing to an external Squid. Works great overall. Websites that use a form of NTLM for authentication work fine with squid 2.6 where they did not with Mikrotik or 2.5 squid. Seems to run much faster too. CPU load on Mikrotik used to hit 100 percent at peak times when it was caching. Now that it’s just DST-NAT’ing to squid it peaks at 9 percent. The Squid box peaks at 1.5 percent CPU load.

There is one problem. At certain times, usually peak times, certain IPs trying to use the cache will lose access. They can do everything but HTTP. They can even ping the cache. At that same time other users will be using it fine. The stats on squid will look great and there are what look like plenty of free ‘file descriptors’ according to squid stats. A few minutes later that user will come back.

Not sure what is going on. Perhaps the Mikrotik DST-NAT table has all it can handle at 400+ IPs with a large number of connections each at peak times? This is on the Mikrotik 2.9.39 release. Any ideas?

Matt

Squid version is 2.5.STABLE6 and Linux is CentOS 4.3.

The options you list above I thought were for BSD systems, as I understand it.

I have had squid on many systems and I can say that squid.conf is common to all of them (depending on compile options).

What message is displayed to clients at the time it hangs? Access denied or connection timeout?

Nikola

What message is displayed to clients at the time it hangs? Access denied or connection timeout?

They get nothing. It times out and gives an error message that the page cannot be displayed. A few minutes later it starts working. According to cachemgr there are still free file descriptors. I have added “ulimit -HSn 8192” to rc.local and rebooted, and then recompiled squid with 8192 instead of 1024 descriptors. Gonna see if that fixes it, but I doubt it.

I am redirecting to squid with DST-NAT in the Mikrotik. I added a static route on the squid Linux box back to the router. Like I said, it works fine, but once in a while certain IPs just cannot go anywhere for a few minutes. At work I saw it happen twice yesterday to our IP. I VNC’ed into another PC on a different IP and it was working fine. It cleared up in about 3 minutes.

This cache is feeding about 500 wireless accounts and 250 dialup.

Any help appreciated, thanks.

Matt

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on



I am running 2.6.STABLE9 on CentOS 4.4 and had to compile squid with netfilter support and add the transparent option to squid.conf.

HCI/Nikola

Both of you are right. The first configuration is required to use squid as a transparent proxy in 2.5 and prior releases; in the 2.6 release, only adding the transparent option to http_port gets things going.

Concerning your problem, HCI: the squid default configuration is not enough to take up 500 wireless and 250 dialup customers’ web traffic. Better use cachemgr to monitor whether there’s a bottleneck in squid.

Secondly, try setting a manual proxy in the browser when your browsing stops, to check whether the problem is with squid or Mikrotik.

Regards,
Asad Raza

Yes, I agree. To handle that many clients (750+) requires a lot more than the standard squid conf. Also, what hardware are you running? It should be around a 2.8 GHz CPU with 512 MB RAM minimum.

Concerning your problem, HCI: the squid default configuration is not enough to take up 500 wireless and 250 dialup customers’ web traffic. Better use cachemgr to monitor whether there’s a bottleneck in squid.

I increased file descriptors to 8192. What else needs tweaking? I am using cachemgr but see no smoking gun.

Matt

File descriptors are not the only thing. There’s the connection limit, the filesystem, kernel tweaks and much, much more in the conf file. Get a consultant if you want a high-performance cache, or you can contact me at born2be_loved@hotmail.com

Regards,
Asad Raza