Simple Squid question

Jeanluck · July 31, 2011, 9:34pm

Hi,
I have a simple problem… but I don’t know why

Net: 10.0.0.0/24
Gateway: 10.0.0.1
Squid: 10.0.0.2:3128

If I configure browsers with 10.0.0.2:3128 proxy, works fine, and also works fine if I configure squid as Mikrotik parent proxy with the nat redirect 80->8080.

But I want use squid without Mikrotik proxy, and I have:
"18 chain=dstnat action=dst-nat to-addresses=10.0.0.2 to-ports=3128 protocol=tcp dst-port=80 "
but don’t work by timeout. Is another configuration needed for alone squid use?
Thanks

fewi · July 31, 2011, 9:59pm

http://wiki.mikrotik.com/wiki/Hairpin_NAT
Same issue as in that wiki article: squid is sending traffic back directly to the client, which doesn’t know what the hell is going on. Either move the squid box to a separate subnet, or add src-nat as discussed in the article.

Jeanluck · July 31, 2011, 10:05pm

Thanks! I will read it now

w0lt · July 31, 2011, 11:26pm

What router are you using?

Jeanluck · August 1, 2011, 8:54am

I’ts a x86 with 5.5 version (dual core and 2Gb), and kvm squid inside (for few users)

I read http://wiki.mikrotik.com/wiki/Hairpin_NAT and I understand the problem. Sounds simple, but still did not get to adapt the proposed solution to my problem and I have still timeout. I’m on it …I will comment later if I could fix it…

jtroybailey · August 1, 2011, 9:12am

just put the squid server on a different subnet and use the same dstnat rules with the new ip

Jeanluck · August 1, 2011, 10:47am

Hi,
I put squid in other subnet:
Main subnet: 10.0.0.0/24
Squid subnet: 10.0.1.0/24 - Squid IP: 10.0.1.2 - Gateway: 10.0.1.1

For give connectivity to squid for http access, I add to my RouterOS bridge the IP address 10.0.1.1/24, so I have:

ADDRESS NETWORK INTERFACE

0 10.0.0.1/24 10.0.0.0 bridge1
1 D 93.156.58.209/21 93.156.56.0 ether1
2 10.0.1.1/24 10.0.1.0 bridge1

And in nat rules i have:
chain=dstnat action=dst-nat to-addresses=10.0.1.2 to-ports=3128 protocol=tcp src-address=10.0.0.0/24 dst-port=80

But nothing… I try a lot of options…
Any ideas please?
Thank you very much to all

jtroybailey · August 1, 2011, 10:51am

dont use a bridge to start with

and this is a rule i use:

chain=dstnat action=dst-nat to-addresses=172.19.65.250 to-ports=3128 
     protocol=tcp dst-address=!172.16.0.0/12 in-interface=ether3 dst-port=80

Jeanluck · August 1, 2011, 2:45pm

I try again with same subnet, as http://wiki.mikrotik.com/wiki/Hairpin_NAT

subnet: 10.0.0.0/24 (Gateway: 10.0.0.1)
Client: 10.0.0.20
Squid: 10.0.0.2:3128
Wan port: ether2

Nat rules:
0 chain=dstnat action=dst-nat to-addresses=10.0.0.2 to-ports=3128 protocol=tcp src-address=10.0.0.20 dst-address=!10.0.0.0/24 dst-port=80
1 chain=srcnat action=masquerade protocol=tcp src-address=10.0.0.20 dst-address=10.0.0.2 out-interface=ether2 dst-port=80,3128

But nothing… timeout . Althoug i see increment in packets in both rules when I try to navegate.
I try a lot of options, but I think that the correct one is this.

Any ideas please?

w0lt · August 1, 2011, 9:40pm

Did you configure iptables on the squid server?

I run mine in “Transparent” mode.

If so, you should have something similar to this in your iptables:

-A INPUT -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp --dport 3128 -j ACCEPT

Jeanluck · August 1, 2011, 9:50pm

No. .. I do not touch iptables … I did not know that it was necessary …
Thanks, I’ll try adding that

Jeanluck · August 1, 2011, 10:25pm

I find that I have the firewall disabled, allows all traffic

abcwarbot · October 7, 2011, 4:54am

Hi all.

@Jeanluck - Just want to ask you about the performance of this setup. I setup the same scenenario on my network but i get slow pages loading and the squid proxy always takes to much to receive the request for a new site.

Best regards

Jeanluck · October 7, 2011, 9:13am

In the end It could not work properly
Please, if you give the correct settings let me know.
Thank you very much.