jalokim
Frequent Visitor
Topic Author
Posts: 76
Joined: Thu Dec 07, 2006 1:39 pm
Location: PL, Tychy

Problems with redirecting 80 from MT to 8080 on Linux/Squid

Mon Jan 15, 2007 7:44 pm

Hi,

I was trying to redirect port 80 traffic to another machine on my network, to a proxy:

/ip firewall nat add chain=dstnat protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.0.3 to-ports=8080

I can see that the request is sent to squid, but there is a problem with showing the page. When I type the IP of squid manually into the browser everything is OK, but in this case (port redirection) it is not working.

Can someone help me?

Mikolaj
 
janisk
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Tue Jan 16, 2007 9:47 am

I suggest you use the proxy-test package and configure the parent proxy feature.
 
jalokim
Frequent Visitor
Topic Author
Posts: 76
Joined: Thu Dec 07, 2006 1:39 pm
Location: PL, Tychy

Wed Jan 17, 2007 10:12 am

I suggest you use the proxy-test package and configure the parent proxy feature.
Hm... could you tell me some more about this?

MJ
 
savagedavid
Trainer
Posts: 310
Joined: Thu Aug 25, 2005 12:58 pm
Location: Cape Town, South Africa

Wed Jan 17, 2007 11:13 pm

This is fairly well documented elsewhere. If you want to transparently proxy to squid you need an accept rule for the return traffic from the squid proxy, otherwise the return traffic will be re-NATed and never reach the client.

/ip firewall nat add chain=dstnat in-interface=ether-internal src-address=x.x.x.x protocol=tcp dst-port=80 action=accept

x.x.x.x is the address of your squid proxy; in-interface is the interface that the proxy is connected to.

As mentioned, you can also use the webproxy test. Specifying a parent proxy is pretty much self-explanatory. Check the manual for this; it is very easy to do.
 
savagedavid
Trainer
Posts: 310
Joined: Thu Aug 25, 2005 12:58 pm
Location: Cape Town, South Africa

Wed Jan 17, 2007 11:14 pm

Also note this rule needs to be above your proxy dstnat rule.
 
nikolaz
just joined
Posts: 12
Joined: Sun Oct 15, 2006 1:18 pm
Location: Belgrade

Mon Jan 22, 2007 5:45 pm

Here's a working example of a transparent proxy with MikroTik and a dedicated Linux squid server.

My network class is 10.4.0.0/24 and the proxy server address is 10.0.10.1:8080

/ ip firewall nat
add chain=dstnat src-address=10.4.0.0/24 protocol=tcp dst-port=80 \
action=dst-nat to-addresses=10.0.10.1 to-ports=8080 comment="nat to squid" disabled=no

Also, in squid.conf you need to add these lines:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Nikola
 
hci
Long time Member
Posts: 609
Joined: Fri May 28, 2004 5:10 pm

Fri Feb 02, 2007 7:50 am

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
What version of Squid are you running? What release of linux?

I am running 2.6STABLE9 on CentOS 4.4 and had to compile squid with netfilter support and add the transparent option to squid.conf.

The options you list above I thought were for BSD systems, as I understand it.

http://www.visolve.com/squid/sqguide.php

How is this setup working for you? I just recently switched from the integrated Mikrotik caches (tried both) to DST-NAT'ing to an external Squid. Works great overall. Websites that use a form of NTLM for authentication work fine with squid 2.6 where they did not with Mikrotik or 2.5 squid. Seems to run much faster too. CPU load on Mikrotik used to hit 100 percent at peak times when it was caching. Now that it's just DST-NAT'ing to squid it peaks at 9 percent. Squid box peaks at 1.5 percent CPU load.

There is one problem. At certain times, usually peak times, certain IPs trying to use the cache will lose access. They can do everything but http. They can even ping the cache. At that same time other users will be using it fine. The stats on squid will look great and there are what looks like plenty of free 'file descriptors' according to squid stats. A few minutes later that user will come back.

Not sure what is going on. Perhaps the Mikrotik DST-NAT table has all it can handle at 400+ IPs with a large number of connections each at peak times? This is on Mikrotik 2.9.39 release. Any ideas?

Matt
 
nikolaz
just joined
Posts: 12
Joined: Sun Oct 15, 2006 1:18 pm
Location: Belgrade

Fri Feb 02, 2007 9:26 am

Squid version is 2.5.STABLE6 and Linux is CentOS 4.3
The options you list above I thought were for BSD systems, as I understand it.
I have had squid on many systems and I can say that squid.conf is unique for all (depending on compile options).

What message is displayed to clients at the time it hangs? Access denied or connection timeout?

Nikola
 
hci
Long time Member
Posts: 609
Joined: Fri May 28, 2004 5:10 pm

Fri Feb 02, 2007 6:27 pm

What message is displayed to clients at the time it hangs? Access denied or connection timeout?
They get nothing. Times out and gives an error message that the page cannot be displayed. A few minutes later it starts working. According to cachemgr there are still free file descriptors. I have added "ulimit -HSn 8192" to rc.local and rebooted, and then recompiled squid with 8192 instead of 1024 descriptors. Gonna see if that fixes it but I doubt it.

I am redirecting to squid with DST-NAT in the Mikrotik. I added a static route on the squid Linux box back to the router. Like I said it works fine, but once in a while certain IPs just cannot go anywhere for a few minutes. At work I saw it happen twice yesterday to our IP. VNC'ed into another PC on a different IP and it was working fine. Cleared up in about 3 minutes.

This cache is feeding about 500 wireless accounts and 250 dialup.

Any help appreciated, thanks.

Matt
 
virtualmystic
Frequent Visitor
Posts: 80
Joined: Fri Jan 19, 2007 7:09 pm
Location: Lahore, pakistan

Sat Feb 03, 2007 7:51 pm

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
I am running 2.6STABLE9 on CentOS 4.4 and had to compile squid with netfilter support and add the transparent option to squid.conf.
HCI/Nikola,

Both of you are right. The first configuration is required to use squid as a transparent proxy in 2.5 and prior releases; in the 2.6 release, only adding the transparent option to http_port gets things going.

Concerning your problem HCI, squid's default configuration is not enough to take up 500 wireless and 250 dialup customers' web traffic. Better use cachemgr to monitor if there's a bottleneck in squid.

Secondly, try setting a manual proxy in the browser when your browsing stops, to check if the problem is with squid or Mikrotik.

regards,
Asad Raza
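Putting the replies together, as an added example that is not any poster's own configuration: the rule order savagedavid describes, with nikolaz's addresses (clients on 10.4.0.0/24, Squid at 10.0.10.1:8080) and savagedavid's interface name ether-internal assumed to be the router interface the Squid box is reached through; the Squid-side lines are the ones the thread gives for 2.5 and 2.6.

```routeros
# Added example, not any poster's own config. Assumed: clients on 10.4.0.0/24,
# Squid at 10.0.10.1 port 8080, and ether-internal is the router interface the
# Squid box sits behind (rename for your setup). RouterOS 2.9-era syntax.

/ip firewall nat

# 1. Traffic from Squid itself must never be redirected. Squid fetches pages
#    from origin servers on port 80; if that traffic hit the dst-nat rule it
#    would be sent back to Squid and the client would never get the page.
#    This rule must sit ABOVE the dst-nat rule: the chain is evaluated top
#    to bottom and the first matching rule decides.
add chain=dstnat in-interface=ether-internal src-address=10.0.10.1 \
    protocol=tcp dst-port=80 action=accept comment="squid return traffic"

# 2. Redirect only the client subnet's web traffic to Squid. The src-address
#    match keeps the router's own and other segments' port-80 traffic out of
#    the proxy. With it, Squid's traffic (source 10.0.10.1) would not match
#    here anyway, but rule 1 is essential when the dst-nat rule has no
#    src-address, as in the original post's rule, so keep both.
add chain=dstnat src-address=10.4.0.0/24 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=10.0.10.1 to-ports=8080 comment="nat to squid"

# Check the order: the accept rule must be listed before the dst-nat rule.
/ip firewall nat print

# Squid side (from the thread, not RouterOS): Squid 2.5 needs
#   httpd_accel_host virtual, httpd_accel_port 80,
#   httpd_accel_with_proxy on, httpd_accel_uses_host_header on
# Squid 2.6 instead takes the transparent option on the listening port:
#   http_port 8080 transparent
# hci also needed a static route on the Squid box back to the router so
# replies to the client subnet can get home.
```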
 
savagedavid
Trainer
Posts: 310
Joined: Thu Aug 25, 2005 12:58 pm
Location: Cape Town, South Africa

Sun Feb 04, 2007 10:12 am

Yes, I agree: to handle that many clients (750+) requires a lot more than the standard squid conf. Also, what hardware are you running? It should be around a 2.8GHz CPU with 512MB RAM minimum.
 
hci
Long time Member
Posts: 609
Joined: Fri May 28, 2004 5:10 pm

Thu Feb 15, 2007 7:20 pm

concerning ur problem HCI, squid default configuration is not enough to take up 500 wireless & 250 dialup customer's web traffic.. better use cachemgr to monitor if there's bottleneck in squid.
I increased file descriptors to 8192. What else needs tweaking? I am using cachemgr but see no smoking gun.

Matt
 
virtualmystic
Frequent Visitor
Posts: 80
Joined: Fri Jan 19, 2007 7:09 pm
Location: Lahore, pakistan

Thu Feb 15, 2007 7:36 pm

File descriptors are not the only thing... there's the connection limit, file system, kernel tweaks and much, much more in the conf file. Get a consultant if you want a high performance cache, or you can contact me at born2be_loved@hotmail.com

regds,
Asad Raza
