Squid proxy with two nics - specify gateway

I have a proxy server with two nics, each pointing to a different router and a different internet connection.

example:

eth0 -> 192.168.1.2 -> 192.168.1.1
eth1 -> 10.0.0.2 -> 10.0.0.1

The gateway of the machine itself is 192.168.1.1, and that's how I want it.

But Squid is using this for its default path to the internet, and I want it to use 10.0.0.1.

Is this possible without changing the machine's gateway?
savoneAsked:
woolnoirCommented:
Not sure this is possible - in this instance Squid isn't using the connection - it's pumping the data through the TCP/IP stack, which is using the default route, which is pointing at that connection.

You need to look at policy-based routing - which allows routing choices based on source/destination and protocol.

http://www.policyrouting.org/PolicyRoutingBook/ONLINE/CH02.web.html
0
 
Monis MontherSystem ArchitectCommented:
Squid has a feature for sending requests via a certain IP address:

 tcp_outgoing_address

Check it in the squid.conf file. I think this will solve your problem.
0
 
savoneAuthor Commented:
@small_student

I took a look at this, but could not get it to work how I expected.  Do you have any examples or can you explain in deeper detail?
0
 
Monis MontherSystem ArchitectCommented:
OK let's try this.

I am assuming that people trying to connect to squid are in the network 10.0.0.0/24

Create an ACL

acl myusers src 10.0.0.0/24
tcp_outgoing_address 10.0.0.2 myusers

http_access allow myusers

The last line should be before any http_access deny rules.



0
 
Monis MontherSystem ArchitectCommented:
You should also add this line:

server_persistent_connections off

0
 
savoneAuthor Commented:
Ok so I made the changes and now I am getting:

The following error was encountered:

    * Socket Failure

The system returned:

    (99) Cannot assign requested address


Below is my squid.conf file


# cat squid.conf
# NETWORK OPTIONS
# Squid normally listens to port 3128
# acl all src 0.0.0.0/0.0.0.0
# acl aivilanet src 10.0.0.0/24
acl all src 10.0.0.0/24


# tcp_outgoing_address 10.0.0.2 aivilanet 


http_port 10.0.0.2:8080

# TAG: auth_param
#Recommended minimum configuration per scheme:
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd

# ACCESS CONTROLS
# TAG: acl
acl adultUser proxy_auth savona 
acl adultUser proxy_auth stacy 
acl kidUser proxy_auth alivia 
acl whitelist dstdomain "/etc/squid/whitelist"



tcp_outgoing_address 10.0.0.1 adultUser 
tcp_outgoing_address 10.0.0.1 kidUser 



http_access allow adultUser
http_access allow kidUser whitelist
http_access deny all 
# http_reply_access allow aivilanet

access_log /var/log/squid/access.log squid

cache_dir ufs /var/spool/squid 1000 16 256

0
 
savoneAuthor Commented:
Also if I use tcp_outgoing_address 10.0.0.2 all the connection just hangs...
0
 
Monis MontherSystem ArchitectCommented:
1- The socket error you got was because you assigned 10.0.0.1; you must assign an IP that is configured on your NIC.

2- You have to bind it to a source IP first.

You have
acl all src 10.0.0.0/24
http_access deny all

No one can access like this, try
acl all src 0.0.0.0/0
acl people src 10.0.0.0/24
tcp_outgoing_address 10.0.0.2 people  

http_access allow people adultUser

Keep the rest as it is, post your final config again please after you finish

0
 
savoneAuthor Commented:
First off, thanks for your patience...

Second, I think I followed what you're saying here, unfortunately it's still just hanging...


acl all src 0.0.0.0/0
acl people src 10.0.0.0/24


# tcp_outgoing_address 10.0.0.2 aivilanet


http_port 10.0.0.2:8080

# TAG: auth_param
#Recommended minimum configuration per scheme:
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd

# ACCESS CONTROLS
# TAG: acl
acl adultUser proxy_auth savona
acl adultUser proxy_auth stacy
acl kidUser proxy_auth alivia
acl whitelist dstdomain "/etc/squid/whitelist"



# tcp_outgoing_address 10.0.0.2 adultUser
# tcp_outgoing_address 10.0.0.2 kidUser
tcp_outgoing_address 10.0.0.2 people

http_access allow people adultUser
http_access allow people kidUser whitelist
http_access deny all
# http_reply_access allow aivilanet

server_persistent_connections off
access_log /var/log/squid/access.log squid

cache_dir ufs /var/spool/squid 1000 16 256

0
 
savoneAuthor Commented:
I just did some reading and it looks like outgoing IP address is to set the source IP coming from the proxy server, not which IP address it should go out on....

Please tell me I'm wrong.
0
 
savoneAuthor Commented:
That link does not work for me.
0
 
Monis MontherSystem ArchitectCommented:
Do you mean the link is broken or that the content of the link did not solve your problem?
0
 
savoneAuthor Commented:
Sorry, it works from home.

Anyway, I have tried this over and over again with no luck.

I did post my config. Do you think you can change the config for me to what you think will work and post it?
0
 
savoneAuthor Commented:
AHA! I got it to work.

Here is what I think the problem was this whole time.

We were telling it to use source 10.0.0.2 with the tcp_outgoing_address directive, but the route was still going to the default route.

I added some static (source) routing rules:


ip route add 192.168.1.0/24 via 192.168.1.1 table 192
ip route add default via 192.168.1.1 table 192
ip rule add from 192.168.1.0/24 table 192
ip route add 10.0.0.0/24 via 10.0.0.1 table 10
ip route add default via 10.0.0.1 table 10
ip rule add from 10.0.0.0/24 table 10

And now it is working...


I would like to shake your hand small_student.  You have the patience of a saint.  Thank you so much for all your help!

0
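The two halves of the fix above (Squid binding its outbound sockets to 10.0.0.2 with tcp_outgoing_address, and the kernel then choosing a route by source address) are shown together below as an added example; it is not code from the thread or from the Squid project. The policy_route function emits the same kind of table/rule setup the final post used, and check_outgoing catches the earlier mistake of naming an address that is not on a local NIC, which is what produced "(99) Cannot assign requested address". The interface name eth1 and table number 10 are assumed from the question; the sample configs and local address list are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Squid.
# DRY_RUN=1 (the default) prints the ip commands instead of running them;
# DRY_RUN=0 applies them and must be run as root on the proxy host.
# Assumed from the question: eth1 carries 10.0.0.2, its gateway is 10.0.0.1,
# and routing table 10 is free.

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# policy_route PREFIX DEV GATEWAY TABLE
# Packets whose source address lies in PREFIX are looked up in TABLE, whose
# default route points at GATEWAY on DEV. A Squid socket bound to an address in
# PREFIX therefore leaves via DEV no matter what the main table's default is.
policy_route() {
    prefix=$1; dev=$2; gw=$3; table=$4
    run ip route add "$prefix" dev "$dev" table "$table"
    run ip route add default via "$gw" dev "$dev" table "$table"
    run ip rule add from "$prefix" table "$table"
}

# check_outgoing CONF_TEXT "IP IP ..."
# Every tcp_outgoing_address in CONF_TEXT must be an address configured on a
# local NIC, otherwise bind() fails with errno 99 as seen in the thread.
# On a live host the address list can come from:
#   ip -o -4 addr | awk '{print $4}' | cut -d/ -f1
check_outgoing() {
    conf=$1; local_ips=$2; rc=0
    for ip in $(printf '%s\n' "$conf" | awk '$1 == "tcp_outgoing_address" {print $2}'); do
        case " $local_ips " in
            *" $ip "*) ;;
            *) printf 'tcp_outgoing_address %s is not a local address\n' "$ip" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample configs mirroring the thread's working and failing attempts.
GOOD_CONF='acl people src 10.0.0.0/24
tcp_outgoing_address 10.0.0.2 people
http_access allow people'
BAD_CONF='tcp_outgoing_address 10.0.0.1 adultUser'
LOCAL_IPS="192.168.1.2 10.0.0.2"

# Only set up the routing when the Squid config binds to a local address.
check_outgoing "$GOOD_CONF" "$LOCAL_IPS" && policy_route 10.0.0.0/24 eth1 10.0.0.1 10
```

Two things to keep in mind when applying this on a real proxy: the ip route/rule commands are not persistent across a reboot, so they belong in the distribution's network configuration or a boot script, and after applying them `ip route get <destination> from 10.0.0.2` will show whether the kernel picks table 10 for traffic sourced from the Squid address, which is the quickest way to confirm the rule before restarting Squid.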
 
savoneAuthor Commented:
Read the last reply for the total fix. Thank you for your patience!
0
 
Monis MontherSystem ArchitectCommented:
It's a pleasure to be helpful.
0