Solved

Squid proxy with two nics - specify gateway

Posted on 2010-11-08
17
627 Views
Last Modified: 2012-05-10
I have a proxy server with two nics, each pointing to a different router and a different internet connection.

example:

eth0 -> 192.168.1.2 -> 192.168.1.1
eth1 -> 10.0.0.2 -> 10.0.0.1

The gateway of the machine itself is 192.168.1.1 and that's how I want it.

But Squid is using this for its default path to the internet, and I want it to use 10.0.0.1.

Is this possible without changing the machine's gateway?
Question by:savone
17 Comments
 
LVL 20

Expert Comment

by:woolnoir
ID: 34084626
Not sure this is possible - in this instance Squid isn't using the connection - it's pumping the data through the TCP/IP stack, which is using the default route, which is pointing at that connection.

You need to look at policy based routing - which allows routing choices based on source/destination and protocol

http://www.policyrouting.org/PolicyRoutingBook/ONLINE/CH02.web.html
0
 
LVL 14

Expert Comment

by:small_student
ID: 34085161
Squid has a feature for sending requests via a certain IP address

 tcp_outgoing_address

Check it in the squid.conf file. I think this will solve your problem
0
 
LVL 23

Author Comment

by:savone
ID: 34085287
@small_student

I took a look at this, but could not get it to work how I expected.  Do you have any examples or can you explain in deeper detail?
0
 
LVL 14

Expert Comment

by:small_student
ID: 34085583
OK let's try this.

I am assuming that people trying to connect to squid are in the network 10.0.0.0/24

Create an ACL

acl myusers src 10.0.0.0/24
tcp_outgoing_address 10.0.0.2 myusers

http_access allow myusers

The last line should be before any http_access deny rules.



0
 
LVL 14

Expert Comment

by:small_student
ID: 34085813
You should also add this line

server_persistent_connections off

0
 
LVL 23

Author Comment

by:savone
ID: 34085908
Ok so I made the changes and now I am getting:

The following error was encountered:

    * Socket Failure

The system returned:

    (99) Cannot assign requested address


Below is my squid.conf file


# cat squid.conf
# NETWORK OPTIONS
# Squid normally listens to port 3128
# acl all src 0.0.0.0/0.0.0.0
# acl aivilanet src 10.0.0.0/24
acl all src 10.0.0.0/24


# tcp_outgoing_address 10.0.0.2 aivilanet 


http_port 10.0.0.2:8080

# TAG: auth_param
#Recommended minimum configuration per scheme:
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd

# ACCESS CONTROLS
# TAG: acl
acl adultUser proxy_auth savona 
acl adultUser proxy_auth stacy 
acl kidUser proxy_auth alivia 
acl whitelist dstdomain "/etc/squid/whitelist"



tcp_outgoing_address 10.0.0.1 adultUser 
tcp_outgoing_address 10.0.0.1 kidUser 



http_access allow adultUser
http_access allow kidUser whitelist
http_access deny all 
# http_reply_access allow aivilanet

access_log /var/log/squid/access.log squid

cache_dir ufs /var/spool/squid 1000 16 256


0
 
LVL 23

Author Comment

by:savone
ID: 34085932
Also if I use tcp_outgoing_address 10.0.0.2 all the connection just hangs...
0
 
LVL 14

Expert Comment

by:small_student
ID: 34086067
1- The socket error you got was because you assigned 10.0.0.1; you must assign an IP that is configured on your NIC.

2- You have to bind it to a source IP first

You have
acl all src 10.0.0.0/24
http_access deny all

No one can access like this, try
acl all src 0.0.0.0/24
acl people src 10.0.0.0/24
tcp_outgoing_address 10.0.0.2 people  

http_access allow people adultUser

Keep the rest as it is, post your final config again please after you finish

0
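A small model of how Squid evaluates the lines small_student is describing: every ACL on one http_access line must match, lines are tried top to bottom, and tcp_outgoing_address only picks the source address to bind. This is an added example, not Squid's code or anything posted in the thread; the "all" ACL is written as 0.0.0.0/0 (the full range) and the whitelist domain is a constructed stand-in for the file.

```python
import ipaddress

# Constructed model of Squid's ACL matching for this thread's config; it is
# not Squid's own code. Every ACL named on a line must match (AND), the first
# matching line decides, and tcp_outgoing_address is chosen the same way.
# If no http_access line matches, Squid defaults to the opposite of the last line.
ACLS = {
    "all":       ("src", ["0.0.0.0/0"]),           # full range, not the /24 typed above
    "people":    ("src", ["10.0.0.0/24"]),
    "adultUser": ("proxy_auth", ["savona", "stacy"]),
    "kidUser":   ("proxy_auth", ["alivia"]),
    "whitelist": ("dstdomain", [".example.org"]),  # constructed stand-in for the file
}
HTTP_ACCESS = [("allow", ["people", "adultUser"]),
               ("allow", ["people", "kidUser", "whitelist"]),
               ("deny", ["all"])]
TCP_OUTGOING = [("10.0.0.2", ["people"])]

def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "src":
        return any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(v) for v in values)
    if kind == "proxy_auth":
        return req.get("user") in values
    if kind == "dstdomain":   # a leading dot matches the domain and every subdomain
        host = req["host"]
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                   for v in values)
    raise ValueError("unsupported acl type: " + kind)

def line_matches(names, req):
    return all(acl_matches(n, req) for n in names)

def http_access(req):
    """Return 'allow' or 'deny' for a request dict with src, user and host keys."""
    for action, names in HTTP_ACCESS:
        if line_matches(names, req):
            return action
    return "allow" if HTTP_ACCESS[-1][0] == "deny" else "deny"

def outgoing_address(req):
    """Source address Squid binds for the upstream socket; None means unset."""
    for addr, names in TCP_OUTGOING:
        if line_matches(names, req):
            return addr
    return None
```

Note that even when outgoing_address returns 10.0.0.2, only the source address changes; which gateway the packet leaves through is still decided by the kernel routing table.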

 
LVL 23

Author Comment

by:savone
ID: 34086284
First off, thanks for your patience...

Second, I think I followed what you're saying here, unfortunately it's still just hanging...


acl all src 0.0.0.0/24
acl people src 10.0.0.0/24


# tcp_outgoing_address 10.0.0.2 aivilanet


http_port 10.0.0.2:8080

# TAG: auth_param
#Recommended minimum configuration per scheme:
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd

# ACCESS CONTROLS
# TAG: acl
acl adultUser proxy_auth savona
acl adultUser proxy_auth stacy
acl kidUser proxy_auth alivia
acl whitelist dstdomain "/etc/squid/whitelist"



# tcp_outgoing_address 10.0.0.2 adultUser
# tcp_outgoing_address 10.0.0.2 kidUser
tcp_outgoing_address 10.0.0.2 people

http_access allow people adultUser
http_access allow people kidUser whitelist
http_access deny all
# http_reply_access allow aivilanet

server_persistent_connections off
access_log /var/log/squid/access.log squid

cache_dir ufs /var/spool/squid 1000 16 256


0
 
LVL 23

Author Comment

by:savone
ID: 34088078
I just did some reading and it looks like outgoing IP address is to set the source IP coming from the proxy server, not to which IP address it should go out on....

Please tell me I'm wrong.
0
 
LVL 14

Accepted Solution

by:
small_student earned 500 total points
ID: 34091005
0
 
LVL 23

Author Comment

by:savone
ID: 34094631
That link does not work for me.
0
 
LVL 14

Expert Comment

by:small_student
ID: 34094709
Do you mean the link is broken or that the content of the link did not solve your problem
0
 
LVL 23

Author Comment

by:savone
ID: 34098287
Sorry, it works from home.

Anyway, I have tried this over and over again with no luck.

I did post my config.  Do you think you can change the config for me to what you think will work and post it?
0
 
LVL 23

Author Comment

by:savone
ID: 34098410
AHA! I got it to work.

Here is what I think the problem was this whole time.

We were telling it to use source 10.0.0.2 with the tcp_outgoing_address directive, but the route was still going to the default route.

I added some static (source) routing rules:


ip route add 192.168.1.0/24 via 192.168.1.1 table 192
ip route add default via 192.168.1.1 table 192
ip rule add from 192.168.1.0/24 table 192
ip route add 10.0.0.0/24 via 10.0.0.1 table 10
ip route add default via 10.0.0.1 table 10
ip rule add from 10.0.0.0/24 table 10

And now it is working...


I would like to shake your hand small_student.  You have the patience of a saint.  Thank you so much for all your help!

0
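To see why the six ip commands above fix the hang, here is a small model of the kernel's policy-routing lookup run over the thread's own tables and rules: with only the main table, a packet sourced from 10.0.0.2 still leaves via 192.168.1.1; with the source-based rules it leaves via 10.0.0.1. This is an added example, not the poster's or the kernel's code; the destination 203.0.113.10 and the interface names are constructed.

```python
import ipaddress

# Constructed model of Linux policy routing, not kernel code: rules are walked
# in priority order, each names a table, and inside a table the longest
# matching prefix wins. The route's "via" is the gateway the packet uses.

# The main table as the question describes it: two connected networks and a
# single default route towards 192.168.1.1 (prefix, via, dev; via=None is direct).
MAIN = [("192.168.1.0/24", None, "eth0"),
        ("10.0.0.0/24", None, "eth1"),
        ("0.0.0.0/0", "192.168.1.1", "eth0")]

def build_policy(with_fix):
    """Return (rules, tables) before or after the six ip commands from the thread."""
    tables = {"main": list(MAIN)}
    rules = [(32766, None, "main")]          # (priority, from-prefix, table)
    if with_fix:
        tables["192"] = [("192.168.1.0/24", "192.168.1.1", "eth0"),
                         ("0.0.0.0/0", "192.168.1.1", "eth0")]
        tables["10"] = [("10.0.0.0/24", "10.0.0.1", "eth1"),
                        ("0.0.0.0/0", "10.0.0.1", "eth1")]
        # "ip rule add" without a priority slots each new rule just above main
        rules += [(32765, "192.168.1.0/24", "192"), (32764, "10.0.0.0/24", "10")]
    rules.sort(key=lambda r: r[0])
    return rules, tables

def longest_match(routes, dst):
    best = None
    for prefix, via, dev in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return best

def route(rules, tables, src, dst):
    """Return (gateway or 'direct', table) chosen for a packet from src to dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, from_prefix, table in rules:
        if from_prefix is not None and src not in ipaddress.ip_network(from_prefix):
            continue                          # rule does not apply to this source
        hit = longest_match(tables.get(table, []), dst)
        if hit is not None:
            return (hit[1] or "direct", table)
    return None                               # no rule/table had a route: unreachable

def gateway_for(src, dst, with_fix):
    rules, tables = build_policy(with_fix)
    return route(rules, tables, src, dst)

if __name__ == "__main__":
    for fixed in (False, True):
        print("with fix" if fixed else "main only", gateway_for("10.0.0.2", "203.0.113.10", fixed))
```

On a real host the same check is `ip route get 203.0.113.10 from 10.0.0.2`, which prints the gateway and table the kernel actually selects.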
 
LVL 23

Author Closing Comment

by:savone
ID: 34098413
Read last reply for total fix.  Thank you for your patience!
0
 
LVL 14

Expert Comment

by:small_student
ID: 34099923
It's a pleasure to be helpful.
0
