mshaikh22 asked:
Forward non standard ports to the internet via Squid

Dear Experts,

We have two data centers, one in New York and the second in Chicago. Our vendor in the Chicago data center is ceasing its ISP services. We have a circuit between both data centers. We have deployed a Squid proxy on an Ubuntu 16.04 server in the New York data center and are planning to forward the internet traffic from the servers in the Chicago data center through the Squid proxy.

We are able to forward the standard internet ports, i.e. 80 and 443, but we are unable to forward non-standard internet ports, e.g. 11002 and 55005, that we might use for other data services.

When I run a sniffer on our main office firewall to check the incoming traffic from the Chicago data center on port 11002, it is coming via the Chicago ISP instead of the New York Squid proxy server.

Any help will be appreciated

Thank you,
M

Please find diagram attached. Please let
Squid.png

8/22/2022 - Mon
arnold

What you are looking for is to set your NY squid as the proxy peer for your Chicago location.

http://www.squid-cache.org/Doc/config/cache_peer/

Your VPN between the two locations might have a higher preference than the route via the dedicated line.
Or the issue deals with an IP address that is in DNS.....
Such that the NY location refers to a public IP while the route points to the outside versus to the dedicated...

Is the NY-Chicago path dynamic or static, i.e. do you define which networks are accessible via this path, or is OSPF or RIP2 being used...
mshaikh22

ASKER
We have a layer 3 MPLS link between the Chicago and New York data centers. We are using iBGP between both sites.
I tried putting the New York Squid proxy in the Internet Explorer settings. I am able to browse using the NY proxy from the Chicago server on port 80. But when I try connecting to an SFTP site, it is still using the Chicago internet, and if I telnet to the main office over the internet using port 11002, port 22 or port 5000, it is still using the Chicago internet.

Not sure how we can run a Squid in Chicago when we won't have any internet connection in a few months, and we have a static route between both sites.
mshaikh22

ASKER
Thank you for your help, arnold.
arnold

It sounds like your BGP route for MPLS is secondary to the ISP feed.
Run "show ip route" on your Chicago router to see which is preferred.
You can enable policy based routing and direct access attempts based on ports to have the NY side of the MPLS as the next hop.

The Squid peer will feed all requests it gets through the peer.
Chicago
Internet <=> router <=> squid peer NY lan ip squid
                            ^
                           ||mpls link
NY                       v
Internet <=> router <=> squid

Your non-standard ports have to be forwarded/redirected by the router on the Chicago side.
arnold

Oh, your iBGP peering between NY and Chicago: does NY push 0.0.0.0 0.0.0.0 as a viable path (all traffic)?

A proxy setting on a system can be configured to forward all ports; you then have to modify the acceptable ports to be permitted.
I.e. add your non-standard ports to the SSL_ports, which will mean that a pass-through CONNECT will be made. The only concern with such an approach: your access restrictions, if any, to the end device will have to be changed, since the connections will be seen as coming from the Chicago proxy IP.
mshaikh22

ASKER
Yes, the default route is going via the server's gateway and hence the traffic is going through the router. I will remove the gateway from the server and will try the non-SSL ports.

I will also add a static route to be able to reach the NY Squid proxy server.

So I just need to mention the non-SSL ports in squid.conf in this section:

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 11002       # test stunnel port
acl Safe_ports port 11005       # test stunnel port


Thanks Arnold.
arnold

Instead of removing the gateway from the server, add a route on the router to point the traffic to this destination to the NY side by redirecting it ....

X.y.z.a 255.255.255.0 ny_side ip.
mshaikh22

ASKER
You mean to add another default static route on the CHI servers?

route add 0.0.0.0 mask 0.0.0.0 ny ip metric 1
arnold

The default route to NY will be needed when the ISP connection terminates.

You could use two default routes, with the NY path at a lower preference (higher metric value), to automatically transition when the ISP connection drops.
Pushing through the iBGP that the path to NY is a viable path to the outside.

I would encourage you to make changes in the Chicago router versus on the servers. The default gateway should point to the local router.
Not sure setting the NY IP as the gateway will work, since the system has no path to the NY segment.

Once the ISP drops, will the router go away?
mshaikh22

ASKER
The router is not going away. The vendor controls the network in Chicago. We only have servers hosted there. I just remembered that I need to enable port 25 also.
arnold

Your network topology and access: you cannot, on the server, mitigate an issue related to an external feed drop.

Do you control the router? What do you control?

The routing table on the router in Chicago needs to mark the preferred path out as being through the MPLS to NY.

NY has a LAN as does Chicago; do you use the LAN side IPs from New York in your reference, or the public IPs for NY?
Are you able to access the Squid in New York using the LAN IP of the New York Squid box?
This will confirm whether you already have routing set up for LAN to LAN over the MPLS link.

In such a case, configuring the cache_peer on the Chicago Squid to send requests to the NY Squid via the LAN IP should do the trick of addressing browsing from your Chicago LAN through the MPLS to the NY Squid....

Then configure Squid to allow these non-standard ports, and then set the proxy settings on the client to send all ports through the local Squid proxy.

On the NY Squid, you would need to make similar changes to allow these non-standard ports to pass through it.
mshaikh22

ASKER
Your network topology and access: you cannot, on the server, mitigate an issue related to an external feed drop.

Windows Server > Proxy settings NY Internal IP Port 3128 > NY Internet

The servers in Chicago can fully see the NY local network, and the NY local network can fully see Chicago.

Do you control the router? What do you control?

We have control only of the servers. The vendor controls the routers and the Chicago network.

The routing table on the router in Chicago needs to mark the preferred path out as being through the MPLS to NY.

I can speak to the vendor and get the routing table.

The Chicago server default route is pointing to the Chicago ISP.

The Windows proxy settings are pointing to the internal IP of the NY Squid server at port 3128.

NY has a LAN as does Chicago; do you use the LAN side IPs from New York in your reference, or the public IPs for NY?

We use the LAN side IPs in Chicago and NY.

Are you able to access the Squid in New York using the LAN IP of the New York Squid box?

Yes

This will confirm whether you already have routing set up for LAN to LAN over the MPLS link.

Yes. We have LAN to LAN connectivity between both data centers.

In such a case, configuring the cache_peer on the Chicago Squid to send requests to the NY Squid via the LAN IP should do the trick of addressing browsing from your Chicago LAN through the MPLS to the NY Squid....

a. How can you configure a cache_peer in Chicago?
b. Can it work without an internet connection?

Then configure Squid to allow these non-standard ports, and then set the proxy settings on the client to send all ports through the local Squid proxy.

How can we do this?

On the NY Squid, you would need to make similar changes to allow these non-standard ports to pass through it.

How do we do this?
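An added example, not from the thread or from arnold's paywalled answer, of squid.conf fragments for the two-hop setup being discussed: the Chicago Squid hands every request to the NY Squid over the MPLS LAN path (cache_peer plus never_direct), and both Squids permit CONNECT tunnels to the non-standard ports named in the thread. The IP addresses, the LAN range and the 3128 listening port on both sides are assumptions.

```conf
# Added example, not part of the original thread. Addresses are placeholders.

# ---------- Chicago squid (local proxy the Chicago servers point at) ----------
http_port 3128

# Send every request to the NY squid over the MPLS link using its LAN IP.
# "parent" = send requests to it, 0 = no ICP port, no-query = no ICP probes,
# default = use this peer when no other peer matches.
cache_peer 10.1.1.10 parent 3128 0 no-query default

# never_direct forces Squid to always go through the peer; it will not fall
# back to the Chicago ISP, and it does not need its own internet path at all.
never_direct allow all

# ---------- Both squids: which destination ports are permitted ----------
# Squid's stock Safe_ports list; 1025-65535 already covers 5000/11002/11005/55005,
# but 22 and 25 are below 1025 and must be listed explicitly.
acl Safe_ports port 80 21 443 70 210 280 488 591 777
acl Safe_ports port 1025-65535
acl Safe_ports port 22 25

# CONNECT tunnels (sftp, telnet-style TCP services) are gated by SSL_ports,
# not Safe_ports. Adding a port only to Safe_ports is NOT enough for a tunnel.
acl SSL_ports port 443
acl SSL_ports port 22 25 5000 11002 11005 55005
acl CONNECT method CONNECT

# Chicago squid: only the Chicago server LAN may use it (placeholder range).
# NY squid: replace this with the Chicago squid's LAN IP instead of the LAN range,
# since every request will arrive from that one source.
acl allowed_clients src 10.2.0.0/16

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow allowed_clients
http_access deny all
```

Once this is in place, the Chicago servers' proxy setting (the NY internal IP on 3128 in the thread) would instead point at the local Chicago Squid, and any firewall rules at the destination that whitelist the Chicago ISP address will need to admit the NY egress address, as arnold notes above.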
mshaikh22

ASKER
If we configure a cache peer in Chicago, we would be able to forward all internet traffic to the NY proxy.

Do we still need to modify the policy route or mess around with the default route of the server?
ASKER CERTIFIED SOLUTION
arnold

mshaikh22

ASKER
Hi Arnold,

Ports 22, 80 and 443 are working via the NY Squid proxy. I haven't added a cache peer yet. I am waiting for the vendor to provide me the config.
Frank Helk

No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Accept: arnold (https:#a42441429)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

frankhelk
Experts-Exchange Cleanup Volunteer