mshaikh22 asked:
Forward non standard ports to the internet via Squid

Dear Experts,

We have two data centers, one in New York and the second in Chicago. Our vendor in the Chicago data center is ceasing its ISP services. We have a circuit between both data centers. We have deployed a Squid proxy on an Ubuntu 16.04 server in the New York data center and are planning to forward the internet traffic from the servers in the Chicago data center through the Squid proxy.

We are able to forward the standard internet ports, i.e. 80 and 443, but we are unable to forward non-standard internet ports, e.g. 11002 and 55005, that we might use for other data services.

When I run a sniffer on our main office firewall to check the incoming traffic from the Chicago data center on port 11002, it is coming via the Chicago ISP instead of the New York Squid proxy server.

Any help will be appreciated.

Thank you,
M


 

Please find diagram attached. Please let
Squid.png
arnold

What you are looking for is to set your NY squid as the proxy peer for your Chicago location.

http://www.squid-cache.org/Doc/config/cache_peer/

Your VPN between the two locations might have a higher preference than the route via the dedicated line.
Or the issue deals with the IP address that is in DNS.....
Such that the NY location refers to a public IP while the route points to the outside versus to the dedicated line...

Is the NY-Chicago path dynamic or static, i.e. do you define which networks are accessible via this path, or is OSPF or RIPv2 being used...
mshaikh22 (ASKER)

We have a layer 3 MPLS link between the Chicago and New York data centers. We are using iBGP between both sites.
I tried putting the New York Squid proxy in the Internet Explorer settings. I am able to browse using the NY proxy from the Chicago server on port 80. But when I try connecting to an SFTP site, it is still using the Chicago internet, or if I telnet to the main office over the internet using port 11002, port 22 or port 5000, it is still using the Chicago internet.

Not sure how we can run a Squid in Chicago when we won't have any internet connection in a few months, and we have a
static route between both sites.
Thank you for your help, Arnold.
It sounds like your BGP route for MPLS is secondary to the ISP feed.
Show ip route on your Chicago router to see which is preferred.
You can enable policy-based routing and direct access attempts based on ports to have the NY side of the MPLS as the next hop.

Squid peer will feed all requests it gets through the peer.
Chicago
Internet <=> router <=> squid peer NY lan ip squid
                            ^
                           ||mpls link
NY                       v
Internet <=> router <=> squid

Your non-standard ports have to be forwarded/redirected by the router on the Chicago side.
Oh, your iBGP peering between NY and Chicago: does NY push 0.0.0.0 0.0.0.0 as a viable path (all traffic)?

A proxy setting on a system can be configured to forward all ports; you then have to modify the acceptable ports to be permitted.
I.e. add your non-standard ports to SSL_ports, which will mean that a pass-through CONNECT will be made. The only concern with such an approach: your access restrictions, if any, on the end device will have to be changed since they will be seen as coming from the Chicago proxy IP.
Yes, the default route is going via the server's gateway and hence the traffic is going through the router. I will remove the gateway from the server and will try the non-SSL ports.

I will also add a static route to be able to reach the NY Squid proxy server.

So I just need to mention the non-SSL ports in squid.conf in this section:

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 11002       # test stunnel port
acl Safe_ports port 11005       # test stunnel port


Thanks Arnold.
Instead of removing the gateway from the server, add a route on the router to point the traffic to this destination to the NY side by redirecting it ....

X.y.z.a 255.255.255.0 ny_side ip.
You mean to add another default static route on the CHI servers?

route add 0.0.0.0 mask 0.0.0.0 ny ip metric 1
The default route to ny will be needed when the ISP connection terminates.

You could use two defaults, with the NY path at a lower preference (higher metric value), to automatically transition when the ISP connection drops.
Pushing through iBGP that the path to NY is a viable path to the outside.

I would encourage you to make changes in the Chicago router versus on the servers. Default gateway should point to the local router.
Not sure setting the NY IP as the gateway will work since the system has no path to the NY segment.

Once the ip drops, will the router go away?
The router is not gonna go. The vendor controls the network in Chicago. We only have servers hosted there. I just remembered that I need to enable port 25 also.
Your network topology and access. You cannot, on the server, mitigate an issue related to an external feed drop.

Do you control the router? What do you control?

Routing table on the router in Chicago to mark the preferred path out is through the MPLS to NY.

NY has a LAN as does Chicago; do you use the LAN-side IPs from New York in your reference, or the public IPs for NY?
Are you able to access the squid in New York using the LAN ip of the New York squid box?
This will confirm whether you already have routing setup for LAN to LAN over the MPLS link.

In such a case, configuring the cache_peer on the Chicago squid to send requests to the NY squid via the LAN IP should do the trick of addressing browsing from your Chicago LAN through the MPLS to the NY squid....

Then configuring squid to allow these non-standard ports, and then setting the proxy settings on the client to secure all ports through the local squid proxy.

On the NY squid, you would need to make similar changes to allow these non-standard ports to pass through it.
Your network topology and access. You cannot, on the server, mitigate an issue related to an external feed drop.

Windows Server > Proxy settings NY Internal IP Port 3128 > NY Internet

The servers in Chicago can fully see the NY Local Network and NY Local Network can fully see Chicago.

Do you control the router? What do you control?

We have control only of the servers. The vendor controls the routers and the Chicago network.

Routing table on the router in Chicago to mark the preferred path out is through the MPLS to NY.

I can speak to the vendor and get the routing table.

The Chicago server default route is pointing to the Chicago ISP.

The Windows proxy settings are pointing to the internal IP of the NY Squid server at port 3128.


NY has a LAN as does Chicago; do you use the LAN-side IPs from New York in your reference, or the public IPs for NY?

We use the LAN-side IPs in Chicago and NY.

Are you able to access the squid in New York using the LAN ip of the New York squid box?

Yes

This will confirm whether you already have routing setup for LAN to LAN over the MPLS link.

Yes. We have LAN-to-LAN connectivity between both data centers.


In such a case, configuring the cache_peer on the Chicago squid to send requests to the NY squid via the LAN IP should do the trick of addressing browsing from your Chicago LAN through the MPLS to the NY squid....

a. How can you configure a cache_peer in Chicago?
b. Can it work without an internet connection?

Then configuring squid to allow these non-standard ports, and then setting the proxy settings on the client to secure all ports through the local squid proxy.

How can we do this?

On the NY squid, you would need to make similar changes to allow these non-standard ports to pass through it.

How do we do this?
If we configure a cache peer in Chicago, we would be able to forward all internet traffic to the NY proxy.

Do we still need to modify the policy route or mess around with the default route of the server?
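As an added example (not code from the thread, and not Squid's own), the constructed squid.conf below is a Chicago-side configuration implementing the two pieces arnold describes: the non-standard ports listed in SSL_ports so a pass-through CONNECT is permitted, and a cache_peer to the NY squid over the LAN path with never_direct so nothing is fetched locally. The Python around it evaluates Squid's http_access decision for a request, which shows why port 11002 is refused while it only appears in Safe_ports (as in the asker's config) and passes once it is in SSL_ports. The LAN subnet, the NY squid's LAN IP and the peer port are assumptions; 3128 is the port already in use in the thread.

```python
import ipaddress
# Constructed squid.conf for the Chicago squid (placeholder values, not the thread's):
# Chicago LAN 10.2.0.0/16, NY squid LAN IP 10.1.1.10 listening on 3128 (port from the thread).
CHICAGO_SQUID_CONF = """
acl localnet src 10.2.0.0/16
acl SSL_ports port 443
acl SSL_ports port 22 5000 11002 11005   # non-standard ports the clients will tunnel with CONNECT
acl Safe_ports port 80 21 443 70 210 280 488 591 777 22 25
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
# send every request to the NY squid over the LAN/MPLS path and never fetch directly
cache_peer 10.1.1.10 parent 3128 0 no-query default
never_direct allow all
"""

def parse_conf(text):
    """Collect acl definitions and http_access rules; other directives are ignored."""
    acls, rules = {}, []
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()
        if words[:1] == ["acl"]:
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif words[:1] == ["http_access"]:
            rules.append((words[1], words[2:]))
    return acls, rules

def acl_matches(acls, name, method, src, port):
    """Evaluate one acl against a request; handles the src, method and port acl types."""
    if name == "all":
        return True
    kind, values = acls[name]
    if kind == "method":
        return method in values
    if kind == "src":
        return any(ipaddress.ip_address(src) in ipaddress.ip_network(v) for v in values)
    ranges = (v.partition("-") for v in values)  # port acl: single ports or lo-hi ranges
    return any(int(lo) <= port <= int(hi or lo) for lo, _, hi in ranges)

def http_access(conf, method, src, port):
    """First http_access line whose terms all match wins; no match -> opposite of the last line."""
    acls, rules = parse_conf(conf)
    for action, terms in rules:
        if all(acl_matches(acls, t.lstrip("!"), method, src, port) != t.startswith("!")
               for t in terms):
            return action
    return "deny" if not rules or rules[-1][0] == "allow" else "allow"
```

Only proxy-aware clients issue CONNECT; a plain telnet or sftp client ignores the Windows proxy setting and follows the server's default route, which is why that traffic was still leaving via the Chicago ISP. The NY squid's own SSL_ports needs the same additions, since it is the one that terminates the tunnel.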
ASKER CERTIFIED SOLUTION
arnold
This solution is only available to members.
Hi Arnold,

Ports 22, 80 and 443 are working via the NY Squid proxy. I haven't added a cache peer yet. I am waiting for the vendor to provide me the config.
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Accept: arnold (https:#a42441429)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

frankhelk
Experts-Exchange Cleanup Volunteer