Thursday, January 8, 2009

FreeBSD TPROXY works!

The FreeBSD TPROXY support (with a patched FreeBSD kernel for now) works just fine in testing.

I'm going to commit the changes to FreeBSD in the next couple of days. I'll then bring in the TPROXY4 support from Squid-3, and hopefully get functioning TPROXY2, TPROXY4 and FreeBSD TPROXY support into the upcoming Cacheboy-1.6 release.

13 comments:

AR said...

Hello Adrian,

I have bookmarked your Adrian's Cache information page for quick reference.
I tried to find answers to the following problem but in vain, so I thought of leaving you a comment.

I am using Squid-2.7.STABLE5 as a transparent proxy with WCCP (Cisco 2800 router, IOS 12.4(13b)). It works perfectly fine.

But when I changed transparent to TPROXY, the internet just doesn't work.

Request:
client --> router --> squid (tproxy) --> router --> Web server (Everythings fine)

Reply:
Web server --> router --xx (data not sent) xx--> Squid ??? (not working)

What would be the reason?

Thanks in advance.
AR

Adrian said...

Squid-2.7 doesn't support tproxy mode for FreeBSD. I think it supports the "tproxy2" stuff for linux, but not the newer "tproxy4" stuff.

Cacheboy-1.6 supports the freebsd-current stuff (and the patches available at http://tproxy.no-ip.org/) along with tproxy2 and tproxy4.

AR said...

Thanks for the prompt reply.

I am sorry I forgot to tell you that I am using Fedora 8.

Fedora 8 + Squid 2.7.STABLE5 + TPROXY works fine without WCCP. But with WCCP, the internet just doesn't work.

What would be the reason?

AR said...

Fedora 8 + Squid + transparent proxy works great with or without WCCP.

But with TPROXY... I just can't get it right.

AR said...

We did some debugging. We use tproxy2 (cttproxy).

1. The requests are redirected to Squid on the router.
2. The Squid box forwards the requests and the source IP is spoofed as that of the actual client.
3. They reach the web server.
4. The TCP reply from the web server is NOT redirected to Squid.

My question here is: how does the router know it has to redirect the reply packets back to Squid? Do the packets have some marking?

Adrian said...

You should really ask the Squid users list about this.

You need to configure WCCP rules on the Squid box to request both the relevant source and destination traffic, and rules on the router to redirect traffic in both directions.

It sounds like you've set up WCCP fine for normal transparent operation (redirecting packets from client -> server ===> squid), but you need to add a second rule to redirect packets from server -> client ===> squid, and this means a different WCCP config.

Read the config guide entries on it - http://wiki.squid-cache.org/ConfigExamples/ .
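A worked configuration for the two-direction WCCPv2 setup described in the comment above, added here as an illustration; it is not code from the post, from Squid or from Cisco. The addresses, interface names and the listening port 3129 are assumptions. The service numbers 80 and 90 and the wccp2_* directives follow the convention used in Squid's WCCPv2 intercept/TPROXY config examples: service 80 catches client -> server packets by destination port 80, service 90 catches server -> client packets by source port 80 (the ports_source flag), and the router redirects each service inbound on the interface where that direction of traffic arrives, while the Squid-facing interface is excluded so already-redirected packets are not redirected again.

```text
# ---- squid.conf on the Squid box (assumed 192.0.2.10) ----
# Assumed: TPROXY listener on 3129, router at 192.0.2.1
http_port 3129 tproxy

wccp2_router 192.0.2.1
wccp2_forwarding_method 1     # 1 = GRE (the default); newer releases also accept "gre"
wccp2_return_method 1

# Service 80: client -> server packets, matched on destination port 80,
# hashed on the client (source) IP
wccp2_service dynamic 80
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80

# Service 90: server -> client packets, matched on SOURCE port 80 (ports_source),
# hashed on the destination (client) IP so the reply reaches the same Squid
# instance that spoofed that client's address on the outbound connection
wccp2_service dynamic 90
wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80

! ---- Cisco IOS on the router (assumed interface names) ----
ip wccp 80
ip wccp 90
!
interface FastEthernet0/0
 description LAN - clients
 ip wccp 80 redirect in
!
interface FastEthernet0/1
 description WAN - Internet
 ip wccp 90 redirect in
!
interface FastEthernet1/0
 description link to the Squid box
 ip wccp redirect exclude in
```

On the router, `show ip wccp 90` should list the Squid box as a registered cache for service 90 as well as for service 80; if only service 80 shows a cache, the reply direction is not being redirected, which is exactly the symptom of requests leaving with the spoofed client address and replies never coming back to Squid. The GRE tunnel interface on the Squid host and, for TPROXY on Linux, the mangle-table TPROXY rule and policy routing are separate pieces not shown in this fragment.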

AR said...

Thanks Adrian... We had asked enough in the Squid users group, but in vain. We had asked so many people around the world and on other networks... but no result...

ARVIND said...

Hello Developers,

The TPROXY4 patch for Squid 2.7.STABLE6 is released.
Please review the patch and share your views. Based on your comments we will also be working on a patch for Squid 2.HEAD.

The patch is available at
http://www.visolve.com/squid/squid-tproxy.php

Thanks
Arvind.B

AR said...

Hi Adrian,

Is there a TPROXY patch for FreeBSD to support Squid?

akustik said...

Hello,
why, if I use the IP_BINDANY patch, is my local bind IP (used by TPROXY) not recognized? I get this error:
y=2 -mno-mmx -mno-3dnow -mno-sse -mno-sse2 -mno-sse3 -ffreestanding -Werror ../../../netinet/in_pcb.c
../../../netinet/in_pcb.c: In function 'in_pcbbind_setup':
../../../netinet/in_pcb.c:338: error: 'INP_NONLOCALOK' undeclared (first use in this function)
../../../netinet/in_pcb.c:338: error: (Each undeclared identifier is reported only once
../../../netinet/in_pcb.c:338: error: for each function it appears in.)
*** Error code 1

Stop in /usr/src/sys/i386/compile/Tproxy.

How do I resolve this problem?

Thanks