Re: [squid-users] 3 ISPs: Routing problem

From: jeff donovan <donovan_at_beth.k12.pa.us>
Date: Mon, 18 May 2009 13:11:40 -0400

On May 18, 2009, at 11:17 AM, RSCL Mumbai wrote:

> On Sun, May 17, 2009 at 11:37 AM, Amos Jeffries
> <squid3_at_treenet.co.nz> wrote:
>> RSCL Mumbai wrote:
>>>
>>> On Fri, May 15, 2009 at 10:38 AM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>>>>
>>>> RSCL Mumbai wrote:
>>>>>
>>>>> On Thu, May 14, 2009 at 4:33 PM, Jeff Pang <pangj_at_arcor.de> wrote:
>>>>>>
>>>>>> RSCL Mumbai:
>>>>>>
>>>>>>> What I would like to configure is to set up "specific G/ws for
>>>>>>> specific clients".
>>>>>>>
>>>>>>> 192.168.1.100 to use G/w 192.168.1.1
>>>>>>> 192.168.1.101 to use G/w 192.168.1.1
>>>>>>> 192.168.1.102 to use G/w 192.168.1.2
>>>>>>> 192.168.1.103 to use G/w 192.168.1.2
>>>>>>> 192.168.1.104 to use G/w 192.168.1.2
>>>>>>> 192.168.1.105 to use G/w 192.168.1.3
>>>>>>> 192.168.1.106 to use G/w 192.168.1.3
>>>>>>>
>>>>>
>>>>>
>>>>> I just found out that squid is removing the marking on the packet:
>>>>> This is what I am doing:
>>>>>
>>>>> (1) I marked packets coming from 10.0.0.120 to port 80, with "mark1"
>>>>> (mark1 corresponds to isp1)
>>>>> (2) I added a route rule which says that all packets having mark 1
>>>>> will be routed through ISP 1
>>>>>
>>>>> But the packets are not routing via ISP1
>>>>>
>>>>> When I disable squid redirection rule in IPTables (port 80 redirection
>>>>> to 3128 squid), the markings are maintained and packets route via ISP1.
>>>>>
>>>>> Now the big question is why is squid removing the marking ??
>>>>
>>>> Because the packets STOP at their destination software.
>>>> Normally the destination is a web server. When you NAT (redirect) a
>>>> packet to Squid it STOPS there and gets read by Squid instead of
>>>> passing on to the web server.
>>>>
>>>> IF Squid needs to fetch the HTTP object requested from the network a
>>>> brand new TCP connection will be created only from Squid to the web
>>>> server.
>>>>
>>>>> And how can this be prevented ??
>>>>
>>>> By not intercepting packets. As you already noticed.
>>>>
>>>>
>>>> Squid offers alternatives, tcp_outgoing_address has already been
>>>> mentioned. tcp_outgoing_tos is an alternative that allows you to mark
>>>> packets leaving Squid.
>>>
>>> I tried "tcp_outgoing_address" by adding the following to squid.conf
>>>
>>> acl ip1 myip 10.0.0.120
>>> acl ip2 myip 10.0.0.121
>>> acl ip3 myip 10.0.0.122
>>> tcp_outgoing_address 10.0.0.120 ip1
>>> tcp_outgoing_address 10.0.0.121 ip2
>>> tcp_outgoing_address 10.0.0.122 ip3
>>>
>>> Restarted squid, but no help.
>>>
>>> Pls help how I can get the route rules to work.
>>>
>>> Simple requirement:
>>> If packets comes from src=10.0.0.120, forward it via ISP-1
>>> If packets comes from src=10.0.0.121, forward it via ISP-2
>>> If packets comes from src=10.0.0.122, forward it via ISP-3
>>> And so forth.
>>>
>>> Thx in advance.
>>> Vai
>>
>> To prevent the first (default) one being used you may need to do:
>>
>> tcp_outgoing_address 10.0.0.120 ip1 !ip2 !ip3
>> tcp_outgoing_address 10.0.0.121 ip2 !ip1 !ip3
>> tcp_outgoing_address 10.0.0.122 ip3 !ip1 !ip2
>
>
> I do not have 5 real interfaces for 5 ISPs.
> And I believe virtual interfaces will not work in this scenario.
>
> Any other option pls ??
>
> Thx & regards,
> Vai
>

Hello Val,
Look to your routers to make this decision. You can hand out default
gateway info to your clients or routers.
If you don't have 3 squid boxes [my recommendation] then
I would try 3 NICs.
If that's not available then you need 3 VLANs.
-j
Received on Mon May 18 2009 - 17:11:52 MDT
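
The `tcp_outgoing_address` approach discussed in this thread, worked through for the client/gateway table quoted at the top, as an added example that is not part of the original messages. It selects clients with `src` ACLs (the client's address; `myip` matches the local address the client connected to) and pairs each Squid egress address with a Linux source-based routing rule. The egress addresses 192.168.1.11-13 and table numbers 101-103 are hypothetical and assumed to be configured on the Squid host.

```shell
#!/bin/sh
# Constructed from the table in the thread: "client-IP gateway-IP".
CLIENT_MAP='192.168.1.100 192.168.1.1
192.168.1.101 192.168.1.1
192.168.1.102 192.168.1.2
192.168.1.103 192.168.1.2
192.168.1.104 192.168.1.2
192.168.1.105 192.168.1.3
192.168.1.106 192.168.1.3'

# Hypothetical: "gateway-IP squid-egress-IP routing-table-number".
EGRESS_MAP='192.168.1.1 192.168.1.11 101
192.168.1.2 192.168.1.12 102
192.168.1.3 192.168.1.13 103'

# squid.conf lines: one src ACL per gateway, bound to that gateway's egress IP.
gen_squid_conf() {
    printf '%s\n' "$EGRESS_MAP" | while read -r gw addr table; do
        clients=$(printf '%s\n' "$CLIENT_MAP" |
            awk -v g="$gw" '$2 == g { printf " %s", $1 }')
        [ -n "$clients" ] || continue   # no client uses this gateway
        echo "acl via_t$table src$clients"
        echo "tcp_outgoing_address $addr via_t$table"
    done
}

# Policy routing: traffic sourced from an egress IP leaves via its gateway.
gen_ip_rules() {
    printf '%s\n' "$EGRESS_MAP" | while read -r gw addr table; do
        echo "ip rule add from $addr table $table"
        echo "ip route add default via $gw table $table"
    done
}

# Clients whose gateway has no egress entry would silently fall back to
# Squid's default outgoing address; list them so the gap is visible.
unmapped_clients() {
    printf '%s\n' "$CLIENT_MAP" | while read -r client gw; do
        printf '%s\n' "$EGRESS_MAP" |
            awk -v g="$gw" '$1 == g { f = 1 } END { exit !f }' ||
            echo "$client"
    done
}

gen_squid_conf
gen_ip_rules
unmapped_clients
```

The script only prints the configuration; review the output before adding it to squid.conf and running the `ip` commands as root.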
