darn maybe that post was too long :)

On Fri, Jul 22, 2011 at 9:26 AM, sanga collins <[email protected]> wrote:
> I use squid + dansguardian for my clients and was able to successfully
> configure it with Dual WAN support. The key to accomplishing this in my
> network is policy based routing (PBR) on juniper netscreen devices. Here are
> the basics. You can of course do similar setups with cisco or sonicwall
> routers if you understand the basics.
>
> 1. configure squid and dansguardian server.
> Dansguardian is listening on port 8080 and redirecting to squid port 3129.
> iptables is redirecting port 80 to port 8080 for easy config of
> workstations and juniper router.
> Server has 2 NICs so instead of using transparent mode I configure the 2
> NICs with different IPs so that they can be on different LANs as I will
> explain later.
>
> 2. configure router
> I use policy based routing that allows me to define source IP/port,
> destination IP/port and transport protocol to define several rules such as
> the ones below.
>
> if source ip is from workstation pool redirect all port 80 traffic to squid
> server port 8080
> if source ip is from local server pool do not redirect any port 80
> traffic (allows servers to skip proxy)
> if destination ip is an intranet webserver or company webserver do not
> redirect traffic through the proxy and allow direct communication.
>
> 3. configure dual wan for fail-over and selective redirection.
> On juniper routers you can have more than one virtual router. This allows
> me to have two active default gateways on the same device. So this is what I
> do
>
> Virtual router 1 contains the default LAN and the default WAN interface and
> gateway. Virtual router 2 contains the backup WAN interface and gateway and
> secondary LAN.
>
> The trick to setting up both connections is route statements. On VR1
> (virtual router 1) I have the following.
>
> 0.0.0.0/0 -> GW-ip -> GW-interface metric=0
> 0.0.0.0/0 -> virtual router 2 metric=10
> lan2-ip -> virtual router 2
>
> Virtual router 2 has the following.
> 0.0.0.0/0 -> GW-ip -> GW-interface metric=0
> 0.0.0.0/0 -> virtual router 1 metric=10
> lan1-ip -> virtual router 1
>
> I know this is a very stripped down routing table but this is basically
> what happens. Since there are 2 routes in each vr for 0.0.0.0/0, the metric
> determines which one is active and which is not. Higher metric = lower
> priority, so metric 10 routes are inactive if the metric 0 route is active.
>
> When ISP 1 or 2 goes down, the first default route fails and the 2nd
> default route with metric 10 now becomes active, redirecting all traffic to
> the other virtual router where it can make its way to the internet.
>
> To force certain local workstations to use either ISP1 or 2 I would use the
> fact that I have the squid server with 2 NICs, one in LAN1 and the other
> NIC in LAN2.
> By default all traffic in LAN1 goes to squid server NIC1 then back to LAN1
> to go out to the internet. To force some computer to use the slow internet,
> all I need to do is use a source based route
>
> source ip/subnet mask -> virtual router 2
>
> This means traffic from this ip is pushed to VR2 where policy based routing
> checks against its rules and determines whether to send to internet on slow
> connection, or whether to send through proxy on LAN2 then to internet on
> slow connection.
>
> Lastly when one internet connection goes down all traffic is redirected to
> the other virtual router where squid rules still apply and failover is
> almost instantaneous :)
>
>
> On Fri, Jul 22, 2011 at 8:31 AM, Peter C. Ndikuwera <[email protected]> wrote:
>
>> Hi,
>>
>> Anyone have experience with using squid with multiple outgoing
>> connections?
>>
>> Some conditions:
>> - squid cannot be in transparent mode
>> - some IPs must be set to use conn #1 (the faster one)
>> - if either conn #1 or #2 go down, squid should always use the active
>> connection.
>>
>> Ideas?
>>
>> Peter
>>
>> --
>> Evolution (n): A hypothetical process whereby infinitely improbable events
>> occur with alarming frequency, order arises from chaos, and no one is given
>> credit.

--
Sanga M. Collins
Network Engineering
~~~~~~~~~~~~~~~~~~~~~~~
Google Voice: (954) 324-1365
E- fax: (435) 578 7411
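The design in Sanga's post (two virtual routers, each with a metric-0 default route to its own ISP and a metric-10 default route into the other VR, plus source-based routing and policy-based redirection of workstation port-80 traffic to the Squid/DansGuardian box) is easy to misconfigure in a way that only shows up when a link fails. The following Python model is an added example, not the poster's ScreenOS configuration or anything from the thread; every address, pool and link name in it is constructed. It reproduces the route-selection rules described above (longest prefix, then lowest metric, then hand-off to the other VR) so you can check which link a given flow takes under each failure state, including the case where both ISPs are down and the two VRs would otherwise point at each other.

```python
import ipaddress
from dataclasses import dataclass

IPNet = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: IPNet
    next_hop: str   # ISP link name ("isp1"/"isp2") or another virtual router ("vr1"/"vr2")
    metric: int = 0


@dataclass
class VirtualRouter:
    name: str
    lan: IPNet      # directly connected LAN of this VR
    proxy: str      # squid/dansguardian NIC on this LAN (port-80 traffic is sent to its :8080)
    routes: list


# Constructed topology: none of these addresses come from the thread.
VR1 = VirtualRouter("vr1", IPNet("10.1.0.0/16"), "10.1.0.10", [
    Route(IPNet("0.0.0.0/0"), "isp1", 0),        # default route, primary ISP
    Route(IPNet("0.0.0.0/0"), "vr2", 10),        # backup: hand off to the other VR
    Route(IPNet("10.2.0.0/16"), "vr2", 0),       # lan2 is reachable via VR2
])
VR2 = VirtualRouter("vr2", IPNet("10.2.0.0/16"), "10.2.0.10", [
    Route(IPNet("0.0.0.0/0"), "isp2", 0),
    Route(IPNet("0.0.0.0/0"), "vr1", 10),
    Route(IPNet("10.1.0.0/16"), "vr1", 0),
])
ROUTERS = {"vr1": VR1, "vr2": VR2}

WORKSTATIONS = IPNet("10.1.0.0/24")                 # pool whose port-80 traffic is proxied
SERVER_POOL = IPNet("10.1.1.0/24")                  # local servers bypass the proxy
INTRANET_WEB = [IPNet("10.1.1.0/24"), IPNet("203.0.113.0/24")]  # reached directly
SOURCE_ROUTES = {IPNet("10.1.0.128/25"): "vr2"}     # hosts pushed onto the slow link


def egress(vr_name, dst, links_up, visited=()):
    """Pick the outgoing link for dst from a virtual router.

    Longest prefix match first, then lowest metric. A next hop is usable when it is
    an ISP link that is up, or another VR whose own lookup succeeds; `visited`
    breaks the vr1 -> vr2 -> vr1 loop when both ISPs are down (returns None).
    """
    vr = ROUTERS[vr_name]
    if dst in vr.lan:
        return vr.name + "-lan"
    matches = [r for r in vr.routes if dst in r.prefix]
    if not matches:
        return None
    longest = max(r.prefix.prefixlen for r in matches)
    candidates = sorted((r for r in matches if r.prefix.prefixlen == longest),
                        key=lambda r: r.metric)
    for r in candidates:
        if r.next_hop in ROUTERS:
            if r.next_hop in visited:
                continue
            hop = egress(r.next_hop, dst, links_up, visited + (vr_name,))
            if hop is not None:
                return hop
        elif links_up.get(r.next_hop, False):
            return r.next_hop
    return None


def forward(src, dst, dport, links_up):
    """Return (proxy address or None, egress link or None) for one flow.

    Evaluation order mirrors the post: the source-based route chooses the VR,
    policy-based routing decides whether port 80 goes to the proxy on that VR's
    LAN, and the VR's routing table (with metric failover) chooses the link.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    vr_name = "vr1"
    for prefix, target in SOURCE_ROUTES.items():
        if src in prefix:
            vr_name = target
    proxied = (dport == 80
               and src in WORKSTATIONS
               and src not in SERVER_POOL
               and not any(dst in net for net in INTRANET_WEB))
    proxy = ROUTERS[vr_name].proxy if proxied else None
    return proxy, egress(vr_name, dst, links_up)


if __name__ == "__main__":
    both_up = {"isp1": True, "isp2": True}
    isp1_down = {"isp1": False, "isp2": True}
    print(forward("10.1.0.5", "198.51.100.7", 80, both_up))    # proxied on LAN1, out isp1
    print(forward("10.1.0.5", "198.51.100.7", 80, isp1_down))  # proxied, fails over to isp2
    print(forward("10.1.0.200", "198.51.100.7", 80, both_up))  # forced onto VR2, proxied on LAN2
```

The `visited` guard is the part worth keeping in mind when translating this back to a real device: with both default routes pointing at the other VR, an outage on both ISPs turns into a forwarding loop between the two virtual routers unless the platform's route-validation or a reachability check (a tracked route or a ping-based monitor, depending on the router) withdraws the failed default routes.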
_______________________________________________
The Uganda Linux User Group: http://linux.or.ug

Send messages to this mailing list by addressing e-mails to:
[email protected]
Mailing list archives: http://www.mail-archive.com/[email protected]/
Mailing list settings: http://kym.net/mailman/listinfo/lug
To unsubscribe: http://kym.net/mailman/options/lug

The Uganda LUG mailing list is generously hosted by INFOCOM:
http://www.infocom.co.ug/

The above comments and data are owned by whoever posted them (including
attachments if any). The mailing list host is not responsible for them in
any way.
