I had a similar setup and couldn't get it to do what I needed. It took years until Juniper added PBR as a feature of their routing platforms. Ever since, I've been redesigning my networks to take Squid out of the network path and have it sit next to the network instead.

I never liked pushing everything through Squid, especially if it's not HTTP traffic, so that was my main motivation. Keep regular traffic out of the Squid trap! :)

On Fri, Jul 22, 2011 at 9:39 AM, Peter C. Ndikuwera <[email protected]> wrote:
> Thanks. I'll look at it in more detail, but from first glance it won't work
> because...
>
> Unfortunately, all traffic in my setup goes through Squid first and must be
> authenticated against AD before anything else happens.
>
> I've been looking at the (poorly documented) Squid cache_peer &
> sourcehash options (too long to post).
>
> P.
>
> --
> Evolution (n): A hypothetical process whereby infinitely improbable events
> occur with alarming frequency, order arises from chaos, and no one is given
> credit.
>
> On 22 July 2011 16:30, sanga collins <[email protected]> wrote:
>
>> Darn, maybe that post was too long :)
>>
>> On Fri, Jul 22, 2011 at 9:26 AM, sanga collins <[email protected]> wrote:
>>
>>> I use Squid + DansGuardian for my clients and was able to successfully
>>> configure it with dual WAN support. The key to accomplishing this in my
>>> network is policy based routing (PBR) on Juniper NetScreen devices. Here are
>>> the basics. You can of course do similar setups with Cisco or SonicWall
>>> routers if you understand the basics.
>>>
>>> 1. Configure the Squid and DansGuardian server.
>>> DansGuardian is listening on port 8080 and redirecting to Squid on port
>>> 3129.
>>> iptables is redirecting port 80 to port 8080 for easy config of
>>> workstations and the Juniper router.
>>> The server has 2 NICs, so instead of using transparent mode I configure the 2
>>> NICs with different IPs so that they can be on different LANs, as I will
>>> explain later.
>>>
>>> 2. Configure the router.
>>> I use policy based routing, which allows me to define source IP/port,
>>> destination IP/port and transport protocol to define several rules such as
>>> the ones below.
>>>
>>> - if source IP is from the workstation pool, redirect all port 80 traffic to
>>>   the Squid server on port 8080
>>> - if source IP is from the local server pool, do not redirect any port 80
>>>   traffic (allows servers to skip the proxy)
>>> - if destination IP is an intranet webserver or company webserver, do not
>>>   redirect traffic through the proxy and allow direct communication.
>>>
>>> 3. Configure dual WAN for fail-over and selective redirection.
>>> On Juniper routers you can have more than one virtual router. This allows
>>> me to have two active default gateways on the same device. So this is what I
>>> do:
>>>
>>> Virtual router 1 contains the default LAN and the default WAN interface
>>> and gateway. Virtual router 2 contains the backup WAN interface and gateway
>>> and the secondary LAN.
>>>
>>> The trick to setting up both connections is route statements. On VR1
>>> (virtual router 1) I have the following:
>>>
>>>   0.0.0.0/0 -> GW-ip -> GW-interface metric=0
>>>   0.0.0.0/0 -> virtual router 2 metric=10
>>>   lan2-ip   -> virtual router 2
>>>
>>> Virtual router 2 has the following:
>>>
>>>   0.0.0.0/0 -> GW-ip -> GW-interface metric=0
>>>   0.0.0.0/0 -> virtual router 1 metric=10
>>>   lan1-ip   -> virtual router 1
>>>
>>> I know this is a very stripped down routing table, but this is basically
>>> what happens. Since there are 2 routes for 0.0.0.0/0 in each VR, the metric
>>> determines which one is active and which is not. Higher metric = lower
>>> priority, so the metric 10 routes are inactive if the metric 0 route is active.
>>>
>>> When ISP 1 or 2 goes down, the first default route fails and the 2nd
>>> default route with metric 10 now becomes active, redirecting all traffic to
>>> the other virtual router where it can make its way to the internet.
>>>
>>> To force certain local workstations to use either ISP 1 or 2, I would use
>>> the fact that I have the Squid server with 2 NICs, one in LAN1 and the
>>> other NIC in LAN2.
>>> By default all traffic in LAN1 goes to Squid server NIC1, then back to
>>> LAN1 to go out to the internet. To force some computer to use the slow
>>> internet, all I need to do is use a source-based route:
>>>
>>>   source ip/subnet mask -> virtual router 2
>>>
>>> This means traffic from this IP is pushed to VR2, where policy based
>>> routing checks against its rules and determines whether to send it to the internet
>>> on the slow connection, or whether to send it through the proxy on LAN2 and then to the
>>> internet on the slow connection.
>>>
>>> Lastly, when one internet connection goes down, all traffic is redirected
>>> to the other virtual router where the Squid rules still apply, and failover is
>>> almost instantaneous :)
>>>
>>> On Fri, Jul 22, 2011 at 8:31 AM, Peter C. Ndikuwera <[email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> Anyone have experience with using Squid with multiple outgoing
>>>> connections?
>>>>
>>>> Some conditions:
>>>> - Squid cannot be in transparent mode
>>>> - some IPs must be set to use conn #1 (the faster one)
>>>> - if either conn #1 or #2 goes down, Squid should always use the active
>>>>   connection.
>>>>
>>>> Ideas?
>>>>
>>>> Peter

--
Sanga M. Collins
Network Engineering
~~~~~~~~~~~~~~~~~~~~~~~
Google Voice: (954) 324-1365
E-fax: (435) 578 7411
_______________________________________________
The Uganda Linux User Group: http://linux.or.ug

Send messages to this mailing list by addressing e-mails to:
[email protected]
Mailing list archives: http://www.mail-archive.com/[email protected]/
Mailing list settings: http://kym.net/mailman/listinfo/lug
To unsubscribe: http://kym.net/mailman/options/lug

The Uganda LUG mailing list is generously hosted by INFOCOM:
http://www.infocom.co.ug/

The above comments and data are owned by whoever posted them (including
attachments if any). The mailing list host is not responsible for them in
any way.
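The two-virtual-router failover and source-based routing that Sanga's quoted message describes, worked through as a small routing model (an added example written for this page, not anything from the thread or from ScreenOS; the prefixes, gateway addresses, interface names and the SLOW_POOL range are constructed placeholders). It generalises the description slightly by also following inter-VR hand-offs and detecting the case where both ISPs are down.

```python
import ipaddress

class VirtualRouter:
    """Routing table of (prefix, next_hop, metric). next_hop is either
    ("gw", gateway, interface) or ("vr", name) to hand off to another VR."""
    def __init__(self, name):
        self.name, self.routes = name, []

    def add_route(self, prefix, next_hop, metric=0):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, metric))

    def best_route(self, dst, link_up):
        """Longest prefix wins; among equals the lowest metric is the active
        route, so the metric-10 default stays idle while metric 0 is usable."""
        dst = ipaddress.ip_address(dst)
        usable = [r for r in self.routes if dst in r[0]
                  and (r[1][0] != "gw" or link_up.get(r[1][2], True))]
        return min(usable, key=lambda r: (-r[0].prefixlen, r[2]))[1] if usable else None

def build_router():
    """Constructed addresses and interface names, not the poster's real ones."""
    vr1, vr2 = VirtualRouter("vr1"), VirtualRouter("vr2")
    vr1.add_route("10.1.0.0/24", ("gw", "connected", "lan1"))   # LAN1
    vr1.add_route("10.2.0.0/24", ("vr", "vr2"))                 # lan2-ip -> VR2
    vr1.add_route("0.0.0.0/0", ("gw", "198.51.100.1", "wan1"), metric=0)
    vr1.add_route("0.0.0.0/0", ("vr", "vr2"), metric=10)
    vr2.add_route("10.2.0.0/24", ("gw", "connected", "lan2"))   # LAN2
    vr2.add_route("10.1.0.0/24", ("vr", "vr1"))                 # lan1-ip -> VR1
    vr2.add_route("0.0.0.0/0", ("gw", "203.0.113.1", "wan2"), metric=0)
    vr2.add_route("0.0.0.0/0", ("vr", "vr1"), metric=10)
    return {"vr1": vr1, "vr2": vr2}

# Source-based route: this workstation pool is pushed into VR2 (the slow ISP).
SLOW_POOL = ipaddress.ip_network("10.1.0.128/25")

def egress(vrs, src, dst, link_up):
    """Return (vr, gateway, interface) used for src -> dst, or None if no ISP
    is reachable. link_up maps interface -> bool; missing interfaces are up."""
    vr = "vr2" if ipaddress.ip_address(src) in SLOW_POOL else "vr1"
    for _ in range(len(vrs) + 1):          # loop guard for mutual hand-offs
        hop = vrs[vr].best_route(dst, link_up)
        if hop is None:
            return None
        if hop[0] == "gw":
            return (vr, hop[1], hop[2])
        vr = hop[1]                        # default route failed over to other VR
    return None                            # both ISPs down: VRs bounce traffic forever

if __name__ == "__main__":
    print(egress(build_router(), "10.1.0.10", "192.0.2.7", {}))              # via wan1
    print(egress(build_router(), "10.1.0.10", "192.0.2.7", {"wan1": False}))  # via wan2
```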
