Those are some very good ideas guys. I'll update you all when I've tried them out.
P.

--
Evolution (n): A hypothetical process whereby infinitely improbable events occur with alarming frequency, order arises from chaos, and no one is given credit.

On 23 July 2011 18:08, sanga collins <[email protected]> wrote:
> Another note. I think the failover solution should be completely independent
> from the proxy solution. This may simplify things instead of attempting to
> do them in one massive config.
>
> Also was thinking of a simple way to split traffic without relying on
> external equipment. It's Saturday so I am short on my 'weekday' level of
> detail. But couldn't you, using a squid server with 2 NICs on 2 different LANs,
> send some traffic to NIC1 based on AD groups that you seem to have already
> implemented, and send the rest of the traffic out of NIC1 as the default
> path through the 'slow' network?
>
> Expanding on this you could also implement a failover situation in the
> squid server for http traffic. A lot of details will need to be sorted out
> because traffic like DNS, SMTP and so on will need to failover successfully
> along with HTTP
>
> :)
>
>
> On Sat, Jul 23, 2011 at 9:46 AM, Kyle Spencer <[email protected]> wrote:
>
>> Hi Peter,
>>
>> Just a shot in the dark:
>>
>> 1) Bond the two WAN links outside of Squid (i.e. make one large virtual
>> link out of two physical links).
>>
>> 2) Bridge the LAN and newly created (bonded) WAN interfaces. Configure
>> Squid to transparently intercept traffic traveling across the bridge.
>>
>> 3) Configure Squid "delay pools" to manage user bandwidth according to
>> which LDAP group they're in by using Squid ACLs (access control lists).
>> Give more bandwidth to users in the "management" group and less to users in
>> the "staff" group.
>>
>> More on bonding (LACP) in Debian (or Ubuntu):
>> http://backdrift.org/howtonetworkbonding
>>
>> More on transparent Squid bridges:
>> http://freshmeat.net/articles/configuring-a-transparent-proxywebcache-in-a-bridge-using-squid-and-ebtables
>>
>> More on Squid delay pools:
>> http://wiki.squid-cache.org/Features/DelayPools
>>
>> More on Squid ACLs + LDAP:
>> http://www.cyberciti.biz/tips/howto-configure-squid-ldap-authentication.html
>>
>> I can't personally attest to the accuracy of the above links but they
>> should provide enough information to get you started.
>>
>> Regards,
>> Kyle Spencer
>>
>>
>> ----- Original message -----
>> > Thanks for all the replies.
>> >
>> > Just to clarify.
>> >
>> > 1) This is only for http traffic.
>> >
>> > 2) Authentication happens at proxy level (already done with squid's ntlm)
>> >
>> > 3) AFTER authentication, we need to:
>> > a) send management (determined by an IP range or Active Directory
>> > group (whichever is easier)) through ISP #1 - the fast one
>> > b) send wanainchi through ISP #2 - the slow one
>> >
>> > 4) If either ISP #1 or ISP #2 fails, then all traffic has to go
>> > through the "alive" ISP.
>> >
>> > For policy reasons, this all has to be done in software for now. I've
>> > already advised link load balancers and dual wan routers - and they
>> > will be looked at in the future, but they need a "for now" solution
>> > using Squid.
>> >
>> > Thanks all!
>> >
>> > P.
>> >
>> > On 22/07/2011, Reinier Battenberg <[email protected]> wrote:
>> > > Hi,
>> > >
>> > > If long is an issue maybe this is an alternative:
>> > >
>> > > - install ipcop
>> > > - add the advanced proxy module
>> > > - enable windows authentication
>> > >
>> > > done
>> > >
>> > >
>> > > ?
>> > > reinier
>> > >
>> > >
>> > > > Damn, maybe that post was too long :)
>> > > >
>> > > > On Fri, Jul 22, 2011 at 9:26 AM, sanga collins <[email protected]> wrote:
>> > > >
>> > > > > I use squid + dansguardian for my clients and was able to
>> > > > > successfully configure it with Dual WAN support. The key to
>> > > > > accomplishing this in my network is policy based routing (PBR) on
>> > > > > juniper netscreen devices. Here are the basics. You can of course
>> > > > > do similar setups with cisco or sonicwall routers if you understand
>> > > > > the basics.
>> > > > >
>> > > > > 1. configure squid and dansguardian server.
>> > > > > Dansguardian is listening on port 8080 and redirecting to squid port 3129.
>> > > > > iptables is redirecting port 80 to port 8080 for easy config of
>> > > > > workstations and juniper router.
>> > > > > Server has 2 NICs so instead of using transparent mode I configure
>> > > > > the 2 NICs with different IPs so that they can be on different
>> > > > > LANs as I will explain later.
>> > > > >
>> > > > > 2. configure router
>> > > > > I use policy based routing that allows me to define source IP/port,
>> > > > > destination IP/port and transport protocol to define several rules
>> > > > > such as the ones below.
>> > > > >
>> > > > > if source ip is from workstation pool redirect all port 80 traffic
>> > > > > to squid server port 8080
>> > > > > if source ip is from local server pool do not redirect any port
>> > > > > 80 traffic (allows servers to skip proxy)
>> > > > > if destination ip is an intranet webserver or company webserver do
>> > > > > not redirect traffic through the proxy and allow direct communication.
>> > > > >
>> > > > > 3. configure dual wan for fail-over and selective redirection.
>> > > > > On juniper routers you can have more than one virtual router.
>> > > > > This allows me to have two active default gateways on the same
>> > > > > device. So this is what I do
>> > > > >
>> > > > > Virtual router 1 contains the default LAN and the default WAN
>> > > > > interface and gateway. Virtual router 2 contains the backup WAN
>> > > > > interface and gateway and secondary LAN.
>> > > > >
>> > > > > The trick to setting up both connections is route statements. On
>> > > > > VR1 (virtual router 1) I have the following.
>> > > > >
>> > > > > 0.0.0.0/0 -> GW-ip -> GW-interface metric=0
>> > > > > 0.0.0.0/0 -> virtual router 2 metric=10
>> > > > > lan2-ip -> virtual router 2
>> > > > >
>> > > > > Virtual router 2 has the following.
>> > > > > 0.0.0.0/0 -> GW-ip -> GW-interface metric=0
>> > > > > 0.0.0.0/0 -> virtual router 1 metric=10
>> > > > > lan1-ip -> virtual router 1
>> > > > >
>> > > > > I know this is a very stripped down routing table but this is
>> > > > > basically what happens. Since there are 2 routes in each VR for
>> > > > > 0.0.0.0/0, the metric determines which one is active and which is
>> > > > > not. Higher metric = lower priority, so the metric 10 routes are
>> > > > > inactive while the metric 0 route is active.
>> > > > >
>> > > > > When ISP 1 or 2 goes down, the first default route fails and the
>> > > > > 2nd default route with metric 10 now becomes active, redirecting
>> > > > > all traffic to the other virtual router where it can make its way
>> > > > > to the internet.
>> > > > >
>> > > > > To force certain local workstations to use either ISP1 or 2 I
>> > > > > would use the fact that I have the squid server with 2 NICs, one in
>> > > > > LAN1 and the other NIC in LAN2.
>> > > > > By default all traffic in LAN1 goes to squid server NIC1 then back
>> > > > > to LAN1 to go out to the internet. To force some computer to use
>> > > > > the slow internet.
>> > > > > All I need to do is use a source based route
>> > > > >
>> > > > > source ip/subnet mask -> virtual router 2
>> > > > >
>> > > > > This means traffic from this ip is pushed to VR2 where policy based
>> > > > > routing checks against its rules and determines whether to send to
>> > > > > internet on the slow connection, or whether to send through the proxy
>> > > > > on LAN2 then to internet on the slow connection.
>> > > > >
>> > > > > Lastly when one internet connection goes down all traffic is
>> > > > > redirected to the other virtual router where squid rules still
>> > > > > apply and failover is almost instantaneous :)
>> > > > >
>> > > > >
>> > > > > On Fri, Jul 22, 2011 at 8:31 AM, Peter C. Ndikuwera <[email protected]> wrote:
>> > > > >
>> > > > > > Hi,
>> > > > > >
>> > > > > > Anyone have experience with using squid with multiple outgoing
>> > > > > > connections?
>> > > > > >
>> > > > > > Some conditions:
>> > > > > > - squid cannot be in transparent mode
>> > > > > > - some IPs must be set to use conn #1 (the faster one)
>> > > > > > - if either conn #1 or #2 goes down, squid should always use the
>> > > > > > active connection.
>> > > > > >
>> > > > > > Ideas?
>> > > > > >
>> > > > > > Peter
>> > > > > >
>> > > > > > --
>> > > > > > Evolution (n): A hypothetical process whereby infinitely improbable
>> > > > > > events occur with alarming frequency, order arises from chaos, and
>> > > > > > no one is given credit.
>> > > > >
>> > > > > --
>> > > > > Sanga M. Collins
>> > > > > Network Engineering
>> > > > > ~~~~~~~~~~~~~~~~~~~~~~~
>> > > > > Google Voice: (954) 324-1365
>> > > > > E- fax: (435) 578 7411
>> > > >
>> > > > --
>> > > > Sanga M. Collins
>> > > > Network Engineering
>> > > > ~~~~~~~~~~~~~~~~~~~~~~~
>> > > > Google Voice: (954) 324-1365
>> > > > E- fax: (435) 578 7411
>> > >
>> > > --
>> > > rgds,
>> > >
>> > > Reinier Battenberg
>> > > Director
>> > > Mountbatten Ltd.
>> > > +256 758 801 749
>> > > www.mountbatten.net
>> > > http://twitter.com/batje
>> > > http://twitter.com/mapuganda
>> >
>> > --
>> > Evolution (n): A hypothetical process whereby infinitely improbable
>> > events occur with alarming frequency, order arises from chaos, and no
>> > one is given credit.
>
> --
> Sanga M. Collins
> Network Engineering
> ~~~~~~~~~~~~~~~~~~~~~~~
> Google Voice: (954) 324-1365
> E- fax: (435) 578 7411
>
_______________________________________________
The Uganda Linux User Group: http://linux.or.ug

Send messages to this mailing list by addressing e-mails to: [email protected]
Mailing list archives: http://www.mail-archive.com/[email protected]/
Mailing list settings: http://kym.net/mailman/listinfo/lug
To unsubscribe: http://kym.net/mailman/options/lug

The Uganda LUG mailing list is generously hosted by INFOCOM: http://www.infocom.co.ug/

The above comments and data are owned by whoever posted them (including attachments if any). The mailing list host is not responsible for them in any way.
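Pulling the thread's pieces together on the Squid box alone, as an added example (this is not code posted by anyone in the thread): Squid's tcp_outgoing_address does the "management on the fast link, everyone else on the slow one" split Peter asked for, Linux policy routing (ip rule / ip route tables) stands in for the two Juniper virtual routers in Sanga's setup, and a cron-driven health check stands in for the metric-based failover. Interface names, addresses, routing table ids, the AD group name, the helper paths and the two probe hosts are all assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): Squid + two ISPs on one Linux box.
# Squid picks the outgoing source address per ACL, the kernel routes by
# source address, and a cron job flips the rules when a link dies.
# Every address, interface, table id, group name, helper path and probe
# host below is an assumption; adjust to the real network.

ISP1_IF=eth1; ISP1_IP=203.0.113.10;  ISP1_GW=203.0.113.1;  ISP1_NET=203.0.113.0/24   # fast
ISP2_IF=eth2; ISP2_IP=198.51.100.10; ISP2_GW=198.51.100.1; ISP2_NET=198.51.100.0/24  # slow
T1=100; T2=101                       # one kernel routing table per ISP
PROBE1=192.0.2.1; PROBE2=192.0.2.2   # placeholders: reliable remote hosts, one pinned to each link
DRY_RUN=${DRY_RUN:-1}                # 1 = print the commands, 0 = execute them

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# squid.conf fragment. http_access runs NTLM auth first; tcp_outgoing_address
# then picks the source IP by AD group or source subnet. First match wins,
# so the management lines come before the catch-all.
squid_conf() {
cat <<EOF
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
acl authenticated proxy_auth REQUIRED
external_acl_type ad_group ttl=300 %LOGIN /usr/lib/squid/ext_wbinfo_group_acl
acl management external ad_group Management
acl mgmt_net src 10.0.1.0/24
http_access allow authenticated
http_access deny all
tcp_outgoing_address $ISP1_IP management
tcp_outgoing_address $ISP1_IP mgmt_net
tcp_outgoing_address $ISP2_IP authenticated
EOF
}

# One-time kernel setup: a table per ISP, a rule per source address, a host
# route per probe so each ping is pinned to its link, and MASQUERADE so a
# packet Squid sourced from ISP1's address can still leave via ISP2 during
# failover without being dropped by that ISP's source-address filter.
# The main table keeps its usual default route for the box's own traffic.
routing_setup() {
    run ip route add $ISP1_NET dev $ISP1_IF src $ISP1_IP table $T1
    run ip route add default via $ISP1_GW dev $ISP1_IF table $T1
    run ip route add $ISP2_NET dev $ISP2_IF src $ISP2_IP table $T2
    run ip route add default via $ISP2_GW dev $ISP2_IF table $T2
    run ip route add $PROBE1 via $ISP1_GW dev $ISP1_IF
    run ip route add $PROBE2 via $ISP2_GW dev $ISP2_IF
    run ip rule add from $ISP1_IP lookup $T1 priority 100
    run ip rule add from $ISP2_IP lookup $T2 priority 101
    run iptables -t nat -A POSTROUTING -o $ISP1_IF -j MASQUERADE
    run iptables -t nat -A POSTROUTING -o $ISP2_IF -j MASQUERADE
}

# A link is "up" only if a remote host answers through it; the ISP's own
# gateway answering ping proves nothing about its upstream.
link_up() { ping -c 2 -W 2 "$1" >/dev/null 2>&1; }

# Map link state (1=up, 0=down) to "<table for ISP1-sourced> <table for ISP2-sourced>".
failover_plan() {
    case "$1$2" in
        01) echo "$T2 $T2" ;;   # ISP1 dead: everyone out via the slow link
        10) echo "$T1 $T1" ;;   # ISP2 dead: everyone out via the fast link
        *)  echo "$T1 $T2" ;;   # both up (or both down): normal split
    esac
}

# Rewrite both rules; deleting a rule that is already gone just fails harmlessly.
apply_rules() {   # $1 = table for ISP1_IP, $2 = table for ISP2_IP
    run ip rule del priority 100
    run ip rule del priority 101
    run ip rule add from $ISP1_IP lookup $1 priority 100
    run ip rule add from $ISP2_IP lookup $2 priority 101
    run ip route flush cache
}

# Run from cron every minute; the rule rewrite is idempotent.
check_and_failover() {
    up1=0; up2=0
    link_up "$PROBE1" && up1=1
    link_up "$PROBE2" && up2=1
    apply_rules $(failover_plan "$up1" "$up2")
}

case "${1:-}" in
    squid) squid_conf ;;          # print the squid.conf fragment
    setup) routing_setup ;;       # DRY_RUN=0 ./multiwan.sh setup
    check) check_and_failover ;;  # DRY_RUN=0 ./multiwan.sh check  (from cron)
esac
```

Three caveats a practitioner should expect. tcp_outgoing_address only evaluates "fast" ACL types, so it relies on the proxy_auth and external group lookups having already been resolved by http_access and cached (the ttl=300 on the group helper bounds how stale that can be). Flipping the rules changes the NAT mapping, so TCP sessions in flight on the dead link are lost and users see a reload, not a seamless switch. And Squid resolves names itself, so dns_nameservers must point at resolvers reachable over either link, or HTTP will fail over while DNS quietly does not, which is the DNS/SMTP point Sanga raised.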
