Hi Peter,

You can configure squid to use two gateways. The rest I would say, use group policies to set which proxy IP address will be used for your range of IP addresses.

Proxy IP 1 -- allow connections from 192.168.0.0/24
Proxy IP 2 -- allow connections from 172.16.0.0/24

This can be enforced in a group policy to ensure that a given range of IP addresses is configured to use a given proxy IP address. You could also configure this within Squid using ACLs. Proxy IP 1 should only allow connections from range A and so on.

Regards,
Mike

On 23 July 2011 14:57, Peter C. Ndikuwera <[email protected]> wrote:
> Thanks for all the replies.
>
> Just to clarify.
>
> 1) This is only for http traffic.
>
> 2) Authentication happens at proxy level (already done with squid's ntlm)
>
> 3) AFTER authentication, we need to:
>    a) send management (determined by an IP range or Active Directory group (whichever is easier)) through ISP #1 - the fast one
>    b) send wanainchi through ISP #2 - the slow one
>
> 4) If either of ISP #1 or ISP #2 fail, then all traffic has to go through the "alive" ISP.
>
> For policy reasons, this all has to be done in software for now. I've already advised link load balancers and dual wan routers - and they will be looked at in the future, but they need a "for now" solution using Squid.
>
> Thanks all!
>
> P.
>
> On 22/07/2011, Reinier Battenberg <[email protected]> wrote:
> > Hi,
> >
> > If long is an issue maybe this is an alternative:
> >
> > - install ipcop
> > - add the advanced proxy module
> > - enable windows authentication
> >
> > done
> >
> > ?
> > reinier
> >
> >> danr maybe that post was too long :)
> >>
> >> On Fri, Jul 22, 2011 at 9:26 AM, sanga collins <[email protected]> wrote:
> >>
> >> > I use squid + dansguardian for my clients and was able to successfully configure it with Dual WAN support. The key to accomplishing this in my network is policy based routing (PBR) on juniper netscreen devices. Here are the basics. You can of course do similar setups with cisco or sonicwall routers if you understand the basics.
> >> >
> >> > 1. configure squid and dansguardian server.
> >> > Dansguardian is listening on port 8080 and redirecting to squid port 3129.
> >> > iptables is redirecting port 80 to port 8080 for easy config of workstations and juniper router.
> >> > Server has 2 NICs so instead of using transparent mode i configure the 2 NICs with different IPs so that they can be on different LANs as i will explain later.
> >> >
> >> > 2. configure router
> >> > I use policy based routing that allows me to define source IP/port, destination IP/port and transport protocol to define several rules such as the ones below.
> >> >
> >> > if source ip is from workstation pool redirect all port 80 traffic to squid server port 8080
> >> > if source ip is from local server pool do not redirect any port 80 traffic (allows servers to skip proxy)
> >> > if destination ip is an intranet webserver or company webserver do not redirect traffic through the proxy and allow direct communication.
> >> >
> >> > 3. configure dual wan for fail-over and selective redirection.
> >> > On juniper routers you can have more than one virtual router. This allows me to have two active default gateways on the same device. So this is what i do
> >> >
> >> > Virtual router 1 contains the default LAN and the default WAN interface and gateway. virtual router 2 contains the backup WAN interface and gateway and secondary LAN.
> >> >
> >> > The trick to setting up both connections is route statements. on VR1 (virtual router 1) i have the following.
> >> >
> >> > 0.0.0.0/0 -> GW-ip -> GW-interface metric=0
> >> > 0.0.0.0/0 -> virtual router 2 metric=10
> >> > lan2-ip -> virtual router 2
> >> >
> >> > virtual router 2 has the following.
> >> >
> >> > 0.0.0.0/0 -> GW-ip -> GW-interface metric=0
> >> > 0.0.0.0/0 -> virtual router 1 metric=10
> >> > lan1-ip -> virtual router 1
> >> >
> >> > I know this is a very stripped down routing table but this is basically what happens. Since there are 2 routes in each vr for 0.0.0.0/0 the metric determines which one is active and which is not. Higher metric = lower priority, so the metric 10 routes are inactive if the metric 0 route is active.
> >> >
> >> > When ISP 1 or 2 goes down, the first default route fails and the 2nd default route with metric 10 now becomes active, redirecting all traffic to the other virtual router where it can make its way to the internet.
> >> >
> >> > to force certain local workstations to use either ISP1 or 2 i would use the fact that i have the squid server with 2 NICs, one in LAN1 and the other NIC in LAN2.
> >> > By default all traffic in LAN1 goes to squid server NIC1 then back to LAN1 to go out to the internet. To force some computer to use the slow internet, all i need to do is use a source based route
> >> >
> >> > source ip/subnet mask -> virtual router 2
> >> >
> >> > This means traffic from this ip is pushed to VR2 where policy based routing checks against its rules and determines whether to send to internet on slow connection, or whether to send through proxy on LAN2 then to internet on slow connection.
> >> >
> >> > Lastly when one internet connection goes down all traffic is redirected to the other virtual router where squid rules still apply and failover is almost instantaneous :)
> >> >
> >> >
> >> > On Fri, Jul 22, 2011 at 8:31 AM, Peter C. Ndikuwera <[email protected]> wrote:
> >> >
> >> >> Hi,
> >> >>
> >> >> Anyone have experience with using squid with multiple outgoing connections?
> >> >>
> >> >> Some conditions:
> >> >> - squid cannot be in transparent mode
> >> >> - some IPs must be set to use conn #1 (the faster one)
> >> >> - if either conn #1 or #2 go down, squid should always use the active connection.
> >> >>
> >> >> Ideas?
> >> >>
> >> >> Peter
> >> >>
> >> >> --
> >> >> Evolution (n): A hypothetical process whereby infinitely improbable events occur with alarming frequency, order arises from chaos, and no one is given credit.
> >> >>
> >> >> _______________________________________________
> >> >> The Uganda Linux User Group: http://linux.or.ug
> >> >>
> >> >> Send messages to this mailing list by addressing e-mails to: [email protected]
> >> >> Mailing list archives: http://www.mail-archive.com/[email protected]/
> >> >> Mailing list settings: http://kym.net/mailman/listinfo/lug
> >> >> To unsubscribe: http://kym.net/mailman/options/lug
> >> >>
> >> >> The Uganda LUG mailing list is generously hosted by INFOCOM: http://www.infocom.co.ug/
> >> >>
> >> >> The above comments and data are owned by whoever posted them (including attachments if any). The mailing list host is not responsible for them in any way.
> >> >>
> >> >
> >> > --
> >> > Sanga M. Collins
> >> > Network Engineering
> >> > ~~~~~~~~~~~~~~~~~~~~~~~
> >> > Google Voice: (954) 324-1365
> >> > E-fax: (435) 578 7411
> >>
> >> --
> >> Sanga M. Collins
> >> Network Engineering
> >> ~~~~~~~~~~~~~~~~~~~~~~~
> >> Google Voice: (954) 324-1365
> >> E-fax: (435) 578 7411
> >
> > --
> > rgds,
> >
> > Reinier Battenberg
> > Director
> > Mountbatten Ltd.
> > +256 758 801 749
> > www.mountbatten.net
> > http://twitter.com/batje
> > http://twitter.com/mapuganda
>
> --
> Evolution (n): A hypothetical process whereby infinitely improbable events occur with alarming frequency, order arises from chaos, and no one is given credit.

--
Mike
Of course, you might discount this possibility, but remember that one in a million chances happen 99% of the time.
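The two-virtual-router design Sanga describes and the per-range proxy address Mike suggests can be reproduced on a Linux box that is both the Squid host and the router, which fits Peter's "software only" constraint. The script below is an added example written for this thread, not code posted by anyone in it. It assumes two WAN interfaces named wan1 and wan2 with gateways in RFC 5737 documentation ranges, management on 192.168.0.0/24 and everyone else on 172.16.0.0/24, routing tables 101 and 102 standing in for VR1 and VR2, and a ping-based probe (PROBE is a constructed placeholder) standing in for a real link monitor; the http_port, acl src and tcp_outgoing_address lines are standard Squid directives.

```shell
#!/usr/bin/env bash
# Added example (not from anyone in this thread): a Linux/iproute2 version of the
# two-virtual-router design above, for the case where Squid and the router are
# the same box. Interface names, addresses and table numbers are constructed.
set -u

MGMT_NET="192.168.0.0/24";  LAN1_IP="192.168.0.1"   # management -> proxy IP 1
STAFF_NET="172.16.0.0/24";  LAN2_IP="172.16.0.1"    # everyone else -> proxy IP 2
WAN1_IF="wan1"; WAN1_GW="203.0.113.1"               # ISP #1, the fast one
WAN2_IF="wan2"; WAN2_GW="198.51.100.1"              # ISP #2, the slow one
PROBE="${PROBE:-192.0.2.1}"                         # reachability probe target (constructed)

# Squid side: listen on one address per LAN and give each client range an
# outgoing source address; the kernel rules below steer by that source.
squid_fragment() {
  cat <<EOF
http_port ${LAN1_IP}:3128
http_port ${LAN2_IP}:3128
acl mgmt  src ${MGMT_NET}
acl staff src ${STAFF_NET}
tcp_outgoing_address ${LAN1_IP} mgmt
tcp_outgoing_address ${LAN2_IP} staff
EOF
}

# DRY_RUN=1 (the default) prints the commands instead of executing them.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Kernel side: table 101 plays VR1, table 102 plays VR2. Traffic to the LANs
# must stay on the main table, otherwise proxy replies to clients would be
# pushed out of a WAN interface by the catch-all default routes.
pbr_setup() {
  run ip rule add to "$MGMT_NET"  lookup main pref 50
  run ip rule add to "$STAFF_NET" lookup main pref 50
  run ip route replace default via "$WAN1_GW" dev "$WAN1_IF" table 101
  run ip route replace default via "$WAN2_GW" dev "$WAN2_IF" table 102
  run ip rule add from "$LAN1_IP" lookup 101 pref 100
  run ip rule add from "$LAN2_IP" lookup 102 pref 101
  run iptables -t nat -A POSTROUTING -o "$WAN1_IF" -j MASQUERADE
  run iptables -t nat -A POSTROUTING -o "$WAN2_IF" -j MASQUERADE
}

# The metric-10 cross-router route from the thread, as a decision function:
# a dead ISP's table borrows the other ISP's gateway; if both are dead (or both
# alive) each table keeps its own. Prints "<gw if for 101>|<gw if for 102>".
pick_gateways() {
  local isp1_up=$1 isp2_up=$2
  local t1="$WAN1_GW $WAN1_IF" t2="$WAN2_GW $WAN2_IF"
  [ "$isp1_up" = 1 ] || [ "$isp2_up" != 1 ] || t1="$WAN2_GW $WAN2_IF"
  [ "$isp2_up" = 1 ] || [ "$isp1_up" != 1 ] || t2="$WAN1_GW $WAN1_IF"
  echo "$t1|$t2"
}

# Linux does not withdraw a default route just because the far gateway stopped
# forwarding, so a periodic probe does what the router's route metric did.
isp_up() { ping -I "$1" -c 1 -W 2 "$PROBE" >/dev/null 2>&1; }

apply_failover() {
  local up1=0 up2=0 pick t1 t2
  isp_up "$WAN1_IF" && up1=1
  isp_up "$WAN2_IF" && up2=1
  pick=$(pick_gateways "$up1" "$up2")
  t1=${pick%%|*}; t2=${pick##*|}
  run ip route replace default via "${t1% *}" dev "${t1#* }" table 101
  run ip route replace default via "${t2% *}" dev "${t2#* }" table 102
}

case "${1:-}" in
  squid) squid_fragment ;;      # print the squid.conf fragment
  setup) pbr_setup ;;           # print (or with DRY_RUN=0, apply) the routing setup
  check) apply_failover ;;      # run from cron every minute
esac
```

Because source NAT happens on the egress interface, failover only has to retarget a table's default route; Squid keeps binding to the same LAN address and the kernel does the rest, which is the same effect as Sanga's metric-10 route into the other virtual router. The two `to <LAN> lookup main` rules are the part people most often forget: without them the proxy's own replies to clients match the `from <proxy IP>` rule and are sent to the WAN.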
