ipfw - natd - squid - 3 NICs - 1 FBSD 5.1 server and routing question

2003-08-04 Thread fbsdquestions
I could sure use an idea for solving the following.  We have a perfectly
functional but saturated DS0 with our telco that is very expensive.  We
have squid running with transparent proxy for our LAN that consists of
about 10-15 users.  [ fwd 127.0.0.1,3128 tcp from 192.168.5.0/24 to any 80 ]
It works fine but still not enough bandwidth so we contracted a connection
with a cable company that we plan to use for all outgoing requests for
port 80 from squid.  The problem is that I can't get the outgoing requests
from squid to use the NIC that is connected to the cable company.

Squid is set up to use the cable company's IP
  tcp_outgoing_address  10.24.194.163
but since the default gateway is to the telco interface, the request is sent
to the telco.

I'm not sure how to make this work.  Our three NICs are set up as follows

rl1
192.168.5.0/24   ---
Internal Network    \
                     \   rl0 [TelCo]
                      -- 200.79.x.0/28 --- INTERNET
                     /   natd-ipfw-squid
rl2                 /    routing: default 200.79.x.1
10.24.194.163/20 ---
Cable Network

Our firewall configuration has been reduced to the following until we can
get this to work.

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 fwd 127.0.0.1,3128 tcp from 192.168.5.0/24 to any 80
65100 divert 8668 ip from any to any via rl0
65500 allow ip from any to any
65535 allow ip from any to any

Everything works great with rl1 - rl0 but rl2 is basically useless.
I have tried many different approaches and none have worked.  I'm probably
complicating it too much.

Any help or suggestions will be appreciated.

Ed

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: ipfw - natd - squid - 3 NICs - 1 FBSD 5.1 server and routing question

2003-08-04 Thread Matthew Seaman
On Mon, Aug 04, 2003 at 06:24:42AM -0700, [EMAIL PROTECTED] wrote:

This sounds to me like a policy based routing problem -- googling for
policy based routing FreeBSD in Google Groups should prove
informative.

However, the mechanism is basically the same as you've used to
implement your transparent proxy.  All you need to do is insert
another rule to trap the port 80 traffic coming out of Squid and send
the packets to the next-hop gateway on your rl2 interface.  That
presumably has its default route set via the cable network.

Something like:

00500 fwd 10.24.207.254 tcp from me to any 80

(assuming that 10.24.207.254 is the router address in the cable
company's network.)  Since your Squid is already using a Cable
Co. address as the source address on any outgoing packets this should
cause all in- and out-going HTTP traffic to pass via the Cable
Co. network.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH UK
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614
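To see why the rule number matters in the reply above, here is an added walk-through (not code from either post, and not FreeBSD's own ipfw) that evaluates the ruleset from the thread plus the suggested fwd rule with a first-match evaluator. It handles only the rule forms used on this page (allow/deny/fwd/divert, ip/tcp, any/me/CIDR/host, an optional destination port and an optional via interface). The cable address 10.24.194.163 and the ruleset are from the thread; 10.24.207.254 is the next hop the reply assumes (it falls inside the rl2 /20); the rl1 address 192.168.5.1 and the rl0 placeholder 203.0.113.2 are constructed, since the telco block is redacted on the page as 200.79.x.0/28.

```python
"""First-match walk-through of the ipfw rules in this thread (added example,
not code from the original posts or from FreeBSD). Models only the rule forms
the thread uses so the order of the fwd rule relative to the divert can be checked."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

CABLE_ADDR = "10.24.194.163"    # from the thread: rl2, squid's tcp_outgoing_address
CABLE_ROUTER = "10.24.207.254"  # next hop assumed in the reply; inside 10.24.192.0/20
LAN_ADDR = "192.168.5.1"        # constructed: the rl1 address
TELCO_ADDR = "203.0.113.2"      # constructed placeholder for the redacted 200.79.x.0/28 address
ME = {CABLE_ADDR, LAN_ADDR, TELCO_ADDR}   # what ipfw's 'me' expands to on this box

@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: Optional[int]
    iface: str            # interface the packet enters or leaves on (ipfw 'via')

def parse_rule(line: str) -> dict:
    """Parse '<num> <action> [<arg>] <proto> from <src> to <dst> [<port>] [via <if>]'."""
    tok = line.split()
    num, action, i, arg = int(tok[0]), tok[1], 2, None
    if action in ("fwd", "divert"):      # these two actions carry an argument
        arg, i = tok[2], 3
    proto = tok[i]
    assert tok[i + 1] == "from" and tok[i + 3] == "to", line
    src, dst, rest = tok[i + 2], tok[i + 4], tok[i + 5:]
    dport = iface = None
    if rest and rest[0] != "via":
        dport = int(rest.pop(0))
    if rest:
        assert rest[0] == "via", line
        iface = rest[1]
    return dict(num=num, action=action, arg=arg, proto=proto,
                src=src, dst=dst, dport=dport, iface=iface)

def addr_matches(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    if spec == "me":
        return ip in ME
    if "/" in spec:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return ip == spec

def rule_matches(rule: dict, pkt: Packet) -> bool:
    return ((rule["proto"] == "ip" or rule["proto"] == pkt.proto)
            and (rule["dport"] is None or rule["dport"] == pkt.dport)
            and (rule["iface"] is None or rule["iface"] == pkt.iface)
            and addr_matches(rule["src"], pkt.src)
            and addr_matches(rule["dst"], pkt.dst))

def evaluate(ruleset: str, pkt: Packet) -> tuple:
    """(number, action, argument) of the first matching rule in number order.
    fwd and divert are terminal in ipfw, so first match is all that matters here."""
    rules = sorted((parse_rule(line) for line in ruleset.strip().splitlines()),
                   key=lambda r: r["num"])
    for r in rules:
        if rule_matches(r, pkt):
            return r["num"], r["action"], r["arg"]
    return 65535, "deny", None   # ipfw's default when nothing matches

BASE_RULES = """
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 fwd 127.0.0.1,3128 tcp from 192.168.5.0/24 to any 80
65100 divert 8668 ip from any to any via rl0
65500 allow ip from any to any
65535 allow ip from any to any
"""

def with_policy_rule(num: int) -> str:
    """The thread's ruleset plus the reply's fwd rule at the given number."""
    return BASE_RULES + f"{num:05d} fwd {CABLE_ROUTER} tcp from me to any 80\n"

def walk_through() -> dict:
    """Constructed packets; outbound ones carry the interface the default route
    chose (rl0), which is what ipfw sees on the output pass before any fwd."""
    squid_out = Packet(CABLE_ADDR, "198.51.100.7", "tcp", 80, "rl0")
    lan_http = Packet("192.168.5.10", "198.51.100.7", "tcp", 80, "rl1")
    lan_https = Packet("192.168.5.10", "198.51.100.7", "tcp", 443, "rl0")
    return {
        # rule 500 sits before the divert: squid's request is handed to the cable router
        "squid_rule_500": evaluate(with_policy_rule(500), squid_out),
        # same rule numbered after 65100: the divert wins and natd sends it to the telco
        "squid_rule_65200": evaluate(with_policy_rule(65200), squid_out),
        "lan_http": evaluate(with_policy_rule(500), lan_http),     # transparent proxy
        "lan_https": evaluate(with_policy_rule(500), lan_https),   # plain natd path
    }

if __name__ == "__main__":
    for name, verdict in walk_through().items():
        print(f"{name:18s} -> {verdict}")
```

Two practical notes on the design: on FreeBSD 5.x the fwd action is only available when the kernel is built with `options IPFIREWALL_FORWARD`, so check that before chasing rule order; and writing the rule as `from 10.24.194.163` rather than `from me` keeps the policy route confined to Squid's outgoing address, so port-80 connections the server itself makes from its telco address still follow the normal default route and NAT path.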
