Hi,

Had the same problem with WCCP/FreeBSD. I use route maps now and all is working 100%. It apparently has to do with the IOS version you use.
I spoke to the guys at cacheflow as I tested their product and they gave me that answer. There is also a white paper on their site explaining this problem. I have not changed the IOS yet so can't tell you if it works or not.

Doron

-----Original Message-----
From: Clive Cleland [mailto:[EMAIL PROTECTED]
Sent: 16 November 2003 03:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [squid-users] Transparent Proxy on FreeBSD 4.9 problem with Yahoo/Hotmail login

Raphael

Try setting MSS = 1400 for TCP connections from your clients (use this number if your normal MSS is 1500/1476). This is done on the squid server, not the client machines, as it is negotiated during TCP connection setup. Under iptables, it is done using the following command:

    -A OUTPUT -d 1.2.3.0/24 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1400

I'm sorry I can't help with FreeBSD/ipfw. If you use 'ip route' to set up routing, I believe it can also be done on a per-route basis.

The problem is that some sites use very large cookies. When the HTTP request exceeds the size of one packet, the addition of the GRE header makes the first packet too large, so it is dropped by the WCCP router. By telling clients to limit their packet size, the addition of the GRE overhead still results in legal packets.

The smaller size should make negligible difference in network performance, but perhaps you can tune this to your needs? Also, you might be able to further restrict this to just port 80 traffic?

Hopefully this at least gives you somewhere to look.

Clive

-----Original Message-----
From: Raphael Maseko [mailto:[EMAIL PROTECTED]
Sent: Sunday, 16 November 2003 4:02 AM
To: [EMAIL PROTECTED]
Subject: [squid-users] Transparent Proxy on FreeBSD 4.9 problem with Yahoo/Hotmail login

Hi Fellow Listers,

I have been running squid-2.5.STABLE4 with transparent proxying using WCCP V1 on FreeBSD 4.6.2 without any problems. I have now installed the same version on FreeBSD 4.9.
Unlike in the previous version where I had to apply patches and hacks to get the gre packets stripped by my BSD box, I used the "pseudo-device gre" option in the kernel and set up the tunnel using the following:

    ifconfig gre0 create
    ifconfig gre0 My_Squid_IP 10.20.30.1 netmask 255.255.255.255 link1 tunnel My_Squid_IP My_Router_IP up

and the following IPFW rules:

    ipfw add 49 allow tcp from My_Squid_IP to any
    ipfw add 50 fwd 127.0.0.1,3128 tcp from any to any 80 via gre0 in

(The ipfw is set to default to accept)

Here is a sample from the ipfw -a sh command:

    00049  29586  2886034 allow tcp from My_Squid_IP to any
    00050  29592  2493277 fwd 127.0.0.1,3128 tcp from any to any 80 in recv gre0
    65535 101631 65282581 allow ip from any to any

The transparent proxy is working fine except when it comes to logging into sites like yahoo and hotmail and reading webmail. The main page is accessed but stalls and eventually fails on authentication. I suspect that this has something to do with the gre tunnel and the way packets that are not supposed to be cached are being treated.

Has anyone run into this problem and if so how did you deal with it?

Please help. Thanks in advance.

Ralph
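
The packet-size problem Clive describes, as an added example that is not part of the original thread: it builds a full-sized client packet, wraps it the way a WCCP router would (outer IPv4 header plus a 4-byte GRE header), and checks the result against the link MTU. The 1500-byte MTU, option-free 20-byte IP and TCP headers, plain WCCP V1 GRE framing, and the documentation-range addresses are assumptions.

```python
import struct

LINK_MTU = 1500          # assumption: Ethernet MTU between router and Squid box
IP_HDR = 20              # IPv4 header without options
TCP_HDR = 20             # TCP header without options
GRE_HDR = 4              # basic GRE header: flags/version + protocol type
GRE_PROTO_WCCP = 0x883E  # GRE protocol type used for WCCP redirection


def ipv4_header(total_len, proto, src, dst):
    """Minimal IPv4 header with DF set; checksum left at 0 (only sizes matter)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000,
                       64, proto, 0, bytes(src), bytes(dst))


def client_segment(mss):
    """Full-sized client packet: IP + TCP + `mss` bytes of HTTP request data."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = ipv4_header(IP_HDR + TCP_HDR + mss, 6,
                     (192, 0, 2, 10), (198, 51, 100, 80))  # constructed addresses
    return ip + tcp + b"A" * mss  # payload stands in for a large Cookie header


def wccp_gre_encapsulate(inner):
    """Router side: outer IPv4 (protocol 47 = GRE) + GRE header + original packet."""
    gre = struct.pack("!HH", 0, GRE_PROTO_WCCP)
    outer = ipv4_header(IP_HDR + len(gre) + len(inner), 47,
                        (203, 0, 113, 1), (203, 0, 113, 2))  # router -> Squid
    return outer + gre + inner


def fits(mss, mtu=LINK_MTU):
    """True if a full-sized segment still fits the link after encapsulation."""
    return len(wccp_gre_encapsulate(client_segment(mss))) <= mtu


def max_safe_mss(mtu=LINK_MTU):
    """Largest MSS whose full-sized segment survives GRE encapsulation."""
    return mtu - IP_HDR - GRE_HDR - IP_HDR - TCP_HDR


if __name__ == "__main__":
    for mss in (1460, max_safe_mss(), 1400):
        size = len(wccp_gre_encapsulate(client_segment(mss)))
        verdict = "fits" if fits(mss) else "too large"
        print(f"MSS {mss}: {size} bytes after GRE -> {verdict}")
```

Small requests fit in one short packet either way, which matches the symptom in the thread: ordinary pages load, while logins carrying large cookies stall.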
