Tuc at T-B-O-H wrote:
>>      It still looks like, though, nothing is coming over the 
>> wccp0 link. I do a tcpdump and get nothing. 
>>
>> wccp0     Link encap:UNSPEC  HWaddr 
>> D0-2D-F7-EC-00-00-00-00-00-00-00-00-00-00-00-00  
>>           inet addr:2.3.4.236  P-t-P:2.3.4.236  Mask:255.255.255.255
>>           UP POINTOPOINT RUNNING NOARP  MTU:1476  Metric:1
>>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:0 
>>           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
>>
>       I was running a tcpdump looking for the gre data, and accidentally
> didn't specify the wccp0 interface, so it defaulted to my eth0 interface.
> It appears I'm getting the GRE packets over eth0, NOT wccp0! When I decode
> them, they are all SYN's to port 80 at various websites.
> 
>       I go back to wondering if the highest IP on the router, which is
> also the default route for the cache box, is causing it to ignore the tunnel
> and just send it locally..
> 
>               Thanks, Tuc


Others on the list may correct me, as I've only ever done this once.  I don't 
know if my setup was "right" or not, but it did work.

I found that:

the client sends a SYN to the remote site, which is sent down the GRE tunnel by 
cisco.

sniffing eth0 should show the GRE packets.

sniffing wccp0 should show the contents of those packets, which should be syns 
to port 80 on various boxes.

your firewall (on the linux host) should accept these and redirect them to 
squid 3128, which knows how to handle them

squid reads the contents of the redirected packet and makes a regular TCP 
request to the site in question

squid makes a regular tcp response (SYN/ACK) to the client, spoofing its from 
address to be that of the remote website

the client thinks it's talking directly to the site.

the site thinks it's talking directly to the proxy (well, it really is doing 
that)

the CISCO gear WILL DROP an incoming SYN/ACK on an interface different from the 
one the SYN was seen on.
This means that the squid proxy and the clients must be on the same interface 
of the firewall.  If you try to make a dmz with the proxy, and use wccp on the 
firewall between the dmz and the clients, it won't work.

If any of this is wrong I'd love to know as well, as these are my working 
understandings of the system.




-- 
Daniel Rose
National Library of Australia
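The eth0/wccp0 distinction in the reply above, as an added example that is not part of the thread: a small Python decoder that takes a WCCP GRE packet as tcpdump would capture it on eth0 and pulls out the inner client SYN that wccp0 would present after decapsulation. The sample packet is constructed (router 2.3.4.1 and client/server addresses are made up; 2.3.4.236 is the wccp0 address quoted in the thread), and the 4-byte WCCPv2 redirect-header skip is an assumed heuristic rather than anything stated in the thread.

```python
"""Decode a WCCP GRE packet as seen on eth0 and extract the inner TCP SYN
that wccp0 would show after decapsulation. The sample packet is constructed."""
import struct

IPPROTO_GRE, IPPROTO_TCP = 47, 6
GRE_PROTO_WCCP = 0x883E   # GRE protocol type used by WCCP tunnels
TCP_SYN, TCP_ACK = 0x02, 0x10
IPV4_HDR = "!BBHHHBBH4s4s"  # ver/ihl, tos, len, id, frag, ttl, proto, csum, src, dst


def _ipv4(pkt, off):
    """Parse the IPv4 header at off; return (header length, proto, src, dst)."""
    vihl, _, _, _, _, _, proto, _, src, dst = struct.unpack_from(IPV4_HDR, pkt, off)
    if vihl >> 4 != 4:
        raise ValueError("not IPv4 at offset %d" % off)
    dot = lambda b: ".".join(str(x) for x in b)
    return (vihl & 0x0F) * 4, proto, dot(src), dot(dst)


def decode_wccp_gre(pkt):
    """pkt: the outer IPv4 datagram (no link-layer header) as captured on eth0."""
    ihl, proto, osrc, odst = _ipv4(pkt, 0)
    if proto != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE (proto %d)" % proto)
    off = ihl
    gre_flags, gre_proto = struct.unpack_from("!HH", pkt, off)
    if gre_proto != GRE_PROTO_WCCP or gre_flags & 0xB000:  # C/K/S bits => options
        raise ValueError("not a plain WCCP GRE header")
    off += 4
    # Assumed heuristic: WCCPv2 prefixes the inner packet with a 4-byte redirect
    # header, WCCPv1 does not; skip it unless an IPv4 header already starts here.
    if pkt[off] >> 4 != 4:
        off += 4
    ihl2, proto2, isrc, idst = _ipv4(pkt, off)
    if proto2 != IPPROTO_TCP:
        raise ValueError("inner packet is not TCP")
    sport, dport, _, _, doff_flags = struct.unpack_from("!HHIIH", pkt, off + ihl2)
    flags = doff_flags & 0xFF
    return {"outer": (osrc, odst), "src": isrc, "dst": idst, "sport": sport,
            "dport": dport, "flags": flags, "syn": flags & (TCP_SYN | TCP_ACK) == TCP_SYN}


def build_sample(wccp_v2=True):
    """Constructed: router 2.3.4.1 tunnels client 10.0.0.50's SYN to 192.0.2.10:80
    to the cache at 2.3.4.236 (the wccp0 address quoted in the thread)."""
    tcp = struct.pack("!HHIIHHHH", 40123, 80, 1000, 0, (5 << 12) | TCP_SYN, 8192, 0, 0)
    inner = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, IPPROTO_TCP,
                        0, bytes([10, 0, 0, 50]), bytes([192, 0, 2, 10])) + tcp
    gre = struct.pack("!HH", 0, GRE_PROTO_WCCP) + (b"\x00" * 4 if wccp_v2 else b"")
    outer = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(gre) + len(inner), 2, 0, 64,
                        IPPROTO_GRE, 0, bytes([2, 3, 4, 1]), bytes([2, 3, 4, 236]))
    return outer + gre + inner
```

Feeding a real eth0 capture through decode_wccp_gre is the same check as sniffing wccp0: if the inner packets decode to SYNs to port 80 on eth0 but wccp0 stays at zero RX, the tunnel is arriving but not being decapsulated into that interface.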
