Think I finally figured it out... It was internal routing as I had expected.
Remember, eth0 (inside), eth1 (admin), eth2 (inet)...

The issue was that I had two interfaces on the same network 192.168.1.x... (br0 
and eth1), one being the bridge (br0) and the other being the Admin interface I 
was using (addr. via DHCP). Because it was the first entry in the route 
table to the network, Linux wasn't sending packets from squid into the bridge. 

This works: 

192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.88 
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.91 
default via 192.168.1.254 dev eth1 
default via 192.168.1.254 dev br0 

This doesn't: 

192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.91 
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.88 
default via 192.168.1.254 dev br0 
default via 192.168.1.254 dev eth1 

My simple solution was to release the ip addr of eth1 (dhcp -r eth1) and then 
assign dhcp to br0 and then re-dhcp eth1. 

Have to think about if I can craft a policy to do the right thing regardless of 
order without having to release eth1.  Till then it works fine. 

You might want to update the twiki  


On Mar 16, 2011, at 4:25 AM, Amos Jeffries wrote:

> On 16/03/11 22:03, Jim Binder wrote:
>> Amos,
>> 
>> Back at it again tonight -- So, when you did this (and I'm assuming you have 
>> -- maybe incorrectly ); ) how many nics did you have enabled.
>> 
> 
> I've only had login with one client machine briefly that was doing it. Worked 
> perfectly. The rest, including coding has been completely done on theory with 
> others doing the hands-on tests. Sorry :(
> 
> The easy setups have 2 NICs to keep the client->Squid and Squid->Internet 
> packets physically separated. The netfilter guys came up with some MAC-based 
> rules that can work for one NIC on the Squid box when it's hanging directly 
> off a border router (which then needs 3 NICs).
> 
>> Also, for grins, I just to Ubuntu 11.04 with same config and tested with 
>> both 2.7Stable9 and 3.HEAD and still get it to work.
>> 
> 
> ? "still get it to work"?   you missing the words "could not" there?
> 
> I know 10.10 lacks libcap2 and has some funky customizations in the kernel 
> which break it. Those probs were supposed to be fixed in 11.04 though.
> 
> Say what exact version of libcap-2.* do you have compiled into Squid?
> 
> Amos
> -- 
> Please be using
>  Current Stable Squid 2.7.STABLE9 or 3.1.11
>  Beta testers wanted for 3.2.0.5



James S. Binder
Vice President, Engineering

[email protected]
408.761.1403 (cell)
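
Added example, not part of the original e-mail: a Python check over `ip route` output that flags a directly connected network whose first route entry uses a different device than the intended one, following the message's observation that the first entry is the one Linux used. The function names and the choice to skip gateway (`via`) routes are assumptions of this example; the two tables are the ones quoted in the message.

```python
from collections import OrderedDict

# Route tables as quoted in the message above.
WORKING = """\
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.88
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.91
default via 192.168.1.254 dev eth1
default via 192.168.1.254 dev br0
"""
BROKEN = """\
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.91
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.88
default via 192.168.1.254 dev br0
default via 192.168.1.254 dev eth1
"""


def connected_routes(text):
    """Return (destination, device) pairs for on-link routes, in table order."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        # Skip blank lines, gateway routes, and lines without a device.
        if not fields or "via" in fields or "dev" not in fields:
            continue
        idx = fields.index("dev")
        if idx + 1 < len(fields):
            routes.append((fields[0], fields[idx + 1]))
    return routes


def shadowed_routes(text, wanted_dev):
    """List (destination, first_device) where wanted_dev has a route to the
    destination but another device's entry appears before it."""
    by_dest = OrderedDict()
    for dest, dev in connected_routes(text):
        by_dest.setdefault(dest, []).append(dev)
    return [(dest, devs[0]) for dest, devs in by_dest.items()
            if wanted_dev in devs and devs[0] != wanted_dev]


if __name__ == "__main__":
    for name, table in (("working", WORKING), ("broken", BROKEN)):
        print(name, shadowed_routes(table, "br0"))
```

On a live box the input would be the text printed by `ip route show`.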

