Date: Thu, 19 Jun 2003 12:07:49 +1000
From: "Hugh Blandford" <hugh@island.net.au>
To: "apellido jr., wilfredo p" <hazecast@yahoo.com>
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: Tranparent Proxy
Message-ID: <005301c33607$960b4da0$7bdea8c0@island.net.au>
References: <20030618132211.91795.qmail@web40402.mail.yahoo.com>
Hi,

I had a bit of sweat and tears over this but it turned out to be easy in the end.

To create the gre tunnels you will need to have:

    pseudo-device gre

in your kernel along with:

    options IPFIREWALL
    options IPFIREWALL_FORWARD

Assuming that your proxy server is 192.168.1.37 and the router's interface is 192.168.1.34, I set up the following entries in rc.local.

The main thing that caused me problems was that some GRE packets come from a loopback interface and some come from the LAN interface facing the proxy server. This is why I had to create two GRE tunnels and two ipfw rules. Assume the loopback is 10.11.44.254.

You can either run tcpdump to find out what GRE traffic is being sent to your proxy or alternatively you could find it being used by

    sh ip wccp
    Global WCCP information:
        Router information:
            Router Identifier: 10.11.44.254
            Protocol Version: 1.0

    ifconfig gre0 create
    ifconfig gre0 192.168.1.37 10.20.30.40 netmask 255.255.255.255 link1 tunnel 192.168.1.37 10.11.44.254 up
    ifconfig gre1 create
    ifconfig gre1 192.168.1.37 10.20.30.41 netmask 255.255.255.255 link1 tunnel 192.168.1.37 192.168.1.34 up

The 10.20.30.40 & 10.20.30.41 addresses are dummies to avoid problems with GRE endpoints being on the same network. Since the GRE traffic is just one way from the router to the proxy it doesn't matter what address you put in there.

Lastly I set up the following IP firewall rules (I have configured squid as per the FAQ Ch 17? and have squid listening on port 80):

    allow ip from 192.168.1.37 to any
    fwd 127.0.0.1 tcp from any to any 80 in recv gre0
    fwd 127.0.0.1 tcp from any to any 80 in recv gre1
    allow ip from any to any

Hope that helps, feel free to contact me if you need more help.

Hugh

----- Original Message -----
From: "apellido jr., wilfredo p" <hazecast@yahoo.com>
To: <freebsd-isp@freebsd.org>
Sent: Wednesday, June 18, 2003 11:22 PM
Subject: Tranparent Proxy

> has anyone tried to configure Transparent proxy using
> gre tunneling between CISCO router <---WCCP--->
> FreeBSD 4.8?
>
> =====
> If you can't hear me, it's because i'm in parentheses. [ apellido jr., wilfredo p. ]
>
> __________________________________
> Do you Yahoo!?
> SBC Yahoo! DSL - Now only $29.95 per month!
> http://sbc.yahoo.com
> _______________________________________________
> freebsd-isp@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
>
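
Added example, not part of the original message or of any FreeBSD or Cisco tooling: a small Python check for the "find out what GRE traffic is being sent to your proxy" step, listing which outer source addresses deliver WCCP-redirected GRE packets so each one gets a matching gre tunnel and ipfw rule. The sample packets are constructed from the addresses in the message; the inner client and web server addresses and the function names are assumptions, and 0x883E is the GRE protocol type WCCP uses.

```python
import socket
import struct
from collections import Counter

GRE_IP_PROTO = 47        # IPv4 protocol number for GRE
WCCP_GRE_TYPE = 0x883E   # GRE protocol type carried by WCCP redirects

def gre_outer_endpoints(packet):
    """Return (outer_src, outer_dst, gre_type) for an IPv4/GRE packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ihl < 20 or packet[9] != GRE_IP_PROTO or len(packet) < ihl + 4:
        return None                       # not GRE, or GRE header truncated
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    _flags, gre_type = struct.unpack("!HH", packet[ihl:ihl + 4])
    return src, dst, gre_type

def wccp_tunnel_sources(packets, proxy_ip):
    """Count WCCP GRE packets addressed to proxy_ip, per outer source address."""
    seen = Counter()
    for pkt in packets:
        info = gre_outer_endpoints(pkt)
        if info and info[1] == proxy_ip and info[2] == WCCP_GRE_TYPE:
            seen[info[0]] += 1
    return seen

def build_ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet (checksum left at zero) for the sample data."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

# Constructed sample traffic; inner client/server addresses are made up.
_inner = build_ipv4("192.168.5.10", "203.0.113.80", 6, b"\x00" * 20)
_gre = struct.pack("!HH", 0, WCCP_GRE_TYPE) + _inner
SAMPLE = [
    build_ipv4("10.11.44.254", "192.168.1.37", GRE_IP_PROTO, _gre),  # from loopback
    build_ipv4("192.168.1.34", "192.168.1.37", GRE_IP_PROTO, _gre),  # from LAN side
    build_ipv4("10.11.44.254", "192.168.1.37", GRE_IP_PROTO, _gre),
    build_ipv4("192.168.1.34", "192.168.1.37", 6, b"\x00" * 20),     # plain TCP
    build_ipv4("192.168.1.34", "192.168.1.37", GRE_IP_PROTO, b"\x00"),  # truncated
]

if __name__ == "__main__":
    for src, n in sorted(wccp_tunnel_sources(SAMPLE, "192.168.1.37").items()):
        print(f"{src}: {n} WCCP GRE packet(s), needs its own gre tunnel and ipfw rule")
```

Any source address reported here that has no gre interface with a matching tunnel endpoint is traffic the fwd rules will never see.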