Date:      Tue, 04 Feb 2003 12:04:59 +0200
From:      Maxim Sobolev <sobomax@portaone.com>
To:        Alexandr Kovalenko <never@nevermind.kiev.ua>
Cc:        sobomax@FreeBSD.ORG, Faried Nawaz <fn@hungry.org>, freebsd-isp@FreeBSD.ORG, freebsd-net@FreeBSD.ORG, Gokhan ERYOL <eryol@metu.edu>, freebsd@freebsddiary.org.ua
Subject:   Re: Fwd: pseudo-device gre and wccp/squid
Message-ID:  <3E3F904B.70E91234@portaone.com>
References:  <20030203185739.GA33669@nevermind.kiev.ua>

Hi,

It works here like a charm, but with ipfw(8), not ipfilter(8), so that
might be where the problem is. The setup is as follows:

/etc/rc.firewall:
	[...]
        ${fwcmd} add fwd 127.0.0.1,3128 tcp from A.B.C.0/28 to any 80 via gre0 in
        ${fwcmd} add fwd 127.0.0.1,3128 tcp from A.B.C.16/30 to any 80 via gre0 in
        ${fwcmd} add fwd 127.0.0.1,3128 tcp from A.B.C.28/30 to any 80 via gre0 in
        ${fwcmd} add fwd 127.0.0.1,3128 tcp from A.B.C.32/29 to any 80 via gre0 in
        ${fwcmd} add fwd 127.0.0.1,3128 tcp from A.B.C.48/30 to any 80 via gre0 in
        ${fwcmd} add fwd 127.0.0.1,3128 tcp from A.B.C.52/30 to any 80 via gre0 in
        ${fwcmd} add fwd 127.0.0.1,3128 tcp from A.B.C.68/30 to any 80 via gre0 in
        ${fwcmd} add fwd 127.0.0.1,3128 tcp from A.B.C.72/30 to any 80 via gre0 in
        ${fwcmd} add fwd 127.0.0.1,3128 tcp from A.B.C.76/30 to any 80 via gre0 in
        ${fwcmd} add fwd 127.0.0.1,3128 tcp from A.B.C.80/29 to any 80 via gre0 in
        ${fwcmd} add fwd 127.0.0.1,3128 tcp from A.B.C.100/30 to any 80 via gre0 in
        ${fwcmd} add fwd 127.0.0.1,3128 tcp from A.B.C.160/29 to any 80 via gre0 in
        ${fwcmd} add fwd 127.0.0.1,3128 tcp from A.B.C.168/29 to any 80 via gre0 in
        ${fwcmd} add fwd 127.0.0.1,3128 tcp from A.B.C.208/29 to any 80 via gre0 in
        ${fwcmd} add fwd 127.0.0.1,3128 tcp from A.B.C.232/30 to any 80 via gre0 in
        ${fwcmd} add fwd 127.0.0.1,3128 tcp from A.B.C.236/30 to any 80 via gre0 in
        ${fwcmd} add fwd 127.0.0.1,3128 tcp from A.B.C.240/30 to any 80 via gre0 in
        ${fwcmd} add fwd 127.0.0.1,3128 tcp from A.B.C.244/30 to any 80 via gre0 in
	[...]

/etc/start_if.gre:
	ifconfig gre0 create
	ifconfig gre0 A.B.C.196 10.20.30.40 netmask 255.255.255.255 link1 tunnel A.B.C.196 A.B.C.197 up

Here A.B.C.196 is the address of the host with squid running, and
A.B.C.197 is the address of the Cisco router. We use a fake address
for configuring the other side of the tunnel on FreeBSD (10.20.30.40)
because the gre driver has certain problems when the source and
destination tunnel addresses are on the same ethernet segment. This is
irrelevant because the tunnel in this case is unidirectional and
packets are only transmitted from the router to FreeBSD.

-Maxim


Alexandr Kovalenko wrote:
> 
> ----- Forwarded message from Faried Nawaz <fn@hungry.org> -----
> 
> Date: Sat, 1 Feb 2003 15:49:23 -0800
> From: Faried Nawaz <fn@hungry.org>
> To: freebsd-isp@FreeBSD.ORG
> Cc: freebsd-net@FreeBSD.ORG
> Subject: pseudo-device gre and wccp/squid
> 
> Hello,
> 
> Is anyone using the gre pseudo-device with squid for WCCP?  Try as I might
> I can't get it to work for me.
> 
> I'm using FreeBSD 4.7-STABLE, using ipfilter's ipnat to redirect packets.
> I've done
> 
> ifconfig gre0 create
> ifconfig gre0 aaa.bbb.ccc.ddd fff.ggg.hhh.iii netmask 255.255.255.255 link0 up
> ifconfig gre0 tunnel aaa.bbb.ccc.ddd fff.ggg.hhh.iii
> 
> aaa.bbb.ccc.ddd is the web proxy's ip, fff.ggg.hhh.iii is the router's.
> 
> ipnat.rules has
> 
> rdr gre0 0.0.0.0/0 port 80 aaa.bbb.ccc.ddd port 8080 tcp
> 
> ipfilter is set to pass through all traffic, and there are no firewall rules
> defined.
> 
> tcpdump on my ethernet interface shows gre packets coming in.
> 
> 04:07:39.093205 fff.ggg.hhh.iii > aaa.bbb.ccc.ddd: gre gre-proto-0x883E
> 
> tcpdump on my gre0 interface shows incoming connections from the users, and
> ipnat -l shows lots of redirects.
> 
> proxy1# ipnat -l | head
> List of active MAP/Redirect filters:
> rdr gre0 0.0.0.0/0 port 80 -> aaa.bbb.ccc.ddd port 8080 tcp
> 
> List of active sessions:
> RDR aaa.bbb.ccc.ddd   8080  <- -> 207.44.178.61   80    [203.215.178.61 4122]
> RDR aaa.bbb.ccc.ddd   8080  <- -> 205.188.250.25  80    [203.215.178.19 1612]
> RDR aaa.bbb.ccc.ddd   8080  <- -> 66.51.99.157    80    [66.206.32.180 3769]
> RDR aaa.bbb.ccc.ddd   8080  <- -> 64.94.89.238    80    [203.215.177.248 1172]
> RDR aaa.bbb.ccc.ddd   8080  <- -> 207.46.104.20   80    [66.206.33.7 1601]
> proxy1#
> 
> However, none of them get to squid.
> 
> Everything worked fine before the upgrade, but I was using the gre patch
> from squid's web site to do the work.  The new pseudo-device appears to
> have WCCP-specific code in it, but it's not working.
> 
> Does anyone have this working?  Anyone at all?  I'm willing to break
> down and switch to ipfw if that'll help, but I can't upgrade my machines
> to 4.7 (and higher) properly without a fix.  Surely someone has used this
> since the code was committed.
> 
> (A hack would be to comment out all code related to the pseudo-device so
> I can use the wccp-specific gre.c.)
> 
> Faried.
> --
> The Great GNU has arrived, infidels, behold his wrath !
> "If a MOO runs on a port no one accesses, does it run?"
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message
> 
> ----- End forwarded message -----
> ----- Forwarded message from Gokhan ERYOL <eryol@metu.edu> -----
> 
> Date: Sun, 02 Feb 2003 14:43:26 +0200
> From: Gokhan ERYOL <eryol@metu.edu>
> To: Faried Nawaz <fn@hungry.org>
> Cc: freebsd-isp@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
> Subject: Re: pseudo-device gre and wccp/squid
> 
> Actually, since  "A gre(4) driver, which can encapsulate IP packets
> using GRE (RFC 1701) or minimal IP encapsulation for Mobile IP (RFC
> 2004), has been added", WCCP over GRE has not been working on FreeBSD
> Stable systems, because there is no WCCP support in new GRE driver. I
> tried the same things as you did. I e-mailed this situation several
> times to lists since 12/11/2002, but there is no action.
> 
> Henrik Nordstrom from squid-cache.org said that adding WCCP support to
> an existing GRE module is in most cases trivial as the packet format is
> identical to plain IP over GRE except for the protocol type, and that
> GRE is only used in one direction (Router -> Proxy) not as a
> bidirectional tunnel.
> 
> Regards
> Gokhan ERYOL
> 
> Faried Nawaz wrote:
> 
> >Hello,
> >
> >Is anyone using the gre pseudo-device with squid for WCCP?  Try as I might
> >I can't get it to work for me.
> >
> >I'm using FreeBSD 4.7-STABLE, using ipfilter's ipnat to redirect packets.
> >I've done
> >
> >ifconfig gre0 create
> >ifconfig gre0 aaa.bbb.ccc.ddd fff.ggg.hhh.iii netmask 255.255.255.255 link0 up
> >ifconfig gre0 tunnel aaa.bbb.ccc.ddd fff.ggg.hhh.iii
> >
> >aaa.bbb.ccc.ddd is the web proxy's ip, fff.ggg.hhh.iii is the router's.
> >
> >ipnat.rules has
> >
> >rdr gre0 0.0.0.0/0 port 80 aaa.bbb.ccc.ddd port 8080 tcp
> >
> >ipfilter is set to pass through all traffic, and there are no firewall rules
> >defined.
> >
> >tcpdump on my ethernet interface shows gre packets coming in.
> >
> >04:07:39.093205 fff.ggg.hhh.iii > aaa.bbb.ccc.ddd: gre gre-proto-0x883E
> >
> >tcpdump on my gre0 interface shows incoming connections from the users, and
> >ipnat -l shows lots of redirects.
> >
> >proxy1# ipnat -l | head
> >List of active MAP/Redirect filters:
> >rdr gre0 0.0.0.0/0 port 80 -> aaa.bbb.ccc.ddd port 8080 tcp
> >
> >List of active sessions:
> >RDR aaa.bbb.ccc.ddd   8080  <- -> 207.44.178.61   80    [203.215.178.61 4122]
> >RDR aaa.bbb.ccc.ddd   8080  <- -> 205.188.250.25  80    [203.215.178.19 1612]
> >RDR aaa.bbb.ccc.ddd   8080  <- -> 66.51.99.157    80    [66.206.32.180 3769]
> >RDR aaa.bbb.ccc.ddd   8080  <- -> 64.94.89.238    80    [203.215.177.248 1172]
> >RDR aaa.bbb.ccc.ddd   8080  <- -> 207.46.104.20   80    [66.206.33.7 1601]
> >proxy1#
> >
> >However, none of them get to squid.
> >
> >Everything worked fine before the upgrade, but I was using the gre patch
> >from squid's web site to do the work.  The new pseudo-device appears to
> >have WCCP-specific code in it, but it's not working.
> >
> >Does anyone have this working?  Anyone at all?  I'm willing to break
> >down and switch to ipfw if that'll help, but I can't upgrade my machines
> >to 4.7 (and higher) properly without a fix.  Surely someone has used this
> >since the code was committed.
> >
> >(A hack would be to comment out all code related to the pseudo-device so
> >I can use the wccp-specific gre.c.)
> >
> >
> >Faried.
> >
> >
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message
> 
> ----- End forwarded message -----
> 
> --
> NEVE-RIPE, will build world for food
> Ukrainian FreeBSD User Group
> http://uafug.org.ua/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
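
Added example (not part of the original message, and not the FreeBSD gre(4) driver's code): a small C classifier for the point made in the thread that WCCP redirect packets look like plain IP over GRE except for the protocol type 0x883E seen in the tcpdump output. The function names and the sample packet are constructed for illustration; it assumes the inner IPv4 packet follows the GRE header directly, as the thread describes, so WCCPv2's additional redirect header is not handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GRE_PROTO_IP   0x0800 /* plain IP over GRE */
#define GRE_PROTO_WCCP 0x883E /* the gre-proto value in the tcpdump line above */
enum gre_kind { GRE_BAD = -1, GRE_OTHER, GRE_IP, GRE_WCCP };

/* Constructed sample: GRE header, IPv4 header (checksum left zero), and the
 * first 4 bytes of TCP (source port 4122, destination port 80). */
static const uint8_t sample_wccp[] = {
    0x00, 0x00, 0x88, 0x3E,
    0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
    192, 0, 2, 10, 198, 51, 100, 7, 0x10, 0x1A, 0x00, 0x50 };

/* Classify a packet starting at its GRE header; on GRE_IP or GRE_WCCP,
 * *inner_off is the offset of the encapsulated IPv4 header. */
enum gre_kind gre_classify(const uint8_t *p, size_t len, size_t *inner_off)
{
    if (len < 4) return GRE_BAD;
    uint16_t flags = (uint16_t)(p[0] << 8 | p[1]);
    uint16_t proto = (uint16_t)(p[2] << 8 | p[3]);
    size_t hdr = 4;
    if (flags & 0x4007) return GRE_BAD; /* routing bit set or version != 0 */
    if (flags & 0x8000) hdr += 4;       /* checksum + offset words */
    if (flags & 0x2000) hdr += 4;       /* key */
    if (flags & 0x1000) hdr += 4;       /* sequence number */
    if (proto != GRE_PROTO_IP && proto != GRE_PROTO_WCCP) return GRE_OTHER;
    if (len < hdr + 20 || (p[hdr] >> 4) != 4) return GRE_BAD;
    *inner_off = hdr;
    return proto == GRE_PROTO_WCCP ? GRE_WCCP : GRE_IP;
}

/* Destination port of the inner TCP segment, or -1 if not TCP or truncated. */
int inner_tcp_dport(const uint8_t *p, size_t len, size_t off)
{
    if (len < off + 20) return -1;
    size_t ihl = (size_t)(p[off] & 0x0f) * 4;
    if (ihl < 20 || len < off + ihl + 4 || p[off + 9] != 6) return -1;
    return p[off + ihl + 2] << 8 | p[off + ihl + 3];
}

int main(void)
{
    size_t off = 0;
    enum gre_kind k = gre_classify(sample_wccp, sizeof sample_wccp, &off);
    printf("kind=%d inner_off=%zu dport=%d\n", (int)k, off,
           inner_tcp_dport(sample_wccp, sizeof sample_wccp, off));
    return 0;
}
```

A decapsulator that accepts only the plain IP protocol type would not hand the sample packet on as an inner IP packet, even though the inner header sits at the same offset.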



