# squid ipfw



## pdono (Aug 15, 2011)

Hi, I was wondering how HTTP traffic on the gateway can be caught and redirected with ipfw/nat.
My setup is as follows:


```
if2                                              if1
lan ------->(rl0 192.168.1.0) freebsd gateway(sis0 76.0.0.0) --------> internet                    
                                        |
                                        |
                                        |
                                        |
                                      192.168.1.110 ---------------> internet
                                      squid server
```
On the gateway's outside interface I have:

```
natd:
interface sis0
use_sockets yes
same_ports yes
```
I have a second instance of natd on rl0.

```
natd -v -n rl0 -p 8669 -redirect_address 192.168.1.110 0.0.0.0
```

The ipfw rules are:

```
divert 8668 ip from any to any via sis0
allow all from any to any via sis0
divert 8669 tcp from 192.168.1.0/24 to any dst-port 80 via rl0
```

tcpdump shows the gateway forwarding to the destination and not to squid.

Does anyone have any idea where this is going wrong?


----------



## phoenix (Aug 16, 2011)

You *fwd* packets to Squid, you don't *divert* them.


----------



## pdono (Aug 16, 2011)

Yes, at my first attempt I had

```
ipfw add fwd 192.168.1.110,5128 tcp from 192.168.1.0:255.255.255.0 to any 80
```
(I have squid on port 5128.)

tcpdump shows the gateway forwarding the packets to the destination.
tcpdump on the squid machine doesn't show the packets arriving at all.

At first I figured the ipfw fwd would work, and it did on the gateway with squid listening on a third interface. After reading around a bit, I saw an article on the FreeBSD site that mentioned nat and thought perhaps that may work.
But I'm doing something wrong and it isn't working for me, for sure.


----------



## pdono (Aug 16, 2011)

> tcpdump shows the gateway forwarding the packets to the destination.

edit: tcpdump shows the gateway forwarding the packets to the destination web address not to the squid server.


----------



## phoenix (Aug 16, 2011)

Your squid server is a separate box from your firewall?  And it's plugged into the same switch as the firewall and the rest of the LAN systems?  Meaning, you only have 2 interfaces in your firewall.  Correct?


----------



## pdono (Aug 17, 2011)

Yes phoenix, that is correct. The gateway/firewall and the squid server are two separate units that are both connected to the same switch. 
The gateway has two nics, one public and one private.


----------



## phoenix (Aug 17, 2011)

OK.  All that's missing, then, is to configure a gre(4) interface on the FreeBSD router and the Squid box, and to forward the traffic through that interface.  When setting up the *gre0* interface, you configure it as a WCCP (web cache control protocol, or something like that) transport.

I've never done that, personally.  But there are several guides on doing so on the Squid FAQ, and around the Internet.

Just search for "freebsd ipfw wccp squid" for the details.


----------



## pdono (Aug 17, 2011)

Yes, that seems to be exactly what I need. I will read up on this and post back my results.
Many thanks.


----------



## pdono (Aug 18, 2011)

OK, that worked out well.

I created another private alias on the LAN-side interface of my gateway machine.

```
ifconfig rl1 alias 10.0.0.2
```

Since gre was already compiled into the kernel, it was just a matter of

```
ifconfig gre0 create
ifconfig gre0 10.0.0.2 10.0.0.1 link1
ifconfig gre0 tunnel 192.168.1.114 192.168.1.110
route add -net 10.0.0 -netmask 255.255.255.0 10.0.0.1
```

and added the rule to ipfw:

```
ipfw add 100 fwd 10.0.0.1,5128 tcp from any to any 80
```
5128 is the port I have squid on.

It was the same thing on the squid server side.
I set squid to listen on 10.0.0.1,

set the alias

```
ifconfig bge1 alias 10.0.0.1
```
and created gre0:

```
ifconfig gre0 create
ifconfig gre0 10.0.0.1 10.0.0.2 link1
ifconfig gre0 tunnel 192.168.1.110 192.168.1.114
route add -net 10.0.0 -netmask 255.255.255.0 10.0.0.2
```

And tcpdump now shows traffic being passed and hitting squid.

I have a couple of access errors that squid is throwing back, but I met my goal.
The man page, as always, really helps out.
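As an added example, not commands from the thread: a small POSIX sh script that generates the two-ended gre(4) plus ipfw fwd setup described in this post and checks that the two tunnel ends mirror each other (the usual mistake when typing them in separately). It assumes the thread's addresses and port as defaults and rl0 as the gateway's LAN interface, and it adds an assumed refinement the thread does not show: a rule that passes the proxy's own outbound port-80 fetches untouched so they are not forwarded back into the proxy.

```shell
#!/bin/sh
# Added example, not the thread's own commands. Defaults are the thread's
# addresses and port; override them via environment variables. The thread's
# extra aliases on the physical LAN interfaces are left out here.
GW_LAN_IF=${GW_LAN_IF:-rl0}              # gateway LAN interface (assumed)
GW_LAN_IP=${GW_LAN_IP:-192.168.1.114}    # gateway LAN address = tunnel outer end
GW_GRE_IP=${GW_GRE_IP:-10.0.0.2}         # gateway gre0 (inner) address
PX_LAN_IP=${PX_LAN_IP:-192.168.1.110}    # squid box LAN address = tunnel outer end
PX_GRE_IP=${PX_GRE_IP:-10.0.0.1}         # squid box gre0 (inner) address
PX_PORT=${PX_PORT:-5128}                 # port squid listens on
LAN_NET=${LAN_NET:-192.168.1.0/24}       # clients whose port-80 traffic is intercepted

# Commands for one end of the tunnel.
# $1 local inner, $2 remote inner, $3 local outer, $4 remote outer
gre_side_cmds() {
    printf 'ifconfig gre0 create\n'
    printf 'ifconfig gre0 %s %s link1\n' "$1" "$2"
    printf 'ifconfig gre0 tunnel %s %s\n' "$3" "$4"
    printf 'route add -net 10.0.0.0 -netmask 255.255.255.0 %s\n' "$2"
}

# Consistency check for two ends that were typed in separately: every "local"
# on one side must be the "remote" on the other. Returns 0 when they mirror.
# $1-$4 gateway side, $5-$8 proxy side, each in gre_side_cmds argument order.
gre_check_mirror() {
    [ "$1" = "$6" ] && [ "$2" = "$5" ] && [ "$3" = "$8" ] && [ "$4" = "$7" ]
}

# ipfw rules for the gateway. Rule 90 is the assumed refinement: the proxy's
# own outbound fetches also arrive on the LAN interface with dst-port 80, so
# without it they would match the fwd rule and be sent back into the proxy.
# Rule 100 is the thread's fwd rule, narrowed to LAN clients inbound on rl0.
gateway_ipfw_rules() {
    printf 'ipfw add 90 allow tcp from %s to any 80 in via %s\n' "$PX_LAN_IP" "$GW_LAN_IF"
    printf 'ipfw add 100 fwd %s,%s tcp from %s to any 80 in via %s\n' \
        "$PX_GRE_IP" "$PX_PORT" "$LAN_NET" "$GW_LAN_IF"
}

# Print the whole procedure, gateway side first, then the squid side.
print_setup() {
    echo "# --- on the gateway ---"
    gre_side_cmds "$GW_GRE_IP" "$PX_GRE_IP" "$GW_LAN_IP" "$PX_LAN_IP"
    gateway_ipfw_rules
    echo "# --- on the squid server (squid listens on $PX_GRE_IP:$PX_PORT) ---"
    gre_side_cmds "$PX_GRE_IP" "$GW_GRE_IP" "$PX_LAN_IP" "$GW_LAN_IP"
}

if [ "${1:-}" = "print" ]; then print_setup; fi
```

Run it as `sh setup.sh print` to see both sides' commands; nothing is applied until you paste them on the respective box.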


----------



## phoenix (Aug 18, 2011)

Good to hear.  Thanks for posting your results for the archives.


----------

