Squid + Virtual IP
-
If I want to use squid with a virtual IP, what interface should the IP be on, and what interface should squid be setup to listen on?
(I want to be able to use squid on multiple interfaces using the same virtual IP)(And this should be an alias IP, right?)
-
That sounds complicated. Instead of cooking up a virtual IP that you want all networks to connect to, why can't you just allow those other networks access to the proxy directly via firewall rules? Everyone still accesses the proxy using its LAN IP, regardless of which subnets they're from.
-
@KOM:
That sounds complicated. Instead of cooking up a virtual IP that you want all networks to connect to, why can't you just allow those other networks access to the proxy directly via firewall rules? Everyone still accesses the proxy using its LAN IP, regardless of which subnets they're from.
In this case, I don't want a specific segment having access to ANY other segment. If the proxy is running on LAN, for example, that would still be giving RESTRICTED (one of my other segments) access to at least one LAN IP even if it's just a single port. That's what I do not want to do.
-
But you're basically doing that already by using virtual IPs. You're still giving access to that network, server and port, just indirectly through obfuscation.
-
@KOM:
But you're basically doing that already by using virtual IPs. You're still giving access to that network, server and port, just indirectly through obfuscation.
How? The entire basis of my question was how to set it up so that's NOT the case.
what interface should the IP be on, and what interface should squid be setup to listen on?
I was hoping to use the virtual IP as more of a virtual interface rather than just an alias, but I don't think that's possible.
EDIT: I'm thinking the best option might be to create a vlan that doesn't actually pass through the switch, assign that to a new interface, and then have the proxy listen on that interface and put in rules to allow talk to that.
-
A virtual IP is used in conjunction with a NAT rule & firewall rule to allow access to the virtual IP to be translated to an internal IP. Imagine you have networks A, B, C and D. You want them to get access to a server in network E, but you don't want them to be able to talk to network E, so you create an alias F and have them talk to that. Alias F is just a NAT to the server in network E. You're still giving access to the server in network E, but you're just doing it via the virtual IP. Also like saying you want to give them access to the living room, but you don't like people coming in through the front door so you let them in the back door. They're still coming into the living room. Does it really matter which door they use?
-
Which is why I asked.
I was hoping there was an option akin to a Virtual Interface rather than just an alias over an existing IP. So it looks like for what I want, the vlan method I mentioned would be the only real option, or is there another I'm not seeing?
-
Nope, it's just an alias. I don't have any other suggestions.
-
Well, I'll try setting it up that way (the vlan) tonight and see if it works.
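For reference, a Squid configuration matching the VLAN-interface approach settled on above, as an added example that is not from the thread: it binds the listener to the address of the proxy-only VLAN interface instead of every interface, and lets Squid's own ACLs act as a second layer behind the firewall rules. The addresses (10.99.0.1 for the dedicated interface, 192.168.20.0/24 and 192.168.1.0/24 for the RESTRICTED and LAN segments) are constructed placeholders.

```conf
# Bind only to the proxy-only VLAN interface address, never to 0.0.0.0,
# so no LAN address of the box is reachable from other segments, not even on 3128.
# 10.99.0.1 is a constructed placeholder for the dedicated interface IP.
http_port 10.99.0.1:3128

# Client segments permitted to use the proxy (constructed example ranges).
acl restricted_net src 192.168.20.0/24
acl lan_net        src 192.168.1.0/24

# Only plain web ports, and CONNECT only to the HTTPS port.
acl Safe_ports port 80 443
acl SSL_ports  port 443
acl CONNECT method CONNECT

# Evaluation stops at the first match: reject odd ports, then allow only
# the listed segments, then deny everything else.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow restricted_net
http_access allow lan_net
http_access deny all
```

The firewall rule on each segment's interface should still permit only TCP to 10.99.0.1 port 3128 and nothing else towards the proxy box; the Squid ACLs do not replace that rule, they back it up.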