Squid doesn't care about outbound NAT IP?



  • Hi Guys,

    When I activate Squid, my outbound IP is not shown correctly to the WWW.

    I have an outbound rule that says "everything from LAN to WAN: NAT my address to my second public IP 87.199.9.9".

    That's working fine. But when I enable Squid, this rule is ignored and my "normal public IP" is shown to the WWW.
    (Squid is running in transparent mode; not sure if it makes a difference for that?!)

    When I open "wieistmeineip.de" without Squid it says 87.199.9.9 (correct).

    When I open "wieistmeineip.de" with Squid enabled it says "23.894.22.28" (my public IP, which the PPPoE interface gets from my ISP).

    My second public IP that my ISP assigned to me is configured as "Other" under the Virtual IP tab.
    As said, working fine without Squid.

    I read about the solution to put "tcp_outgoing_address 87.199.9.9" in a "custom config".
    But then I get the Squid error page when trying to load a web page: "Server replied [No Error]"?

    Does anybody have a solution for that problem?

    (Running 2.3.1-RELEASE with latest squid package available from repo)

    Greets,
    Alex


  • Rebel Alliance Developer Netgate

    When traffic goes to squid, squid makes its own outbound connection from the firewall itself. This will always come from the interface IP address on the firewall. It would not be matched by NAT like you show, because the source of the traffic from squid would not be the LAN address, not the way that the firewall sees it.

    You can change the outgoing address in squid using some advanced options, search around a bit for "tcp_outgoing_address" and you'll find the syntax for it. Set that outgoing address to the external IP address you want to see. Though the IP address you use has to be an IP Alias or CARP type VIP.
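
The point in the reply above, as an added example (not code from the thread or from pfSense/Squid): a small model of why an outbound NAT rule written for "LAN net -> WAN" never matches a connection Squid opens from the firewall itself, and a check that a `tcp_outgoing_address` in squid.conf names an address the firewall actually has bound (an IP Alias or CARP VIP), since Squid binds its socket to that address. The LAN subnet, the LAN client, the WAN placeholder 203.0.113.7 and the squid.conf fragment are constructed for the example; 87.199.9.9 is the VIP quoted in the thread.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed addresses. 87.199.9.9 is the second public IP from the thread;
# 203.0.113.7 is a documentation-range placeholder for the PPPoE WAN address
# (the thread's "23.894.22.28" is not a valid IPv4 address).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN subnet
LAN_CLIENT = ipaddress.ip_address("192.168.1.50")  # assumed LAN host
WAN_IP = ipaddress.ip_address("203.0.113.7")       # assumed WAN interface IP
VIP = ipaddress.ip_address("87.199.9.9")           # VIP from the thread


@dataclass(frozen=True)
class NatRule:
    """One outbound NAT rule: translate sources in src_net leaving out_if."""
    src_net: ipaddress.IPv4Network
    out_if: str
    translate_to: ipaddress.IPv4Address


# The poster's rule: "everything from LAN to WAN, NAT to 87.199.9.9".
RULES = [NatRule(LAN_NET, "wan", VIP)]


def egress_source(conn_src, out_if, rules=RULES):
    """Source address the remote web server sees for a connection leaving
    out_if with source conn_src (as the firewall sees it) after outbound NAT."""
    for rule in rules:
        if rule.out_if == out_if and conn_src in rule.src_net:
            return rule.translate_to
    # No rule matched: the packet leaves untranslated.
    return conn_src


def squid_source(bind_addr=None):
    """Address Squid's own outbound socket is bound to. Without
    tcp_outgoing_address the kernel picks the egress interface address."""
    return bind_addr if bind_addr is not None else WAN_IP


def scenarios():
    """What the web server sees in the three situations from the thread."""
    return {
        # Client talks to the site directly: source is a LAN address, rule hits.
        "direct_from_lan": egress_source(LAN_CLIENT, "wan"),
        # Transparent Squid intercepts and reconnects from the firewall itself:
        # source is the WAN interface IP, which is not in LAN net, rule misses.
        "via_squid_default": egress_source(squid_source(), "wan"),
        # tcp_outgoing_address binds Squid's socket to the VIP; no NAT needed.
        "via_squid_outgoing_addr": egress_source(squid_source(VIP), "wan"),
    }


# Constructed squid.conf fragment (Squid 3.x syntax) restricting the outgoing
# address to requests that came from the LAN ACL.
SQUID_CONF = """\
http_port 3128 intercept
acl lan src 192.168.1.0/24
tcp_outgoing_address 87.199.9.9 lan
"""


def outgoing_addresses(conf):
    """Extract (address, acl_names) pairs from tcp_outgoing_address lines."""
    found = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"tcp_outgoing_address\s+(\S+)(.*)", line)
        if m:
            found.append((ipaddress.ip_address(m.group(1)), m.group(2).split()))
    return found


def unbound_outgoing(conf, bound_addrs):
    """Outgoing addresses Squid is told to use that the firewall does not hold.
    A VIP of type "Other" is used only for NAT and is not bound to any
    interface, so it would show up here; an IP Alias or CARP VIP would not."""
    bound = {ipaddress.ip_address(a) for a in bound_addrs}
    return [addr for addr, _ in outgoing_addresses(conf) if addr not in bound]


if __name__ == "__main__":
    for name, seen in scenarios().items():
        print(f"{name:26s} -> remote sees {seen}")
    # Assumed list of addresses configured on the firewall's interfaces.
    print("not bound:", unbound_outgoing(SQUID_CONF, ["203.0.113.7", "192.168.1.1"]))
    print("not bound:", unbound_outgoing(SQUID_CONF, ["203.0.113.7", "87.199.9.9"]))
```

On a real box the `bound_addrs` list is what `ifconfig` reports on the WAN interface after the IP Alias is added; if the VIP is missing there, Squid cannot bind to it no matter what the NAT rules say.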



  • Hi jimp,

    thanks for your reply. :)

    I tried to give Squid the custom config
    tcp_outgoing_address 87.199.9.9
    in the field "Custom ACLs (After Auth)".
    But the IP did not change. The "WAN address" is still shown to the public.

    If I put that line in "Custom ACLs (Before Auth)" I get the Squid error page while loading a website: "The system answered [No Error]".
    I also get the error page when I put the line in the "Integrations" field.

    The IPs are configured as IP Alias.
    Any more hints? :)

    Greets

