[RESOLVED] direct internet access (outbound NAT) too slow



  • Hello everyone,
    PF version 1.2.3

    Before installing SQUID+SQUIDGUARD we were using outbound NAT for users' internet access;
    after installing SQUID+SQUIDGUARD most users are using the proxy service with user and password (non-transparent) with great success.

    But now we have another problem. We have users who have to access the internet directly, as in the old days (without squid+squidguard).

    They can access the internet, but slowly. Nothing changed in the configuration; only squid+squidguard was installed.

    Any experience with this subject? Any ideas?



  • Very slow access is usually a sign of misconfigured proxies. Double-check that you have the proper configuration. Not sure if squidguard acts as a separate proxy from squid. If so, make sure you have the forwarding proxy properly set up.



  • This is my squid.conf

    Users who are using the non-transparent proxy are surfing very well, without any problem.

    But direct-access users have a speed problem when accessing web sites. Any ideas?

    /usr/local/etc/squid/squid.conf

    # Do not edit manually !

    http_port 192.168.0.1:8080
    icp_port 0

    pid_filename /var/run/squid.pid
    cache_effective_user proxy
    cache_effective_group proxy
    error_directory /usr/local/etc/squid/errors/Turkish
    icon_directory /usr/local/etc/squid/icons
    visible_hostname proxy.local
    cache_mgr XXX@xxx.com
    access_log /var/squid/log/access.log
    cache_log /var/squid/log/cache.log
    cache_store_log none
    logfile_rotate 30
    shutdown_lifetime 3 seconds

    # Allow local network(s) on interface(s)

    acl localnet src 192.168.0.0/255.255.255.0
    uri_whitespace strip

    cache_mem 512 MB
    maximum_object_size_in_memory 32 KB
    memory_replacement_policy heap GDSF
    cache_replacement_policy heap LFUDA
    cache_dir aufs /var/squid/cache 10000 16 256
    minimum_object_size 0 KB
    maximum_object_size 512000 KB
    offline_mode off
    cache_swap_low 90
    cache_swap_high 95

    # No redirector configured

    # Setup some default acls

    acl all src 0.0.0.0/0.0.0.0
    acl localhost src 127.0.0.1/255.255.255.255
    acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 1025-65535
    acl sslports port 443 563
    acl manager proto cache_object
    acl purge method PURGE
    acl connect method CONNECT
    acl dynamic urlpath_regex cgi-bin \?
    acl allowed_subnets src 192.168.0.0/24 192.168.50.0/24
    acl unrestricted_hosts src "/var/squid/acl/unrestricted_hosts.acl"
    cache deny dynamic
    http_access allow manager localhost

    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !safeports
    http_access deny CONNECT !sslports

    # Always allow localhost connections

    http_access allow localhost

    quick_abort_min 0 KB
    quick_abort_max 0 KB
    request_body_max_size 0 KB
    reply_body_max_size 0 allow all
    delay_pools 1
    delay_class 1 2
    delay_parameters 1 -1/-1 -1/-1
    delay_initial_bucket_level 100

    # Throttle extensions matched in the url

    acl throttle_exts urlpath_regex -i "/var/squid/acl/throttle_exts.acl"
    delay_access 1 allow throttle_exts
    delay_access 1 deny all

    # These hosts do not have any restrictions

    http_access allow unrestricted_hosts
    auth_param basic program /usr/local/libexec/squid/ncsa_auth /var/etc/squid.passwd
    auth_param basic children 5
    auth_param basic realm Please enter your credentials to access the proxy
    auth_param basic credentialsttl 10 minutes
    acl password proxy_auth REQUIRED
    http_access allow unrestricted_hosts
    http_access allow password localnet
    http_access allow password allowed_subnets

    # Custom options

    http_port 192.168.50.1:8080
    redirect_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf
    redirector_bypass on
    redirect_children 3

    # Default block all to be sure

    http_access deny all



  • Problem solved by adding the local direct-access IP addresses to Services > Proxy server > Access control > Unrestricted IPs

