Squid and Traffic Shaping possible work around?



  • I found this older post, but it was so old I thought it worth starting a new thread.  It's a workaround that had previously been implemented to make squid work with traffic shaping.

    Leoandru

    Transparent Squid and Traffic Shaping!!
    « on: February 28, 2006, 06:37:21 pm »

    I have been trying to get squid (in transparent mode) to work with traffic shaping for a while now, and was successful today.
    Not that it doesn't completely work, but if you have squid and traffic shaping enabled and have set up priority for HTTP traffic, it doesn't work with squid, as all traffic coming from squid gets pushed into the default queue (qLanDef). It was very annoying because at peak p2p and other traffic, browsing would be sluggish and pages would time out. It wasn't possible to change the priority on the default queue, as most traffic gets pushed there by default. It was hard to lower the priority of p2p apps because most users changed the standard p2p ports.

    Why doesn't it work?

    filter.inc generates a few rules for squid, first the redirect rule.

    rdr on {$lanif} inet proto tcp from any to !{$lanip} port www -> 127.0.0.1 port 3128

    and the pass rule:

    pass in quick on {$lanif} inet proto tcp from any to 127.0.0.1 port 3128 flags S/SA keep state label
    This rule completely bypasses the traffic shaping rules for HTTP.

    How to get it to work?

    Hack /etc/inc/filter.inc !!
    Change the squid redirect rule (unfortunately assigning a specific interface from the webGUI for squid to use doesn't work):
    change   rdr on {$lanif} inet proto tcp from any to !{$lanip} port www -> 127.0.0.1 port 3128
    to       rdr on {$lanif} inet proto tcp from any to !{$lanip} port www -> {$lanip} port 3128

    This will change the redirect rule to reassign HTTP packets to the LAN IP address, which makes them bypass the default pass rule for squid. However, that is not the end of it. If you have anti web lockout turned on in System -> Advanced, it will generate a rule (mine looks like this):

    pass in quick from 192.168.1.0/26 to 192.168.1.1 keep state label "anti-lockout web rule"

    which will still make the squid redirects bypass the shaper rules once more, since the packets were translated to the LAN IP address in the redirect.

    You have 3 choices:
    1. Disable anti-lockout (System -> Advanced), but make sure you have the default lan -> any rule in Firewall -> Rules -> LAN.
    2. Again disable anti-lockout, but create specific rules for the webGUI and SSH (if enabled). Make sure you use the port numbers in the rules.
    3. Hack filter.inc to create a more specific rule for anti-lockout (rather than a general pass for LAN, use the admin ports).

    Well, I modified filter.inc because I was afraid to make a specific rule for the webGUI & SSH, only to forget about it, accidentally change the ports and lock myself out. Here is the change if you're interested.

    Code:

    if (!isset($config['system']['webgui']['noantilockout'])) {

        if ($lansa and $lansn) {
            $webgui_port = $config['system']['webgui']['port'];
            $ssh_port = $config['system']['ssh']['port'];

            // webGUI port: the configured value, else the default for the protocol
            if (isset($webgui_port) && ($webgui_port !== "")) {
                $a_port = $webgui_port;
                unset($webgui_port);
            }
            else {
                $admin_protocol = $config['system']['webgui']['protocol'];
                switch ($admin_protocol) {
                    case "http":
                        $a_port = '80';
                        break;
                    case "https":
                        $a_port = '443';
                        break;
                    default:
                        $a_port = '80';
                }
                unset($admin_protocol);
            }

            // SSH port: the configured value, else 22
            if (isset($ssh_port) && ($ssh_port !== "")) {
                $a_port .= ',' . $ssh_port;
                unset($ssh_port);
            }
            else { $a_port .= ',22'; }

            // pass only the admin ports, not everything addressed to the LAN IP
            $ipfrules .= <<<EOD
    # make sure the user cannot lock himself out of the webGUI or SSH
    anchor "anti-lockout"
    pass in quick proto tcp from {$lansa}/{$lansn} to $lanip port {{$a_port}} keep state label "anti-lockout web rule"

    EOD;
        }
    }

    Here's my generated rule after the mod:
    pass in quick proto tcp from 192.168.1.0/26 to 192.168.1.1 port {445,22} keep state label "anti-lockout web rule"
    It works every time I change the ports in System -> Advanced.

    Be sure to use non-standard ports for the webGUI (not 80 or 443), as anti-lockout will still bypass the shaper rules.
    Use the wizard to prioritize HTTP traffic and it works. I created specific queues for each IP on my LAN and this works also.
    If there are no shaper rules for squid, squid redirects still get passed by the default lan to any rule.

    Only sad thing is I'll have to change filter.inc every time I upgrade!!

    Nonetheless, hope I helped someone.

    I tried to implement this under the new squid installation. I found the line referenced:

    rdr on {$lanif} inet proto tcp from any to !{$lanip} port www -> 127.0.0.1 port 3128

    actually in /usr/local/pkg/squid.inc, but !{$lanip} is now !{$iface}.  Needless to say, I wasn't able to get it to work without crashing squid and causing all web browsing to cease.  Anyone else have a workaround to make the two get along?
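As an added illustration (not code from the thread, from pfSense or from the squid package), here is a constructed pf.conf fragment showing the quoted workaround end to end: the redirect to the LAN address, the anti-lockout rule narrowed to the admin ports, and the proxied HTTP flow landing in an HTTP queue instead of qLanDef. The interface name, addresses, bandwidth, queue names other than qLanDef and the 445/22 admin ports are assumptions.

```pf
# Constructed example: interface, addresses and bandwidth are assumed.
lan_if      = "fxp1"
lan_ip      = "192.168.1.1"
lan_net     = "192.168.1.0/26"
admin_ports = "{ 445, 22 }"     # webGUI on a non-standard port, plus SSH

# Two queues: everything not matched elsewhere falls into qLanDef.
altq on $lan_if priq bandwidth 10Mb queue { qLanDef, qLanHttp }
queue qLanDef priq(default)
queue qLanHttp priority 5

# Redirect client HTTP to squid on the LAN address (the thread's change),
# not 127.0.0.1, so the redirected flow is evaluated by the normal LAN rules.
# squid must be listening on $lan_ip:3128 for this to work.
rdr on $lan_if inet proto tcp from any to !$lan_ip port www -> $lan_ip port 3128

# Anti-lockout limited to the admin ports only. With the broad
# "pass in quick from $lan_net to $lan_ip keep state" the proxied HTTP,
# now addressed to $lan_ip:3128, would match here and land in qLanDef.
pass in quick on $lan_if proto tcp from $lan_net to $lan_ip \
    port $admin_ports keep state label "anti-lockout web rule"

# Proxied HTTP now reaches this rule and is queued as HTTP traffic.
pass in quick on $lan_if proto tcp from $lan_net to $lan_ip port 3128 \
    flags S/SA keep state queue qLanHttp label "http via squid"

# Default LAN -> any rule; anything else from the LAN stays in qLanDef.
pass in on $lan_if from $lan_net to any keep state queue qLanDef
```

Rule order matters here: the narrowed anti-lockout rule must not match port 3128, and the port-3128 pass must precede the default LAN rule, otherwise the proxied traffic is queued as default again.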



  • I had a quick look at what you did, so I don't know what's causing squid to crash, but as I said before, squid has been changed for transparent proxying.

