Ada apa dg lusca saya?



  • om-om semua, mau tanya dong.
    saya sudah set lusca, squidGuard dan lightsquid di pfSense 2.0-RC3. seting transparent proxy di squid dan limitasi waktu dan url di squidguard. user akses ke internet fine-fine saja. tapi trafik WAN saya kemakan banyak padahal trafik LAN-nya gak sebesar WAN. detailnya bisa lihat di attachment.
    ada apa dg lusca saya?

    bw-01.png adalah IIX.
    bw-02.png adalah International.

















  • UPDATE:
    menggunakan RRDgraph built-in pfSense.
    trafik incoming ke WAN interface jauh lebih besar dibanding outgoing from LAN interface.

    squid.conf:

    
    # Squid/Lusca configuration as posted. The header below marks it as a generated file, so
    # changes made by hand may be overwritten by whatever generates it.
    # Do not edit manually !
    # Two interception ("transparent") listeners: one on 172.16.1.254 and one on loopback.
    http_port 172.16.1.254:3128 transparent 
    http_port 127.0.0.1:80 transparent 
    # ICP (inter-cache protocol) is disabled.
    icp_port 0
    
    pid_filename /var/run/squid.pid
    # Squid runs as the unprivileged "proxy" user and group.
    cache_effective_user proxy
    cache_effective_group proxy
    error_directory /usr/local/etc/squid/errors/English
    icon_directory /usr/local/etc/squid/icons
    visible_hostname firewall2.xxx.co.id
    cache_mgr admin@xxx.co.id
    # access.log is the per-request audit trail (client IP, result code, bytes, URL);
    # 15 rotated generations are kept.
    access_log /var/squid/log/access.log
    cache_log /var/squid/log/cache.log
    cache_store_log none
    logfile_rotate 15
    shutdown_lifetime 0 seconds
    # Allow local network(s) on interface(s)
    acl localnet src  172.16.0.0/255.255.0.0
    # NOTE(review): in Squid releases that accept "transparent" here, the client's
    # X-Forwarded-For header is passed through unmodified - confirm this build supports it.
    forwarded_for transparent
    # Hides the Squid version string in HTTP headers and generated error pages.
    httpd_suppress_version_string on
    uri_whitespace strip
    dns_nameservers 202.159.32.2 202.159.33.2 202.158.3.7 202.169.33.220 
    
    cache_mem 128 MB
    maximum_object_size_in_memory 4 KB
    memory_replacement_policy heap GDSF
    cache_replacement_policy heap LFUDA
    
    # 50000 MB on-disk cache; objects between 2 KB and 128 MB are eligible for disk storage.
    cache_dir aufs /var/squid/cache 50000 16 256
    minimum_object_size 2 KB
    maximum_object_size 128 MB
    offline_mode off
    cache_swap_low 90
    cache_swap_high 95
    # Destination domains listed in donotcache.acl are never cached.
    acl donotcache dstdomain '/var/squid/acl/donotcache.acl'
    cache deny donotcache
    # NOTE(review): the generated comment below is stale for this file - a redirector
    # (squidGuard) is configured further down via redirect_program.
    # No redirector configured
    
    # Setup some default acls
    acl all src 0.0.0.0/0.0.0.0
    acl localhost src 127.0.0.1/255.255.255.255
    # NOTE(review): 1025-65535 covers every unprivileged port, so "http_access deny !safeports"
    # below only blocks low ports that are not listed here.
    acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 8080 3128 1025-65535
    # CONNECT tunnels are permitted to 443, 563 and also 8080.
    acl sslports port 443 563 8080
    acl manager proto cache_object
    acl purge method PURGE
    acl connect method CONNECT
    acl partialcontent_req req_header Range .*
    #acl dynamic urlpath_regex cgi-bin ?
    # The contents of include.conf are not shown; any rules in it are read at this position,
    # i.e. before every http_access line in this file.
    include /usr/local/etc/squid/include.conf
    #cache deny dynamic
    # http_access rules are evaluated top to bottom and the first match decides.
    # Cache-manager requests are accepted from localhost ...
    http_access allow manager localhost
    
    # Allow external cache managers
    # ... and from 192.168.1.1, which lies outside the localnet ACL (172.16.0.0/16).
    # NOTE(review): no cachemgr_passwd appears in this listing - verify one is set elsewhere.
    acl ext_manager_1 src 192.168.1.1 
    http_access allow manager ext_manager_1
    
    http_access deny manager
    # PURGE (cache eviction) is accepted only from localhost.
    http_access allow purge localhost
    http_access deny purge
    http_access deny !safeports
    http_access deny CONNECT !sslports
    
    # Always allow localhost connections
    http_access allow localhost
    
    # quick_abort_* decide whether Squid keeps downloading an object after the client aborts:
    # finish when less than min remains, abort when more than max remains, finish when more
    # than pct percent has already been transferred.
    quick_abort_min 32 KB
    quick_abort_max 128 KB
    quick_abort_pct 75
    # 0 = never fetch more than the client asked for in a Range request.
    # NOTE: a second "range_offset_limit -1" under "Custom options" below comes later in the
    # file; the thread states the initial effective setting was -1.
    range_offset_limit 0 MB
    # NOTE(review): Squid documents a size of 0 as "no limit" for these two - confirm for this build.
    request_body_max_size 0 allow all
    reply_body_max_size 0 deny all
    
    # One class-2 delay pool. -1/-1 means unlimited for both the aggregate and the per-host
    # bucket, so as configured this pool does not cap throughput.
    delay_pools 1
    delay_class 1 2
    delay_parameters 1 -1/-1 -1/-1
    delay_initial_bucket_level 100
    # Throttle extensions matched in the url
    acl throttle_exts urlpath_regex -i '/var/squid/acl/throttle_exts.acl'
    delay_access 1 allow throttle_exts
    delay_access 1 deny all
    
    # Custom options
    # Long freshness lifetimes (min/max in minutes) for vendor update payloads; reload-into-ims
    # turns a client "reload" into an If-Modified-Since revalidation.
    # NOTE(review): the dots in these patterns are unescaped as printed, so each "." matches any
    # character; backslashes may have been lost when the file was posted - compare with the
    # file on the box.
    refresh_pattern ([^.]+.|)(download|(windows|)update|).(microsoft.|)com/.*.(cab|exe|msi|msp) 4320 100% 43200 reload-into-ims
    refresh_pattern ([^.]+.|)avg.com/.*.(bin) 4320 100% 43200 reload-into-ims
    refresh_pattern ([^.]+.|)symantecliveupdate.com/.*.(zip|exe|jdb|xdb) 43200 100% 43200 reload-into-ims
    refresh_pattern ([^.]+.|)avast.com/.*.(vpu|vpaa|vpx) 4320 100% 43200 reload-into-ims
    refresh_pattern ([^.]+.|)avira.de/.*.(vdf|ivdf|zip) 4320 100% 43200 reload-into-ims
    refresh_pattern ([^.]+.|)adobe.com/.*.(exe|msi) 4320 100% 43200 reload-into-ims
    # -1 = on any Range request, fetch the object from the beginning so it can be cached.
    # Every small partial request (TCP_MISS/206 in access.log) can then pull a whole file over
    # the WAN; the thread identifies this line as the reason WAN traffic exceeded LAN traffic.
    range_offset_limit -1
    
    # URL filtering is delegated to squidGuard through the redirector interface.
    redirect_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf
    # NOTE(review): with bypass on, Squid skips the redirector whenever all helpers are busy, so
    # requests pass unfiltered under load (fail-open). Only 3 helpers are started below; raise
    # the count or turn bypass off if the squidGuard policy must always be enforced.
    redirector_bypass on
    redirect_children 3
    
    # Allow local network(s) on interface(s)
    http_access allow localnet
    
    # Default block all to be sure
    http_access deny all
    
    

    squidguard.conf:

    
    # ============================================================
    # SquidGuard configuration file
    # This file generated automaticly with SquidGuard configurator
    # (C)2006 Serg Dvoriancev
    # email: dv_serg@mail.ru
    # ============================================================
    
    # Log files named in "log" directives below are written under logdir; list files named in
    # dest blocks are resolved under dbhome.
    logdir /var/squidGuard/log
    dbhome /var/db/squidGuard
    
    # Working-hours windows. The midday gap (11:45-13:15, Friday 11:30-13:15), Saturday after
    # 11:15 and all of Sunday fall outside OFFICE_HOUR, so the "else" branches of the acl
    # section apply at those times.
    time OFFICE_HOUR {
    	weekly mon 08:15-11:45
    	weekly mon 13:15-17:15
    	weekly tue 08:15-11:45
    	weekly tue 13:15-17:15
    	weekly wed 08:15-11:45
    	weekly wed 13:15-17:15
    	weekly thu 08:15-11:45
    	weekly thu 13:15-17:15
    	weekly fri 08:15-11:30
    	weekly fri 13:15-17:15
    	weekly sat 08:15-11:15
    }
    
    # Source groups. NOTE(review): the ranges overlap (INT_FB_TW covers the whole 172.16.0.0/16),
    # and squidGuard is documented to classify a client by the first matching src block, so the
    # order of these definitions decides which policy a host gets - verify against the docs.
    # Loopback and the proxy's own LAN address.
    src LOCALHOST {
    	ip     127.0.0.1
    	ip     172.16.1.254
    }
    
    # Server range 172.16.1.30-172.16.1.49.
    src SERVER_GGW {
    	ip     172.16.1.30-172.16.1.39
    	ip     172.16.1.40-172.16.1.49
    }
    
    # Hosts restricted to the whitelist during office hours.
    src INT_OFFICE_TIME {
    	ip     172.16.1.101-172.16.1.220
    	ip     172.16.4.101-172.16.4.240
    	ip     172.16.8.0/24
    }
    
    # Catch-all for the rest of 172.16.0.0/16 (any address not claimed by a group above).
    src INT_FB_TW {
    	ip     172.16.0.0/16
    }
    
    # Destination lists. Matches against this list are logged to block.log.
    dest FB_TW_GAMES {
    	domainlist FB_TW_GAMES/domains
    	urllist FB_TW_GAMES/urls
    	log block.log
    }
    
    # Whitelist used for INT_OFFICE_TIME during office hours.
    dest XXX_WHITELIST {
    	domainlist XXX_WHITELIST/domains
    	expressionlist XXX_WHITELIST/expressions
    	urllist XXX_WHITELIST/urls
    	log block.log
    }
    
    # Whitelist used for SERVER_GGW.
    dest GGW_WHITELIST {
    	domainlist GGW_WHITELIST/domains
    	expressionlist GGW_WHITELIST/expressions
    	urllist GGW_WHITELIST/urls
    	log block.log
    }
    
    # NOTE(review): unlike the other dest blocks, this one has no "log" directive, so hits on
    # the blacklist are not written to block.log by this block.
    dest XXX_BLACKLIST {
    	domainlist XXX_BLACKLIST/domains
    }
    
    # Rewrite rules meant to force safe-search parameters onto search-engine queries.
    # NOTE(review): as printed, the dots are unescaped and the replacements carry no
    # back-reference to the captured URL; backslashes (e.g. "\." and "\1") were presumably
    # stripped when the file was posted - compare with the file on the box before reuse.
    rew safesearch {
    	s@(google..*/search?.*q=.*)@&safe=active@i
    	s@(google..*/images.*q=.*)@&safe=active@i
    	s@(google..*/groups.*q=.*)@&safe=active@i
    	s@(google..*/news.*q=.*)@&safe=active@i
    	s@(yandex..*/yandsearch?.*text=.*)@&fyandex=1@i
    	s@(search.yahoo..*/search.*p=.*)@&vm=r&v=1@i
    	s@(search.live..*/.*q=.*)@&adlt=strict@i
    	s@(search.msn..*/.*q=.*)@&adlt=strict@i
    	s@(.bing..*/.*q=.*)@&adlt=strict@i
    	log block.log
    }
    
    # Policy section: one rule set per source group. Every redirect sends blocked requests to
    # sgerror.php on 172.16.1.254:8080 with the message text, client address (%a) and requested
    # URL (%u) in the query string.
    # NOTE(review): sgerror.php is not shown here - confirm it HTML-escapes these parameters
    # before rendering them.
    acl  {
    	# The proxy itself is unrestricted.
    	LOCALHOST  {
    		pass all
    	}
    	# Servers may reach GGW_WHITELIST only; the trailing "none" blocks everything else, which
    	# makes the negated lists before it redundant.
    	SERVER_GGW  {
    		pass GGW_WHITELIST !FB_TW_GAMES !XXX_WHITELIST !XXX_BLACKLIST none
    		redirect http://172.16.1.254:8080/sgerror.php?url=403%20Anda%20hanya%20diperbolehkan%20mengakses%20website%20tertentu%20yang%20sudah%20diset%20oleh%20Administrator%20%21&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
    	}
    	# Office hours: whitelist only. Outside office hours: "pass all".
    	# NOTE(review): the else branch does not exclude XXX_BLACKLIST, whereas INT_FB_TW's else
    	# branch does - these hosts can reach blacklisted domains outside OFFICE_HOUR.
    	INT_OFFICE_TIME  within OFFICE_HOUR {
    		pass XXX_WHITELIST none
    		redirect http://172.16.1.254:8080/sgerror.php?url=403%20Anda%20hanya%20diperbolehkan%20mengakses%20website%20tertentu%20yang%20sudah%20diset%20oleh%20Administrator%20%21&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
    		rewrite safesearch
    		} else {
    		pass all
    		redirect http://172.16.1.254:8080/sgerror.php?url=403%20Anda%20hanya%20diperbolehkan%20mengakses%20website%20tertentu%20yang%20sudah%20diset%20oleh%20Administrator%20%21&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
    		rewrite safesearch
    	}
    	# Office hours: everything except FB_TW_GAMES and XXX_BLACKLIST. Otherwise: everything
    	# except XXX_BLACKLIST. No safesearch rewrite is applied to this group.
    	INT_FB_TW  within OFFICE_HOUR {
    		pass !FB_TW_GAMES !XXX_BLACKLIST all
    		redirect http://172.16.1.254:8080/sgerror.php?url=403%20Dilarang%20mengakses%20facebook%2C%20twitter%2C%20video%20streaming%20dan%20games%20online%20pada%20saat%20jam%20kerja%20%21%21%21&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
    		} else {
    		pass !XXX_BLACKLIST all
    		redirect http://172.16.1.254:8080/sgerror.php?url=403%20Dilarang%20mengakses%20facebook%2C%20twitter%2C%20video%20streaming%20dan%20games%20online%20pada%20saat%20jam%20kerja%20%21%21%21&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
    	}
    	# Clients that match no source group are denied and the denial is logged.
    	default  {
    		pass none
    		redirect http://172.16.1.254:8080/sgerror.php?url=403%20Mohon%20maaf%2C%20koneksi%20internet%20sedang%20dalam%20perbaikan.&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
    		log block.log
    	}
    }
    
    






  • coba dibeber dimari squid.conf nya
    om terawang itu berasal dari sana …

    nilai byte bit menjadi negatif itu pasti ada sebabnya
    kalau tidak salah ada catatan web yg menjelaskan itu
    di forum ini pernah ada linknya ...

    request diselesaikan sampai tuntas padahal request tsb sudah di abort atau cancel
    duh ... susah banget nulis maksud yg dikepala
    kira2 begitu lah  ;D



  • kalau ndak salah nilai min itu maksudnya adalah http request dari client diselesaikan oleh si squid, padahal si client sudah cancel http request.
    apakah hal ini disebabkan oleh squidguard? soalnya ada limitasi waktu browsing utk user biasa.
    kalau dilihat tren-nya, memang lebih banyak squid http request mulai jam 8 sampai jam 5 sore dibanding client http request.
    ada saran? soalnya bikin b/w jadi habis padahal niat awalnya mau dihemat oleh si lusca.

    @serangku:

    coba dibeber dimari squid.conf nya
    om terawang itu berasal dari sana …

    nilai byte bit menjadi negatif itu pasti ada sebabnya
    kalau tidak salah ada catatan web yg menjelaskan itu
    di forum ini pernah ada linknya ...

    request diselesaikan sampai tuntas padahal request tsb sudah di abort atau cancel
    duh ... susah banget nulis maksud yg dikepala
    kira2 begitu lah  ;D



  • tadi squid.conf dituning di bagian quick_abort:

    # Tuned values: after a client aborts, Squid finishes the download only if less than 8 KB
    # remains or more than 95% has already arrived, and aborts if more than 16 KB remains.
    # These settings affect aborted requests only; they do not change how Range requests are
    # fetched.
    quick_abort_min 8 KB
    quick_abort_max 16 KB
    quick_abort_pct 95
    # NOTE: the full squid.conf posted earlier in this thread also contains a later
    # "range_offset_limit -1" under "Custom options"; per the thread that -1 was the setting
    # in effect until it was changed to 0.
    range_offset_limit 0 MB
    request_body_max_size 0 allow all
    reply_body_max_size 0 deny all
    

    dan setelah dicek dengan seksama, ada satu PC yg donlot windows update.

    1310456149.769  13304 172.16.4.244 TCP_MISS/206 500 GET http://au.download.windowsupdate.com/msdownload/update/software/svpk/2011/02/windows6.1-kb976933-x64-neutral_8a7fcdd8a721b2549af52ee4662418ad54928856.psf - DIRECT/65.54.82.138 application/octet-stream
    1310456159.490   9715 172.16.4.244 TCP_MISS/206 1139 GET http://au.download.windowsupdate.com/msdownload/update/software/svpk/2011/02/windows6.1-kb976933-x64-neutral_8a7fcdd8a721b2549af52ee4662418ad54928856.psf - DIRECT/65.54.82.143 application/octet-stream
    1310456170.478  10982 172.16.4.244 TCP_MISS/206 443 GET http://au.download.windowsupdate.com/msdownload/update/software/svpk/2011/02/windows6.1-kb976933-x64-neutral_8a7fcdd8a721b2549af52ee4662418ad54928856.psf - DIRECT/65.54.82.138 application/octet-stream
    1310456470.506 299559 172.16.4.244 TCP_MISS/206 447 GET http://au.download.windowsupdate.com/msdownload/update/software/ftpk/2010/10/wlsetup-all_ce5287396485f886a3051ac552cbdb2f08681033.exe - DIRECT/65.54.82.143 application/octet-stream
    
    

    hal ini mungkin berhubungan dg opsi refresh_pattern pada squid.conf.

    # Freshness rule for Microsoft update payloads: min 4320 and max 43200 minutes, with
    # reload-into-ims turning a client reload into an If-Modified-Since revalidation.
    # It governs how long a cached copy is served, not how much of an object is fetched.
    refresh_pattern ([^.]+.|)(download|(windows|)update|).(microsoft.|)com/.*.(cab|exe|msi|msp) 4320 100% 43200 reload-into-ims
    

    kira-kira harus tuning dimana lagi yah?



  • menggali lebih dalam lagi dari squid.conf, ternyata ada fitur ini: range_offset_limit.
    http://www.squid-cache.org/Versions/v2/2.7/cfgman/range_offset_limit.html

    referensinya: http://wiki.squid-cache.org/SquidFaq/InnerWorkings#Why_do_I_see_negative_byte_hit_ratio.3F

    seting awal adalah -1. skrg dijadiin 0 saja.
    tinggal lihat hasilnya beberapa hari ke depan.  ;)



  • SEEEPPPPP …

    ;) ;D

    -1 vs 0

