Squid and CARP



  • Hi all,

    I have squid configured in transparent mode and it works well.  It is bound to the LAN interface and the default gateway for the internal LAN is the internal CARP VIP.  I have hit a problem though - anything passed to squid seems to bypass the outbound NAT rule that SNATs packets to the public VIP.

    In short, without squid installed outbound http traffic comes from the VIP, whereas with squid installed outbound http traffic comes from whatever the physical IP of the interface is.

    I assumed it was simply a matter of adding a NAT rule for traffic originating from 127.0.0.0/8 passing through the WAN interface for destination port 80 to SNAT to the VIP, but it has had no effect.

    The rules I have in place are as follows:

    
    Interface | Source      | Src port | Destination | Dst port | NAT address | NAT port   | Static port | Description
    WAN       | X.X.0.0/21  | *        | *           | *        | WANVIP      | *          | NO          | Rule for LAN to WAN VIP
    WAN       | 127.0.0.0/8 | tcp/*    | *           | tcp/80   | WANVIP      | *          | NO          | Rule for Proxy to WAN VIP
    WAN       | 127.0.0.0/8 | *        | *           | *        | *           | 1024:65535 | NO          | Auto created rule for localhost to WAN
    WAN       | 127.0.0.0/8 | *        | *           | *        | *           | 1024:65535 | NO          | Auto created rule for localhost to WAN
    
    

    I'd welcome any help with this.  I can only imagine there's something wrong with my assumption that squid traffic originates from localhost on the firewall.

    Regards,

    sgb



  • Use the squid tcp_outgoing_address directive to specify it.

    There is a field in the squid GUI for custom options. Place it there.
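
    The following is an added example for this thread, not code from the thread, from pfSense or from the Squid project. It shows the custom option the reply refers to beside the "before" configuration the first post describes, and a small checker that parses the `tcp_outgoing_address <addr> [acl ...]` form Squid accepts and reports when proxy traffic would still fall back to the interface's physical address. The VIPs (203.0.113.x), subnets, ACL names and config texts are constructed; the "unreachable line" check assumes Squid's documented first-match evaluation order for tcp_outgoing_address.

```python
"""Audit a squid.conf fragment for a tcp_outgoing_address that matches the CARP VIP.

Constructed example: nothing here is pfSense's or Squid's own code.
"""
import ipaddress
import shlex

WAN_VIP = "203.0.113.10"   # constructed: public CARP VIP traffic must come from
WAN_VIP2 = "203.0.113.11"  # constructed: a second VIP for the per-subnet case

# Constructed: what the first post has, no outgoing address set at all.
BEFORE = """\
http_port 127.0.0.1:3128 intercept
cache_mem 64 MB
"""

# Constructed: the same config after adding the reply's directive to the
# custom options field (squid binds the VIP, so the pf NAT rule is not needed).
AFTER = """\
http_port 127.0.0.1:3128 intercept
cache_mem 64 MB
tcp_outgoing_address 203.0.113.10
"""

# Constructed: ACL-qualified form, one source VIP per LAN subnet plus a catch-all.
PER_SUBNET = """\
acl guests src 10.10.0.0/24
acl staff src 10.20.0.0/24
tcp_outgoing_address 203.0.113.11 guests
tcp_outgoing_address 203.0.113.10 staff
tcp_outgoing_address 203.0.113.10
"""

# Constructed: a catch-all placed first, so the ACL line after it never matches.
SHADOWED = """\
tcp_outgoing_address 203.0.113.10
tcp_outgoing_address 203.0.113.11 guests
"""


def parse_outgoing(conf):
    """Return [(lineno, address, acl_list)] for every tcp_outgoing_address line."""
    rules = []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        parts = shlex.split(line)
        if parts[0] != "tcp_outgoing_address":
            continue
        if len(parts) < 2:
            raise ValueError(f"line {lineno}: tcp_outgoing_address needs an address")
        addr = str(ipaddress.ip_address(parts[1]))  # rejects hostnames and typos
        rules.append((lineno, addr, parts[2:]))
    return rules


def check_outgoing(conf, vips):
    """Return a list of findings; an empty list means every outbound proxy
    connection is sourced from one of the given CARP VIPs."""
    vips = {str(ipaddress.ip_address(v)) for v in vips}
    findings = []
    rules = parse_outgoing(conf)
    if not rules:
        return ["no tcp_outgoing_address: squid will bind the interface's "
                "physical address, bypassing the VIP"]
    catch_all_at = None
    for lineno, addr, acls in rules:
        if addr not in vips:
            findings.append(f"line {lineno}: {addr} is not a CARP VIP")
        if catch_all_at is not None:
            # Squid stops at the first fully matching line, so anything after
            # an unqualified line can never be selected.
            findings.append(f"line {lineno}: unreachable, shadowed by the "
                            f"catch-all on line {catch_all_at}")
        if not acls and catch_all_at is None:
            catch_all_at = lineno
    if catch_all_at is None:
        findings.append("no catch-all tcp_outgoing_address: traffic matching "
                        "none of the acls falls back to the interface address")
    return findings


if __name__ == "__main__":
    for name, conf, vips in (("BEFORE", BEFORE, {WAN_VIP}),
                             ("AFTER", AFTER, {WAN_VIP}),
                             ("PER_SUBNET", PER_SUBNET, {WAN_VIP, WAN_VIP2}),
                             ("SHADOWED", SHADOWED, {WAN_VIP, WAN_VIP2})):
        print(name, check_outgoing(conf, vips) or "ok")
```

    The address given to tcp_outgoing_address has to be configured on the host, which a CARP VIP is on both cluster members, and squid must be restarted or reloaded after the custom options are saved before the change takes effect.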



  • Excellent, thank you.

    Simon

