Transparent Squid and Traffic Shaping!!
-
I have been trying to get squid (in transparent mode) to work with traffic shaping for a while now, and was successful today.
It's not that it doesn't work at all, but if you have squid and traffic shaping enabled and have set up priority for http traffic, it doesn't work with squid, as all traffic coming from squid gets pushed into the default queue (qLanDef). It was very annoying because at peak p2p and other traffic, browsing would be sluggish and pages would time out. It wasn't possible to change the priority on the default queue as most traffic gets pushed there by default. It was hard to lower the priority of p2p apps because most users changed the standard p2p ports.

Why doesn't it work?
filter.inc generates a few rules for squid, first the redirect rule.
rdr on {$lanif} inet proto tcp from any to !{$lanip} port www -> 127.0.0.1 port 3128
and the pass rule:
pass in quick on {$lanif} inet proto tcp from any to 127.0.0.1 port 3128 flags S/SA keep state label
This rule completely bypasses the traffic shaping rules for http.

How to get it to work?
Hack /etc/inc/filter.inc!!
Change the squid redirect rule (unfortunately assigning a specific interface from the webgui for squid to use doesn't work).
Change:
rdr on {$lanif} inet proto tcp from any to !{$lanip} port www -> 127.0.0.1 port 3128
to:
rdr on {$lanif} inet proto tcp from any to !{$lanip} port www -> {$lanip} port 3128
This will change the redirect rule to reassign http packets to the lan ip address. This will make it bypass the default pass rule for squid. However, that is not the end of it. If you have the anti web lockout turned on in System -> Advanced, it will generate a rule
(mine looks like this):
pass in quick from 192.168.1.0/26 to 192.168.1.1 keep state label "anti-lockout web rule"
This will still make squid redirects bypass the shaper rules once more, since the packets were translated to the lan ip address in the redirect.
You have 3 choices:
1. Disable anti-lockout (System -> Advanced), but make sure you have the default lan -> any rule in Firewall -> Rules -> Lan.
2. Again disable anti-lockout, but create specific rules for the webgui and ssh (if enabled). Make sure you use the port numbers in the rules.
3. Hack filter.inc to create a more specific rule for anti-lockout (rather than a general pass for lan, use the admin ports).

Well, I modified filter.inc because I was afraid to make a specific rule for the webgui & ssh only to forget about it, accidentally change the ports and lock myself out. Here is the change if you're interested.
if (!isset($config['system']['webgui']['noantilockout'])) {
    if ($lansa and $lansn) {
        $webgui_port = $config['system']['webgui']['port'];
        $ssh_port = $config['system']['ssh']['port'];
        /* webGUI port: the configured one, otherwise the protocol's default */
        if (isset($webgui_port) && ($webgui_port !== "")) {
            $a_port = $webgui_port;
            unset($webgui_port);
        } else {
            $admin_protocol = $config['system']['webgui']['protocol'];
            switch ($admin_protocol) {
                case "http":
                    $a_port = '80';
                    break;
                case "https":
                    $a_port = '443';
                    break;
                default:
                    $a_port = '80';
            }
            unset($admin_protocol);
        }
        /* SSH port: the configured one, otherwise 22 */
        if (isset($ssh_port) && ($ssh_port !== "")) {
            $a_port .= ',' . $ssh_port;
            unset($ssh_port);
        } else {
            $a_port .= ',22';
        }
        /* {{$a_port}} expands to a pf port list such as {445,22} */
        $ipfrules .= <<<EOD
# make sure the user cannot lock himself out of the webGUI or SSH
anchor "anti-lockout"
pass in quick proto tcp from {$lansa}/{$lansn} to $lanip port {{$a_port}} keep state label "anti-lockout web rule"

EOD;
    }
}
Here's my generated rule after the mod:
pass in quick proto tcp from 192.168.1.0/26 to 192.168.1.1 port {445,22} keep state label "anti-lockout web rule"
It works every time I change the ports in System -> Advanced. Be sure to use non-standard ports for the webgui (not 80 or 443), as anti-lockout will still bypass the shaper rules.
Use the wizard to prioritize http traffic and it works. I created specific queues for each ip on my lan and this works also.
If there are no shaper rules for squid, squid redirects still get passed by the default lan to any rule.

Only sad thing is I'll have to change filter.inc every time I upgrade!!
Nonetheless, hope I helped someone.
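The ordering problem described above, as an added example that is not part of the original post or of pfSense's own code: a minimal pf first-match simulator run over the rules quoted in the post. It applies the squid rdr first (pf translates before it filters, so the filter rules see the translated destination), then walks the pass rules in order, stopping at the first matching rule marked quick. The client address 192.168.1.10, the web server address, the squid rule's label and the per-client shaper rule are constructed stand-ins; the real rules the shaper wizard emits are not on the page, only that the author's queues were per-ip.

```python
# Added example (not from the original post or pfSense): pf first-match
# simulation showing which rule a transparently redirected HTTP packet hits.
import ipaddress
import re
import shlex

LAN_IP = "192.168.1.1"      # value from the post
SQUID_PORT = 3128

# Rules quoted in the post (label "squid" is a constructed placeholder).
SQUID_PASS = ('pass in quick on lan inet proto tcp from any to 127.0.0.1 '
              'port 3128 flags S/SA keep state label "squid"')
ANTILOCKOUT_WIDE = ('pass in quick from 192.168.1.0/26 to 192.168.1.1 '
                    'keep state label "anti-lockout web rule"')
ANTILOCKOUT_PORTS = ('pass in quick proto tcp from 192.168.1.0/26 to 192.168.1.1 '
                     'port {445,22} keep state label "anti-lockout web rule"')
# Constructed stand-in for one of the per-client shaper rules the post mentions.
SHAPER = ('pass in on lan proto tcp from 192.168.1.10 to any '
          'keep state queue (qLanDef, qLanHttp)')


def squid_rdr(dst_ip, dst_port, target):
    """rdr on lan proto tcp from any to !LAN_IP port www -> <target> port 3128.
    pf applies rdr before filtering, so filter rules see the result."""
    if dst_port == 80 and dst_ip != LAN_IP:
        return target, SQUID_PORT
    return dst_ip, dst_port


def _addr_matches(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _ports(spec):
    """'3128', 'www' or '{445,22}' -> set of ints; None means any port."""
    if spec is None:
        return None
    names = {"www": 80, "https": 443, "ssh": 22}
    return {names.get(p.strip()) or int(p.strip()) for p in spec.strip("{}").split(",")}


def parse_rule(text):
    """Extract the fields this simulation cares about from a pf pass rule."""
    toks = shlex.split(text)           # shlex keeps the quoted label together
    rule = {"text": text, "quick": "quick" in toks,
            "src": "any", "dst": "any", "ports": None, "queue": None}
    for i, tok in enumerate(toks):
        if tok == "from":
            rule["src"] = toks[i + 1]
        elif tok == "to":
            rule["dst"] = toks[i + 1]
        elif tok == "port":
            rule["ports"] = _ports(toks[i + 1])
    m = re.search(r"queue\s*\(([^)]*)\)", text)
    if m:
        rule["queue"] = m.group(1)
    return rule


def matches(rule, src, dst, dport):
    return (_addr_matches(rule["src"], src) and _addr_matches(rule["dst"], dst)
            and (rule["ports"] is None or dport in rule["ports"]))


def evaluate(rules, src, dst, dport):
    """pf semantics: the last matching rule wins unless a matching rule is quick."""
    winner = None
    for r in rules:
        if matches(r, src, dst, dport):
            winner = r
            if r["quick"]:
                break
    return winner


def queue_for_client_http(rdr_target, antilockout_rule, client="192.168.1.10"):
    """Queue (or None = default queue) assigned to a client's HTTP request
    after the squid rdr, given the rdr target and the anti-lockout rule in use."""
    dst, dport = squid_rdr("93.184.216.34", 80, rdr_target)   # constructed web server
    rules = [parse_rule(t) for t in (SQUID_PASS, antilockout_rule, SHAPER)]
    hit = evaluate(rules, client, dst, dport)
    return hit["queue"], hit["text"]


if __name__ == "__main__":
    cases = [("original rdr to 127.0.0.1", "127.0.0.1", ANTILOCKOUT_WIDE),
             ("rdr to LAN IP, wide anti-lockout", LAN_IP, ANTILOCKOUT_WIDE),
             ("rdr to LAN IP, port-specific anti-lockout", LAN_IP, ANTILOCKOUT_PORTS)]
    for name, target, lockout in cases:
        queue, rule = queue_for_client_http(target, lockout)
        print(f"{name}: queue={queue or 'none (default queue)'}\n    hit: {rule}")
```

Only the third case reaches the shaper rule; in the first two a quick rule with no queue wins before the shaper is consulted. Because the shaper rule is matched against the translated packet (destination LAN IP, port 3128), a rule keyed on port 80 would not catch it either, which is consistent with the per-ip queues the post describes working.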
-
Bravo! That's awesome!