Difference between Squid and MT Proxy and opinions

GuJack20 · Fri May 18, 2007 7:30 pm

Hi guys.

I have used Squid integrated on 2.9X versions of Mikrotik for quite a while now. Yesterday i downloaded and tested version 3beta7 that has the new Proxy server of MT. It seemed nice but i don't know how will it react in a production environment. Does any of you have opinions??
I'am more familiar with squid and i needed to know if there is a way to stick with squid in the newer relases..
And the last question, is there any way to have access in the squid.conf of the SquidCache in Mikrotik ???

Thanks

bushy · Sat May 19, 2007 1:38 am

It would be nice to be able to edit the squid.conf for all the little tricks you can do with it, but i suppose it could become a weakness .

fatonk · Sat May 19, 2007 3:36 pm

I'm using SQUID on Linux server and not in MT router, it is much faster than web proxy in MT, you can edit squid.conf etc etc. I'm using Mikrotik just for routing and wireless solutions.

Regards.

Faton

GuJack20 · Sat May 19, 2007 5:03 pm

Thanks Faton

I'm also using Squid in a stand alone box in average size LANs but it would be nice to be able to tune better the squid in MT, for using in small lans. What do u think??

samsoft08 · Sat May 19, 2007 7:45 pm

on what distribution of linux server may i ask fatonk ??

fatonk · Sat May 19, 2007 8:52 pm

samsoft08
I'm using gentoo and in some cases fedora, with gentoo I'm very much satisfied. I'm using only the CLI mode no webmin or any other web interface. I had a bad experience with webmin and one version of SQUID they didn't had a good relationship.

GuJack20
I agree it would be very good to be able to tweak and tune SQUID in Mikrotik, but that depends on Mikrotik developers and other constrains.

Regards.

Faton

samsoft08 · Sat May 19, 2007 9:11 pm

thanks for reply fatonk , i will use fedora , and i wonder is it ok to use a GUI ( i'm new in linux ) ..

bushy · Sun May 20, 2007 12:51 am

You really don't need a GUI for what you will be using the box for , if anything it will make it harder to use/understand.

Once its up and going , if you want to change something , you just have to edit config files . Even if you use a GUI , you'll still have to edit them anyway usually. Pico is an easy to use editor if you're not used to stuff.

Say you wanted to change somethign in Squids config file , this is all you'd have to do ....

#cd ( wherever your squid.conf is )

#pico squid.conf

Edit the part you want to , save & quit

# squid -k recofigure

job done.

GuJack20 · Sun May 20, 2007 7:46 pm

Im using CentOS for my cache.Goes nice :)

maroon · Sun May 20, 2007 11:25 pm

can anybody post his/her squid conf? lets share it over here and fine-tune it

my squid conf!!!

 --------------------------------------------------- 
squid.conf 
--------------------------------------------------- 
http_port 8080 


hierarchy_stoplist cgi-bin ? .pl .cgi .php .php3 .php4 .shtml 
acl QUERY urlpath_regex cgi-bin \? .pl .cgi .php .php3 .php4 .shtml 
no_cache deny QUERY 

cache_mem 256 MB 
cache_swap_low 90 
cache_swap_high 95 
maximum_object_size 4096 KB 
minimum_object_size 0 KB 
maximum_object_size_in_memory 8 KB 



cache_dir ufs /cache1  24 256 
cache_dir ufs /cache2  24 256 
cache_access_log none 
cache_log none 
cache_store_log none 
pid_filename none 


refresh_pattern -i .(class|pdf|rtf|doc|wp|wp5|ps|prn)$ 1440 90% 1440 override-lastmod override-expire reload-into-ims ignore-reload 
refresh_pattern -i .(mov|avi|mpg|wav|au|mid|mp3)$ 1440 100% 1440 override-lastmod override-expire reload-into-ims ignore-reload 
refresh_pattern -i .(zip|gz|arj|lha|lzh|rar|tgz|tar|Z)$ 1440 80% 1440 override-lastmod override-expire reload-into-ims ignore-reload 
refresh_pattern -i .(jpg|gif|jpeg|png|css|js)$ 1440 19000% 1440 override-lastmod override-expire reload-into-ims ignore-reload 
refresh_pattern -i .(bmp|tif|tiff|xbm)$ 1440 17000% 1440 override-lastmod override-expire reload-into-ims ignore-reload 
refresh_pattern -i .(png|swf)$ 1440 18000% 1440 override-lastmod override-expire reload-into-ims ignore-reload 
refresh_pattern ^ftp: 1440 20% 10080 
refresh_pattern ^gopher: 1440 0% 1440 
refresh_pattern . 0 20% 4320 


acl all src 0.0.0.0/0.0.0.0 
acl manager proto cache_object 
acl localhost src 127.0.0.1/255.255.255.255 
acl localnet src 192.168.0.0/255.255.255.0 
acl SSL_ports port 443 563 
acl Safe_ports port 21 70 80 210 280 443 563 488 591 777 1025-65535 
acl CONNECT method CONNECT 
http_access allow manager localhost 
http_access deny manager 
http_access deny !Safe_ports 
http_access deny CONNECT !SSL_ports 
http_access allow localhost 

http_access allow localnet 
http_access allow all 


cache_mgr Administrator 
cache_effective_user squid 
cache_effective_group squid 
visible_hostname Siamcafe@net 


reload_into_ims on 


ie_refresh on 
emulate_httpd_log on 
httpd_accel_host virtual 
httpd_accel_port 80 
httpd_accel_with_proxy on 
httpd_accel_uses_host_header on 
query_icmp off 
buffered_logs on

samsoft08 · Mon May 21, 2007 1:30 am

well , thanks for all this usefull information guys .. it seems i need a SQUID manual !!!! to configure it ..

one question please ...... how to connect the squid server to the network ? i mean connect it to the main switch which is connected to MT local interface ? or by connecting it between the MT and the switch ? or any other way ...

GuJack20 · Mon May 21, 2007 2:20 am

samsoft. Squid is easy to configure.It gets a little trickier if you want to tune it for maximum performance. I, for example haven't tuned it at all it seems.Anyway it goes really nice.
You can connect the PC running squid in many ways. The most simple way is to connect it inside your LAN, like any other PC.

Maroon, for how many clients r u using the squid shown here?? and how much cache size r u using?

samsoft08 · Mon May 21, 2007 2:52 am

so nice ...

ok , its only connecting a SQUID server to my lan , now , how to redirect the http request to it ?

GuJack20 · Mon May 21, 2007 2:58 am

than you should configure the browsers of the clients to connect to the internet through squid.

In Mozilla Firefox -> Tools -> Options -> Connections

Internet explorer -> Tools -> Internet Options -> Connections -> LAN Settings

Mon May 21, 2007 9:37 am

guys, did you read the ORIGINAL POST? RouterOS does NOT use squid in later versions

janisk · Mon May 21, 2007 9:45 am

so nice ...

ok , its only connecting a SQUID server to my lan , now , how to redirect the http request to it ?

if you want to redirect HTTP to your proxy, then set up MT parent proxy feature pointing to your squid.

also - you could check out keywords like "transparent proxy" in forum search.

GuJack20 · Mon May 21, 2007 12:16 pm

Guys, whats the reason that MT isn't using squid anymore..? What are the improvements?

Mon May 21, 2007 12:31 pm

so we can fix the problems ourselves, and not rely on somebody else. improvements are speed and features

R1CH · Mon May 21, 2007 1:50 pm

What are you using if not Squid? Also, Squid is open source... it would seem to make a lot more sense to use a working, compliant cache than to write one from the ground up and encounter all the intricacies of the HTTP specification. No offense but I really don't think MT will be able to come up with a caching HTTP proxy that is anywhere near the level of performance and compliance as Squid, not without blatantly disregarding the HTTP specifications regarding caching at least...

Speaking of which, you should never use refresh_patterns like maroon posted... overriding the origin server is not something to be taken lightly and WILL cause problems for your users when they are unable to receive updated content. Only in the most dire of circumstances (dialup backhaul for your 100 customers) should you be overriding the cache policies of origin servers.

Mon May 21, 2007 1:55 pm

What are you using if not Squid? Also, Squid is open source... it would seem to make a lot more sense to use a working, compliant cache than to write one from the ground up and encounter all the intricacies of the HTTP specification. No offense but I really don't think MT will be able to come up with a caching HTTP proxy that is anywhere near the level of performance and compliance as Squid, not without blatantly disregarding the HTTP specifications regarding caching at least...

Speaking of which, you should never use refresh_patterns like maroon posted... overriding the origin server is not something to be taken lightly and WILL cause problems for your users when they are unable to receive updated content. Only in the most dire of circumstances (dialup backhaul for your 100 customers) should you be overriding the cache policies of origin servers.

we made one for ourselves, it's not based on anything. right now it works really well. remember that we are not trying to make another squid - RouterOS is for routers, so we made something that suits our needs.

R1CH · Mon May 21, 2007 2:57 pm

It seems a fully HTTP compliant proxy is a huge undertaking, it will be interesting to see just how well it works in the real world as well as being compliant with caching specifications. Look forward to testing it sometime

.

GuJack20 · Mon May 21, 2007 3:14 pm

I'll repeat the question..Would we have the chance to chose between Squid and the MT Proxy in the newer versions?? It would be realy nice..

To build a cache from scratch is a brave thing. Good Luck :wink:

Mon May 21, 2007 4:09 pm

it's already possible. either use `/ip proxy` (new one) or `/ip web-proxy`. this is in all 2.9 versions where both the `web-proxy` and `webproxy-test` packages are installed.

samsoft08 · Mon May 21, 2007 7:23 pm

to normis building a cache from scratch , i wonder why ? while you are saying Router Os is only for routing !!!
what we expect in the next releases .. 3.xx ??
* bug fixed in http cache !!!
later
*cache speed improved !!!
and so on ....

i say its a brave thing to build your own cach , and good luck , but myself i prefer to use the famous SQUID server ..

to janisk , what's transparent ? how much transparency % ? is it like transparency in photoshop ?? i

to GuJack20 , why modifying the user browser while we can choose transparent proxy in MT web-proxy ?

GuJack20 · Mon May 21, 2007 10:03 pm

I'm more familiar with user's browser modifying...thats why :oops:

hci · Fri May 25, 2007 2:49 am

Is there anything wrong with using Squid this way?

chain=dstnat in-interface=local protocol=tcp dst-port=80 action=dst-nat to-addresses=172.0.0.2 to-ports=3128

We use this to NAT all port 80 traffic to a box running Squid. This serves hundreds of user accounts and about 6mbps of constant traffic.

Using Mikrotik's built in cache, both the Squid version and there own home written version, seemed to result in a number of issues for us.

First off CPU load was massive. When we switched to DST-NATing requests to an outside box running Squid 2.6STABLE CPU load on the Mikrotik router dropped way way down. What was also strange is the Squid box ran at usually less then 2 percent CPU load.

Second off certain websites that used NTLM for authentication would not work. Frontpage extensions that use NTLM would fail also. Some shopping carts failed to work right also. This all went away when we used an external Squid with latest STABLE release.

I really, really wish Mikrotik supported WCCP to transfer the http requests to an external Squid box. This would likely be better then just NATing.

Matt

maroon · Tue May 29, 2007 12:15 pm

RICH Said:
Speaking of which, you should never use refresh_patterns like maroon posted... overriding the origin server is not something to be taken lightly and WILL cause problems for your users when they are unable to receive updated content. Only in the most dire of circumstances (dialup backhaul for your 100 customers) should you be overriding the cache policies of origin servers.

but we should fine-tune the squid to get the best performance by using the refresh-patterns and so, otherwise SQUID never mentioned/published such things for improving things...

and by the way, would you please RICH post your SQUID Conf. and where do u stand on the SQUID config to get the best performace (other than SCSI hdd, 2GB ram n above etc...)

OOPS! is a v. good proxy server as an acceleration and performance wise... but its still crashing sometimes!

Regards,

maroon · Tue May 29, 2007 12:31 pm

NORMIS you are concerned to help me (if you please - no offense at all) but I searched and searched and did lots of researches about how to do auto-failover 2 Gateways. And I still didn't find any script...

I have 2 wan connections and 1 lan connections.. I don't need to do a loadbalancing since WAN1 is limited by qouta and I will keep WAN1 for failover/backup link in case WAN2 is down...

all I need is to create a script and tell the script to ping google.com every 5 seconds through WAN2 (Primary n not limited) and if there is no reply from google (ISP's international link is down, or the microwarve provider service is down etc...) tell the other GW (WAN1 and limited by qouta) to take place and start serving the lan. furthermore I want WAN2 retry pinging google.com till google replies and than WAN2(primary and unlimited) takes back the lead in serving LAN.

I got this script and I think it needs some fine tunning so could you please advise me

/system script add name=backup-link source={
/ip route set [/ip route find comment=primary] disabled=yes
/ip route set [/ip route find comment=backup] disabled=no
/tool netwatch set [/tool netwatch find comment=ping-primary-google] disabled=yes
/tool netwatch set [/tool netwatch find comment=ping-primary-gtw] disabled=no
}



/tool netwatch add host=66.249.93.104 interval=5s down-script=backup-link coment=ping-primary-google

/tool netwatch add host=192.168.1.1 interval=5s up-script=primary-link down-script= comment=ping-primary-gtw


/system script add name=primary-link source={
/ip route set [/ip route find comment=primary] disabled=no
/ip route set [/ip route find comment=backup] disabled=yes
/tool netwatch set [/tool netwatch find comment=ping-primary-google] disabled=no
/tool netwatch set [/tool netwatch find comment=ping-primary-gtw] disabled=yes
}

thank you in advance

Regards,

samsoft08 · Wed May 30, 2007 1:10 am

well guys , i tried to use squid on fedora , didnt work till now !!!!

MT NAT :
;;; Squid Proxy
chain=dstnat in-interface=bridge1 protocol=tcp dst-port=80 action=dst-nat
to-addresses=192.168.1.182 to-ports=3128
192.168.1.182 is fedora box IP ..

the squid port is 3128
and :
acl all src 192.168.1.0/255.255.255.0
http_access allow all

so , whts the problem ??

samsoft08 · Wed May 30, 2007 8:42 pm

OK i succeded only by assign the parent address / port in web-proxy setting , but it still counting increasing in cache size ? ist still using the MT hard disk ?
why its not working with just redirecting the port 80 request to squid IP/port ??

R1CH · Wed May 30, 2007 10:32 pm

but we should fine-tune the squid to get the best performance by using the refresh-patterns and so, otherwise SQUID never mentioned/published such things for improving things...

No, you shouldn't... those options are only exposed if you really need to save every byte of bandwidth (dialup, satellite, etc). In your squid.conf you are overriding the origin servers cache policies. Things like CAPTCHA images and dynamic signatures often rely on a dynamic .jpg or other image file which will likely break when running under your config since you force it to be cached when it should be changing every request. If you read the Squid documentation it says that using such features violates the HTTP protocol and makes your cache non-compliant. I would rather have a working compliant cache than have my customers unable to access content properly due to the cache.

I have made no performance tweaks to my squid.conf, all port 80 traffic is redirected using netfilter to Squid which acts as a transparent proxy. It runs on a Opteron 148 Linux box with 1 GB RAM and the load is barely noticable. I would never even think of running a cache, Squid or otherwise, on an embedded device like a routerboard, there simply isn't the CPU or I/O throughput that a cache needs. Let the routerboard do what it's good at, routing/wireless and leave the heavy lifting for something else. Even an old Pentium works fine for Squid, I used to run one for a high school on a 32mb RAM Linux 2.0 VIA CPU system.

samsoft08 · Wed May 30, 2007 11:31 pm

again , i dont want to run web-proxy on MT , so i'm redirecting port 80 to the external squid .. the error page to the client is :

The requested URL could not be retrieved
--------------------------------------------------------------------------------
While trying to retrieve the URL: NONE://

The following error was encountered:

Access Denied.
Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

Your cache administrator is root.
--------------------------------------------------------------------------------
Generated Wed, 30 May 2007 20:35:16 GMT by localhost.localdomain (squid/2.5.STABLE3)

GuJack20 · Wed May 30, 2007 11:41 pm

samsoft.
check the acls of squid.conf

samsoft08 · Wed May 30, 2007 11:56 pm

acl all src 192.168.1.0/255.255.255.0
http_access allow all

GuJack20 · Thu May 31, 2007 12:01 am

i'm lost. is the squid box accesing the internet correctly??

samsoft08 · Thu May 31, 2007 12:26 am

yes and smoothly , i found somthing else .. when i use the parent proxy in the web - proxy , its working .. ok .. i open a site .. its ok .. then i changed the way to the firewall dst-nat to the proxy server IP/port .. no site will open EXEPT the one i opened by the parent-proxy way .. i think its somthing with TCP_MISS and TCP_HIT issue .. dont you think so ?? please i need help so urgent ..

GuJack20 · Thu May 31, 2007 12:41 am

yeah maybe that's the issue, but it seems so strange to me. When i setuped a squid box as parent i haven't got this type of problem. I don't know if it'll help you but there are some great howto's at http://www.howtoforge.com

samsoft08 · Thu May 31, 2007 12:51 am

thanks so much friend ..

can you tell me whts the right way to connect the squid box in the network , i'm connecting it to a dedicated interface in my MT , with IP 192.168.2.200 , while the rest clients are in a different interface , with IP 192.168.1.1/24 .. is this right ??

GuJack20 · Thu May 31, 2007 1:03 am

that's your problem. try connecting it directly to your switch with a given IP 192.168.1.x

samsoft08 · Thu May 31, 2007 1:19 am

cannot display page .. its not the same error but no page displayed ..

only when using parent proxy / port in the web-proxy .. its working .. which i dont want to use ..

note : i'm using masqurade action to NAT my lan IP's to one public IP ..

GuJack20 · Thu May 31, 2007 3:54 pm

GuJack20 · Thu May 31, 2007 3:55 pm

i don't know what doesn't work for you.
One of my setups:

LAN Ips are in range 192.168.1.x
MT has internal ip 192.168.1.1 and using masquerading to give internet access to the LAN Pcs
Squid (centos box) has IP: 192.168.1.100 and is serving cache on port 8080
All the clients are configured to see internet through Squid.

It works fine.

janisk · Thu May 31, 2007 4:10 pm

parent proxy feature was introduced to make proxying easier for users, if you do not want to chache on your router, just set up parent proxy, enable proxy and off you go, everything works, and no caching happens on your router. (set cache to ram and cache to disk to 0)

GuJack20 · Fri Jun 01, 2007 12:42 pm

Samsoft08. I tried that too

MT NAT :
;;; Squid Proxy
chain=dstnat in-interface=bridge1 protocol=tcp dst-port=80 action=dst-nat
to-addresses=192.168.1.182 to-ports=3128
192.168.1.182 is fedora box IP ..

the squid port is 3128
and :
acl all src 192.168.1.0/255.255.255.0
http_access allow all

so , whts the problem ??

and i got the same problem.
Did you found the solution?? I have fully understood your goal now. So, how can we redirect all TCP traffic in port 80 to the proxy in the internal LAN...

Does anyone have the solution??

maroon · Fri Jun 01, 2007 1:14 pm

enable transparent proxy on mikrotik ..

set max-cahe disk to none
set max ram cache siez to none

add parent proxy: SQUID's IP & Port

done!

GuJack20 · Fri Jun 01, 2007 1:26 pm

can u explain better? I've done all this but i can see that my traffic isn't running through the Squid Box..
Through the Squid is going only the traffic from hosts that have proxy configured in the browser settings.
I want to make hosts go through Squid box despite they have or not have proxy configured in the browser.

neeraj_k · Sat Jun 02, 2007 11:16 am

hi
please rename ur acl to some other name. As squid has 0.0.0.0/0 assigned to acl named all.
remember after allow deny to everyone
http_access allow aclname

e:g
acl mynet src 192.168.0.0/255.255.255.0
acl all src 0.0.0.0/0.0.0.0
http_access allow mynet
http_access deny all
regards

samsoft08 · Sat Jun 02, 2007 3:53 pm

OK its working , by setting parent proxy IP / port in the MT web-proxy and by setting RAM and disk cache to ZERO .. its working so good ..

i still wonder , just for knowledge , why we can't redirect the traffic by NAT to the squid proxy ? what's wrong with it ? theoritaclly it has to be done by NAT .. but it doesn't ..

hci · Sat Jun 02, 2007 6:08 pm

i still wonder , just for knowledge , why we can't redirect the traffic by NAT to the squid proxy ? what's wrong with it ? theoritaclly it has to be done by NAT .. but it doesn't ..

I am NAT'ing to an outside proxy.

//chain=dstnat in-interface=local protocol=tcp dst-port=80 action=dst-nat to-addresses=172.0.0.2 to-ports=3128

My users are not NAT'ed themselves though. You also must make sure your proxy is NOT in the same subnet as your users.

I have found that the latest release of Squid performs better then the Mikrotik proxies have. Latest Squid also has more work arounds for certain websites that do not like dealing with transparent proxies. Seems to me anyway.

Matt

samsoft08 · Sat Jun 02, 2007 7:05 pm

well , i'm using the same rule in the NAT .. but it doesnt work , it replys with error =
Access Denied.
Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.
the same setting in the squid , changing the way to Parent-proxy IP:port , its working ..

hci · Sat Jun 02, 2007 8:29 pm

Here is what I am using in squid.conf.

#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

acl our_networks src 10.0.0.0/16 {my subnets here}
http_access allow our_networks

# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks

# And finally deny all other access to this proxy
http_access deny all

Where you see {my subnets here} you need to add the subnets you want allowed access.

Matt

mac86 · Mon Jun 04, 2007 4:31 am

Don't you have proble with this ?

 
reload_into_ims on

imnlfn · Mon Jun 11, 2007 7:15 am

I have a problem that's making me feel really stupid:

My RB150 has the webproxy-test package, but no web-proxy package.

I had an earlier version of RouterOS and I thought maybe upgrading to the current version would remedy this, so I uploaded the routeros-rb500-2.9.43.npk file, but that didn't make any difference.

I then downloaded all_packages_2.9.43-ns.zip from the MikroTik site, but there's no web-proxy-2.9.43-ns.npk in there, either.

Am I missing something obvious? How do I get the web-proxy file?

Thanks,
-M

hci · Mon Jun 11, 2007 7:03 pm

Don't you have proble with this ?
Code: Select all
 
reload_into_ims on 

Why would that cause a problem? It simply modifys a forced refresh into a "if modified since". Downloads header and checks to see if whats in the cache is the same as on server and if so serves the cached copy.

Matt

ahmedramze · Wed Jun 13, 2007 12:00 am

This is My config work for 50 online client

http_port 8080
icp_port 0
cache_mem 300 MB
maximum_object_size 160386 KB
maximum_object_size_in_memory 3200 KB
memory_replacement_policy lru
cache_dir aufs /usr/local/squid/cache 30000 32 512
reference_age 1 month
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443 563	# https, snews
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT
acl subnet-1	src	<network-address>/<netmask>
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow subnet-1
http_access deny all
icp_access allow all
cache_mgr you@net.net
cache_effective_user nobody
cache_effective_group nobody
visible_hostname proxy.net
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
dns_testnames netscape.com internic.net nlanr.net microsoft.com
logfile_rotate 10
append_domain .net.net
forwarded_for off
ie_refresh on

hci · Wed Jun 13, 2007 3:47 am

Since we are doing transparent caching why would you allow anything but port 80 for http?

imnlfn · Mon Jul 09, 2007 2:34 am

Well, I finally found out that transparent proxying isn't an option for me because the Routerboard 150 device doesn't have the webproxy package available.

So, I'd still really like to know why it's not possible to do something like this:

chain=dstnat in-interface=local protocol=tcp dst-port=80 src-address-list=filtered action=dst-nat to-addresses=192.168.1.5 to-ports=8080

Did the one person here who had success doing this only succeed because his clients aren't going through NAT otherwise?

Argh!

-M

tgrand · Mon Jul 09, 2007 11:54 pm

I will try posting in this thread as I have been unable to get reply in the past.

Web-Proxy when enabled 2.9.43 and above or the 3.0 beta, and installed on a gateway router (PC),
does not allow POP3 and SMTP packets to traverse the gateway. And HTTPS is hit and miss.

No Nat rules for transparency are configured, just simply enabling the Web-Proxy.

Is this normal behaviour?

tgrand · Tue Jul 10, 2007 1:36 pm

Stil no answer...
Go figure!!

Nothing changes around here

imnlfn · Thu Jul 12, 2007 7:40 am

I will try posting in this thread as I have been unable to get reply in the past.

Web-Proxy when enabled 2.9.43 and above or the 3.0 beta, and installed on a gateway router (PC),
does not allow POP3 and SMTP packets to traverse the gateway. And HTTPS is hit and miss.

No Nat rules for transparency are configured, just simply enabling the Web-Proxy.

Is this normal behaviour?

Since the documentation for the webproxy package only mentions the HTTP and FTP protocols (though whether it really handles the latter is unknown to me), what would make you think it's going to handle POP3 and SMTP?

-M

tgrand · Thu Jul 12, 2007 5:33 pm

I never said it did.

All I have done is enabled the Proxy on my gateway router, and suddenly pop3 and smtp do not work.
As well some HTTPS site refuse to load.

Disable the proxy and everything works fine again.

Happens the same on V2.9.43, V2.9.44, V3Beta 9 and 10.

epproach_lyle · Sat Jul 14, 2007 2:33 am

at least you can check your mail.. all my ports are blocked (even ping) when i login.. i even took out all my firewall settings

Difference between Squid and MT Proxy and opinions

Difference between Squid and MT Proxy and opinions

Re: Difference between Squid and MT Proxy and opinions

OUT OF PROXY TOPIC! but it's really urgent...

Re: Difference between Squid and MT Proxy and opinions

Re: Difference between Squid and MT Proxy and opinions

Re: Difference between Squid and MT Proxy and opinions

Re: Difference between Squid and MT Proxy and opinions

Re: Difference between Squid and MT Proxy and opinions

Re: Difference between Squid and MT Proxy and opinions

Re: Difference between Squid and MT Proxy and opinions

Re: Difference between Squid and MT Proxy and opinions

Re: Difference between Squid and MT Proxy and opinions

Re: Difference between Squid and MT Proxy and opinions

Re: Difference between Squid and MT Proxy and opinions

Re: Difference between Squid and MT Proxy and opinions

Re: Difference between Squid and MT Proxy and opinions

Re: Difference between Squid and MT Proxy and opinions

Re: Difference between Squid and MT Proxy and opinions

Re: Difference between Squid and MT Proxy and opinions

Re: Difference between Squid and MT Proxy and opinions

Re: Difference between Squid and MT Proxy and opinions

Re: Difference between Squid and MT Proxy and opinions

Re: Difference between Squid and MT Proxy and opinions

Re: Difference between Squid and MT Proxy and opinions

Re: Difference between Squid and MT Proxy and opinions

Re: Difference between Squid and MT Proxy and opinions

Re:

Re: Difference between Squid and MT Proxy and opinions

Re: Re:

Re: Difference between Squid and MT Proxy and opinions

Re: Difference between Squid and MT Proxy and opinions

Re: Difference between Squid and MT Proxy and opinions

Re: Difference between Squid and MT Proxy and opinions

Re: Difference between Squid and MT Proxy and opinions

Re: Difference between Squid and MT Proxy and opinions

Re: Difference between Squid and MT Proxy and opinions

Re: Difference between Squid and MT Proxy and opinions

Who is online