Hi all,

after lots of searching, i finally come to ask YOU for a solution:

I have 3 Internet connections, WAN1 to WAN3. I have a Loadbalancer, which distributes the Internet access of my network equally to those 3 lines. Now I want to set up a proxy for Microsoft, Adobe, Apple and other Updates ( IP-COP with Update Accelerator), because those updates (Microsoft Windows most) use lots of bandwith i would like to use in other ways.

I came to the conclusion, that routing all http-requests to the domains of *.microsoft.*, *.apple.* and so on through the ipcop would be the best way to get things going.
I cannot put the proxy behind the loadbalancer and all Users behind the proxy, because proxy only works with NAT enabled, so loadbalancer would only see one ip (the one of proxy) accessing the internet. As PFSENSE (my Loadbalancer) is configured to use sticky connections (meaning, a single IP-address in his LAN network will only use one of the three Internet connections to avoid changeing Source IP's for the User (seen from the view of the webservers in the internet)) .

From reading in the forums, i got the idea that a Layer 7 filter (for each domain preferreably, easier to construct with regex and easier to add new domains later) could do the trick.

Would anyone be so kind as to give me one example how to tell the Layer7 filter that "anything.microsoft.something" is L7 name "Microsoft" and has to be routed (perhaps with routing mark?) to gateway 1.2.3.4 (or WAN3)?

I have a Routerboard 600 that i could use as router or transparent bridge to do this L7 and routing stuff, please advise what's better, routing or bridgeing?

Thanks in advance

Sincerely

Schnulch

You simply cannot use L7 filters like that. L7 filters cannot determine the domain portion of the HTTP request until the HTTP request has been made. At that point you've at least already completed the TCP three way handshake and are tied to a gateway because NAT happens on the first packets of a connection. You can only make this work via a proxy as the proxy consumes the entire HTTP request before building its outbound connection (if it needs to) and can then make a decision. Look at Squid's transparent proxy option to leave the source IP address intact.

Alternatively you could just build an update server for all the clients to use. A WSUS isn't too hard to implement and probably covers the majority of update bandwidth for you. You can download upgrade packages from Apple and distribute them, too.

Thanks for your reply,

but WSUS is not an option in this network, as we do not have a AD Domain, it's a little WISP network (100 customers atm). So no way to get them to use the wsus server...
as for the transparent proxy, I was going to use that anyway, but IPCOP is limited (out of the box, that is) to have NAT mandatory, so no way to leave source ip intact, even with transparent proxy (well, no way for me, as I'm a Microsoft but not (yet) linux, unix bsd specialist.)

Sincerley

Schnulch

as for the transparent proxy, I was going to use that anyway, but IPCOP is limited (out of the box, that is) to have NAT mandatory, so no way to leave source ip intact, even with transparent proxy (well, no way for me, as I'm a Microsoft but not (yet) linux, unix bsd specialist.)

search for Squid + TProxy in squid's docs

you could use L7 to add the destination address to an address list, then use the address list to route packets.

you could use L7 to add the destination address to an address list, then use the address list to route packets.

If you know the exact domain name (ex. update.microsoft.com) you could use a DNS / IP lookup script to create address lists based on domain.