How will transparent proxying (DNAT) affect traffic flows?
Posted: Fri Nov 26, 2010 10:55 am
I have a transparent web proxy set up, using dstnat to redirect any port 80 traffic to the local web proxy. This proxy in turn forwards traffic to a parent proxy (although I don't think that detail is relevant).
My question is, how will this affect the information that is logged by traffic flows? What was originally requested as one flow has been transparently turned into two.
If my reading of the logs is correct, what's actually happening is that two flows are logged, but not quite the two I expect. I'm seeing a flow from client to *remote* proxy (port 8080), and another from the Routerboard to remote proxy (port 8080 again). As I understand it, the second leg of the flow is being reported twice. I might have expected the two flows to be client to routerboard and routerboard to remote proxy.
As long as I can confirm that my interpretation of the logs is correct, there's no problem here. The reason I'm asking is that I'm writing code to analyse stats and I want to be sure that I'm not over- or under-counting traffic.
My question is, how will this affect the information that is logged by traffic flows? What was originally requested as one flow has been transparently turned into two.
If my reading of the logs is correct, what's actually happening is that two flows are logged, but not quite the two I expect. I'm seeing a flow from client to *remote* proxy (port 8080), and another from the Routerboard to remote proxy (port 8080 again). As I understand it, the second leg of the flow is being reported twice. I might have expected the two flows to be client to routerboard and routerboard to remote proxy.
As long as I can confirm that my interpretation of the logs is correct, there's no problem here. The reason I'm asking is that I'm writing code to analyse stats and I want to be sure that I'm not over- or under-counting traffic.