Showing results for 
Search instead for 
Did you mean: 


squid3 transparent proxy using wccp

Lately I've been trying to get a squid server to work with WCCP on our network so that client traffic transparently goes through the proxy. The problem is, having very little experience with squid, I've hit a brick wall and despite spending days searching the web and reading through tons of material, I can't seem to move past it. Maybe you guys can spot the problem. Here's what I have so far.

Network Diagram -

squid problem.png

I'm pretty sure my Cisco router is configured properly. The Cisco router ACL is NOT blocking anything coming from or going to the squid server. The linux firewall (iptables) is also NOT blocking anything. 'show ip wccp' on the router shows that squid registers with the router, and wireshark on the squid server shows that the GRE tunnel is receiving packets. The iptables rule that is meant to redirect all traffic from the GRE tunnel to the squid port shows that it's getting hits (iptables -t nat -nvL PREROUTING). The thing is - squid logs don't show that it's receiving any kind of requests. The client machine (the only machine that WCCP should be sending HTTP traffic to squid from) basically can't load any web page once the squid daemon is started on the squid server - it just times out. Is there something wrong with the iptables rule? Could it be something else? I have a feeling it's just one simple thing I'm missing somewhere. Here are the different sections:


ip wccp web-cache redirect-list 120 group-list 10

interface GigabitEthernet0/2

ip address

ip wccp web-cache redirect in

ip access-list standard 10


ip access-list extended 120

  deny   ip host any

  permit tcp host any eq www

  deny   ip any any

Squid server:

iptunnel add gre1 mode gre remote [external IP of router] local dev eth0

ip addr add dev gre1

ip link set gre1 up

echo 1 > /proc/sys/net/ipv4/ip_forward

echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter

echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter

echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter

echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter

echo 0 > /proc/sys/net/ipv4/conf/gre1/rp_filter

iptables -t nat -A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j DNAT --to-destination


acl manager proto cache_object

acl localhost src ::1

acl to_localhost dst ::1

acl localnet src

acl SSL_ports port 443

acl Safe_ports port 80        # http

acl Safe_ports port 21        # ftp

acl Safe_ports port 443        # https

acl Safe_ports port 70        # gopher

acl Safe_ports port 210        # wais

acl Safe_ports port 1025-65535    # unregistered ports

acl Safe_ports port 280        # http-mgmt

acl Safe_ports port 488        # gss-http

acl Safe_ports port 591        # filemaker

acl Safe_ports port 777        # multiling http


http_access allow manager localhost

http_access deny manager

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localnet

http_access allow localhost

http_access deny all

http_port 3128 transparent

hierarchy_stoplist cgi-bin ?

coredump_dir /var/spool/squid

refresh_pattern ^ftp:        1440    20%    10080

refresh_pattern ^gopher:    1440    0%    1440

refresh_pattern -i (/cgi-bin/|\?) 0    0%    0

refresh_pattern .        0    20%    4320


wccp_version 4

wccp2_forwarding_method gre

wccp2_return_method gre

wccp2_service standard 0


Anyone? Perhaps I'm missing commands on the Cisco to setup the GRE tunnel? Could it be that I'm missing something like this?


Wow! After weeks of trying to get this to work (on and off), and reading every howto on google relating to wccp and squid, I finally came across a line on some website that read:

"For Squid to work with WCCP2 and the Cisco firewall, the Squid server must be on a common subnet with the web client..."

As soon as I made this happen, everything finally started working.

hi ,

congratulations  ,

but i want to ask u ,

how can we enable ipv6 to work with squid cache 3

have u tried it ??


  1. No idea
  2. Your grammar is terrible. English is my second language and I would never write like that - even online. Please take some lessons in grammar - unless of course you write bad on purpose, in which case, please stop.
  3. Your question has very little to do with the topic of this thread
  4. This thread has been dead for almost 6 months (assuming that one guy talking to himself could be considered alive in the first place). You may want to start a new topic for your question

hi ,

thanks for your reply ,

i think that talking about squid cache in all fourms in the internet will dead the post , i dont know why .

it may be most of people dont like to deal with

anyway , i would like to ask you special questions about only squid  operation in linux .

can i ask you ??


If you have a squid question for me that has nothing to do with this topic, you might want to send me a private message instead of continuing to post here. Also, I'm not a squid expert, and you might be better off trying the squid mailing lists where the real experts are:

They are always active, and always happy to answer squid questions.

Recognize Your Peers
Content for Community-Ad