03-05-2023 12:28 PM
Hello team.
I really want to understand and configure proxying certain sites through my VPS in another country, but unfortunately I am failing.
I have a Cisco 1100 series router and a VPS + Squid.
I have tried a large number of configurations in this regard using WCCP and PBR.
Can someone suggest a working config on the router side using PBR and Squid?
I have tried this config on router:
ip access-list extended PROXY-ACL
permit tcp any host <vps-ip-address> eq 80
permit tcp any host <vps-ip-address> eq 443
ip access-list extended BYPASS-ACL
deny ip any host <vps-ip-address>
permit ip any any
route-map TRAFFIC-RMAP permit 10
match ip address BYPASS-ACL
set ip next-hop <next-hop-ip-address-to-gateway-my-isp>
!
route-map TRAFFIC-RMAP permit 20
match ip address PROXY-ACL
set ip next-hop <squid-ip-address>
interface <inside-interface>
ip address 192.168.1.1 255.255.255.0
ip nat inside
interface GigabitEthernet0/0/0
description ISP1
ip address dhcp
ip nat outside
ip policy route-map TRAFFIC-RMAP
ip nat inside source list PROXY-ACL interface gi0/0/0 overload
ip route 0.0.0.0 0.0.0.0 <next-hop-ip-address>
When I apply this command on interface gi0/0/0 (ip policy route-map TRAFFIC-RMAP), I lose internet.
Config for squid:
http_port 3128
acl localnet src 10.10.0.1/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow localnet
http_access deny all
http_port MY_PUB_IP_VPS:8080 intercept
acl proxy_domains dstdomain "/etc/squid/proxy_domains"
acl proxy_sites dstdomain "/etc/squid/proxy_sites"
http_access allow proxy_domains proxy_sites
03-05-2023 12:39 PM
ip policy route-map TRAFFIC-RMAP <<- apply this command under LAN interface
interface <inside-interface>
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip policy route-map TRAFFIC-RMAP
03-05-2023 01:12 PM
I just applied this policy to the VLAN; the pages of the sites I check take a long time to load and then show an error saying "cannot open this page".
I think I made a mistake somewhere, but I can't figure it out. What do I need to change?
Now my config looks like this:
ip access-list extended PROXY-ACL
10 permit tcp any host 90.90.90.90 eq www
20 permit tcp any host 90.90.90.90 eq 443
ip access-list extended BYPASS-ACL
deny ip any host 90.90.90.90
permit ip any any
route-map TRAFFIC-RMAP permit 10
match ip address BYPASS-ACL
set ip next-hop 130.130.130.1
!
route-map TRAFFIC-RMAP permit 20
match ip address PROXY-ACL
set ip next-hop 90.90.90.90
interface Vlan10
description WIRED
ip address 10.1.100.254 255.255.255.0
ip nat inside
ip policy route-map TRAFFIC-RMAP
ip virtual-reassembly
interface GigabitEthernet0/0/0
description ISP1
ip address dhcp
ip nat outside
negotiation auto
no cdp enable
ip virtual-reassembly
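Added here as an illustration, not code from the thread: a small Python model of how IOS walks a route-map, applied to the TRAFFIC-RMAP and ACLs posted above. It only decides which sequence a given flow selects (next-hop adjacency is not modelled), and it goes one step beyond the thread by also evaluating a hypothetical variant whose first sequence is keyed on the destination sites; the client address and the 203.0.113.0/24 site prefix are constructed sample values.

```python
# Added model (not from the thread): which TRAFFIC-RMAP sequence a flow picks.
# Adjacency of the chosen next hop is deliberately not modelled.
from ipaddress import ip_address, ip_network

# ACE = (action, protocol, source prefix, destination prefix, dest port or None)
PROXY_ACL = [("permit", "tcp", "0.0.0.0/0", "90.90.90.90/32", 80),
             ("permit", "tcp", "0.0.0.0/0", "90.90.90.90/32", 443)]
BYPASS_ACL = [("deny", "ip", "0.0.0.0/0", "90.90.90.90/32", None),
              ("permit", "ip", "0.0.0.0/0", "0.0.0.0/0", None)]
# route-map TRAFFIC-RMAP as posted: (sequence, match ACL, set ip next-hop)
TRAFFIC_RMAP = [(10, BYPASS_ACL, "130.130.130.1"),
                (20, PROXY_ACL, "90.90.90.90")]

# Hypothetical variant: match the sites to be proxied instead of the VPS
# address, and evaluate that sequence first. 203.0.113.0/24 is a sample prefix.
SITE_ACL = [("permit", "tcp", "0.0.0.0/0", "203.0.113.0/24", 80),
            ("permit", "tcp", "0.0.0.0/0", "203.0.113.0/24", 443)]
SITE_FIRST_RMAP = [(10, SITE_ACL, "90.90.90.90"),
                   (20, BYPASS_ACL, "130.130.130.1")]

def acl_action(acl, proto, src, dst, dport):
    """First matching ACE wins; an extended ACL ends with an implicit deny."""
    for action, p, s, d, port in acl:
        if p != "ip" and p != proto:
            continue
        if ip_address(src) not in ip_network(s) or ip_address(dst) not in ip_network(d):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"

def policy_route(rmap, proto, src, dst, dport):
    """Return (seq, next_hop) of the first sequence whose ACL permits the packet.
    An ACL deny only skips that sequence; None means the packet is forwarded
    by the normal routing table instead of being policy-routed."""
    for seq, acl, next_hop in rmap:
        if acl_action(acl, proto, src, dst, dport) == "permit":
            return seq, next_hop
    return None

if __name__ == "__main__":
    client, site, vps = "10.1.100.10", "203.0.113.10", "90.90.90.90"
    # As posted: HTTPS to a site is caught by seq 10 and sent straight to the ISP
    print(policy_route(TRAFFIC_RMAP, "tcp", client, site, 443))
    # As posted: only packets addressed to the VPS itself ever reach seq 20
    print(policy_route(TRAFFIC_RMAP, "tcp", client, vps, 443))
    # Site-keyed variant: the same HTTPS flow is steered toward the VPS
    print(policy_route(SITE_FIRST_RMAP, "tcp", client, site, 443))
```

The first call returning sequence 10 is the structural reason the posted config never sends site traffic toward Squid: BYPASS-ACL permits everything except the VPS host, so it wins before PROXY-ACL is consulted.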
03-05-2023 01:21 PM
We use PBR when we have multiple input points and TWO output points.
Here I see only one interface connected to the SP (g0/0/0), so why PBR?
And if there is another WAN interface, you must configure NAT to be aware of the next hop of the traffic.
03-06-2023 03:24 AM
There is no other WAN channel; I thought this problem could only be solved with PBR or WCCP.
If I have one wan channel, a couple of vlan and a squid server on the remote side, what can help me solve this problem?
03-06-2023 03:28 AM
What problem do you think will be solved by PBR?
03-06-2023 05:10 AM
Initially, I planned to proxy certain subnets via PBR, the ones on which the external sites are hosted, in the direction of Squid. Some solutions on the Internet describe such a scenario, but the information is vague, so I decided to experiment and sketched this config.
03-06-2023 05:37 AM
Hmmm, that needs some deep thinking.
I will update you soon
03-06-2023 07:09 AM
Sure! Thanks a lot
03-15-2023 05:00 AM
Hi, I just wanted to ask how it's going. Did any of the options work out?
03-15-2023 07:13 AM
A couple of things need clarification:
1. What does your network diagram look like? Show us how the router, the Squid proxy and the user LAN are connected.
2. You have localnet 10.10.0.1/24? (which I do not see in your router config). Squid only allows sources coming from that subnet; any other source will be denied by Squid.
3. Are you looking to redirect traffic to the proxy on the LAN side, or after NAT on the outside?
03-19-2023 07:22 AM
Of course, I have this kind of scheme.
Let's say there are two countries, one is ISR 1111 and the other is SQUID.
I need to make it so that when certain sites are requested, the traffic goes exactly to country 2 and out through Squid.
I also want to ask, is there any way to make it work for only certain sites?
I know I can configure an IPsec tunnel and put the networks I need on it so that the traffic from those networks goes to Squid, but I need to know which sites have which subnets and domain names in order to tell the system to send me to Squid.