Cisco 2820 wccpv2 and FreeBSD squid. They don't want to be friends

b1te
passing by
Posts: 2
Joined: 2010-10-28 1:24:46

Cisco 2820 wccpv2 and FreeBSD squid. They don't want to be friends

Post by b1te » 2010-10-28 1:59:38

There is a Cisco 2820 router and squid on FreeBSD 7.2.
The general idea is to use squid to block access from the internal network to sites by IP address (squidguard).
squid itself works, i.e. when the browser is configured to go through the proxy server it's fine. Without that it doesn't work :(
I've dug through a pile of information and tried various settings, but can't get past the current result no matter what.
As far as I understand, the Cisco redirects to the FreeBSD box, where the ipfw fwd to squid's port seems to fire, but what happens after that is unclear. squid's access.log is empty.

Please tell me where I messed up, or at least which direction to dig in further.

Configs and logs.
{CISCO_ROUTER_IP_OUTSIDE} - external address of the Cisco 2820
{FREEBSD_IP_OUTSIDE} - external address of the FreeBSD 7.2 box

Cisco 2820:

Code:

c2620#show version
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-J1S3-M), Version 12.3(20), RELEASE SOFTWARE (fc2)
Compiled Tue 08-Aug-06 20:50 by kesnyder
Image text-base: 0x80008098, data-base: 0x81A3DC1C

ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
ROM: C2600 Software (C2600-J1S3-M), Version 12.3(20), RELEASE SOFTWARE (fc2)

c2620 uptime is 9 weeks, 3 days, 4 hours, 18 minutes
System returned to ROM by power-on
System image file is "flash:c2600-j1s3-mz.123-20.bin"

cisco 2620 (MPC860) processor (revision 0x102) with 61440K/4096K bytes of memory.
Processor board ID JAD04430NXQ (3222136920)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
TN3270 Emulation software.
1 FastEthernet/IEEE 802.3 interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

Code:

c2620#show run
Building configuration...
Current configuration : 2028 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service dhcp
!
hostname c2620
!
boot-start-marker
boot-end-marker
!
enable secret 5 ****************************
!
aaa new-model
!
!
aaa authentication username-prompt "Login: "
aaa session-id common
ip subnet-zero
no ip source-route
ip wccp web-cache redirect-list WCCP_Redirect
!
!
!
no ip cef
!
!
!
!
!
!
!
!
!
!
!
username ***** password 7 ****************
username ***** password 7 ****************
!
!
!
!
interface Tunnel0
 ip address 192.168.254.253 255.255.255.252
 ip mtu 1500
 tunnel source FastEthernet0/0.30
 tunnel destination XX.XXX.XXX.XXX
!
interface FastEthernet0/0
 no ip address
 speed 100
 full-duplex
!
interface FastEthernet0/0.10
 description LAN
 encapsulation dot1Q 10
 ip address 192.168.0.254 255.255.255.0
 ip access-group 2000 in
 ip nat inside
 ip wccp web-cache redirect in
!
interface FastEthernet0/0.20
 description LAN with real IP
 encapsulation dot1Q 20
 ip address {CISCO_ROUTER_IP_OUTSIDE} 255.255.255.248
!
interface FastEthernet0/0.30
 description WAN
 encapsulation dot1Q 30
 ip address {CISCO_ROUTER_IP_OUTSIDE2} 255.255.255.252
 ip nat outside
!
ip default-gateway XXX.XXX.XXX.XXX
ip nat inside source list 150 interface FastEthernet0/0.30 overload
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX
ip route 192.168.1.0 255.255.255.0 192.168.254.254
!
!
!
ip access-list extended WCCP_Redirect
 deny   ip host 192.168.0.30 any
 permit ip any any
access-list 150 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 150 permit ip 192.168.0.0 0.0.0.255 any
access-list 2000 permit tcp host 192.168.0.1 any eq smtp
access-list 2000 deny   tcp 192.168.0.0 0.0.0.255 any eq smtp log
access-list 2000 permit ip any any log
!
!
!
!
!
gateway
!
!
line con 0
 escape-character NONE
line aux 0
 transport input telnet
 escape-character NONE
line vty 0 4
 exec-timeout 0 0
 history size 256
!
!
end

Code:

c2620#show ip wccp web-cache view
    WCCP Routers Informed of:
        {CISCO_ROUTER_IP_OUTSIDE}

    WCCP Cache Engines Visible:
        {FREEBSD_IP_OUTSIDE}

    WCCP Cache Engines NOT Visible:
        -none-
------------------------------------------------------------------------------------
c2620#show ip wccp web-cache
Global WCCP information:
    Router information:
        Router Identifier:                   {CISCO_ROUTER_IP_OUTSIDE}
        Protocol Version:                    2.0

    Service Identifier: web-cache
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            1145
        Redirect access-list:                WCCP_Redirect
        Total Packets Denied Redirect:       8
        Total Packets Unassigned:            17
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
------------------------------------------------------------------------------------
c2620#show ip wccp web-cache detail
WCCP Cache-Engine information:
        Web Cache ID:          {FREEBSD_IP_OUTSIDE}
        Protocol Version:      2.0
        State:                 Usable
        Initial Hash Info:     00000000000000000000000000000000
                               00000000000000000000000000000000
        Assigned Hash Info:    FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                               FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
        Hash Allotment:        256 (100.00%)
        Packets Redirected:    253
        Connect Time:          00:14:17

FreeBSD 7.2:

Code:

freebsd# squid -v
Squid Cache: Version 2.7.STABLE9
configure options:  '--bindir=/usr/local/sbin' '--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid' '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var/squid' '--sysconfdir=/usr/local/etc/squid' '--enable-removal-policies=lru heap' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-epoll' '--enable-auth=basic digest negotiate ntlm' '--enable-basic-auth-helpers=DB NCSA PAM MSNT SMB YP' '--enable-digest-auth-helpers=password' '--enable-external-acl-helpers=ip_user session unix_group wbinfo_group' '--enable-ntlm-auth-helpers=SMB' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--with-pthreads' '--enable-storeio=ufs diskd null aufs' '--enable-delay-pools' '--enable-snmp' '--disable-carp' '--enable-ssl' '--with-openssl=/usr' '--enable-icmp' '--enable-htcp' '--enable-cache-digests' '--enable-wccpv2' '--enable-arp-acl' '--enable-ipf-transparent' '--enable-err-languages=Armenian Azerbaijani Bulgarian Catalan Czech Danish  Dutch English Estonian Finnish French German Greek  Hebrew Hungarian Italian Japanese Korean Lithuanian  Polish Portuguese Romanian Russian-1251 Russian-koi8-r  Serbian Simplify_Chinese Slovak Spanish Swedish  Traditional_Chinese Turkish Ukrainian-1251  Ukrainian-koi8-u Ukrainian-utf8' '--enable-default-err-language=English' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=i386-portbld-freebsd7.2' 'build_alias=i386-portbld-freebsd7.2' 'CC=cc' 'CFLAGS=-O2 -fno-strict-aliasing -pipe  -I/usr/include' 'LDFLAGS= -rpath=/usr/lib:/usr/local/lib -L/usr/lib' 'CPPFLAGS='

Code:

freebsd# cat /usr/local/etc/squid/squid.conf
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
icp_access allow localnet
icp_access deny all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
maximum_object_size_in_memory 128 KB
cache_dir aufs /data/squid/cache 4096 16 256
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
pid_filename /var/log/squid/squid.pid
netdb_filename /var/log/squid/netdb.state
url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squid/squidGuard.conf
redirector_bypass on
refresh_pattern ^ftp:		1440	20%	4320
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	2160
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_effective_user squid
cache_effective_group squid
visible_hostname freebsd.example.ua
wccp2_router {CISCO_ROUTER_IP_OUTSIDE}
wccp2_rebuild_wait on
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method 1
wccp2_service standard 0
coredump_dir /data/squid/cache

Code:

freebsd# cat /etc/rc.conf
keymap="ru.koi8-r"
ifconfig_em0="inet 192.168.0.30  netmask 255.255.255.0"
ifconfig_em1="inet {FREEBSD_IP_OUTSIDE} netmask 255.255.255.248"
defaultrouter="{CISCO_ROUTER_IP_OUTSIDE}"
static_routes="net1"
route_net1="-net 192.168.1.0/24 192.168.0.254"
hostname="freebsd.example.ua"
sshd_enable="YES"
firewall_enable="YES"
firewall_type="/etc/firewall.conf"
mysql_dbdir="/data/mysql"
mysql_enable="YES"
apache22_enable="YES"
vsftpd_enable="YES"
samba_enable="YES"
dhcpd_enable="YES"
dhcpd_flags="-q"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
dhcpd_ifaces="em0"
dhcpd_withumask="022"
sendmail_enable="YES"
sendmail_flags="-bd"
radiusd_enable="YES"
gateway_enable="YES"
squid_enable="YES"
squid_chdir="/data/squid"
/sbin/ifconfig gre0 plumb
/sbin/ifconfig gre0 link2
/sbin/ifconfig gre0 tunnel {FREEBSD_IP_OUTSIDE} {CISCO_ROUTER_IP_OUTSIDE}
/sbin/ifconfig gre0 inet 1.1.1.1 1.1.1.2

Code:

freebsd# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:e0:81:2a:bf:48
        inet 192.168.0.30 netmask 0xffffff00 broadcast 192.168.0.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:e0:81:2a:bf:49
        inet {FREEBSD_IP_OUTSIDE} netmask 0xfffffff8 broadcast 193.254.217.55
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
fxp0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC>
        ether 00:e0:81:2a:81:d4
        media: Ethernet autoselect (none)
        status: no carrier
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
gre0: flags=d051<UP,POINTOPOINT,RUNNING,LINK0,LINK2,MULTICAST> metric 0 mtu 1476
        tunnel inet {FREEBSD_IP_OUTSIDE} --> {CISCO_ROUTER_IP_OUTSIDE}
        inet6 fe80::2e0:81ff:fe2a:bf48%gre0 prefixlen 64 scopeid 0x5
        inet 1.1.1.1 --> 1.1.1.2 netmask 0xff000000
------------------------------------------------------------------------------------
freebsd# ipfw show
00100 169411 85122124 allow ip from any to any via lo0
00200      0        0 deny ip from any to 127.0.0.0/8
00300      0        0 deny ip from 127.0.0.0/8 to any
00400      0        0 allow ip from any to any via lo0
00500    560    70956 allow tcp from any to me dst-port 20,21,22,49000-65535 keep-state
00600      0        0 allow tcp from any to me dst-port 3128
00700      0        0 allow gre from any to any via em0
00800    110     9368 allow gre from any to any via em1
00900    110     6288 fwd 127.0.0.1,3128 tcp from any to any dst-port 80 recv gre0
01000   9634  5030306 allow tcp from any to me dst-port 80,443 setup limit src-addr 200
01100    184    19298 allow tcp from me to any keep-state
01200    338    39029 allow udp from me to any keep-state
01300      3      172 allow icmp from me to any keep-state
01400      1       60 allow icmp from any to me
01500    338    28241 allow ip from 192.168.0.0/24 to 192.168.0.0/24
01600      0        0 allow ip from 192.168.1.0/24 to me
01700      0        0 allow ip from me to 192.168.1.0/24
01800      0        0 allow tcp from 192.168.0.37,192.168.1.37,XX.XXX.XX.XXX to me dst-port 3306 keep-state
01900      0        0 allow tcp from 127.0.0.1,192.168.0.30,XXX.XXX.XXX.XX to me dst-port 25
02000      0        0 allow tcp from any to me dst-port 1194
02100      0        0 allow udp from any to me dst-port 1194
02200      0        0 allow udp from 192.168.0.0/24 to 192.168.0.0/24 dst-port 137,138 in via em0
02300      0        0 allow udp from 192.168.1.0/24 to 192.168.1.0/24 dst-port 137,138 in via em0
02400    155     8714 deny log logamount 100 ip from any to any
65535      1       72 deny ip from any to any
------------------------------------------------------------------------------------
freebsd# tcpdump -i gre0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on gre0, link-type NULL (BSD loopback), capture size 96 bytes
21:01:03.008670 IP client.example.com.ua.3951 > hb-in-f104.1e100.net.http: S 3841700:3841700(0) win 65535 <mss 1460,nop,nop,sackOK>
21:01:05.960428 IP client.example.com.ua.3951 > hb-in-f104.1e100.net.http: S 3841700:3841700(0) win 65535 <mss 1460,nop,nop,sackOK>
21:01:11.976309 IP client.example.com.ua.3951 > hb-in-f104.1e100.net.http: S 3841700:3841700(0) win 65535 <mss 1460,nop,nop,sackOK>
21:02:34.226187 IP client.example.com.ua.3962 > eos.apache.org.http: S 994791061:994791061(0) win 65535 <mss 1460,nop,nop,sackOK>
------------------------------------------------------------------------------------
freebsd# cat /var/log/squid/cache.log
2010/10/27 21:11:52| Starting Squid Cache version 2.7.STABLE9 for i386-portbld-freebsd7.2...
2010/10/27 21:11:52| Process ID 895
2010/10/27 21:11:52| With 11095 file descriptors available
2010/10/27 21:11:52| Using kqueue for the IO loop
2010/10/27 21:11:52| DNS Socket created at 0.0.0.0, port 52990, FD 6
2010/10/27 21:11:52| Adding domain example.ua from /etc/resolv.conf
2010/10/27 21:11:52| Adding nameserver 192.168.0.1 from /etc/resolv.conf
2010/10/27 21:11:52| helperOpenServers: Starting 5 'squidGuard' processes
2010/10/27 21:11:52| logfileOpen: opening log /var/log/squid/access.log
2010/10/27 21:11:52| Unlinkd pipe opened on FD 16
2010/10/27 21:11:52| Swap maxSize 4194304 + 8192 KB, estimated 323268 objects
2010/10/27 21:11:52| Target number of buckets: 16163
2010/10/27 21:11:52| Using 16384 Store buckets
2010/10/27 21:11:52| Max Mem  size: 8192 KB
2010/10/27 21:11:52| Max Swap size: 4194304 KB
2010/10/27 21:11:52| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2010/10/27 21:11:52| logfileOpen: opening log /var/log/squid/store.log
2010/10/27 21:11:52| Rebuilding storage in /data/squid/cache (CLEAN)
2010/10/27 21:11:52| Using Least Load store dir selection
2010/10/27 21:11:52| Set Current Directory to /data/squid/cache
2010/10/27 21:11:52| Loaded Icons.
2010/10/27 21:11:53| Accepting transparently proxied HTTP connections at 0.0.0.0, port 3128, FD 20.
2010/10/27 21:11:53| Accepting ICP messages at 0.0.0.0, port 3130, FD 21.
2010/10/27 21:11:53| Accepting HTCP messages on port 4827, FD 22.
2010/10/27 21:11:53| Accepting SNMP messages on port 3401, FD 23.
2010/10/27 21:11:53| WCCP Disabled.
2010/10/27 21:11:53| Accepting WCCPv2 messages on port 2048, FD 24.
2010/10/27 21:11:53| Initialising all WCCPv2 lists
2010/10/27 21:11:53| Pinger socket opened on FD 26
2010/10/27 21:11:53| Ready to serve requests.
2010/10/27 21:11:53| Done reading /data/squid/cache swaplog (299 entries)
2010/10/27 21:11:53| Finished rebuilding storage from disk.
2010/10/27 21:11:53|       299 Entries scanned
2010/10/27 21:11:53|         0 Invalid entries.
2010/10/27 21:11:53|         0 With invalid flags.
2010/10/27 21:11:53|       299 Objects loaded.
2010/10/27 21:11:53|         0 Objects expired.
2010/10/27 21:11:53|         0 Objects cancelled.
2010/10/27 21:11:53|         0 Duplicate URLs purged.
2010/10/27 21:11:53|         0 Swapfile clashes avoided.
2010/10/27 21:11:53|   Took 1.7 seconds ( 176.0 objects/sec).
2010/10/27 21:11:53| Beginning Validation Procedure
2010/10/27 21:11:53|   Completed Validation Procedure
2010/10/27 21:11:53|   Validated 299 Entries
2010/10/27 21:11:53|   store_swap_size = 6384k
2010/10/27 21:11:54| storeLateRelease: released 0 objects


Alex Keda
shots fired...
Posts: 35439
Joined: 2004-10-18 14:25:19
From: Made in USSR

Re: Cisco 2820 wccpv2 and FreeBSD squid. They don't want to be friends

Post by Alex Keda » 2010-10-28 20:22:56

Didn't understand a thing...
What goes where, and through what?
Kill them all! God will sort them out afterwards...

b1te
passing by
Posts: 2
Joined: 2010-10-28 1:24:46

Re: Cisco 2820 wccpv2 and FreeBSD squid. They don't want to be friends

Post by b1te » 2010-10-28 21:42:02

The cisco 2620 faces the internet on FastEthernet0/0.30 (internet uplink from the provider).
0/0.10 - internal network 192.168.0.0/24 (ip - 192.168.0.254)
0/0.20 - external network with real IP addresses xxx.xxx.xxx.xxx/29 (ip - {CISCO_ROUTER_IP_OUTSIDE}).
It also acts as the gateway both for the internal network and for the network with real IPs.

freebsd faces the internal network on interface em0 (ip - 192.168.0.30)
and the internet on em1 (ip - {FREEBSD_IP_OUTSIDE}), in the same external subnet as the Cisco's 0/0.20
gre0 - GRE tunnel for receiving wccp requests (set up following http://wiki.squid-cache.org/ConfigExamp ... p2Receiver)

What goes where and through what: for example, 192.168.0.5 (client.example.com.ua) tries to open the site apache.org:
1. on c2620, on interface 0/0.10, it hits "ip wccp web-cache redirect in"
2. the Cisco redirects the request to the wccp cache engine, i.e. to {FREEBSD_IP_OUTSIDE}
3. freebsd catches the request on interface gre0:

Code:

freebsd# tcpdump -i gre0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on gre0, link-type NULL (BSD loopback), capture size 96 bytes
21:02:34.226187 IP client.example.com.ua.3962 > eos.apache.org.http: S 994791061:994791061(0) win 65535 <mss 1460,nop,nop,sackOK>
4. on freebsd the ipfw fwd to squid's port fires:

Code:

00900    110     6288 fwd 127.0.0.1,3128 tcp from any to any dst-port 80 recv gre0
And after that, judging by squid's completely empty access log, nothing happens at all...
I hope I've laid out clearly how I picture the whole process.
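The four-step path described above (GRE in, ipfw fwd to squid, squid on 3128) can be checked against the `ipfw show` counters from the first post. Added example, not from the thread or from either poster: a small parser for `ipfw show` output that reports which rules actually counted packets and totals them per hop of that path; the function names are mine and SAMPLE is a constructed subset of the listing the poster pasted.

```python
"""Parse `ipfw show` output and summarise where packets were counted.
Added example, not from the thread; SAMPLE is a constructed subset of the poster's listing."""
import re
from dataclasses import dataclass

# rule number, packet count, byte count, action keyword, rest of the rule
_LINE = re.compile(r"^\s*(\d{1,5})\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")

@dataclass
class Rule:
    number: int
    packets: int
    bytes: int
    action: str  # allow, deny, fwd, ...
    body: str    # rule text after the action keyword

def parse_ipfw_show(text):
    """Turn `ipfw show` lines into Rule records; lines that do not match are skipped."""
    rules = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            num, pk, by, action, body = m.groups()
            rules.append(Rule(int(num), int(pk), int(by), action, body.strip()))
    return rules

def rules_with_traffic(rules):
    """Rules whose packet counter is non-zero, in ruleset order."""
    return [r for r in rules if r.packets > 0]

def chain_counts(rules):
    """Packet totals per hop of the path the thread describes: GRE accepted,
    fwd to squid, plain accept on port 3128, and packets that hit a deny rule."""
    def total(pred):
        return sum(r.packets for r in rules if pred(r))
    return {
        "gre_allowed": total(lambda r: r.action == "allow" and r.body.startswith("gre ")),
        "fwd_to_squid": total(lambda r: r.action == "fwd"),
        "direct_3128": total(lambda r: r.action == "allow" and "dst-port 3128" in r.body),
        "denied": total(lambda r: r.action == "deny"),
    }

# Constructed subset of the poster's `ipfw show` output (rule numbers and counters as shown there).
SAMPLE = """\
00100 169411 85122124 allow ip from any to any via lo0
00600      0        0 allow tcp from any to me dst-port 3128
00700      0        0 allow gre from any to any via em0
00800    110     9368 allow gre from any to any via em1
00900    110     6288 fwd 127.0.0.1,3128 tcp from any to any dst-port 80 recv gre0
01100    184    19298 allow tcp from me to any keep-state
02400    155     8714 deny log logamount 100 ip from any to any
65535      1       72 deny ip from any to any
"""

if __name__ == "__main__":
    parsed = parse_ipfw_show(SAMPLE)
    for r in rules_with_traffic(parsed):
        print(f"{r.number:05d} {r.packets:>7} pkts  {r.action} {r.body}")
    print(chain_counts(parsed))
```

Run it against a live `ipfw show` (piped in instead of SAMPLE) twice, before and after a test request, and compare the per-hop totals to see which hop stops counting.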