Transparent Squid and traffic control
Michael Spratt
mike at magicislandtechnologies.com
Wed Jan 5 21:24:29 UTC 2011
John Nielsen wrote:
> On Jan 4, 2011, at 8:01 AM, Fazal Ahmed Malik wrote:
>
>
>> I have a problem running transparent Squid along with dummynet on FreeBSD 7. I have mpd5 for dial-in PPPoE, which is working perfectly along with ipfw dummynet traffic control. Now I want to set up transparent Squid using an ipfw fwd rule. If I place the fwd rule before the dummynet rule, transparent Squid starts working but then traffic is not being controlled. Then I placed the fwd rule after the dummynet pipe; here traffic is controlled but transparent Squid stops working. If anybody has experience with such a configuration where both work simultaneously, please give me some hints.
>>
>
> I have done this successfully in the past. You need to remember that for every web request there are potentially two TCP conversations: one between the client and the proxy and one between the proxy and the server.
>
> You probably do not want to pipe the first type of conversation--requests that can be served from the proxy's cache do not use WAN bandwidth and should be served at full speed over the LAN.
>
> You DO want to pipe the second type of conversation. Requests from the proxy to web servers over the WAN will compete with other traffic for bandwidth.
>
> So leave your fwd rule before the dummynet rule(s) and be sure that LAN traffic is not piped.
>
> Then add rules to pipe requests from the proxy's external IP to non-LAN addresses on port 80. Something like these:
>
> Downstream:
> ipfw add skipto $ACCEPT tcp from $LAN 80 to me
> ipfw add pipe $M tcp from any 80 to $EXTIP
>
> Upstream:
> ipfw add skipto $ACCEPT tcp from me to $LAN 80
> ipfw add pipe $N tcp from $EXTIP to any 80
>
> If you post a specific ruleset you can get specific advice. :)
>
> JN
>
John, try thinking about using tproxy with your Squids; then it will
be invisible to your IPFW traffic control, as the HTTP traffic will have
a spoofed source and not 'confuse' your bw control setup.
-Mike
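
The rule ordering described in John Nielsen's quoted reply, written out as an added example that is not part of the original thread: it prints a candidate ruleset and checks that the fwd rule comes before the pipes and that each pipe is preceded by its LAN exemption. The addresses, Squid port, rule numbers and bandwidths are constructed assumptions; `$LAN`, `$EXTIP`, `$M`, `$N` and `$ACCEPT` are the placeholders from the reply.

```shell
#!/bin/sh
# Constructed sample values; replace with your own before applying.
LAN="10.0.0.0/24"        # client network (assumed)
EXTIP="203.0.113.10"     # proxy's external address (assumed, documentation range)
SQUID="127.0.0.1,3128"   # Squid intercept listener (assumed port)
M=1                      # downstream pipe number
N=2                      # upstream pipe number
ACCEPT=1000              # rule number of the final accept rule

# Print the ipfw commands in evaluation order; nothing is executed here.
build_rules() {
    cat <<EOF
ipfw pipe $M config bw 2Mbit/s
ipfw pipe $N config bw 512Kbit/s
ipfw add 100 fwd $SQUID tcp from $LAN to any 80 in
ipfw add 200 skipto $ACCEPT tcp from $LAN 80 to me
ipfw add 210 pipe $M tcp from any 80 to $EXTIP
ipfw add 300 skipto $ACCEPT tcp from me to $LAN 80
ipfw add 310 pipe $N tcp from $EXTIP to any 80
ipfw add $ACCEPT allow ip from any to any
EOF
}

# Read a ruleset on stdin. Succeed only if a fwd rule precedes every pipe
# rule and each pipe rule directly follows a skipto exemption. With the
# default net.inet.ip.fw.one_pass=1, a packet leaving a pipe is accepted
# without visiting later rules, so a fwd rule placed after the pipes is
# never reached.
check_order() {
    awk '$2 == "add" { act = $4
             if (act == "pipe" && !fwd_seen) bad = 1
             if (act == "pipe" && prev != "skipto") bad = 1
             if (act == "fwd") fwd_seen = 1
             prev = act }
         END { exit (bad || !fwd_seen) }'
}

# Dry run: print the rules for review only if the ordering check passes.
if build_rules | check_order; then
    build_rules
else
    echo "rule order would bypass the proxy or pipe LAN traffic" >&2
fi
```

Review the printed commands, then pipe the script's output to `sh` on the gateway to load them.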