www/squid: tcp_outgoing_address binds to wrong interface

Nick Rogers ncrogers at gmail.com
Tue Jun 30 22:09:00 UTC 2015 

On Tue, Jun 30, 2015 at 2:36 PM, Nick Rogers <ncrogers at gmail.com> wrote:

>
>
> On Tue, Jun 30, 2015 at 11:54 AM, Dimitry Andric <dim at freebsd.org> wrote:
>
>> On 30 Jun 2015, at 18:48, Nick Rogers <ncrogers at gmail.com> wrote:
>> ...
>> > I am experiencing an issue with squid 3.5.5 and FreeBSD 10.1 where
>> > tcp_outgoing_address correctly rewrites the source address of outgoing
>> > packets, but fails to bind the socket to the correct interface.
>>
>> How do you arrive at this conclusion?  In the rest of your mail I see no
>> squid configuration for this, e.g. you would have to use:
>>
>> http_port 10.8.8.10:3129
>>
>> to explicitly bind to the first address on em1.  You can add multiple
>> http_port settings to bind to multiple addresses.
>>
>
> The http_port directive is for the address/port squid listens on for
> incoming client connections to the proxy, not what it uses to initiate
> outbound HTTP connections. The tcp_outgoing_address directive is what
> controls the source IP of outbound requests to web servers.
>
>
>>
>> > I've been
>> > using this kind of setup/configuration for quite some time (since the
>> squid
>> > 2.7 days), so I believe something between FreeBSD 9.x and 10.1 has
>> broken
>> > this behavior. FWIW squid 3.3.3 on FreeBSD 9.x behaves correctly with
>> the
>> > same config. My understanding is that squid merely changes the source
>> > address as a hint to the kernel routing stack, which makes me believe
>> the
>> > problem lies outside of squid. I've already sought out help from the
>> > squid-users mailing list and been told the same thing.
>> ...
>> > root# netstat -rn | grep default
>> >
>> > default            192.168.92.2       UGS         em0
>>
>> Do you have a route for 10.8.8.10 and similar?  Those should point to
>> em1, obviously.  If there is no specific route, those packets will
>> simply go to the default gateway.
>>
>
> 10.8.8.10 is an alias configured on em1.
>
> root# ifconfig em1
> em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0
> mtu 1500
> options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
> ether 00:0c:29:a3:33:7f
> inet 10.8.8.10 netmask 0xffffff00 broadcast 10.8.8.255
> nd6 options=9<PERFORMNUD,IFDISABLED>
> media: Ethernet autoselect (1000baseT <full-duplex>)
> status: active
> root# netstat -rn | grep em1
> 10.8.8.0/24        link#1             U           em1
>
> Is that not sufficient for the kernel to know that packets with a source
> IP of 10.8.8.10 should egress em1, which has 10.8.8.10 configured via
> ifconfig? If I using ping -S the packets go out the correct interface
> (e.g., ping -S 10.8.8.10 10.8.8.250).
>
> I believe I understand your point now... There is no way to specify a
route based on the source IP of the packet, thus it will always egress the
default route interface even though the desired source IP is configured on
a different interface. I suppose I can handle the source-based routing with
PF. Thank you.


>
>>
>> -Dimitry
>>
>>
>

More information about the freebsd-ports mailing list