Transparent Proxy Redirect

Started by shunt010

Transparent Proxy Redirect   20 February 2008, 01:41

Hi Andrew.

Is it possible, in a rule with the transparent proxy enabled, to make it work for just one port?

At the moment I have 3 rules per user: one for the transparent proxy, one for the upload and one for the download.

It would be really neat if I could have just 2 rules. That way the download speed wouldn't be doubled. At the moment, if a user has 300k/sec down on HTTP and 300 on non-HTTP, then they really get 600.

If the transparent proxy only worked for port 80, then this would mean I have 2 rules, so the user would only get 300.

Thanks!

Transparent Proxy Redirect   04 April 2008, 21:46

Yes, I think we'll consider adding this feature. It could be implemented as an additional condition (e.g. a port number) to route traffic via a transparent proxy. Something like a normal rule with redirection enabled, but applying the redirection only if a certain condition is met.

Transparent Proxy Redirect   10 June 2008, 18:43

Hi Andrew

Did you get anywhere with this feature in v2.8?

Transparent Proxy Redirect   12 June 2008, 18:49

Honestly, it has been successfully forgotten. However, it is easy to implement, so expect it to be available in a couple of days. I will post a notice here.

Transparent Proxy Redirect   12 June 2008, 19:52

Not a problem, I know what it's like!

I think it would be a fantastic feature though. Looking around on the internet, BWM seems to be the only program out there that does anything to support transparent proxying on Windows.

I believe the latest versions of Windows Server do, but they're a long way out of most people's price range.

Transparent Proxy Redirect   13 June 2008, 09:02

Hey yeah! That would be a nice feature! I think this is what we have been wanting to do for some time. We have a Win2k Advanced Server box with lots of juice, and at the moment we are only running BWM on it with 2 network cards and the BWM transparent bridging feature turned on. This sounds like it would let us install Squid and do some caching with relative ease!

Transparent Proxy Redirect   14 June 2008, 22:13

This feature has just been added in the 2.8 beta; please download and test it here.

Transparent Proxy Redirect   15 June 2008, 08:19

I've just tried it.

This is absolutely fantastic!

I've set my upstream rule to have the transparent proxy on port 80 to redirect to my server's port 3128 (Squid).

The downstream then (obviously) works as normal, since Squid talks to the client as it should.

It's saved me having 3 rules per client, and now the client's HTTP speed is also properly throttled (before, the upstream wasn't being throttled properly). It means clients can no longer download at 2 Mbit/s on the web and 2 Mbit/s on LimeWire, which gave them twice as much as they should have had.

I guess this makes BWM the first product out there to properly support transparent proxying on Windows.


Thanks Andrew
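For reference, here is a minimal squid.conf fragment for the setup described in this post: Squid listening on port 3128 and receiving the port-80 traffic that the bandwidth manager redirects to it. This is an added example, not the poster's configuration. The client network range and the cache path are assumptions, and the `intercept` keyword is the Squid 3.1+ spelling of what Squid 2.6/2.7 (current in 2008) called `transparent`.

```conf
# Listen on 3128 for traffic redirected by the bandwidth manager.
# Squid 2.6/2.7:       http_port 3128 transparent
# Squid 3.1 and later: http_port 3128 intercept
# Without this flag Squid expects proxy-style absolute URLs and rejects
# the redirected (origin-style) requests.
http_port 3128 intercept

# Memory and on-disk cache. The path is an assumption; use your install's.
cache_mem 256 MB
cache_dir ufs /var/spool/squid 1000 16 256

# Only the clients whose traffic is redirected may use the proxy. An
# intercept port reachable from outside the LAN is an open proxy.
acl localnet src 192.168.0.0/16
http_access allow localnet
http_access deny all

# Keep the Via and X-Forwarded-For headers on (the default) so upstream
# sites and your own logs can see that a proxy is involved and which
# client originated the request.
via on
forwarded_for on
```

Note that in intercept mode Squid rebuilds the request URL from the Host header and will answer anything that is not HTTP with an error page, so any non-HTTP protocol that happens to use TCP port 80 must be excluded from the redirect at the bandwidth manager; Squid itself cannot pass it through.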

Transparent Proxy Redirect   15 June 2008, 19:49

Hi Andrew

I've noticed something interesting with this...

I've currently got 3 rules per user - HTTP, up and down.

When I kill the HTTP rule, and put transparent redirect on the upstream rule, the bandwidth available to the user becomes whatever the bandwidth is for the upstream rule.

eg:
HTTP (source as client MAC, destination as any, port 80) <-- now removed
up (source as client MAC, any, with port forwarding only on port 80 to port 3128, only incoming traffic)
down (any, destination as client MAC, only outgoing traffic)

It seems like the data gets as far as the up rule, gets mangled, and then the downstream also goes through the same rule and doesn't get passed to the downstream rule, even though it's supposed to (in theory).

Swapping the rules over doesn't work: the destination on the downstream rule isn't port 80, so putting the transparent proxy there doesn't work!

Changing the order of the rules so it goes down then up doesn't work either.


It seems that possibly, once a port redirect is in operation, any packets returned on that redirect go back through the same rule regardless of direction or whether there's a more suitable return rule?


I guess this is the operation it needs, since a kind of NAT is going on, and it saves having massive tables, by just having a table for each rule?

If this is how it operates (which would be memory-efficient and avoid confusion within the NAT), would it be possible to have a different upstream/downstream rate per rule? Or can anyone else think of another workaround to make this usable?

The idea is that since it's an asynchronous connection coming in, it makes sense to only allocate the users an asynchronous bandwidth. Otherwise it's very easy for one user to saturate the upstream, which really degrades the quality of service provided to all users.

Transparent Proxy Redirect   20 July 2008, 15:21

Hi all...

I use the transparent proxy feature too (with Squid). But some services need to not go through a transparent proxy to work correctly.

Example: in Brazil there is a service called "Conectividade Social". It uses a socket on port 80. Without the transparent proxy, this test (TELNET 200.201.174.207 80) shows this:

-----------------------------------------------------------------------------------------------
HTTP/1.0 200 OK
Content-Type: text/html
Pragma: no-cache


<HTML>
<HEAD>
<TITLE>PrivateWire GateWay</TITLE>
<TD>
<TR>
<TD COLSPAN="2"><HR SIZE="3"></TD>
</HEAD>
<BODY BGCOLOR="#C0C0C0" TEXT="#000000" LINK="#0000EE" VLINK="#551A8B" ALINK="#FF0000">
<TABLE CELLPADDING="3" WIDTH="100%">
<TR>
<TD ALIGN="CENTER">
<TD>
<CENTER>
<B><FONT SIZE="5">PrivateWire GateWay
</FONT><BR><BR>
</CENTER>
<P>
<FONT SIZE="4">
User is not Authorized.<BR><BR>
<FONT SIZE="4">
</CENTER>
Please contact your organization for further information.</A>
<P>
<P STYLE="background: transparent"><FONT COLOR="#c0c0c0">
254
</FONT></P>
<BR>
<P>
</FONT>
<TR>
<TD COLSPAN="2"><HR SIZE="3"></TD>
<TR>
</TABLE>
</FONT>
</BODY>
</HTML>

-----------------------------------------------------------------------------------------------

If this happens, the service is working.

But if I enable the transparent proxy on port 80, the test (TELNET 200.201.174.207 80) is caught by Squid.

I put a rule above all my WISP "clients":

SOURCE RANGE OF MY NETWORK | DESTINATION 200.201.174.207 PORT 80

And this problem doesn't happen anymore. But it would be better if Andrew could implement a modification in Port Mapping Redirect to select excluded destination IPs that are not affected by Port Redirect.

Sorry for my English...

Thanks !
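The "TELNET host 80" check in the post above can be done in code, which is handy when you need to re-verify a bypass rule after changing the ruleset. The following is an added example, not part of the original thread or of either product: it sends a minimal HTTP/1.0 request, parses the raw response, and reports whether the answer carries the headers Squid normally adds (`Via`, `X-Cache`) or looks like the origin server's own reply, as the PrivateWire page pasted above does. The two sample responses are constructed for the demonstration, and the host name used in `probe()` is a placeholder.

```python
"""Tell an origin reply from an intercepted (Squid-answered) reply on port 80.

Added example, not from the forum thread. Squid adds "Via:" (and usually
"X-Cache:") unless "via off" is configured, while the PrivateWire gateway
reply shown above has neither. Absence of markers therefore suggests, but
does not prove, that no proxy is in the path.
"""
import socket

# Header names that a Squid (or most other) proxy inserts into a response.
PROXY_HEADER_MARKERS = ("via", "x-cache", "x-squid-error", "proxy-connection")


def parse_response(raw: bytes) -> tuple[str, dict[str, str], bytes]:
    """Split a raw HTTP response into (status line, lower-cased headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:  # tolerate bare-LF responses, e.g. text copied from a telnet session
        head, sep, body = raw.partition(b"\n\n")
    lines = head.decode("latin-1").splitlines()
    status = lines[0] if lines else ""
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify(raw: bytes) -> str:
    """Return 'proxied' when proxy markers are present, otherwise 'origin'."""
    _status, headers, _body = parse_response(raw)
    if any(marker in headers for marker in PROXY_HEADER_MARKERS):
        return "proxied"
    if "squid" in headers.get("server", "").lower():
        return "proxied"
    return "origin"


def probe(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Live check (needs network access): connect directly to host:port, send a
    bare request as the telnet test does, and classify whatever comes back."""
    request = f"GET / HTTP/1.0\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify(b"".join(chunks))


# Constructed samples (not captured from a live host).
ORIGIN_REPLY = (
    b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\nPragma: no-cache\r\n\r\n"
    b"<HTML><HEAD><TITLE>PrivateWire GateWay</TITLE></HEAD></HTML>"
)
SQUID_REPLY = (
    b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n"
    b"Via: 1.0 proxy.example (squid/2.7.STABLE3)\r\n"
    b"X-Cache: MISS from proxy.example\r\n\r\n"
    b"<HTML><HEAD><TITLE>PrivateWire GateWay</TITLE></HEAD></HTML>"
)

if __name__ == "__main__":
    print("origin sample:", classify(ORIGIN_REPLY))   # origin
    print("squid sample: ", classify(SQUID_REPLY))    # proxied
    # probe("service.example", 80)  # placeholder host; run from a client behind the redirect
```

Run `probe()` from a machine whose traffic passes through the bandwidth manager: a result of `proxied` for the excluded destination means the bypass rule is not matching. Remember that a proxy configured with `via off` hides the usual markers, so treat `origin` as "no evidence of a proxy" rather than proof of a direct path.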

Transparent Proxy Redirect   21 July 2008, 12:07

Shunt, I have problems with Squid... what is your configuration (squid.conf)?

My cache_mem is 256

cache_dir 1000 16 256

Can you help me? Please!

Transparent Proxy Redirect   21 July 2008, 23:19

What problems are you having?

If you drop me an email ( sam@eastmidlandscomms.co.uk ), I can email you over my whole squid.conf file, if that's of any help? It's quite big, so is probably best not to put on the forum, unless Andrew thinks it may be useful for others

Transparent Proxy Redirect   22 July 2008, 00:02

Ah... OK... I will send an email to you...


Thanks!

Transparent Proxy Redirect   27 July 2008, 03:41

Andrew,

Transparent Proxy Redirect doesn't work with Kerio Winroute 6.5.

Transparent Proxy Redirect   27 July 2008, 13:48

Hey Shunt010, I would be interested in seeing your squid.conf myself. We have just started getting together a machine running BWM and Squid, and it would be good to have a reference to look at from someone who has it running. If you don't mind, I might shoot you an email and get a copy of your conf to compare.

Just out of curiosity, what type of system (CPU, memory, HD type) are you running your BWM/Squid setup on, and how is it handling resources, etc.?

Also, are you using the 3 rules in BWM you mentioned earlier to do this, or one overall HTTP rule? Up to now, with no cache running, we have just been using BWM with one rule for each IP address we want to control, with "any IP based", the "both" option (up/down), and we were trying to figure out which way to add in the HTTP redirect. We didn't really want to split it up into 3 rules, but we can if that's the best way. We also just thought about adding 1 global rule for all HTTP first; we may test it different ways and see which seems better.


Thanks
TomW

Transparent Proxy Redirect   27 July 2008, 20:29

Hi Tom

I've just tried to attach my squid.conf file, but I can't attach anything larger than 100 KB, so email me and I'll send it off to you.

The only reason that I've got 3 rules is I want asymmetrical bandwidth and BWM does not support different upstream/downstream rates per rule.

If I reduce it to 2 rules, using the new port forwarding filtering, I have to put the transparent proxy "trap" on the upstream rule, so users only get the internet at 300 kbit/s, not 3 Mbit/s; they'd soon notice!

If I reduce it to 1 rule, then I wouldn't have it being asymmetrical, so my upstream of the internet would quickly become overloaded by P2P, which would make things slow down dramatically.

That's the reason I've got 3 rules. HTTP still isn't asymmetrical, but that's not so bad, since people don't tend to do very large HTTP uploads.

I've attached my config file to point you in the right direction.

I can't remember exactly what the spec of the machine is. I've tried it on 2.

I've tried it on a 900 MHz thing with 512 MB RAM and a 4 GB HDD. Worked well, could easily handle 10 Mbit/s.

I've tried it on a dual-core 3400 MHz thing with 2 GB RAM and a 4 GB HDD. Worked slightly better, probably because of the dual core. Web pages were more "responsive".

You can tell the difference between the 900 MHz and the 3400 MHz dual core straight away. Looking in Task Manager, you can see the two processors being used properly. OS: Windows 2000 Advanced Server.

Transparent Proxy Redirect   28 July 2008, 06:02

Hey Shunt010, thanks for all the info! Very helpful! I have sent you an email, so hopefully you should get it soon.


"I've attached my config file to point you in the right direction."

I don't seem to see any attachments on your post at all, the config file must not have gotten attached for some reason.


The system we are going to try and get it running on is similar to your latter machine. It's a P4 D 3 GHz, 1 GB DDR2 PC2-5300 RAM, 2 x 80 GB SATA II HDDs, 2 built-in Intel gigabit Ethernet interfaces, also running W2K AS. We were hoping that would be enough juice to handle a fair number of rules and/or caching.

Transparent Proxy Redirect   30 July 2008, 12:09

Hey Lucas Alexandre.

Why don't you use WINPROXY 6.1 for transparent proxying? It works beautifully and is fully compatible with BWM. My single server does the whole job. If you have any questions about configuring it, get in touch: mario@benvenutis.net.

Transparent Proxy Redirect   30 July 2008, 12:43

Hello!

I managed to get Squid working as a transparent proxy using BWM.

Thank you very much.

Transparent Proxy Redirect   31 July 2008, 14:34

I tested Kerio Winroute 6.42 and 6.5b tonight with a SPECIAL BUILD OF BWM and it works perfectly!

Transparent Redirect works perfectly with Kerio Winroute...

Thanks...

Transparent Proxy Redirect   06 August 2008, 00:46

Hi Andrew,

Could you implement a modification in port mapping to bypass some IPs?

Example: port mapping is enabled, catching all traffic and redirecting it to Squid (port 3128), but some IPs don't work with a transparent proxy and need to be excluded from port mapping.


I use a rule at the top of my ruleset to bypass Squid. But this is not the best solution for this.

Transparent Proxy Redirect   06 August 2008, 05:40

Hi Lucas.

I too use a "catch" rule at the top to bypass squid.

The only website I need to bypass is the local host, so I put a rule at the top for port 80 of the local server to be unlimited (I need this for my speed test calibration).

Squid does add the original IP to the headers, if this helps.

Transparent Proxy Redirect   06 August 2008, 08:49

Hi Samuel

I am using a "catch" rule the same as you... but if Andrew implemented a modification in port mapping to exclude custom IPs, it would be better than a "catch" rule...

Transparent Proxy Redirect   06 August 2008, 21:55

I guess it would be nice.

Out of interest, what sort of things do you want to exclude from Squid? I've never had any problems with Squid, and also use Squid to zap the adverts (using the Adzapper plugin), which saves quite a bit of my bandwidth, and nobody's ever noticed/complained.

The reason I have it as a catch all is because of the way my bandwidth script works. I measure the customer's maximum bandwidth first, then only give them up to 95% of what their line can take. This isn't to be mean, it just helps the Wifi protocol along a lot better, as I've said before I think. I need therefore access to the local server to be an unlimited speed, so the "catch all" rule works very nicely for me.

But I'm trying to figure out what you let your users have access to that needs throttling but not Squidding? There's probably a very good reason for it!

Transparent Proxy Redirect   07 August 2008, 00:16

In Brazil there is a service called "Conectividade Social". It uses a socket on port 80. If I don't bypass Squid, this service doesn't work. So I have to do a "pure" NAT for some IPs.

Transparent Proxy Redirect   07 August 2008, 00:45

Ah, this makes sense now. I was wondering if you'd got something really clever going on, but I guess that's it.

I wonder why they don't use port 443. Port 443 is a good port to use for things like that, since you can't transparently proxy it, and most firewalls let it through because it's HTTPS. I use it on a few of my servers.

Transparent Proxy Redirect   07 August 2008, 08:14

These things only happen in Brazil.

Transparent Proxy Redirect   20 August 2008, 22:43

Andrew? Can you implement this modification in port mapping?

Transparent Proxy Redirect   15 September 2008, 00:42

Lucas, if you mean "exclusion" of some IP addresses from being proxied, it can be done quite easily with the current version. Simply define a group of IP addresses that you want to bypass, then link this group to the rule that does port mapping and make it a "not in" rule.

Let me explain with an example. Suppose you don't want outgoing requests to addresses 100.100.100.100 and 200.200.200.200 to be proxied. Make a group with these two IP addresses. Then make a rule like this:

Source: set as needed
Destination: Not in the Group (to do so, choose the group and then enable inversion of the destination address on the Advanced tab)
Advanced: Redirect to port 3128 (or whatever the port is).

This should work perfectly.
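The two approaches in this thread, a "catch" rule placed above the redirect rule and a single redirect rule whose destination is "not in" the bypass group, should make the same redirect decision for every flow. The model below is an added example, not BWM's rule engine: it assumes first-match evaluation, a per-rule source network, an optional destination group with inversion, and an optional port condition, and uses constructed addresses. It evaluates both rulesets over a few sample flows and shows that the redirect outcome is identical, including the port-80-only condition from the feature request at the top of the thread.

```python
"""First-match rule model comparing a catch-rule bypass with an inverted
("not in") destination group. Added illustration; rule fields, matching
order and addresses are assumptions, not the product's implementation."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Flow:
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    name: str
    src_net: str                           # source network the rule applies to
    dst_group: Optional[set[str]] = None   # destination addresses, None = any
    invert_dst: bool = False               # True = "destination NOT in group"
    dport: Optional[int] = None            # only match this destination port
    redirect_to: Optional[int] = None      # local proxy port, e.g. 3128

    def matches(self, f: Flow) -> bool:
        if ip_address(f.src) not in ip_network(self.src_net):
            return False
        if self.dport is not None and f.dport != self.dport:
            return False
        if self.dst_group is not None:
            in_group = f.dst in self.dst_group
            # plain group: match when in it; inverted: match when NOT in it
            if in_group == self.invert_dst:
                return False
        return True


def decide(rules: list[Rule], f: Flow) -> Optional[int]:
    """First matching rule wins. Returns the redirect port, or None when the
    flow is passed through (matched a non-redirect rule, or nothing at all)."""
    for rule in rules:
        if rule.matches(f):
            return rule.redirect_to
    return None


BYPASS = {"100.100.100.100", "200.200.200.200"}   # the group from Andrew's reply
LAN = "192.168.0.0/16"                            # assumed client range

# Approach A: a "catch" rule on top, plain redirect rule below.
CATCH_THEN_REDIRECT = [
    Rule("bypass", LAN, dst_group=BYPASS, dport=80),
    Rule("proxy", LAN, dport=80, redirect_to=3128),
]
# Approach B: one redirect rule whose destination is "not in" the group.
INVERTED_GROUP = [
    Rule("proxy", LAN, dst_group=BYPASS, invert_dst=True, dport=80, redirect_to=3128),
]


def compare(flows: list[Flow]) -> list[tuple[Optional[int], Optional[int]]]:
    """Redirect decision of each ruleset per flow, side by side."""
    return [(decide(CATCH_THEN_REDIRECT, f), decide(INVERTED_GROUP, f)) for f in flows]


# Constructed flows: an excluded service on port 80, ordinary web, and HTTPS.
SAMPLE_FLOWS = [
    Flow("192.168.1.10", "100.100.100.100", 80),
    Flow("192.168.1.10", "93.184.216.34", 80),
    Flow("192.168.1.10", "93.184.216.34", 443),
]

if __name__ == "__main__":
    for f, (a, b) in zip(SAMPLE_FLOWS, compare(SAMPLE_FLOWS)):
        print(f"{f.dst}:{f.dport}  catch-rule={a}  inverted-group={b}")
```

The check worth keeping from this is the equivalence itself: whichever form you use in the real ruleset, a flow to a bypassed address on port 80 must come out as "not redirected", and a flow to any other address on port 80 as "redirect to 3128"; ports other than 80 should never be touched by the redirect rule.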

Transparent Proxy Redirect   16 September 2008, 01:02

Hi Andrew,

Currently, I am using a rule at the top of my ruleset catching all traffic to bypass Squid for only 5 IPs (in a group). This solution is working for me at the moment.
