Port redirect and proxy

Started by Arthur

Port redirect and proxy   14 October 2008, 18:05

Well, after 2 days of trying I'm about to throw in the towel. Here's the problem:

I'm trying to set up port mapping and squid to work together, but it seems impossible. BWM is working perfectly on my Windows XP gateway box.
I set up squid version 2.7, it works fine too. In my LAN, I can set up the browsers on port 3128 and they will browse ok. I can check the access log and all is ok, the cache log is normal too.

After that, I set up the port mapping "squid" to port 3128. I have two rules for each client, upload and download. When I activate "process through the following mapping -squid-" and in ports "single port 80" on the upload rule, the user can no longer browse the web. He can however access https and other non-http services, as it is a different port. HTTP requests are being made, but there is no data coming back. It looks like squid does not receive the request from BWM, the mapping does not work.

If I put in "ports" the value 3128, the user can browse the web, but it appears the proxy is not working, because the access log stays completely empty!

What I did to diagnose:
Put squid in transparent and non transparent (http_port 3128 transparent)
Changed between version 2.8 and 2.9 beta of BWM
Used parts of Shunt's squid.conf as posted in another topic

All to no avail.

Obviously I'm overlooking something, if someone recognizes this situation, please give me a hint.

Re: Port redirect and proxy   14 October 2008, 18:19

I don't know if it helps, but if you use the latest version of BWM, you should only need one rule, since you can now assign different upstream/downstream rates per client.

Re: Port redirect and proxy   14 October 2008, 19:15

That is correct Shunt, but I'm updating from older versions that didn't support async. upload and downloads. I've got to change all the rules to one rule only - format. But that is something not so urgent, first I have to get the port mapping and proxy going.

I would like to add something, just did another test.
My gateway has three network cards. You could call it multi-homed.
One ethernet card comes from the adsl router.
The second one goes out to the lan, 192.168.1.x net for the clients. These two are bridged by BWM.
The third one is a gbit card to our private network, 192.168.168.x for our own office.
We wanted to keep "our" lan separate from the other lan, where all the internet clients are.

I did a test from the 192.168.1.x net, configuring the proxy port 3128 and disabled the rule in BWM - guess what, no connection. "Could not find remote server" was the message, and it was no squid message.

Then I did a test on the system with 2 network cards, and disabled the 192.168.1.x card normally used for internet. I could still browse the net, but from the 192.168.168.x net. This was not supposed to be like that. I suspect that squid is the cause of it, because in the log appears the IP address.

Seems that it is not a BWM related problem. Squid just won't let the 192.168.1.x net access the web, while I put all the acl and http_allow in place, after all 192.168.168.0/24 is on a different subnet.

My apologies if this goes beyond the scope of this forum, but if someone can put me on the right track, it would be great.

Cheers
Arthur.
Andrew

Re: Port redirect and proxy   14 October 2008, 20:20

I would advise to install any protocol analyzer / sniffer on this machine, which will let you see what is really going on.

Or, I have one more point that might be the reason of the problem: you said that you have NICs bridged with BWM. Bridging works regardless of IP addressing configured on these NICs. Port mapping, however, requires a correctly configured IP address on the NIC facing the LAN clients.

Perhaps I could say more if you provide output of the following commands launched on the server:
ipconfig /all
arp -a
route print

Re: Port redirect and proxy   15 October 2008, 05:21

Here is the output you requested. The bridge is configured with two different IPs, because if I put them on the same range, the gateway itself loses its internet connection.

Windows IP Configuration

Host Name . . . . . . . . . . . . : gateway
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Private: (this is the 192.168.168.x net)

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller
Physical Address. . . . . . . . . : 00-13-D4-29-31-12

Ethernet adapter WAN Side:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8169/8110 Family Gigabit Ethernet NIC
Physical Address. . . . . . . . . : 00-08-54-B1-9D-0A
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.50
DNS Servers . . . . . . . . . . . : 192.168.1.50

Ethernet adapter Lan Side:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 PM Network Connection
Physical Address. . . . . . . . . : 00-13-D4-29-29-42
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :

Arp -a:

Interface: 192.168.1.2 --- 0x3
Internet Address Physical Address Type
192.168.1.50 00-1a-92-dc-63-f5 dynamic

route print:
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 13 d4 29 31 12 ...... Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller - Packet Scheduler Miniport
0x3 ...00 08 54 b1 9d 0a ...... Realtek RTL8169/8110 Family Gigabit Ethernet NIC - Packet Scheduler Miniport
0x4 ...00 13 d4 29 29 42 ...... Intel(R) PRO/1000 PM Network Connection - Packet Scheduler Miniport
==============
==============
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.50 192.168.1.2 20
84.x.x.x 255.255.255.255 192.168.1.50 192.168.1.2 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.0.0 255.255.255.0 192.168.0.3 192.168.0.3 30
192.168.0.3 255.255.255.255 127.0.0.1 127.0.0.1 30
192.168.0.255 255.255.255.255 192.168.0.3 192.168.0.3 30
192.168.1.0 255.255.255.0 192.168.1.2 192.168.1.2 20
192.168.1.2 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.2 192.168.1.2 20
224.0.0.0 240.0.0.0 192.168.0.3 192.168.0.3 30
224.0.0.0 240.0.0.0 192.168.1.2 192.168.1.2 20
255.255.255.255 255.255.255.255 192.168.0.3 192.168.0.3 1
255.255.255.255 255.255.255.255 192.168.0.3 2 1
255.255.255.255 255.255.255.255 192.168.1.2 192.168.1.2 1
Default Gateway: 192.168.1.50
============
Persistent Routes:
None

Main problem is, the BWM bridge works, but squid does not want to work with it. Even if I disable the rule, no connection can be made with squid.
If I use the interface that's not part of the bridge and on another subnet, it does work. Bizarre that squid takes traffic from 192.168.168.x interface and passes it on to the wan side 192.168.1.2.
I have Wireshark installed, could give that a try to see what happens when requests are being made.

Thanks and again sorry to bother with this.
Arthur.
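The route table above is the place to check Andrew's point about which NIC actually faces the clients. The script below is an added example (not from the thread or from SoftPerfect); it embeds the Active Routes block from Arthur's `route print` output as constructed sample input (the masked `84.x.x.x` host route is left out because it cannot be parsed) and does the same longest-prefix, lowest-metric lookup Windows performs, so you can see which interface the gateway uses to reach a given address.

```python
import ipaddress
from typing import List, NamedTuple, Optional

# Sample input: the Active Routes table from the route print output posted
# in the thread (the masked 84.x.x.x line is omitted). Columns are
# Destination, Netmask, Gateway, Interface, Metric.
ROUTE_PRINT_ACTIVE = """\
0.0.0.0 0.0.0.0 192.168.1.50 192.168.1.2 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.0.0 255.255.255.0 192.168.0.3 192.168.0.3 30
192.168.0.3 255.255.255.255 127.0.0.1 127.0.0.1 30
192.168.0.255 255.255.255.255 192.168.0.3 192.168.0.3 30
192.168.1.0 255.255.255.0 192.168.1.2 192.168.1.2 20
192.168.1.2 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.2 192.168.1.2 20
224.0.0.0 240.0.0.0 192.168.0.3 192.168.0.3 30
224.0.0.0 240.0.0.0 192.168.1.2 192.168.1.2 20
255.255.255.255 255.255.255.255 192.168.0.3 192.168.0.3 1
255.255.255.255 255.255.255.255 192.168.0.3 2 1
255.255.255.255 255.255.255.255 192.168.1.2 192.168.1.2 1
"""


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str
    interface: str
    metric: int


def parse_routes(text: str) -> List[Route]:
    """Parse the five-column Active Routes block of Windows 'route print'."""
    routes: List[Route] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # headers, separators, blank lines
        dest, mask, gateway, iface, metric = parts
        try:
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        except ValueError:
            continue  # e.g. a masked line such as 84.x.x.x
        routes.append(Route(net, gateway, iface, int(metric)))
    return routes


def best_route(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def is_on_link(route: Route) -> bool:
    """Windows lists the interface address as gateway for directly attached nets."""
    return route.gateway == route.interface


def explain(routes: List[Route], dst: str) -> str:
    r = best_route(routes, dst)
    if r is None:
        return f"{dst}: no route"
    how = "on-link" if is_on_link(r) else f"via {r.gateway}"
    return f"{dst}: out of {r.interface} {how} ({r.network}, metric {r.metric})"


if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT_ACTIVE)
    # A client in the 192.168.1.x net is reached through the WAN-side NIC
    # (192.168.1.2), not the NIC named "Lan Side" (192.168.0.3).
    for host in ("192.168.1.100", "192.168.0.77", "8.8.8.8", "192.168.1.2"):
        print(explain(table, host))
```

Run against this table, a client at 192.168.1.100 is reached out of 192.168.1.2 (the WAN-side card) while 192.168.0.3, the card labelled "Lan Side", only carries 192.168.0.0/24, which is exactly the mismatch Andrew describes between bridging and port mapping.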

Re: Port redirect and proxy   15 October 2008, 18:24

Done some changes:

Configured the LAN side with the correct IP address. Now both cards on the bridge are on the same subnet. Lost internet on the gateway machine, but for the sake of testing it didn't matter. Tried to activate mapping again, no change. Could not find remote server while browsing.

When BWM bridges the network cards, they lose their properties. I tried to ping either of the two cards in the bridge, 1.2 and 1.3, without success. Can ping the ADSL router and other computers on the network, but not the gateway computer with BWM installed. I can however ping the system from the other subnet 192.168.168.x.

I had the idea, at some point, to remove the bridge and just let BWM catch all traffic on the LAN side without bridging.
I made a rule in Squid.conf "http_port 192.168.1.2:3128 transparent" to let it listen only on that specific interface.
I'm afraid however, that this will defeat the purpose of BWM, Squid will catch packets on port 3128, but there will be no bandwidth control. Is this correct?

Cheers,
Arthur.
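For comparison, here is the kind of squid.conf fragment this setup needs. It is an added illustration, not Arthur's file and not anything posted in the thread; the interface address, the subnet names and the port list are assumptions for the example. It combines the interface-bound transparent `http_port` from the post above with the access rules from Arthur's earlier message, where both the client net and the office net have to be allowed explicitly because Squid 2.7 denies everything that no `http_access allow` line matches.

```conf
# Added example squid.conf fragment (not Arthur's configuration).
# Bind to the NIC that faces the clients; Squid 2.7 spelling of intercept mode.
# The address is an assumption: use the LAN-facing interface's own IP.
http_port 192.168.1.2:3128 transparent

# Both internal subnets mentioned in the thread.
acl clients src 192.168.1.0/24
acl office  src 192.168.168.0/24

acl Safe_ports port 80 443 21 1025-65535
acl SSL_ports  port 443
acl CONNECT method CONNECT

# Order matters: first matching http_access line decides.
http_access deny  !Safe_ports
http_access deny  CONNECT !SSL_ports
http_access allow clients
http_access allow office
http_access deny  all

# Watch this file while testing: a request that reaches Squid always
# leaves a line here. Browsing that works with an empty log means the
# traffic never arrived on port 3128 (the symptom described earlier in
# the thread when "ports" was set to 3128).
access_log /var/log/squid/access.log squid
```

A quick check after `squid -k reconfigure`: browse from one host in each subnet and confirm a line with that client's source address appears in access.log; a `TCP_DENIED/403` line means the ACL is wrong, no line at all means the redirect is wrong.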

Re: Port redirect and proxy   16 October 2008, 12:37

Please guys, I know some of you have this working, at least explain your setup to me, perhaps I'm doing something wrong. It's always good to have something to compare.

Re: Port redirect and proxy   16 October 2008, 12:54

Sorry Arthur, I don't use Bridge...

My setup is:
SoftPerfect BWM
Kerio Winroute
Squid (I don't like Kerio proxy)

Re: Port redirect and proxy   16 October 2008, 14:38

Hi Lucas,

Was just looking at Winroute, my first impression is that Kerio is a very complete solution. It has a firewall, proxy, bandwidth limiter and other nice features. I understand that you do not use the proxy part, so you are using the firewall and the internet sharing NAT component.

I could try this as a last resort, I know the Softperfect bridge is giving me problems so I might be looking at another solution soon. The BWM bridge is not absolutely necessary, but it would be nice to have it working properly. At this moment I have either BWM or Squid, but not both at the same time.

Cheers
Arthur.

Re: Port redirect and proxy   26 October 2008, 12:25

At last I managed to solve this. Got it working 100% exactly how I wanted it. I'll post the solution in a new topic, because there was something else going on that needs to be explained first. I've seen this problem posted here several times, but no solution was given until today.
Vela Gumede

Re: Port redirect and proxy   18 October 2016, 05:20

Hi Arthur,
Could you please explain for me how you managed to sort your problem, I 'm having a similar problem here.

Thank you
Ann

Re: Port redirect and proxy   18 October 2016, 11:27

To Vela Gumede:
That message is 8 years old and its author may not be monitoring this topic anymore. As he said, he posted his solution in a separate topic here.

Sometimes you can get the answer faster if you try the forum search and/or have a look at the software user manual to see if your question has already been answered.
