Hello Everyone,

I'm trying to setup a linux box with 3 NICs (2 WAN links and 1 LAN). All http traffic (port 80) should go to WAN 1 via squid proxy and the rest to WAN 2. I already setup MASQUERADING in iptables and I already configured port 80 to redirect to port 3128 for squid. My default gateway is WAN 2. But the problem is squid uses the default gateway - WAN2. can someone help me setting up the iptables / routing for squid to use WAN 1?

Thanks in advance!

Typically, something like this could be handled with source policy routing, such as where you have traffic coming from specific sources, and tell it to use the non-default gateway WAN interface.

Something like this:

http://lartc.org/howto/lartc.rpdb.ht...TC.RPDB.SIMPLE

That isn't going to work in your circumstance as the squid proxy is running on the same system, therefor you don't have that luxury. The easiest thing would have been to use a separate system for the squid proxy/WAN1 connection. Looks like you're too far into this to go that route, however.

I just compiled and installed squid on a system that has two interfaces that will function in a similar manner as your dual WAN setup. I'll provide a basic config for squid, just enough to get it functioning, then see what I can do about coming up with a solution. I've read through some various advanced routing guides, and haven't found a simple, straightforward solution yet.

I managed to find a solution for you, yorbs8.

I have been futzing around with routes, created custom routing tables, iptables rules, all sorts of things.

But, those aren't the solution.

I ran across something here:

http://www.experts-exchange.com/Soft..._23091996.html

Which discussed load balancing, but the key to that was the 'tcp_outgoing_address' option.

Did a quick search on it to turn up a web page, which after looking at it is nothing more than information quoted from the squid.conf file.

This is the pertinent info:

Well, upon further testing, you also will need to add a routing table to more or less associate outbound traffic to WAN 1. If you don't add the following routing configuration, the traffic will still exit the default gateway (WAN 2), the difference being now it will have the IP address of WAN 1.

The rule:

tcp_outgoing_address 10.42.159.20

will have to be added to your squid.conf file, with the proper IP used. Just search for the proper section in the squid.conf file (which is what I'm showing above) and add it there.

To add the routing table, you will have to follow these steps:

You should have an iproute2 package installed on your system. You should have a file:

/etc/iproute2/rt_tables

edit and add something to the effect of:

You can use whatever you want for the name of the rule, mine being 'T1'. If a table already uses the 200 value, use something else.

Now you will have to add a few routes to that table. This is what I used to set up my system:

The 10.42.159.0/24 would be changed to the network definition for WAN 1 on your system. Change 10.42.159.10 to the default route for that interface.

These are not permanent changes to the routing table. You will have to add these configuration settings somewhere in your config scripts.

Thanks devwatchdog! I'll try following your solution. Thanks again!

You're welcome! But I'm wondering if it worked for you. Was this successful?

yeah it worked! but I added a few lines of code to mark port 3128 so that it will use WAN1's gateway....

# Forward HTTP port to squid port 3128
iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j DNAT --to 192.168.3.1:3128

# Mark SQUID port 3128
iptables -t mangle -A PREROUTING -s 192.168.3.0/24 -p tcp --in-interface eth2 --dport 3128 -j MARK --set-mark 1

ip rule add from 192.168.3.0/24 fwmark 1 table web.out
ip route add default via 192.168.1.1 dev eth0 table web.out

Thanks again!

thanks for this solution

but i got another guestion

if my squid.conf without "tcp_outgoing_address wan1's gateway"

my netowrk interface
eth0 wan1
eht1 wan2
ent2 wan3
eth3 lan 192.168.1.0/24

my iptable T1
wan1 ip dev eth0 scope link
192.168.1.0/24 dev eth3 scope link
default via wan1's dev eth0

iptables -t mangle -A PREROUTING -s 192.168.1.0/24 -j MARK --set-mark 1

http traffic not follow the iptables
sometime via eth1 or eth2

after squid.conf added "tcp_outgoing_address wan1's gateway"
it worked correctly

why??? what squid do???

the http traffic
192.168.1.x http resquset => iptables(nat) redirect 3128 => iptables (mangle) mark 1
=> route table T1 => internet

why iptables can't not control the traffic

i want creat the tables T2
wna1's gateway dev eth0 scope link
wan2's gateway dev eth1 scope link
wan3's gateway dev eth3 scope link
192.168.1.0/24 dev eth3 scope link
default
nexthop via wna1's gateway dev eth0 weight 1 onlink
nexthop via wna2's gateway dev eth1 weight 1 onlink
nexthop via wna3's gateway dev eth2 weight 1 onlink

how to make squid route follow this table

thanks for any advice!!!

Hello lukeshih!

Could you open up another thread with your question? You'll get more attention that way, and we can work on your problem then.