Old 11-29-2011, 07:24 AM   #1
Registered: Nov 2003
Location: Bulgaria
Distribution: Vector Linux, Morphix
Posts: 311

Rep: Reputation: 33
one Squid transparent proxy for multiple ISP links

Hello all,
currently I have 3 independent internet lines and I have a router/firewall on each one of those lines. The routers have Squid transparent proxies for controlling access to the Internet based on ACLs.
I want to remove those routers/firewalls and replace them with Mikrotik routers. Unfortunately the web proxy of the Mikrotik is not so flexible and I have to use Squid proxy again. The reason for replacing the old routers is that they run on old HP servers and consume a lot of electricity.
With the new configuration I want to use only one Squid proxy for all lines.
The basic idea is that I want my clients to go through a certain line to the Internet, but not to mix all 3 lines.
The non-HTTP traffic will go via Mikrotik, but the HTTP should be redirected to the Squid, inspected, logged, rerouted back to the Mikrotik and go to the Internet. I saw some schemes with one Mikrotik and Squid, but I want to have 3 Mikrotiks and one Squid.
I started thinking about marking packets from a certain Mikrotik and rerouting them back to it based on the mark, but maybe something else is possible.
Any suggestions will be appreciated.

Best regards.
Old 12-01-2011, 09:58 PM   #2
LQ Newbie
Registered: Dec 2011
Posts: 1

Rep: Reputation: Disabled
Let your traffic be passed through Squid first. Configure a transparent proxy. The proxy will log all the details you want to be logged, and then will forward to the router. If traffic is non-HTTP, the proxy would route it immediately to the router.

It is very simple to implement compared to "marking the packets" idea.

Nikunj Master
Old 12-02-2011, 05:44 AM   #3
Registered: Nov 2003
Location: Bulgaria
Distribution: Vector Linux, Morphix
Posts: 311

Original Poster
Rep: Reputation: 33
I didn't get your idea.
There are 3 routers and 1 Squid.

ISP1 ----- Mikrotik Router1 -------------| |--------------------- LAN1
                                         | |
ISP2 ----- Mikrotik Router2 ------------|| ||-------------------- LAN2
                                        || ||
ISP3 ----- Mikrotik Router3 -----------||| |||------------------- LAN3
                                       ||| |||
This is what I need, but the Squid could be anywhere - not before the Mikrotiks or like this. I actually prefer the Mikrotiks to redirect traffic to the Squid. In the scheme above it looks like my clients' PCs should use the Squid as a gateway. It is very important that the HTTP traffic is rerouted to Squid, rather than a proxy address being set in the clients' browsers.
Old 12-02-2011, 11:25 PM   #4
Registered: Oct 2010
Location: Texas
Distribution: Debian, Ubuntu, CentOS, RHEL
Posts: 131

Rep: Reputation: 25
sending all HTTP GET requests from LAN to a single squid

You can publish a wpad.dat file to all your LAN clients such that they will send their requests to one squid. It doesn't matter on what segment that squid resides as long as all your internal clients can connect to it. I had a situation that was similar in some respects to yours. I had to maintain three squids for some time, but only because two plants were connected to our data center with only 6 MBPS pipes. Instead of sending web traffic over slow WAN links, I sent it out through their sites' local squids and PIXs. In theory, I could have configured all clients to hit one squid or another from the beginning, and in fact I had to do that temporarily because of an emergency one time. Once we went to a faster MPLS network, the web traffic from all sites could be directed to the one squid at the data center.
You might also consider firewalling outbound traffic from clients directly to web sites, in case some client would change the proxy settings to avoid the squid. They will also try to hit proxy-avoidance sites on 443, so you may have to maintain a list of those in SquidGuard or the redirector of your choice.
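
A wpad.dat of the kind described in the post above, as an added example that is not part of the original thread. The proxy host `squid.example.lan`, port 3128 and the internal suffix `.example.lan` are assumptions; it lists no `DIRECT` fallback for web traffic, which matches the advice to firewall direct outbound access.

```javascript
// wpad.dat / proxy.pac: added example; all names and addresses are assumptions.
// PAC engines run old JavaScript, so this sticks to ES5 and plain string tests
// (no isInNet/dnsResolve), which also lets it be exercised outside a browser.

var SQUID = "PROXY squid.example.lan:3128";   // hypothetical Squid host and port
var INTERNAL_SUFFIX = ".example.lan";         // hypothetical internal DNS suffix

// True for literal IPv4 addresses in loopback or RFC 1918 space.
function isPrivateLiteral(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = +m[1], b = +m[2];
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

function endsWith(s, suffix) {
  return s.length >= suffix.length &&
         s.substring(s.length - suffix.length) === suffix;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  var scheme = url.substring(0, url.indexOf(":")).toLowerCase();

  // Intranet targets never leave the LAN, so they skip the proxy.
  // A plain host name has neither a dot nor a colon (IPv6 literals have colons).
  var plainName = host.indexOf(".") === -1 && host.indexOf(":") === -1;
  if (plainName || endsWith(host, INTERNAL_SUFFIX) || isPrivateLiteral(host)) {
    return "DIRECT";
  }

  // Web traffic goes to the one Squid. No "; DIRECT" fallback is listed:
  // if Squid is unreachable the request fails instead of bypassing it.
  if (scheme === "http" || scheme === "https") {
    return SQUID;
  }

  // Everything else (ftp, etc.) is left to the routers and their firewall rules.
  return "DIRECT";
}
```

Clients only honour this file if they are set to auto-detect or point at its URL, so the outbound firewall rule on ports 80 and 443 is what actually enforces it.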


All times are GMT -5.