
Routing over external proxy

Discussion in 'Tomato Firmware' started by jnappert, Sep 1, 2009.

  1. jnappert

    jnappert LI Guru Member

    Hello.

    I am running a little network with 7 WRT54GLs in WDS connections (192.168.2.1 to 192.168.2.8). VOIP is done over a FRITZ-BOX (192.168.2.55) in the same subnet. My PPPoE connection is running at the first GL (192.168.2.1).

    To speed up the connection (1024 kbit/s) for all users, I installed polipo proxy (http/https) at the FRITZ-BOX (192.168.2.55), listening at port 8123.

    This config is running fine if I configure each machine's browser manually with the proxy data (192.168.2.55:8123). The speedup is noticeable!

    To avoid this manual configuration I tried to adapt the complete routing in a firewall script (running at 192.168.2.1):

    iptables -t nat -A PREROUTING -i eth0 -s ! 192.168.2.55 -p tcp --dport 80 -j DNAT --to 192.168.2.55:8123
    iptables -t nat -A POSTROUTING -o eth0 -s 192.168.2.0/24 -d 192.168.2.55 -j SNAT --to 192.168.2.1
    iptables -A FORWARD -s 192.168.2.0/24 -d 192.168.2.55 -i eth0 -o eth0 -p tcp --dport 8123 -j ACCEPT

    Packets seem not to be routed over the proxy.

    Any hints?
     
  2. mstombs

    mstombs Network Guru Member

    Check the order of your resulting iptables config - you may need to use "-I" to insert your rules above the existing ones.
     
  3. jnappert

    jnappert LI Guru Member

    Just to understand: You think the rules are correct but the syntax has to be like:

    iptables -I -t nat -A PREROUTING -i eth0 -s ! 192.168.2.55 -p tcp --dport 80 -j DNAT --to 192.168.2.55:8123
    iptables -I -t nat -A POSTROUTING -o eth0 -s 192.168.2.0/24 -d 192.168.2.55 -j SNAT --to 192.168.2.1
    iptables -I -A FORWARD -s 192.168.2.0/24 -d 192.168.2.55 -i eth0 -o eth0 -p tcp --dport 8123 -j ACCEPT

    Is eth0 correct? I thought about changing it to br0?
     
  4. mstombs

    mstombs Network Guru Member

    Yes, it should be br0, but thinking about it I do not know how it can work with web requests - surely you need something special to pass on the original website IP address, or your webcache won't know what site your browser originally wanted?
     
  5. Engineer

    Engineer Network Guru Member

    I'm trying to picture how you have your network set up. 192.168.2.1 is connected directly to your pppoe (ISP - via the WAN port I presume). I'm having a hard time picturing how the proxy fits into the network. Is it simply connected to a lan port on 192.168.2.1?

    Sorry to ask questions (hopefully not dumb), I'm trying to see this in my head to see if I can help (or at least learn from the situation).
     
  6. jnappert

    jnappert LI Guru Member

    @mstombs: Right. I had to configure the proxy as "transparent". So I had to change from polipo to squid 3.0 and now I am working on my "squid.conf".

    @Engineer: The WDS routers are wirelessly connected using WPA/AES and numbered from 192.168.2.2 to 192.168.2.8. My DSL modem is connected via the WAN port at 192.168.2.1.

    The fritzbox, where the proxy is running, has all WAN and PPPoE functions disabled. It only establishes VOIP calls. This device is connected to a LAN port. The cache data is stored on a USB stick (16 GB).

    Perhaps I could run squid on my 192.168.2.1 (ASUS WL 500gp v1) running teddybear's usb-mod?
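    An added example (Python, not code from the thread) illustrating mstombs's point above and why the switch to a transparent proxy was needed: a browser configured for a proxy names the origin server in the request line, but after DNAT it sends an ordinary request and the proxy must recover the origin from the Host header. The sample requests are constructed, not captured traffic.

```python
from urllib.parse import urlsplit


def resolve_origin(raw_request: bytes) -> tuple[str, int, str]:
    """Return (host, port, path) for a proxy-style or an intercepted request.

    A browser configured for a proxy sends an absolute-form target
    ("GET http://example.org/x HTTP/1.1"), so the origin is in the request
    line.  After DNAT the browser believes it reached the origin server and
    sends origin-form ("GET /x HTTP/1.1"); the proxy must then recover the
    origin from the Host header, which is what squid's transparent mode does.
    Raises ValueError when no origin can be determined (the situation a
    plain forward proxy such as polipo ends up in with intercepted traffic).
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    if target.lower().startswith(("http://", "https://")):
        # Absolute-form: the browser knew about the proxy.
        parts = urlsplit(target)
        return parts.hostname, parts.port or 80, parts.path or "/"

    # Origin-form: the browser thinks we are the origin server (DNAT case).
    host = headers.get("host")
    if not host:
        raise ValueError("origin-form request without Host header; "
                         "origin server unknown after DNAT")
    # Hostnames and IPv4 literals only; bracketed IPv6 literals are not handled.
    hostname, _, port = host.partition(":")
    return hostname, int(port) if port else 80, target


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    SAMPLES = [
        b"GET http://example.org/a.html HTTP/1.1\r\nHost: example.org\r\n\r\n",
        b"GET /a.html HTTP/1.1\r\nHost: example.org:8080\r\n\r\n",
        b"GET /a.html HTTP/1.0\r\n\r\n",
    ]
    for sample in SAMPLES:
        try:
            print(resolve_origin(sample))
        except ValueError as err:
            print("cannot proxy:", err)
```

    Note also that the SNAT rule in the scripts above makes every redirected connection arrive at the proxy from the router's address, so the proxy's access log no longer identifies the originating client.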
     
  7. jnappert

    jnappert LI Guru Member

    I finally got it running using squid 3.0 and the following firewall script:

    #!/bin/sh
    # Transparent HTTP proxy redirection on the Tomato LAN bridge (br0).
    INTERNAL_NETWORK="192.168.2.0/24"
    ROUTER_IP="192.168.2.1"
    PROXY_SERVER="192.168.2.55"
    PROXY_PORT="3128"
    # The guard below only works when this file is sourced (". script");
    # an export from a child shell does not survive into the caller.
    if [ -z "$TRANSPARENT_PROXY" ]; then
    # LAN-to-LAN web traffic stays direct and is not sent to the proxy.
    /usr/sbin/iptables -t nat -A PREROUTING -i br0 -s "$INTERNAL_NETWORK" \
    -d "$INTERNAL_NETWORK" -p tcp --dport 80 -j ACCEPT
    # Redirect all other port-80 traffic (except the proxy's own) to squid.
    /usr/sbin/iptables -t nat -A PREROUTING -i br0 ! -s "$PROXY_SERVER" -p tcp --dport 80 \
    -j DNAT --to "$PROXY_SERVER:$PROXY_PORT"
    # Rewrite the source to the router so the proxy's replies return via br0 to be un-NATed.
    /usr/sbin/iptables -t nat -A POSTROUTING -o br0 -s "$INTERNAL_NETWORK" -p tcp -d \
    "$PROXY_SERVER" -j SNAT --to "$ROUTER_IP"
    # Allow the redirected connections through FORWARD, inserted ahead of existing rules.
    /usr/sbin/iptables -t filter -I FORWARD -s "$INTERNAL_NETWORK" -d "$PROXY_SERVER" -i br0 \
    -o br0 -p tcp --dport "$PROXY_PORT" -j ACCEPT
    export TRANSPARENT_PROXY="1"
    else
    echo "This script has already run!"
    echo "If it hasn't, unset \$TRANSPARENT_PROXY manually via the shell."
    fi
     
