squid, bridge or gateway setup?

Discussion in 'Linux Networking' started by Ezequiel Birman, Jun 27, 2012.

  1. Hi. I'd like to set up squid (transparent) but I am not sure how. The
    router is Cisco RV042 v3 (same functionality as Linksys RV042 v1). I
    think it doesn't support WCCP. Should I set a bridge or is it possible
    to give the proxy server a fixed IP in the same subnet as the clients
    and configure the clients to use proxy IP as gateway (by means of DHCP)?
    Ezequiel Birman, Jun 27, 2012

  2. Both possible. Both introduce a SPOF for non-web Internet traffic.

    For the default gateway solution, don't forget to disable ICMP redirects
    on the squid box.

    Third solution, make the squid box the default gateway, make it a router
    instead of a bridge and put the Cisco behind the squid box.

    To avoid the SPOF, you can use a redundant squid box and use a virtual IP
    address (routing, default gateway) or spanning tree (bridge).

    There is not much to recommend one solution over the other. The default
    gateway solution has the disadvantage that traffic crosses the LAN twice.
    Unless you have a very fast Internet connection and only 100Mbit LAN,
    this is unlikely to be a real problem. And you can solve that with an
    etherchannel or a 1G port on the squid box.

    BTW, you do realize that people can always use some proxy on the Internet
    on some non-standard port to bypass your proxy? And that your proxy will
    only work for the ports that get forwarded to it?

    If you want this proxy for security, a better solution is to block all
    traffic on the Internet connection, except for what is explicitly
    allowed. Allow the proxy box out, but not the workstations. Then tell
    people that if they want to surf the Internet, they have to use the
    proxy. Simpler network, better security.

    Martijn Lievaart, Jun 29, 2012
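
Added example, not part of any post in this thread: a sketch of the default-gateway variant described in the reply above, with ICMP redirects disabled and only TCP/80 handed to Squid. The interface `eth0`, subnet `192.168.1.0/24` and port `3128` are assumptions; the functions only print `sysctl.conf` and `iptables-restore` fragments and check `sysctl -a` output, they change nothing on the box.

```shell
#!/bin/sh
# Added example. Interface, subnet and port below are assumptions.
LAN_IF=eth0               # assumed NIC shared by clients and router
LAN_NET=192.168.1.0/24    # assumed client subnet
SQUID_PORT=3128           # assumed Squid intercept port

# sysctl.conf fragment: route packets, and never send ICMP redirects.
# The kernel ORs "all" with the per-interface value, so both must be 0;
# otherwise clients are told to use the real router directly.
gen_sysctl() {
    printf 'net.ipv4.ip_forward = 1\n'
    for scope in all default "$LAN_IF"; do
        printf 'net.ipv4.conf.%s.send_redirects = 0\n' "$scope"
    done
}

# iptables-restore fragment: only TCP/80 from the LAN reaches Squid.
# Every other port is routed on untouched, which is the limitation
# the reply points out.
gen_nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
COMMIT
EOF
}

# Read `sysctl -a` style lines on stdin. Prints every send_redirects key
# still set to 1; returns 0 if none are, 1 otherwise.
check_redirects_off() {
    awk -F' *= *' '/^net\.ipv4\.conf\..*\.send_redirects/ && $2 == 1 {
        print $1; bad = 1 } END { exit bad + 0 }'
}

# Constructed sample: "all" was cleared but the NIC value was forgotten.
SAMPLE='net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 1
net.ipv4.conf.lo.send_redirects = 0'
```

On a live box the check would be fed with `sysctl -a 2>/dev/null | check_redirects_off`.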

  3. Ezequiel Birman

    Chris Davies Guest

    And this works better with certain scenarios, too, because the browser
    knows it's got a proxy in the chain.

    Chris Davies, Jun 30, 2012