I ran into this issue too. What I did for IM clients was run the Dante
SOCKS server and had my LAN clients configured to use the proxy server to
connect. As for SSL, try marking every packet as it comes in and rerouting
it out over the same interface it came in on; that way the sessions will
stay persistent over a single interface.
-charlie
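One way to do the marking Charlie describes, as an added example that is not from either post: each connection gets a CONNMARK when it starts, the mark selects a per-uplink routing table, and every later packet (and the reply) follows the same uplink. It uses Denny's addresses (DSL1 on eth1 via 172.17.1.2, DSL2 on eth2 via 172.18.1.2) and assumes the LAN side is eth0 and that the iptables `statistic` match is available.

```sh
#!/bin/sh
# Added example, not from the thread: pin each connection to one uplink with
# CONNMARK + policy routing ("mark it and route it back out the same way").
# Assumes Denny's addresses (DSL1 = eth1 via 172.17.1.2, DSL2 = eth2 via
# 172.18.1.2) and, as an assumption, that the LAN side is eth0.
# Needs the iptables 'statistic' match. DRY_RUN=1 prints the commands
# instead of executing them.
LAN_IF=${LAN_IF:-eth0}
run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

sticky_uplink_rules() {
    # One routing table per uplink, selected by firewall mark.
    run ip route add default via 172.17.1.2 dev eth1 table 101
    run ip route add default via 172.18.1.2 dev eth2 table 102
    run ip rule add fwmark 0x1 pref 100 table 101
    run ip rule add fwmark 0x2 pref 101 table 102
    run ip route flush cache

    # 1. Any packet of an already-marked connection gets its mark back,
    #    both forwarded traffic and replies the gateway itself sends.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    # 2. Connections arriving from the internet stay on the uplink they
    #    came in on, so the replies leave the same way.
    run iptables -t mangle -A PREROUTING -i eth1 -m state --state NEW -m mark --mark 0 -j MARK --set-mark 0x1
    run iptables -t mangle -A PREROUTING -i eth2 -m state --state NEW -m mark --mark 0 -j MARK --set-mark 0x2
    # 3. New LAN connections alternate between uplinks per connection, not
    #    per packet, so one session is never seen from two source addresses.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m state --state NEW -m mark --mark 0 \
        -m statistic --mode nth --every 2 --packet 0 -j MARK --set-mark 0x1
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m state --state NEW -m mark --mark 0 -j MARK --set-mark 0x2
    # 4. Remember the choice for every later packet of the connection.
    run iptables -t mangle -A PREROUTING -m state --state NEW -j CONNMARK --save-mark
    # SNAT follows the interface the policy route actually picked.
    run iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 172.17.1.1
    run iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to-source 172.18.1.1
}

# Apply for real only when invoked as: sh thisscript.sh apply
if [ "${1-}" = "apply" ]; then sticky_uplink_rules; fi
```

Connections Squid itself opens start in the OUTPUT chain with mark 0, so they still follow the main table; a matching pair of statistic rules in mangle OUTPUT would balance those the same way.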
-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl
[mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Denny Zulfikar
Sent: Friday, February 09, 2007 1:15 AM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] trouble https multiple uplinks... how?
hello, my name is Denny. I am new to this list.
I am trying to use multiple uplinks as described in the lartc
documentation (http://lartc.org/howto/lartc.rpdb.multiple-links.html)
with a squid transparent proxy on my gateway server.
let me draw the configuration:
/-----------------
-----DSL1-----| \
|Transparent proxy |----Local network
-----DSL2-----| /
\-----------------
IP DSL1 : 172.17.1.2/30
IP DSL2 : 172.18.1.2/30
IP eth1(DSL1) : 172.17.1.1/30
IP eth2(DSL2) : 172.18.1.1/30
Local network : 10.14.1.0/24
each DSL link's rate is 384 kbps downlink and 128 kbps uplink.
my ip route setting:
------------
ip route add equalize scope global \
nexthop via 172.17.1.2 dev eth1 weight 1 \
nexthop via 172.18.1.2 dev eth2 weight 1
------------
my iptables setting:
------------
# proxy redirect
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
# postrouting
iptables -t nat -A POSTROUTING -j SNAT -o eth1 --to-source 172.17.1.1
iptables -t nat -A POSTROUTING -j SNAT -o eth2 --to-source 172.18.1.1
------------
squid config:
------------
visible_hostname my_isp.net
icp_port 0
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
cache_mem 512 MB
cache_replacement_policy heap GDSF
memory_replacement_policy heap GDSF
cache_dir ufs /cache 6000 14 256
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl localnet src 10.14.1.0/255.255.255.0
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow localhost
http_access allow localnet
http_access allow manager localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
cache_mgr cache-me
cache_effective_user squid
cache_effective_group squid
logfile_rotate 0
log_icp_queries off
buffered_logs on
half_closed_clients off
maximum_object_size 2048 KB
------------
All configuration works. I can browse most websites.
But I have another problem when implementing this multiple uplinks
method.
1. Messenger tools like YM will disconnect and try to reconnect every
3-5 minutes. It always happens.
2. HTTPS for hotmail/msn always errors. "The connection was reset"
always appears in mozilla firefox. But it never happens with
yahoo-mail and gmail (https).
3. MSN messenger never connects successfully.
All these problems never happen when I use conventional routing with
only one gateway.
After searching articles on the internet, I am trying to mark each connection
for MSN messenger via only one gateway. This is my solution using
iptables:
----------
iptables -t mangle -A PREROUTING -p tcp --dport 443 -j MARK --set-mark 0x10
iptables -t mangle -A PREROUTING -p tcp --dport 1863:1864 -j MARK --set-mark 0x10
iptables -t nat -A POSTROUTING -m mark --mark 0x10 -j SNAT -o eth1 --to-source 172.17.1.2
----------
It works!! My MSN messenger is able to connect now, but it always
disconnects every 3-5 minutes.
The same way I try to fix my YM problem. I tried to mark the YM port and
postroute the traffic to eth1, but it doesn't solve my problem. YM
always connects/disconnects every 5 minutes. (problem number 1)
Another problem: why does MSN/Hotmail webmail always refuse my connection?
(problem number 2)
Maybe somebody has an idea how to solve this problem? I feel I will give
up soon... :(
thanks a lot for your information and help.. :)
best regards,
Denny Zulfikar
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc