11-17-2011 08:13 AM - edited 03-07-2019 03:27 AM
Dear community,
after 4 days, incl. a night shift, of going deep into the heart of the matter, this support community seems to be my last resort to find
some relief from what has meanwhile become desperation.
Scenario:
------------------
For one of my clients, a landlord, I maintain 3 wireless networks to provide a free internet access service for his tenants.
In order to comply with changed local law, we are now required to log the www traffic for at least 6 weeks, as these wifi-nets
are public even though they are secured with WPA2 keys.
my current technical equipment:
-----------------------------------------------
Client site:
1 x Cisco 3640 4x FE, PPPoE
2 x Linksys WRT-54GS
1 x Linksys WAP-54G
1 x ADSL Internet Connection, dynamic IP
my site:
fully equipped ISP NOC/PoP
leased line / peer to international backbone
Cisco 3745 for Main-Access / VPN
Sun Fire UltraSparc IIIi, Sun Solaris 11 (b130), Squid 3.1.16 64bit
my approach / idea:
-----------------------------
From the client site the C3640 connects over VPN to our PoP; the www-traffic from 2 of the 3 wifi-nets is redirected through the VPN/GRE tunnel
to our squid proxy, where it is logged and then forwarded, while all non-www traffic goes straight through the client's ADSL connection gateway. The 3rd wifi is
the personal wifi of the landlord and thus no logging is required; he uses the direct way over his own ADSL gateway.
The www-traffic from the 2 wifi-nets is forwarded either using WCCPv2 or using PBR with a route-map and ACL.
As each wifi user gets assigned a fixed private Class-B address, we can keep track of which user accessed which URL at which time,
which is not the case if all are using the ADSL gateway.
what I have set up so far:
------------------------------------
the VPN/GRE tunnel is properly configured; I can ping and reach all the EIGRP-propagated networks on both sites.
On our site the tunnel is configured as multipoint GRE; the client's C3640 initiates the IPsec connection.
current network setup:
172.16.14.0/24 VPN-Gateway for PTP
172.16.15.0/24 network on our site in which we run the proxy server
172.16.16.0/24 wifi-net 1
172.16.17.0/24 wifi-net 2
what I have tried so far:
------------------------------------
> WCCPv2 approach:
WCCPv2 is out of the question - this is not due to the Cisco routers,
but a matter of the combination between Squid and Sun Solaris.
Squid provides the WCCPv2/TPROXY facility only with Linux netfilter, which
is not included in the Solaris OS. For some reason - and this is
where the Squid developers should turn an eye on - even when compiling
Squid on Sun Solaris with the ipf-transparent switch enabled for the
Solaris-included IPFilter, the WCCPv2/TPROXY support is not enabled.
Though being a Sun Solaris expert, I do not really feel the desire to re-compile
the Solaris kernel, but I will check if the netfilter kernel modules can
be added to a running kernel.
> PBR/Policy Based Routing:
After many unsuccessful attempts I found out that in this setup
PBR with the following config:
access-list 110 deny tcp any any neq www
access-list 110 deny tcp host 172.16.15.2 any
access-list 110 permit tcp any any
!
route-map spx-rdr permit 10
match ip address 101
set ip next-hop 172.16.15.2
!
interface Fa0/1
!
will never work; the cmd 'sh route-map'
shows according to the packet counters that the policy matches,
but the packets are not forwarded to the hop.
I furthermore tested whether the packets at least reach the server,
which is not the case; the packets do not leave the router at all.
The reason is quite simple, it is the hop counting:
gw#traceroute 172.16.15.2
Type escape sequence to abort.
Tracing the route to 172.16.15.2
1 172.16.14.1 40 msec 36 msec 40 msec
2 172.16.15.2 40 msec 36 msec 40 msec
I have studied this reference without finding a useful hint to
get the PBR in my setup running:
http://wiki.nil.com/EIGRP_next_hop_processing#NBMA_network_with_disabled_EIGRP_next-hop-self
On another reference in this community I read something about:
sdm prefer routing
Apparently this is only available on Cisco switches, not on the routers.
my final question(s):
---------------------
Is there anything where I went wrong or have overlooked - maybe my
approach was not the best?
Do I have a chance to get this operational with PBR or with other
configurations?
Could it be that the problem with regard to the hop counts could have been
resolved using OSPF or BGP instead of EIGRP?
Thank you very much in advance for any advice and help.
I apologize for this long posting, but I believe that only
providing proper details in depth will lead to proper answers.
Best Regards,
David.
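The post's purpose for the proxy is the log itself: per fixed client address, which URL was fetched at which time, kept for at least 6 weeks. The following is an added example, not code from the post, the Squid project or Cisco: it parses Squid native access.log lines, groups accesses per client IP, and separates records still inside the 6-week retention window from those past it. The log lines are constructed samples; the `now_epoch` argument and all function names are assumptions of this example.

```python
"""Parse Squid native access.log lines and apply a 6-week retention rule."""
import re
from datetime import datetime, timedelta, timezone

# Squid native format: ts elapsed client action/code bytes method URL ident hier/from type
_LINE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<status>\S+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample lines (not from the original post); clients are fixed
# private addresses on the two logged wifi nets, 172.16.16.0/24 and 172.16.17.0/24.
SAMPLE_LOG = """\
1321520000.123    245 172.16.16.23 TCP_MISS/200 5120 GET http://example.com/news - HIER_DIRECT/93.184.216.34 text/html
1321523600.456     12 172.16.17.40 TCP_HIT/200 812 GET http://example.org/logo.png - NONE/- image/png
1310000000.000    300 172.16.16.23 TCP_MISS/404 310 GET http://example.net/old - HIER_DIRECT/198.51.100.7 text/html
"""

RETENTION = timedelta(weeks=6)  # legal minimum stated in the post


def parse_line(line):
    """Return time (UTC), client IP, status and URL of one log line, or None if it does not parse."""
    m = _LINE.match(line)
    if not m:
        return None
    return {
        "time": datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc),
        "client": m["client"],
        "status": m["status"],
        "url": m["url"],
    }


def split_by_retention(log_text, now_epoch):
    """Split parsable records into those inside the retention window and those past it."""
    now = datetime.fromtimestamp(now_epoch, tz=timezone.utc)
    keep, expired = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparsable lines rather than silently dropping them into "keep"
        (keep if now - rec["time"] <= RETENTION else expired).append(rec)
    return keep, expired


def accesses_by_client(records):
    """Group (time, url) pairs per client IP, i.e. per wifi user with a fixed address."""
    out = {}
    for rec in records:
        out.setdefault(rec["client"], []).append((rec["time"], rec["url"]))
    return out
```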
11-18-2011 03:05 AM
To follow up on my previous post,
I managed to set up OSPF instead of EIGRP.
Unfortunately I did not get this running - OSPF
tries to find its neighbor on the public IP side, not
on the internal one where the VPN resides.
Is there any help & solution to get my route-map problem running?
Thank you & all the best.
David.