Squid + FreeBSD + Cisco WCCP !!! – Sabin Shrestha's Personal Site

Posted in Cisco, Linux

This How-To details the steps required to configure WCCP version 2 with a Cisco 3620 or 7206 router together with Squid-2.6.STABLE18 running on FreeBSD-6.2.

Cisco’s WCCP (Web Cache Control Protocol) version 2 is used for sending web requests from clients to 1 or more Squid proxy servers. WCCP feature allows us to redirect Web traffic to our proxy servers which in turn provides Web caching, filtering, or other services, thus reducing transmission costs and downloading time.

With WCCP, we can build a “cache cluster” for load balancing, scaling, and fault tolerance.

For example, in the case of 2 proxy severs, if 1 proxy server goes down, WCCP redirects clients requests to the 2nd working proxy server.

In the rare circumstance where both or all of your proxy servers should go down, WCCP will determine the dead proxy servers and will route clients web requests directly from your cisco router.

Note: Only Cisco IOS Release 12.1 and later releases allow the use of either Version 1 (WCCPv1) or Version 2 (WCCPv2) of the WCCP.

How WCCP and transparent intercepting Squid caches work?

A Client’s Web browser makes a request, which goes to the cisco router.
The router intercepts the request.
The router redirects the request to a new location inside a generic routing encapsulation (GRE) frame to prevent any modifications to the original packet.
A (GRE) tunnel is established between our FreeBSD squid boxes and the cisco 3620/7206 router.
All redirected requests from the router are encapsulated down the GRE tunnel to our FreeBSD Squid caches.
The FreeBSD Squid boxes decapsulates the GRE traffic and redirects the WCCP packets onto Squid.
This redirection is achieved transparently using FreeBSD IP forwarding and IPFW firewall.
Squid pulls apart the request, then attempts to deliver the content either from the local cache or via direct request from target.
The content is then delivered back to the router for delivery to the originator (ie. client’s browser).

Now to connect all the pieces of information regarding WCCP, the following steps are required:

(1.) Configure and compile your kernel

cd /usr/src/sys/i386/conf/

cp GENERIC SQUID_WCCP

vi SQUID_WCCP

(2.) Copy and paste the following kernel parameters

machine i386
cpu I686_CPU
ident SQUID_WCCP

options SCHED_4BSD # 4BSD scheduler
options PREEMPTION # Enable kernel thread preemption
options INET # InterNETworking
options FFS # Berkeley Fast Filesystem
options SOFTUPDATES # Enable FFS soft updates support
options UFS_ACL # Support for access control lists
options UFS_DIRHASH # Improve performance on big directories
options MD_ROOT # MD is a potential root device
options NFSCLIENT # Network Filesystem Client
options NFSSERVER # Network Filesystem Server
options NFS_ROOT # NFS usable as /, requires NFSCLIENT
options MSDOSFS # MSDOS Filesystem
options CD9660 # ISO 9660 Filesystem
options PROCFS # Process filesystem (requires PSEUDOFS)
options PSEUDOFS # Pseudo-filesystem framework
options GEOM_GPT # GUID Partition Tables.
options COMPAT_43 # Compatible with BSD 4.3 [KEEP THIS!]
options COMPAT_FREEBSD4 # Compatible with FreeBSD4
options COMPAT_FREEBSD5 # Compatible with FreeBSD5
options SCSI_DELAY=5000 # Delay (in ms) before probing SCSI
options KTRACE # ktrace(1) support
options SYSVSHM # SYSV-style shared memory
options SYSVMSG # SYSV-style message queues
options SYSVSEM # SYSV-style semaphores
options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time #extensions
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options ADAPTIVE_GIANT # Giant mutex is adaptive.

device apic # I/O APIC
device eisa
device pci
device fdc
device ata
device atadisk # ATA disk drives
device ataraid # ATA RAID drives
device atapicd # ATAPI CDROM drives
device atapifd # ATAPI floppy drives
device atapist # ATAPI tape drives
options ATA_STATIC_ID # Static device numbering
device ahb # EISA AHA1742 family
device ahc # AHA2940 and onboard AIC7xxx devices
options AHC_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~128k to driver.
device ahd # AHA39320/29320 and onboard AIC79xx devices
options AHD_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~215k to driver.
device amd # AMD 53C974 (Tekram DC-390(T))
device isp # Qlogic family
device mpt # LSI-Logic MPT-Fusion
device sym # NCR/Symbios Logic (newer chipsets + those of `ncr’)
device trm # Tekram DC395U/UW/F DC315U adapters
device adv # Advansys SCSI adapters
device adw # Advansys wide SCSI adapters
device aha # Adaptec 154x SCSI adapters
device aic # Adaptec 15[012]x SCSI adapters, AIC-6[23]60.
device bt # Buslogic/Mylex MultiMaster SCSI adapters
device ncv # NCR 53C500
device nsp # Workbit Ninja SCSI-3
device stg # TMC 18C30/18C50
device scbus # SCSI bus (required for SCSI)
device ch # SCSI media changers
device da # Direct Access (disks)
device sa # Sequential Access (tape etc)
device cd # CD
device pass # Passthrough device (direct SCSI access)
device ses # SCSI Environmental Services (and SAF-TE)
device amr # AMI MegaRAID
device arcmsr # Areca SATA II RAID
device asr # DPT SmartRAID V, VI and Adaptec SCSI RAID
device ciss # Compaq Smart RAID 5*
device dpt # DPT Smartcache III, IV – See NOTES for options
device hptmv # Highpoint RocketRAID 182x
device rr232x # Highpoint RocketRAID 232x
device iir # Intel Integrated RAID
device ips # IBM (Adaptec) ServeRAID
device mly # Mylex AcceleRAID/eXtremeRAID
device twa # 3ware 9000 series PATA/SATA RAID
device aac # Adaptec FSA RAID
device aacp # SCSI passthrough for aac (requires CAM)
device ida # Compaq Smart RAID
device mfi # LSI MegaRAID SAS
device mlx # Mylex DAC960 family
device pst # Promise Supertrak SX6000
device twe # 3ware ATA RAID
device atkbdc # AT keyboard controller
device atkbd # AT keyboard
device psm # PS/2 mouse
device kbdmux # keyboard multiplexer
device vga # VGA video card driver
device splash # Splash screen and screen saver support
device sc
device agp # support several AGP chipsets
device pmtimer
device cbb # cardbus (yenta) bridge
device pccard # PC Card (16-bit) bus
device cardbus # CardBus (32-bit) bus
device sio # 8250, 16[45]50 based serial ports
device ppc
device ppbus # Parallel port bus (required)
device lpt # Printer
device plip # TCP/IP over parallel
device ppi # Parallel port interface device
device de # DEC/Intel DC21×4x (“Tulip”)
device em # Intel PRO/1000 adapter Gigabit Ethernet Card
device ixgb # Intel PRO/10GbE Ethernet Card
device txp # 3Com 3cR990 (“Typhoon”)
device vx # 3Com 3c590, 3c595 (“Vortex”)
device miibus # MII bus support
device bce # Broadcom BCM5706/BCM5708 Gigabit Ethernet
device bfe # Broadcom BCM440x 10/100 Ethernet
device bge # Broadcom BCM570xx Gigabit Ethernet
device dc # DEC/Intel 21143 and various workalikes
device fxp # Intel EtherExpress PRO/100B (82557, 82558)
device lge # Level 1 LXT1001 gigabit Ethernet
device nge # NatSemi DP83820 gigabit Ethernet
device nve # nVidia nForce MCP on-board Ethernet Networking
device pcn # AMD Am79C97x PCI 10/100(precedence over ‘lnc’)
device re # RealTek 8139C+/8169/8169S/8110S
device rl # RealTek 8129/8139
device sf # Adaptec AIC-6915 (“Starfire”)
device sis # Silicon Integrated Systems SiS 900/SiS 7016
device sk # SysKonnect SK-984x & SK-982x gigabit Ethernet
device ste # Sundance ST201 (D-Link DFE-550TX)
device stge # Sundance/Tamarack TC9021 gigabit Ethernet
device ti # Alteon Networks Tigon I/II gigabit Ethernet
device tl # Texas Instruments ThunderLAN
device tx # SMC EtherPower II (83c170 “EPIC”)
device vge # VIA VT612x gigabit Ethernet
device vr # VIA Rhine, Rhine II
device wb # Winbond W89C840F
device xl # 3Com 3c90x (“Boomerang”, “Cyclone”)
device cs # Crystal Semiconductor CS89×0 NIC
device ed # NE[12]000, SMC Ultra, 3c503, DS8390 cards
device ex # Intel EtherExpress Pro/10 and Pro/10+
device ep # Etherlink III based cards
device fe # Fujitsu MB8696x based cards
device ie # EtherExpress 8/16, 3C507, StarLAN 10 etc.
device lnc # NE2100, NE32-VL Lance Ethernet cards
device sn # SMC’s 9000 series of Ethernet chips
device xe # Xircom pccard Ethernet
device wlan # 802.11 support
device wlan_wep # 802.11 WEP support
device wlan_ccmp # 802.11 CCMP support
device wlan_tkip # 802.11 TKIP support
device an # Aironet 4500/4800 802.11 wireless NICs.
device ath # Atheros pci/cardbus NIC’s
device ath_hal # Atheros HAL (Hardware Access Layer)
device ath_rate_sample # SampleRate tx rate control for ath
device awi # BayStack 660 and others
device ral # Ralink Technology RT2500 wireless NICs.
device wi # WaveLAN/Intersil/Symbol 802.11 wireless NICs.
device loop # Network loopback
device random # Entropy device
device ether # Ethernet support
device sl # Kernel SLIP
device ppp # Kernel PPP
device tun # Packet tunnel.
device pty # Pseudo-ttys (telnet etc)
device md # Memory “disks”
device gif # IPv6 and IPv4 tunneling
device faith # IPv6-to-IPv4 relaying (translation)
device bpf # Berkeley packet filter
device uhci # UHCI PCI->USB interface
device ohci # OHCI PCI->USB interface
device ehci # EHCI PCI->USB interface (USB 2.0)
device usb # USB Bus (required)
device ugen # Generic
device uhid # “Human Interface Devices”
device ukbd # Keyboard
device ulpt # Printer
device umass # Disks/Mass storage – Requires scbus and da
device ums # Mouse
device ural # Ralink Technology RT2500USB wireless NICs
device urio # Diamond Rio 500 MP3 player
device uscanner # Scanners
device aue # ADMtek USB Ethernet
device axe # ASIX Electronics USB Ethernet
device cdce # Generic USB over Ethernet
device cue # CATC USB Ethernet
device kue # Kawasaki LSI USB Ethernet
device rue # RealTek RTL8150 USB Ethernet
device firewire # FireWire bus code
device sbp # SCSI over FireWire (Requires scbus and da)
device fwe # Ethernet over FireWire (non-standard!)

#Enable IPFW in Kernel to DROP packets by default rule

options IPFIREWALL #firewall
options IPFIREWALL_VERBOSE #enable logging to syslogd(8)
options IPFIREWALL_FORWARD #enable transparent proxy support
options IPFIREWALL_VERBOSE_LIMIT=500 #limit verbosity
options IPSTEALTH #support for stealth forwarding
options DUMMYNET
options NETGRAPH

options DEVICE_POLLING
options HZ=1000

options SHMSEG=128
options SHMMNI=256
options SHMMAX=50331648 # max shared memory segment size (bytes)
options SHMALL=16384 # max amount of shared memory (pages)
options MSGMNB=16384 # max # of bytes in a queue
options MSGMNI=48 # number of message queue identifiers
options MSGSEG=768 # number of message segments
options MSGSSZ=64 # size of a message segment
options MSGTQL=4096 # max messages in system

(3.) Configure and compile your new kernel

(a.) config SQUID_WCCP

(b.) cd ../compile/SQUID_WCCP/

(c.) make cleandepend

(d.) make depend

(e.) make

(f.) make install

(g.) reboot

If all goes well, your kernel has been compiled!!!. Reboot with your new kernel.

(4.) Create the GRE tunnel on your FreeBSD-6.x box

ifconfig gre0 create
ifconfig gre0 IP.OF.SQUID.BOX 10.20.30.40 netmask 255.255.255.255 link2 tunnel IP.OF.SQUID.BOX IP.OF.CISCO.ROUTER up

(3.) Configuring WCCP on your squid box. Add the following in your squid.conf

wccp2_router IP.OF.CISCO.ROUTER
#wccp2_router LoopBack.IP.OF.CISCOROUTER

wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0
(4.) Create the firewall rules to redirect web requests to Squid’s 3128 port via the GRE tunnel.

We will create the script called rc.firewall to save our IPFW rules. Use the script below:

#!/bin/sh

##### Start of rc.firewall script ######

##Change the network interfaces and IP addresses to match your network!

NET_IF=”em0″
IPFW=”/sbin/ipfw -q”

#IP of Proxy Server
IF_ADDR=”192.168.0.10″

NTP_SERVER=”192.168.0.55″

PROXY_NET=”192.168.0.0/27″

ALL_NET=”192.168.0.0/24″
CLIENT_NET=”192.168.0.128/25″
WIRELESS_NET=”172.16.0.128/25″
ADMIN_NET=”192.168.0.48/28″
SSH_PORT=”12345″

LOCALHOST=”127.0.0.1″

$IPFW -f flush

$IPFW add allow all from any to any via lo0

$IPFW add fwd 127.0.0.1,3128 tcp from any to any 80 via gre0 in

$IPFW add fwd 127.0.0.1,3128 ip from any to any via gre0 in
$IPFW add fwd 127.0.0.1,3128 tcp from any to any 80 in
$IPFW add fwd 127.0.0.1,3128 tcp from any to any http in via gre0

#$IPFW add permit ip from any to any
$IPFW add allow all from $IF_ADDR to any

#$IPFW add fwd 127.0.0.1,3128 ip from any to any via gre0 in
#$IPFW add fwd 127.0.0.1,3128 tcp from any to any http in via gre0
#$IPFW add fwd 127.0.0.1,3128 tcp from any to any 80 in
#$IPFW add permit ip from any to any

#Allow local DNS caching
$IPFW add allow udp from $ALL_NET to any 53

$IPFW add allow udp from any 53 to $IF_ADDR
$IPFW add allow tcp from any 53 to $IF_ADDR

$IPFW add allow all from any to any out via $NET_IF

#######For DNS
#Allow DNS Query
$IPFW add allow udp from $ALL_NET 53 to $IF_ADDR
$IPFW add allow udp from $WIRELESS_NET 53 to $IF_ADDR

#For Proxy access
#$IPFW add fwd 127.0.0.1,3128 tcp from any to any 80 in

$IPFW add allow tcp from $ALL_NET to any 3128 in via $NET_IF
$IPFW add allow tcp from $WIRELESS_NET to any 3128 in via $NET_IF

#####Allow Established session
$IPFW add allow tcp from any to any in via $NET_IF established

#$IPFW add allow tcp from any to $IF_ADDR 113

#For ICP Query
$IPFW add allow UDP from $PROXY_NET to $PROXY_NET 3130

$IPFW add allow udp from $NTP_SERVER 123 to $IF_ADDR

###Only needed for Experimental Multicast
#$IPFW add allow all from 224.9.9.1 to any
#$IPFW add allow all from any to 224.9.9.1
#$IPFW add allow all from me to 224.9.9.1

#######For SSH

$IPFW add allow tcp from $ADMIN_NET to $IF_ADDR $SSH_PORT

#for snmpwalk from Admin network
$IPFW add allow udp from $ADMIN_NET to me 3001
$IPFW add allow udp from $ADMIN_NET to me 161
$IPFW add allow udp from $ADMIN_NET to me 161
$IPFW add allow udp from $LOCALHOST to me 3001
$IPFW add allow udp from $LOCALHOST to me 161

###########
$IPFW add allow ICMP from $ALL_NET to any
$IPFW add allow ICMP from $WIRELESS_NET to any
#################################################

###Only if you want the world to send ICMP packets to your server!!

#ipfw add allow icmp from any to any icmptypes 8
#ipfw add allow icmp from any to any

$IPFW add allow all from $ADMIN_NET to me
$IPFW add allow all from me to $ADMIN_NET

$IPFW add 65533 deny log all from any to any

############# End of rc.firewall ###############

(5.) Configure WCCP on your Cisco router

Global Configuration

Router (config)#  ip wccp version 2

Router (config)#  ip wccp web-cache redirect-list 160

Access-List 160

permit ip 192.168.0.0 0.0.0.255 any

permit ip 172.16.0.0 0.0.0.255 any

Router (config)#   interface fastethernet 0/0
Router(config-if)# ip wccp web-cache redirect in

Router# write

END of Router WCCP confiruration.

(6.) Restart Squid and reload your firewall. If all goes well, you will have a working WCCP2 on your FreeBSD Box with Squid-2.6.STABLE18.

Happy Proxying with Squid + FreeBSD + Cisco WCCP !!!

squid.conf

##Start of squid.conf###

cache_effective_user squid
cache_effective_group squid

wccp2_router IP.ADDRESS.OF.ROUTER
wccp2_router LoopBackIP.ADDRESS.OF.ROUTER
#wccp2_version 4
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0

acl all src all

#icp_query_timeout 2000

high_memory_warning 500 MB

visible_hostname mycache.domain.com

cache_mem 128 MB

cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF

cache_swap_low 90
cache_swap_high 95

maximum_object_size 131072 KB

########New test — Default is 8
maximum_object_size_in_memory 24 KB

#minimum_object_size 1 KB
#store_avg_object_size 20 KB

tcp_recv_bufsize 65535 bytes

ipcache_size 8192
fqdncache_size 8192

high_page_fault_warning 10
high_response_time_warning 2000
client_persistent_connections off
server_persistent_connections on
half_closed_clients off

cache_dir diskd /cache1 6144 16 256 Q1=72 Q2=64
cache_dir diskd /cache2 6144 16 256 Q1=72 Q2=64

log_icp_queries off

access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none

emulate_httpd_log on

cache_mgr info@sabinshrestha.com.np

refresh_pattern ^ftp: 1440 30% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 40% 4320

hierarchy_stoplist cgi-bin ?

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

#Configure downloading even after aborted requests.
quick_abort_min 0 KB
quick_abort_max 0 KB
#quick_abort_pct 99

negative_dns_ttl 2 minutes

acl mynetwork src 192.168.0.0/24
acl admin src 192.168.0.85
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563 2082 2083 2087 2093 2096
acl Safe_ports port 80 21 443 563 70 210 3128 8000 11999 8080 2082 2083 2087 209 6 8082 8090
acl CONNECT method CONNECT

http_port 3128 transparent

http_access allow manager localhost
http_access allow manager admin
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow mynetwork

acl PURGE method PURGE
http_access allow PURGE localhost
http_access allow PURGE admin
http_access deny PURGE

http_access deny all

snmp_access deny all

icp_access allow mynetwork
icp_access deny all

miss_access allow all

ie_refresh on

###End of squid.conf###

Indeed I had made a typo mistake.

Router (config)# ip wccp web-cache redirect-list 360

should have been:
Router (config)# ip wccp web-cache redirect-list 160

Leave a Reply