
SuSe Squid Proxy 1

Status
Not open for further replies.

Borvik

Programmer
Jan 2, 2002
1,392
US
Hey all,

Currently we have a SuSe 9 server with Squid running as our proxy server. Ever since I've started my job - this proxy has been causing nothing but grief. I've been looking into getting this taken down and have our users go through their default gateway instead of the proxy.

Now I can successfully shut down Squid, but that leaves all our users without Internet access. Right now our network is set up as follows:

T1 coming into our router.
Router goes into a hub which splits off into two switches.
One switch handles our servers - with public IP address and default gateways of the router.
The other switch handles our internal network.
The Proxy is hooked up to both switches, and thus has an external address - and an internal address.
Our internal machines do not have a default gateway, but use the proxy to get out to the internet.

I've used Yast to modify the Network cards' setup. Both cards currently allow IP Forwarding, and have default gateways pointing to our router.

Any ideas on what I'm doing wrong? Or on how to remove our proxy server from our network?
 
Whatever the default gateway of the proxy is, you should set the clients to have that as their default gateway. But, where is your firewall? Was the Squid server firewalling as well? Is it doing anything else? If not, then stick Smoothwall/M0n0wall on it and make it into a nice little firewall/proxy for yourself. At least with Smoothwall's interface the awkwardness of managing the squid.conf is taken away from you. Ideally you should go:
[tt]
                                      + -> Switch 1 <--> Servers
T1 <--> rtr <--> firewall <--> hub <->|
                                      + -> Switch 2 <--> Clients
[/tt]
Everything, including your servers, would then have the inside address of your firewall as their default gateway. You would have to ensure that all the services that you are providing from your servers continue to be provided. You could even remove the hub and have the switches coming off different ports on the new firewall/proxy. Cost : nothing but time.
 
We had a CheckPoint firewall set up on a different box, but we recently migrated our ISP and CheckPoint didn't like that - so temporarily we don't have one. I'm looking into a setup similar to your diagram.

When I take down Squid, you're saying that the default gateway of the clients should be the router IP? How would this work, as they are on different subnets? I would assume that the clients should then point to the "old" proxy - set up as a gateway.
 
Your clients & servers need to be able to route to the Internet, and it looks like the clients can't. Maybe they're using private addresses? If so, they'll need something to translate them.

The easiest way might be to set up a firewall on your server until you get something else. There are a variety of docs on the internet on setting up a Linux firewall. Check them out, paying particular attention to NAT.
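
The NAT-plus-firewall setup this reply points to, as an added example that is not part of the original posts: a shell function that emits an iptables-restore ruleset for a dual-homed gateway, masquerading the private clients and dropping forwarded traffic by default. The interface names (eth0 external, eth1 internal), the LAN range 192.168.1.0/24 and the SSH management rule are assumptions; the thread does not give them.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a dual-homed Linux
# gateway. Interface names and the LAN range are assumptions, not values
# taken from the thread.

gen_gateway_rules() {
    ext_if=$1; int_if=$2; lan=$3
    # Refuse incomplete or nonsensical input rather than emit a partial ruleset.
    if [ -z "$ext_if" ] || [ -z "$int_if" ] || [ -z "$lan" ]; then
        echo "usage: gen_gateway_rules EXT_IF INT_IF LAN_CIDR" >&2
        return 1
    fi
    if [ "$ext_if" = "$int_if" ]; then
        echo "external and internal interface must differ" >&2
        return 1
    fi
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Rewrite private source addresses to the gateway's external address.
-A POSTROUTING -s $lan -o $ext_if -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Management (SSH) only from the internal side.
-A INPUT -i $int_if -s $lan -p tcp --dport 22 -j ACCEPT
# Clients may open connections outward; only replies come back in.
-A FORWARD -i $int_if -o $ext_if -s $lan -j ACCEPT
-A FORWARD -i $ext_if -o $int_if -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Constructed sample values. To apply on the gateway (as root):
#   sysctl -w net.ipv4.ip_forward=1
#   gen_gateway_rules eth0 eth1 192.168.1.0/24 | iptables-restore
gen_gateway_rules eth0 eth1 192.168.1.0/24
```

With rules like these loaded, the clients use the gateway's internal address as their default gateway, and IP forwarding alone is no longer the only thing standing between the LAN and the router.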
 
Thanks lgarner - I found some documentation on how to set up a gateway/firewall/router and I think I'll try that. If it doesn't work out - I'll be back.
 