Internet Related/Filtering/Firewall forum thread: Squid physical configuration
#1 by Ignatius

    I'm looking into configuring Squid on a network that is used by about 20 clients. I plan to have the Squid PC with a static IP address on the network (172.16.0.0/16), configure the clients to use the proxy and configure the ADSL router to block all internet traffic except from the Squid PC. That bit's OK.

    My question relates to what happens if the number of clients increases significantly because the single Gb network card would have a lot of in/out traffic. The possibilities that I have thought of are:

    1. Have a second (third or fourth) Gb NIC in the Squid PC (say, 172.16.0.250, 172.16.0.251, 172.16.0.252 and 172.16.0.253) and configure the appropriate proportion of the clients to use the different NICs, hence providing balancing.

    2. Have a second Gb NIC in the Squid PC - one on the 172.16.0.0/16 network and the second connected to the ADSL router via a 192.168.0.0/30 network. I realise that I would have to provide routing in the Squid PC and suspect that I'd have to provide NAT.

    Which of these solutions would be preferable? I suspect that the former would be more simple. If the latter solution would be used, would it kick in on a network of a particular size (i.e. number of clients) or would there be some other time when I should (or must) use such a configuration?

    Finally, other than having several Squid proxies, are there any other solutions that would be necessary in a large network?

#2 by ChrisH

    I'm guessing you could just use different ports with squid rather than loads of NICs, especially where you only have 20 clients.

Thanks to ChrisH from: Ignatius (25th January 2011)

#3 by glennda

    I doubt you need to worry about the throughput of a 1Gb network card. I currently have about 600+ PCs going through one Squid box, then about 200+ on another (due to different filter policies for staff/students). I have never had a problem with the capacity of the Squid box, more the internet connection on the other side. I'm assuming you don't have a 1Gb internet connection!

Thanks to glennda from: Ignatius (25th January 2011)

#4 by j17sparky

    Unless your internet connection is >1Gb then you don't need to worry; that's where your bottleneck is going to be. The only reason I can think of to have more than 1Gb of bandwidth on your Squid box would be if you cached high-bitrate media and had tonnes of clients.

Thanks to j17sparky from: Ignatius (25th January 2011)

#5 by MatthewL

    I have 1000+ devices connecting to my server on a 1Gb connection and it's fine; I wouldn't worry about it.

Thanks to MatthewL from: Ignatius (25th January 2011)

#6 by Ignatius

    I'm grateful for everyone's comments and am reassured that I wouldn't have any problems with the amount of traffic passing in and out through a single 1Gb NIC. I'm relieved because I didn't particularly want to have to delve into configuring iptables!

#7 by tom_newton

    Yeah - the NIC's the last of your worries; virtually every subsystem would flake before the NIC choked. That, however, would be a long way off 20 PCs, or probably 2000.

#8 by Ignatius

    Quote Originally Posted by tom_newton:
        Yeah - the NIC's the last of your worries; virtually every subsystem would flake before the NIC choked. That, however, would be a long way off 20 PCs, or probably 2000.
    I realise that a network of 20 PCs would manage without any problems. I was really "pontificating" about what would be appropriate in a much larger network, such as a school, college or university where the number of clients could well be into four figures.

#9 by dhicks

    Quote Originally Posted by Ignatius:
        Have a second (third or fourth) Gb NIC in the Squid PC (say, 172.16.0.250, 172.16.0.251, 172.16.0.252 and 172.16.0.253) and configure the appropriate proportion of the clients to use the different NICs, hence providing balancing.
    If you're going to have multiple NICs, you could just team them - I think that provides both fail-over and load balancing, all in one easy-to-do setup. As already pointed out, though, no matter how many client computers you have there's little point having a network connection to your router that's faster than your Internet connection. I suppose you might see some improvement from a faster network connection to your Squid box if you were getting a lot of cache hits - maybe a whole class viewing a YouTube video or something?

    --
    David Hicks

#10 by tom_newton

    Quote Originally Posted by Ignatius:
        I realise that a network of 20 PCs would manage without any problems. I was really "pontificating" about what would be appropriate in a much larger network, such as a school, college or university where the number of clients could well be into four figures.
    Admittedly most of the systems I see have filtering - which will discourage saturation of the NIC, but I have seen one of Synetrix's Squid test boxes. They have quality Gig network cards, but the throughput was limited by other aspects - which is why each box has a couple of top-end Xeons, a bunch of solid-state storage and 10s of gigs of RAM. For this reason, it is generally the case that cache/filter boxes end up clustered before you do anything with the >1 NIC. Additionally, of course, in larger networks, a cluster gives resilience.

    The only recent >1 NIC install we have done teamed 2 NICs for failover, not performance - this was in a large cluster already.

#11 by Ignatius

    Quote Originally Posted by dhicks:
        If you're going to have multiple NICs, you could just team them - I think that provides both fail-over and load balancing, all in one easy-to-do setup.
    I suppose my initial theoretical way of dealing with a large number of clients would be to configure 25% to have one of the four NIC IP addresses as the proxy, hence reducing the traffic that would be borne by a single 1Gb NIC. I appreciate the comments in this thread though that my over-complicated solution wouldn't be necessary in the hypothetical scenario that I proposed.

#12 by Ignatius

    Quote Originally Posted by tom_newton:
        They have quality Gig network cards, but the throughput was limited by other aspects - which is why each box has a couple of top-end Xeons, a bunch of solid-state storage and 10s of gigs of RAM.
    Before I started this discussion, I hadn't really thought of other areas that might create a bottleneck. I understand now that, in the mega network scenario, all hardware components must be capable of high throughput. A chain is, after all, as strong as its weakest link.

#13 by tom_newton

    Quote Originally Posted by Ignatius:
        Before I started this discussion, I hadn't really thought of other areas that might create a bottleneck. I understand now that, in the mega network scenario, all hardware components must be capable of high throughput. A chain is, after all, as strong as its weakest link.
    Spot on. It's actually remarkably difficult to saturate a modern NIC in all but the most network-heavy of scenarios. Some interesting corner cases arrive when you've lots of little packets though (say heavy, heavy VoIP users - we're talking carrier-grade stuff here).

#14 by Ignatius

    I wasn't sure whether to start a new thread ... I'm happy to do so if necessary.

    I've made progress in configuring Squid: a single NIC (eth0, 172.19.0.250/16) using port 3128. I blocked all outward traffic in my ADSL router except from the Squid box, and everything's working fine.

    The next stage was to make it transparent. Here's what I've done:

    1. I changed the client Default Gateway to the Squid IP address.
    2. I removed the proxy in my web browser, then restarted it.
    3. I changed squid.conf to have the line "http_port 3128 transparent".
    4. I executed "iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128".
    5. I cleared the Squid log (/var/log/squid/access.log), then restarted Squid.

    I visited some sites using the client, and browsing works, with the sites added to the Squid log file.

    BUT

    When I try to access e-mail via my e-mail client (Outlook 2003), it fails. However, if I change the DG to the "real" one on my ADSL router (172.19.0.1), Outlook sends and retrieves mail correctly.

    I suspect that I need some other iptables command ... unless there's something else that I've missed. Does anyone have any suggestions?

    Sorry if I should have started a new thread. I'm happy to do so.

    EDIT - I've now noticed that https traffic is blocked if I have the Squid box as the Default Gateway. I understand that Squid doesn't deal with secure sites so I guess I'd have to configure https traffic to bypass the transparent proxy.
    Last edited by Ignatius; 7th February 2011 at 03:52 PM. Reason: After some research

#15 by glennda

    You would need to also set up port 443 to redirect to port 3128, like you have done for port 80 traffic. It's not tested, but I think it should work.
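The gateway side of the setup in #14, worked through as an added example (this is not code from the thread, nor from the Squid project). Once the Squid box is the clients' default gateway, it is also a router: the PREROUTING rule pulls port 80 into Squid, but SMTP, POP3, HTTPS and DNS arrive at the box as transit packets, and with IP forwarding off (the Linux default) they are dropped, which is the symptom Outlook showed. The box therefore also needs forwarding enabled, a FORWARD policy that permits LAN-to-outside traffic, and source NAT, because the ADSL router has been told to accept traffic only from the Squid box's address. The script prints the commands instead of running them, so the ruleset can be reviewed before a root shell applies it. It assumes the interface eth0 and the 172.19.0.0/16 LAN from #14, Squid on port 3128, and a single NIC, so forwarded traffic leaves by the same interface it arrived on; setting WAN_IF to a second interface gives the two-NIC layout from option 2 in #1. `send_redirects` is switched off because a router that forwards packets back out the interface they came in on sends ICMP redirects, which would teach clients to bypass the box. Port 443 is forwarded rather than redirected, which is the OP's own conclusion in #14: a plain `http_port ... transparent` listener (the keyword is `intercept` from Squid 3.1 onwards) does not terminate TLS. `path_for_port` mirrors how those rules treat a client packet with a given destination port.

```shell
#!/bin/sh
# Added example: iptables ruleset for a Squid box that is both the transparent
# proxy and the clients' default gateway. Prints commands; does not apply them.

LAN_IF="${LAN_IF:-eth0}"                 # interface facing the clients (from #14)
WAN_IF="${WAN_IF:-$LAN_IF}"              # interface towards the ADSL router; same NIC by default
LAN_NET="${LAN_NET:-172.19.0.0/16}"      # client network (from #14)
SQUID_PORT="${SQUID_PORT:-3128}"         # "http_port 3128 transparent" in squid.conf

# Emit the commands a root shell would run, in order.
gateway_rules() {
    # The box must route, and must not tell clients to go around it.
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "sysctl -w net.ipv4.conf.$LAN_IF.send_redirects=0"
    # Default-deny transit traffic, then open only what the LAN needs.
    echo "iptables -P FORWARD DROP"
    # The rule from #14: plain HTTP from the LAN is handed to Squid locally.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT"
    # Everything else bound for outside the LAN is forwarded and source-NATed,
    # so the ADSL router (which only accepts the Squid box) sees the box's address.
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET ! -d $LAN_NET -j MASQUERADE"
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET ! -d $LAN_NET -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# What the ruleset does with a client packet to destination port $1 when
# net.ipv4.ip_forward is $2 (0 or 1). Port 80 is handled locally by Squid
# whatever the forwarding state; everything else depends on it.
path_for_port() {
    port="$1"
    fwd="$2"
    if [ "$port" -eq 80 ]; then
        echo "redirect:$SQUID_PORT"
    elif [ "$fwd" -eq 1 ]; then
        echo "forward:masquerade"
    else
        echo "dropped"                    # the state #14 was in: mail and HTTPS never leave
    fi
}

# Print the ruleset for review; pipe it into a root shell only after reading it.
if [ "${1:-}" = "print" ]; then
    gateway_rules
fi
```

With forwarding off, `path_for_port 443 0` and `path_for_port 25 0` both answer `dropped`, while `path_for_port 80 0` still answers `redirect:3128`, which is exactly why web browsing worked in #14 while Outlook and HTTPS did not; after the printed rules are applied, the same ports answer `forward:masquerade`.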
