External Squid Box with No Limit Cache HIT Object ROS 2.9

From MikroTik Wiki

Introduction

This page explains how to let Squid cache HIT objects bypass your bandwidth limits with a Queue Tree in RouterOS 2.9, so clients can download cached (HIT) objects at full speed. RouterOS 3.0 introduced a DSCP match for this; with an external Squid cache box you can achieve the same in 2.9 using TOS, Mangle and a Queue Tree.

Note: disable the built-in web proxy on the MikroTik before implementing this:

/ip web-proxy set enabled=no


Network Layout

[Figure: Squidbox.JPG, network layout]

Basic Setup

Basic setup with two network interfaces:

[pokeman@home] > interface print

#    NAME     TYPE    RX-RATE   TX-RATE   MTU
0  R public   ether1  0         0         1500
1  R lan      ether2  0         0         1500

IP Address for each interface:

[pokeman@home] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
#  ADDRESS         NETWORK      BROADCAST      INTERFACE
0  192.168.0.2/24  192.168.0.0  192.168.0.255  public
1  172.16.1.1/24   172.16.1.0   172.16.1.255   lan

First, mark the cache HIT packets in mangle (TOS 48 is 0x30, the value Squid's ZPH option sets on HIT responses in the configuration below):

[pokeman@home] > /ip firewall mangle add chain=postrouting tos=48 action=mark-packet \
new-packet-mark=proxy-hit passthrough=no

(Note: the tos= match above is outdated on newer RouterOS versions; use the equivalent dscp= match below. DSCP 12 is the upper six bits of TOS 0x30, so both rules select the same packets. The rest of the setup still works on newer versions.)

[pokeman@home] > /ip firewall mangle add chain=postrouting dscp=12 action=mark-packet new-packet-mark=proxy-hit passthrough=no

Then create a global queue tree entry with no limit for the marked packets:

[pokeman@home] > /queue tree add name="pmark" parent=global-out packet-mark=proxy-hit \
limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s

Linux Setup

Network setting:

eth0: public IP, e.g. 111.222.222.222/29
eth1: private IP, e.g. 192.168.0.1/24

Enable NAT with a transparent proxy:

touch /etc/rc.d/rc.firewall
vi /etc/rc.d/rc.firewall

Paste this configuration:

#!/bin/sh
IPTABLES=/sbin/iptables
# Start from an empty nat table
$IPTABLES -F -t nat
# Masquerade LAN traffic leaving on the public interface
$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Redirect LAN HTTP (port 80) to the local Squid listening on 8080
$IPTABLES -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp -m multiport --dports 80 -j REDIRECT --to-port 8080
# Enable IP forwarding so the box routes for the LAN
echo 1 > /proc/sys/net/ipv4/ip_forward

Execute the firewall script:

sh /etc/rc.d/rc.firewall

Patch TOS (ZPH) support into Squid:

Squid 2.6 needs a patch for this. If you use Squid 2.7, skip this step and just add the squid.conf parameters below.

wget http://www.squid-cache.org/Versions/v2/2.6/squid-2.6.STABLE16.tar.gz
tar -xzvf squid-2.6.STABLE16.tar.gz
cd squid-2.6.STABLE16
wget http://kambing.ui.edu/gentoo-portage/net-proxy/squid/files/squid-2.6.16-ToS_Hit_ToS_Preserve.patch
patch -p1 < ./squid-2.6.16-ToS_Hit_ToS_Preserve.patch
./configure <add your compile options>

Squid parameters:

squid.conf for Squid 2.6 (patched):

zph_tos_local 0x30
zph_tos_peer 0
zph_tos_parent off
zph_preserve_miss_tos on

squid.conf for Squid 2.7 (ourusers is an ACL you must already have defined for your client networks):

tcp_outgoing_tos 0x30 ourusers
zph_mode tos
zph_local 0x30
zph_parent 0
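The whole setup hinges on three numbers agreeing: the TOS byte Squid writes on HIT responses (0x30), the tos= value in the old RouterOS mangle rule (48) and the dscp= value in the new one (12). The shell script below is an added example, not part of the original wiki page, that derives one from the other, generates both forms of the mangle rule and produces a tcpdump filter you can run on the Squid box to confirm that HIT responses really leave with the expected TOS byte. Function names, the --demo flag and the assumption that Squid's marked replies leave on eth1 are mine; the rule and queue names are the page's.

```shell
#!/bin/sh
# Added example (not from the original wiki page): keep the TOS byte set by
# Squid's ZPH option, the RouterOS 2.9 tos= match and the newer dscp= match
# consistent, and verify the marking on the wire.
# Assumptions: TOS byte 0x30 (48) as in the page; Squid replies leave on eth1.

# DSCP is the upper six bits of the TOS/DS byte: dscp = tos >> 2.
tos_to_dscp() {
    printf '%d\n' "$(( $1 >> 2 ))"
}

# Reverse mapping: the TOS byte carried on the wire for a DSCP (ECN bits zero).
dscp_to_tos() {
    printf '%d\n' "$(( $1 << 2 ))"
}

# Emit the RouterOS mangle rule for a TOS byte. The 2.9 syntax matches the raw
# TOS value, the newer syntax matches DSCP; both must select the same packets.
mangle_rule() {
    tos=$1
    case "$2" in
        old) echo "/ip firewall mangle add chain=postrouting tos=$tos action=mark-packet new-packet-mark=proxy-hit passthrough=no" ;;
        new) echo "/ip firewall mangle add chain=postrouting dscp=$(tos_to_dscp "$tos") action=mark-packet new-packet-mark=proxy-hit passthrough=no" ;;
        *)   echo "usage: mangle_rule <tos> old|new" >&2; return 1 ;;
    esac
}

# tcpdump/BPF filter for the Squid box: ip[1] is the TOS byte; masking with
# 0xfc ignores the two ECN bits, which the kernel may set on its own.
hit_capture_filter() {
    printf 'tcp and ip[1] & 0xfc == 0x%02x\n' "$(( $1 & 0xfc ))"
}

# Stand-alone run: show the values for the page's TOS of 0x30.
if [ "${1:-}" = "--demo" ]; then
    echo "TOS 0x30 -> DSCP $(tos_to_dscp 48)"
    mangle_rule 48 old
    mangle_rule 48 new
    echo "verify on the squid box: tcpdump -ni eth1 '$(hit_capture_filter 48)'"
fi
```

Run it with --demo to print the two rules and the capture filter. If tcpdump on eth1 shows no packets matching the filter while a client fetches an object that access.log reports as TCP_HIT, Squid is not setting the TOS and the MikroTik queue will never see the proxy-hit mark; if packets are marked but still throttled, check the mangle rule and queue tree on the router instead.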

Happy caching! Bugs & suggestions: asifbakali(at)gmail.com