# [solved] squid: some addresses are unreachable

## Jimini

Hey there,

I have been running squid as a transparent proxy for some months. This morning, I tried to set up squidclamav, but after a while I recognized that some addresses like www.google.de were unreachable. So I revoked all changes, but all attempts to reach www.google.de with my browser led to timeouts. Nevertheless, the address is resolved, as I found out with various pings. Additionally, everything works fine when I disable squid completely and let all http-traffic reach the internet directly.

My conclusion:

- dns works

- browsers work

This is my squid.conf:

```
http_port 10.0.0.1:3128 transparent
cache_dir aufs /var/cache/squid/ 10000 1 1
cache_mem 128 MB
minimum_object_size 0 KB
maximum_object_size 0 KB
maximum_object_size_in_memory 0 KB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap LFUDA
shutdown_lifetime 3 seconds
access_log /var/log/squid/access.log
emulate_httpd_log on
acl Safe_ports port 80
acl purge method PURGE
acl clients src 10.0.0.1-10.0.0.50
acl wlanap src 10.0.0.100
acl url_ads url_regex -i "/etc/squid/banner-ads.acl"
http_access allow clients !url_ads
http_access allow wlanap
http_access deny all
```

I use squid-3.1.19. This setup worked well for a few months, but now I just can't find the reason for this behavior. Any help would be really appreciated.

Best regards,

Jimini

Solution: reinstalled squid without ipv6-support.

----------

## truc

check cache.log & access.log

check with and without explicit proxy settings in your browser

if you need help, then help us help you (give some logs and everything related you can think of)

----------

## Jimini

Thank you for your reply.

Now I reactivated the following iptables rule:

```
iptables -t nat -A PREROUTING -i eth1 -s 10.0.0.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 3128
```

cache.log when I stop squid:

```
2012/08/12 07:57:26| basic/auth_basic.cc(97) done: Basic authentication Shutdown.
CPU Usage: 0.120 seconds = 0.090 user + 0.030 sys
Maximum Resident Size: 33440 KB
Page faults with physical i/o: 0
Memory usage for squid via mallinfo():
        total space in arena:    2538 KB
        Ordinary blocks:         2442 KB      8 blks
        Small blocks:               0 KB      6 blks
        Holding blocks:           820 KB      3 blks
        Free Small blocks:          0 KB
        Free Ordinary blocks:      95 KB
        Total in use:            3262 KB 129%
        Total free:                96 KB 4%
```

cache.log when I start squid:

```
2012/08/12 07:57:32| Starting Squid Cache version 3.1.19 for i686-pc-linux-gnu...
```

access.log when I access www.gentoo.org:

```
10.0.0.4 - - [12/Aug/2012:08:04:20 +0200] "GET http://www.gentoo.org/ HTTP/1.1" 200 10759 TCP_MISS:DIRECT
10.0.0.4 - - [12/Aug/2012:08:04:21 +0200] "GET http://www.gentoo.org/css/main.css HTTP/1.1" 200 2893 TCP_MISS:DIRECT
10.0.0.4 - - [12/Aug/2012:08:04:21 +0200] "GET http://www.gentoo.org/images/gtop-www.jpg HTTP/1.1" 200 5068 TCP_MISS:DIRECT
10.0.0.4 - - [12/Aug/2012:08:04:21 +0200] "GET http://www.gentoo.org/images/gentoo-new.gif HTTP/1.1" 200 5305 TCP_MISS:DIRECT
10.0.0.4 - - [12/Aug/2012:08:04:21 +0200] "GET http://www.gentoo.org/images/gridtest.gif HTTP/1.1" 200 3714 TCP_MISS:DIRECT
10.0.0.4 - - [12/Aug/2012:08:04:21 +0200] "GET http://www.gentoo.org/images/icon-gentoo.png HTTP/1.1" 200 10876 TCP_MISS:DIRECT
10.0.0.4 - - [12/Aug/2012:08:04:21 +0200] "GET http://www.gentoo.org/images/icon-clock.png HTTP/1.1" 200 14232 TCP_MISS:DIRECT
10.0.0.4 - - [12/Aug/2012:08:04:21 +0200] "GET http://www.gentoo.org/images/G-Earth.png HTTP/1.1" 200 20100 TCP_MISS:DIRECT
10.0.0.4 - - [12/Aug/2012:08:04:21 +0200] "GET http://www.gentoo.org/favicon.ico HTTP/1.1" 200 5370 TCP_MISS:DIRECT
10.0.0.4 - - [12/Aug/2012:08:04:21 +0200] "GET http://www.gentoo.org/images/icon-cow.png HTTP/1.1" 200 11074 TCP_MISS:DIRECT
10.0.0.4 - - [12/Aug/2012:08:04:21 +0200] "GET http://images.paypal.com/images/x-click-but21.gif HTTP/1.1" 200 951 TCP_MISS:DIRECT
10.0.0.4 - - [12/Aug/2012:08:04:28 +0200] "GET http://sidebar.gentoo.org/ HTTP/1.1" 200 3200 TCP_MISS:DIRECT
10.0.0.4 - - [12/Aug/2012:08:04:29 +0200] "GET http://www.gentoo.org/images/osuosl.png HTTP/1.1" 200 9099 TCP_MISS:DIRECT
10.0.0.4 - - [12/Aug/2012:08:04:32 +0200] "GET http://images.paypal.com/images/x-click-but21.gif HTTP/1.1" 200 946 TCP_MISS:DIRECT
10.0.0.4 - - [12/Aug/2012:08:04:32 +0200] "GET http://www.gentoo.org/images/G-Earth.png HTTP/1.1" 200 4474 TCP_MISS:DIRECT
10.0.0.4 - - [12/Aug/2012:08:04:32 +0200] "GET http://www.gentoo.org/images/gentoo-new.gif HTTP/1.1" 200 4474 TCP_MISS:DIRECT
10.0.0.4 - - [12/Aug/2012:08:04:33 +0200] "GET http://www.gentoo.org/images/gridtest.gif HTTP/1.1" 200 3709 TCP_MISS:DIRECT
10.0.0.4 - - [12/Aug/2012:08:04:33 +0200] "GET http://www.gentoo.org/images/gtop-www.jpg HTTP/1.1" 200 5041 TCP_MISS:DIRECT
10.0.0.4 - - [12/Aug/2012:08:04:33 +0200] "GET http://www.gentoo.org/images/icon-clock.png HTTP/1.1" 200 5674 TCP_MISS:DIRECT
10.0.0.4 - - [12/Aug/2012:08:04:33 +0200] "GET http://www.gentoo.org/images/icon-cow.png HTTP/1.1" 200 5674 TCP_MISS:DIRECT
10.0.0.4 - - [12/Aug/2012:08:04:33 +0200] "GET http://www.gentoo.org/images/icon-gentoo.png HTTP/1.1" 200 5674 TCP_MISS:DIRECT
10.0.0.4 - - [12/Aug/2012:08:05:41 +0200] "GET http://www.gentoo.org/images/osuosl.png HTTP/1.1" 200 5673 TCP_MISS:DIRECT
```

When I want to access www.google.de, nothing is logged, until I get a timeout after ~2 minutes and the following appears in access.log:

```
10.0.0.4 - - [12/Aug/2012:08:07:07 +0200] "GET http://www.google.de/ HTTP/1.1" 504 4618 TCP_MISS:DIRECT
```

I also get the following error in my browser:

```
The following error was encountered while trying to retrieve the URL: http://www.google.de/

    Connection to 2a00:1450:4016:801::101f failed.

The system returned: (110) Connection timed out

The remote host or network may be down. Please try the request again.

Your cache administrator is root.
```

With or without explicit proxy settings in firefox - it makes no difference. Google is always unreachable.

If you need additional information, please let me know.

Best regards,

Jimini

----------

## cach0rr0

 *Jimini wrote:*

> ```
>     Connection to 2a00:1450:4016:801::101f failed.
> ```
> ...

this is an ipv6 address. something in the chain, be it client, or proxy, is missing ipv6 support.
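
Added example (not part of the original thread): the triage behind this diagnosis, run over two access.log lines and the error page text copied from the posts above. The function names and the result keys are this example's own.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# access.log with "emulate_httpd_log on": common log format + result:hierarchy.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ (?P<result>[A-Z_]+):(?P<hier>[A-Z_]+)')
# Sentence on Squid's error page naming the upstream address it tried.
PEER_RE = re.compile(r'Connection to (\S+) failed')

# Sample input: two access.log lines and the error page quoted in this thread.
SAMPLE_LOG = '''\
10.0.0.4 - - [12/Aug/2012:08:04:20 +0200] "GET http://www.gentoo.org/ HTTP/1.1" 200 10759 TCP_MISS:DIRECT
10.0.0.4 - - [12/Aug/2012:08:07:07 +0200] "GET http://www.google.de/ HTTP/1.1" 504 4618 TCP_MISS:DIRECT
'''
SAMPLE_ERROR_PAGE = '''\
    Connection to 2a00:1450:4016:801::101f failed.
The system returned: (110) Connection timed out
'''

def gateway_timeouts(log_text):
    """Return (host, timestamp) for every 504 that Squid fetched DIRECT."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m and m["status"] == "504" and m["hier"] == "DIRECT":
            hits.append((urlsplit(m["url"]).hostname, m["ts"]))
    return hits

def failed_peer_family(error_page):
    """Return 'IPv6', 'IPv4' or None for the address named on the error page."""
    m = PEER_RE.search(error_page)
    if not m:
        return None
    try:
        return f"IPv{ipaddress.ip_address(m.group(1)).version}"
    except ValueError:
        return None  # the page named a hostname, not a literal address

def triage(log_text, error_page):
    """Combine both signals: DIRECT 504s plus an IPv6 literal on the error page."""
    timeouts = gateway_timeouts(log_text)
    family = failed_peer_family(error_page)
    return {"timeouts": timeouts, "peer_family": family,
            "ipv6_upstream_suspected": bool(timeouts) and family == "IPv6"}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_ERROR_PAGE))
```
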

----------

## Jimini

I have absolutely no idea why this should all of a sudden be a problem. I use exactly the same config as two days ago, when everything went fine. I have not set up any support for ipv6 yet - and I hope, I am not forced to change this by now.

Best regards,

Jimini

Edit: I rebuilt squid without ipv6-support - seems, as if everything works again.

----------

## truc

 *Jimini wrote:*   

> I have absolutely no idea why this should all of a sudden be a problem. I use exactly the same config as two days ago, when everything went fine. I have not set up any support for ipv6 yet - and I hope, I am not forced to change this by now.
> 
> Best regards,
> 
> Jimini
> ...

 

Damn! I should have bet on an IPv6 problem! I was almost sure:)

You're certainly not forced to enable IPv6 but you definitely should.

You can still do transparent proxy with IPv6 using TPROXY, it's really not that hard.

Please do what you have to! The more we are using IPv6, the better it is for everybody :D

----------

## Jimini

 *truc wrote:*   

> You're certainly not forced to enable IPv6 but you definitely should.
> 
> You can still do transparent proxy with IPv6 using TPROXY, it's really not that hard.
> 
> Please do what you have to! The more we are using IPv6, the better it is for everybody :D

 

You are absolutely right. I've had that point on my to-do list for many, many months, but at the moment, I simply do not have enough free time to reconfigure my network (5 clients, 1 server, 1 router, traffic-shaping- and iptables-scripts and so on...) - this project will be done this winter - I promise ;)

Best regards and thanks for your (and cach0rr0, too!) help,

Jimini

----------

## cach0rr0

 *Jimini wrote:*   

> I have absolutely no idea why this should all of a sudden be a problem. I use exactly the same config as two days ago, when everything went fine. I have not set up any support for ipv6 yet - and I hope, I am not forced to change this by now.
> 
> Best regards,
> 
> Jimini
> ...

 

looks like the ebuilds for Squid 3 enable ipv6 by default

```
# grep IUSE.*ipv6 /usr/portage/net-proxy/squid/squid-3*.ebuild
/usr/portage/net-proxy/squid/squid-3.1.15.ebuild:IUSE="caps ipv6 pam ldap samba sasl kerberos nis radius ssl snmp selinux logrotate test
/usr/portage/net-proxy/squid/squid-3.1.16.ebuild:IUSE="caps ipv6 pam ldap samba sasl kerberos nis radius ssl snmp selinux logrotate test
/usr/portage/net-proxy/squid/squid-3.1.18.ebuild:IUSE="caps ipv6 pam ldap samba sasl kerberos nis radius ssl snmp selinux logrotate test
/usr/portage/net-proxy/squid/squid-3.1.19.ebuild:IUSE="caps ipv6 pam ldap samba sasl kerberos nis radius ssl snmp selinux logrotate test
/usr/portage/net-proxy/squid/squid-3.1.20.ebuild:IUSE="caps ipv6 pam ldap samba sasl kerberos nis radius ssl snmp selinux logrotate test
```

so unless you explicitly disable ipv6 in make.conf or package.use, it would be enabled. Dunno when your last Squid update was, or when this might have been enabled by default, though. 

I've just USE="-ipv6" in make.conf for a while for precisely this reason; I have 5 static ipv4 addresses, and will not be able to get ipv6 addresses without paying extra money. I have no intention of using a tunnel broker either so for now this avoids the sort of annoying ipv6 problems that seem to pop up everywhere unexpectedly :)

----------

