# Squid and multiple external interfaces

## gmichels

Hi all,

I have a box running a simple shorewall + squid setup, where eth0 is the internal interface and eth1 is the external interface. All users access the internet thru squid and a few other services (mostly postfix) that have direct access to the internet thru nat.

My current internet link is kinda slow (600/600), but it's named "corporative", as I have a mail server (a fancy name for just a fixed ip) and upgrading it is very expensive. So, I'd like to add another "normal" internet link (dhcp ip, something around 2000/300), a cheaper solution, which I'd like to make it exclusive for squid usage.

Is there a way I can set squid to direct all requests thru a specific external interface (eth2)? Or maybe in shorewall?

Any ideas are welcome.

Thanks!

----------

## di1bert

For starters I'd have squid listen only on the LAN interface by updating your squid.conf file.

Then just use Shorewall to redirect the proxy traffic out the second interface. I'm not entirely sure how you'd do this with Shorewall, although this will probably give you a good idea on what you need to do.

HTH

-m

----------

## gmichels

Thanks for your reply.

 *di1bert wrote:*   

> For starters I'd have squid listen only on the LAN interface by updating your squid.conf file.

 

I already have it like this.  :Smile: 

 *di1bert wrote:*   

> Then just use Shorewall to redirect the proxy traffic out the second interface. I'm not entirely sure how you'd do this with Shorewall, although this will probably give you
> ...

 

This seems like a good start; however, there's a specific squid link there where they mention squid as a transparent proxy, and mine is set up as a manual proxy (not exactly manual, I'm using WPAD and PAC auto-discovery). Anyway, that link made me think about going the TOS way: marking squid packets with a specific flag and having them routed by shorewall. It's just an idea; I don't even know if it's possible.

Anyone else have any more opinions?

Thanks.

----------

## DawgG

 *Quote:*   

> going the TOS way, marking squid packets with a specific flag and have them routed by shorewall

 

you sure have cpu-power to waste  :wink: 

there is a directive for squid that directs traffic to an interface (using an acl), it is called

```
tcp_outgoing_address
```

and it looks like it does just what you want.

(i've seen it in squid2, but i'm quite certain it exists in squid3, too.)

GOOD LUCK!

----------

## gmichels

 *DawgG wrote:*   

>  *Quote:*   going the TOS way, marking squid packets with a specific flag and have them routed by shorewall 
> 
> you sure have cpu-power to waste  
> 
> there is a directive for squid that directs traffic to an interface (using an acl), it is called
> ...

 

Thanks for your reply, but I have already checked that option, and all it does is make all squid requests use that specific address as source; the packet will still be routed as usual thru the default gateway, regardless of the address in that option.

I guess I'll really have to go the routing way, but I wasn't aware it would be so resource-intensive on the cpu :S

----------

## DawgG

 *Quote:*   

> Is there a way I can set squid to direct all requests thru a specific external interface (eth2)? 

 

ok, i thought it was three ifs on the same box; the way i understand you now is that squid-traffic is supposed to go thru an extra gateway that has the second (new) if.

i'd set up an internal lan which squid is connected to with one if (eth0), and a wannabe dmz to which the clients have no access and which squid is connected to with its second if (eth1). then you have the router with multiple internet-gws: one if is in the wannabe-dmz (with squid) and the other ifs are connected to the web. you can then configure the squid-process to direct all traffic thru one dmz-if and configure the firewall/gateway to nat this traffic out a certain if and other traffic from that box out a different one. on the box running squid it's also possible to use virtual ifs in the wannabe-dmz.

----------
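A worked example of the two halves that the thread circles around: gmichels's observation that `tcp_outgoing_address` only changes the source address while the kernel still follows the eth1 default route, and DawgG's suggestion of a gateway that sends squid's traffic out one link and everything else out another. The piece that joins them is source-based policy routing (`ip rule ... from <addr>`), which the Linux kernel and Shorewall both support. This script is an added example and is not code from the thread or from the Squid or Shorewall projects; every address, the ACL name `lan`, the table number 100 and the Shorewall column layout are assumptions for illustration (addresses come from the RFC 5737 documentation ranges).

```shell
#!/bin/sh
# Added example (not from the thread): make Squid's outgoing connections leave
# via eth2 with source-based policy routing, while the rest of the box keeps its
# default route over eth1.  All addresses, the ACL name and the table number are
# assumptions for illustration, not values taken from the thread.
set -eu

ETH2_IP="${ETH2_IP:-198.51.100.20}"   # address DHCP handed to eth2 (assumed)
ETH2_GW="${ETH2_GW:-198.51.100.1}"    # gateway on the eth2 link (assumed)
TABLE="${TABLE:-100}"                 # routing table reserved for the squid link
LAN="${LAN:-192.168.0.0/24}"          # internal network behind eth0 (assumed)

# squid.conf side: pin the source address of outgoing connections to eth2's
# address.  On its own this only changes the source IP; the kernel still picks
# the egress interface from the main table, i.e. the eth1 default route.
squid_conf_snippet() {
    cat <<EOF
acl lan src ${LAN}
tcp_outgoing_address ${ETH2_IP} lan
EOF
}

# Kernel side: a rule keyed on the *source* address sends packets from
# ETH2_IP to a table whose only default route goes out eth2.  This is the
# missing piece that makes tcp_outgoing_address change the egress link;
# Postfix and everything else still use the main table and leave via eth1.
policy_route_cmds() {
    cat <<EOF
ip route replace default via ${ETH2_GW} dev eth2 table ${TABLE}
ip rule add from ${ETH2_IP} lookup ${TABLE} priority 1000
ip route flush cache
EOF
}

# Shorewall equivalent of the two iproute2 lines above (assumed Shorewall 4.x
# column layout; confirm against providers(5) and rtrules(5) for your version):
#   /etc/shorewall/providers:  squidlink ${TABLE} - main eth2 ${ETH2_GW} -
#   /etc/shorewall/rtrules:    ${ETH2_IP} - squidlink 1000

# Apply the rules (needs root) and check which way a packet sourced from
# ETH2_IP would leave: the lookup must report "dev eth2".  If replies come
# back on eth2 but are dropped, check net.ipv4.conf.eth2.rp_filter.
apply_and_verify() {
    policy_route_cmds | sh -e
    ip route get 192.0.2.1 from "${ETH2_IP}"
}

case "${1:-show}" in
    show)  squid_conf_snippet; policy_route_cmds ;;
    apply) apply_and_verify ;;
esac
```

Because eth2 gets its address by DHCP, `ETH2_IP` and `ETH2_GW` should be fed in from the DHCP client's hook script and the rule re-added whenever the lease changes; otherwise squid binds to an address the kernel no longer owns and every connection fails. In DawgG's two-box layout the same rule lives on the gateway and matches squid's address in the "wannabe dmz" instead, together with a masquerade entry for eth2, so the gateway does the source-based selection and squid needs no `tcp_outgoing_address` at all.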

