[ToS and source IP address selection - Example]

Example of using tosaddracl to select outgoing IP addresses

Would you like to have more than one outgoing IP address, for better network management or for some other reason?

Here is how you can do it.

In this demonstration, I will be using a Cisco router with policy routing enabled.

  1. Suppose that you need to have different outgoing IPs for different subnets or groups of IPs.
  2. Suppose that you have a LAN connection and a satellite connection, and that your satellite link is downstream only, i.e. you use your LAN connection for upstream and come back down via satellite. You do not route this yourself: all of the routers across the world already know to route that class of address to your satellite provider.
  3. I was made aware that Squid 2.5 with http://devel.squid-cache.org/tosaddracl/ will have this functionality.
Here is the info for using that parameter:

The tosaddracl branch on SourceForge has now been cleaned up, and as a result the configuration directives have changed slightly.

TAG: tcp_outgoing_address

Allows you to map requests to different outgoing IP addresses based on the username or source address of the user making the request.

    tcp_outgoing_address ipaddr [[!]aclname] ...

Example where requests from 10.0.0.0/24 will be forwarded with source address 10.1.0.1, 10.0.2.0/24 forwarded with source address 10.1.0.2, and the rest will be forwarded with source address 10.1.0.3.

    acl normal_service_net src 10.0.0.0/255.255.255.0
    acl good_service_net src 10.0.1.0/255.255.255.0
    tcp_outgoing_address 10.0.0.1 normal_service_net
    tcp_outgoing_address 10.0.0.2 good_service_net
    tcp_outgoing_address 10.0.0.3

Processing proceeds in the order specified and stops at the first fully matching line (a line with no ACL names matches everything, so it acts as the default).

Here is a part of my squid.conf:

    # Redirect for LAN & SAT
    acl sat1_service_net src 64.110.11.0/255.255.255.0
    acl sat2_service_net src 209.198.221.160/255.255.255.240
    tcp_outgoing_address 64.110.11.2 sat1_service_net
    tcp_outgoing_address 64.110.11.2 sat2_service_net
    tcp_outgoing_address 200.50.68.7
    # End

Please remember that the IP addresses you use must also be configured on the machine.
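To check which source address a given client would be assigned under the first-fully-matching-line rule before reloading Squid, here is an added Python evaluator (example code, not part of Squid or this page) that parses `acl ... src` and `tcp_outgoing_address` lines, including the `[!]aclname` negation from the syntax above. The config text embedded in it is the squid.conf fragment from this page; client addresses used to exercise it are constructed.

```python
import ipaddress

# Input copied from the squid.conf fragment on this page.
CONFIG = """
# Redirect for LAN & SAT
acl sat1_service_net src 64.110.11.0/255.255.255.0
acl sat2_service_net src 209.198.221.160/255.255.255.240
tcp_outgoing_address 64.110.11.2 sat1_service_net
tcp_outgoing_address 64.110.11.2 sat2_service_net
tcp_outgoing_address 200.50.68.7
"""

def parse_config(text):
    """Return (acls, rules): acls maps name -> networks; rules is ordered (ip, [(negated, acl)])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4 and parts[2] == "src":
            # Squid accepts both 10.0.0.0/24 and 10.0.0.0/255.255.255.0
            nets = [ipaddress.ip_network(p, strict=False) for p in parts[3:]]
            acls.setdefault(parts[1], []).extend(nets)
        elif parts[0] == "tcp_outgoing_address":
            terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
            rules.append((parts[1], terms))
    return acls, rules

def select_outgoing(client_ip, acls, rules):
    """First line whose ACL terms all match wins; a line with no terms always
    matches. None means no line matched (Squid then picks its own default)."""
    ip = ipaddress.ip_address(client_ip)
    for outgoing, terms in rules:
        for negated, name in terms:
            if name not in acls:
                raise KeyError(f"undefined acl {name!r}")
            hit = any(ip in net for net in acls[name])
            if hit == negated:  # positive term missed, or negated term matched
                break
        else:
            return outgoing
    return None

if __name__ == "__main__":
    acls, rules = parse_config(CONFIG)
    for client in ("64.110.11.50", "209.198.221.170", "8.8.8.8"):
        print(client, "->", select_outgoing(client, acls, rules))
```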

To let those outgoing IPs pass through the router, here is a sample config for the router:

    !
    access-list 110 deny   tcp any any neq www
    access-list 110 deny   tcp host 200.50.68.7 any
    access-list 110 deny   tcp host 64.110.11.2 any
    access-list 110 permit tcp any any
    access-list 120 deny   tcp any any neq ftp
    access-list 120 deny   tcp host 200.50.68.7 any
    access-list 120 deny   tcp host 64.110.11.2 any
    access-list 120 deny   tcp host 200.50.68.10 any
    access-list 120 permit tcp any any
    route-map squidcaching permit 10
     match ip address 110
     set ip next-hop 200.50.68.7
    !
    route-map squidcaching permit 120
     match ip address 120
     set ip next-hop 200.50.68.7

Now, if your access-list does not let those IP addresses through (the deny lines above exempt the cache's own source addresses from the route-map), you will not be able to browse, since the traffic would be looped back to the cache machine.

Thank you very much.

Best regards,

Edward Millington

Network Administrator & Senior Technical Support Technician
Cariaccess Communications Ltd.
Wildey, St. Michael, Barbados
1-246-430-7435
Fax : 1-246-431-0170
www.cariaccess.com

$Id: example.html,v 1.3 2001/09/19 04:55:03 hno Exp $