Squid error sending to icmpv6 packet to


Getting error in SQUID in virtual machine : SendEcho ERROR:sending to ICMPv6 packet t0 [2a06:98c1:3121::8]: (101) Network is unreachable

I created one virtual machine and configured squid proxy over it. While communicating to outside network I got the below error many times.

«SendEcho ERROR:sending to ICMPv6 packet t0 [2a06:98c1:3121::8]: (101) Network is unreachable»

But this does not happen every time; sometimes it makes the connection successfully.

Can anyone help me to figure out this issue.

Thanks in Advance

1 answer

@Manish Dixit (NAV Backoffice)
I understand you have configured a squid proxy on your VM and are facing the above error.

Can you confirm if this is affecting your connectivity at all or is this simply an error you are seeing? If you are utilizing ipv4 you can enable the dns_v4_first option which might help. I don’t believe this error is caused by anything on the Azure side. You might try posting your question on StackOverflow or reaching out to the squid mailing lists for more insights into the error.

Please don’t forget to «Accept the answer» and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Source

Thread: icmpv6_send: no reply to icmp error


icmpv6_send: no reply to icmp error

Hi, I’m getting this error every two minutes in my /var/log/syslog.

kernel: [392954.360034] icmpv6_send: no reply to icmp error
kernel: [393025.890027] icmpv6_send: no reply to icmp error
kernel: [393254.830033] icmpv6_send: no reply to icmp error

I don’t know what it means. Is there anything wrong with my Ubuntu 10.04 server ?

Re: icmpv6_send: no reply to icmp error

And are you running this on real hardware, or in a virtual machine?

Re: icmpv6_send: no reply to icmp error

eth0 Link encap:Ethernet direcciónHW 00:1f:d0:bf:8d:ec
Direc. inet:150.214.196.123 Difus.:150.214.197.255 Másc:255.255.254.0
Dirección inet6: fec0::9:21f:d0ff:febf:8dec/64 Alcance:Sitio
Dirección inet6: 2002:96d6:c55c:9:21f:d0ff:febf:8dec/64 Alcance:Global
Dirección inet6: fe80::21f:d0ff:febf:8dec/64 Alcance:Enlace
ACTIVO DIFUSIÓN FUNCIONANDO MULTICAST MTU:1500 Métrica:1
Paquetes RX:3165702 errores:0 perdidos:0 overruns:0 frame:0
Paquetes TX:901161 errores:0 perdidos:0 overruns:0 carrier:0
colisiones:0 long.colaTX:1000
Bytes RX:1570952863 (1.5 GB) TX bytes:308178876 (308.1 MB)
Interrupción:26 Dirección base: 0xc000

eth1 Link encap:Ethernet direcciónHW 00:0c:76:00:fd:d2
Direc. inet:192.168.0.1 Difus.:192.168.0.255 Másc:255.255.255.224
Dirección inet6: fe80::20c:76ff:fe00:fdd2/64 Alcance:Enlace
ACTIVO DIFUSIÓN FUNCIONANDO MULTICAST MTU:1500 Métrica:1
Paquetes RX:593925 errores:0 perdidos:0 overruns:0 frame:0
Paquetes TX:919668 errores:0 perdidos:0 overruns:0 carrier:0
colisiones:0 long.colaTX:1000
Bytes RX:110859505 (110.8 MB) TX bytes:1046700889 (1.0 GB)
Interrupción:21 Dirección base: 0x6000

Re: icmpv6_send: no reply to icmp error

You have a 2002:96d6:c55c. address, so you have 6to4 activated, right? Can you «ping6 ipv6.google.com»?

And eth0 has a public IPv4 address, so this system is directly connected to Internet? Is it a kind of gateway, as it has an eth1 (with private IPv4) too?

Re: icmpv6_send: no reply to icmp error

Not sure if I have 6to4 activated, at least it was not activated on purpose. Can that be the reason for the error?

I can’t ping «ping6 ipv6.google.com»
connect: Network is unreachable

Eth0 is directly connected to Internet and Eth1 is connected to Intranet as it is explained here: http://www.somewhereville.com/?p=1196

Re: icmpv6_send: no reply to icmp error

That 6to4 address could be the reason your system thinks there is IPv6, does something, which leads to the error message (because IPv6 is not working).

There are two ways that the 6to4 2002: address can have landed on your Linux system:
1) a router building up the 6to4 tunnel, and distributing 2002: address on your LAN. However: your system has a public IP address, so a router doing NAT is unlikely.
2) your Linux system having a 6to4 tunnel itself (although I don’t see a tunnel interface in your ifconfig). See http://ubuntuforums.org/showthread.php?p=10939087 how to create such a tunnel; hopefully it will give an idea how to remove it

Another possibility is to go *forward* and make the IPv6 working. I would prefer that (see my sig).
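
An added example (not part of the thread) that decodes the three IPv6 addresses from the eth0 output above with Python's standard ipaddress module: a 6to4 prefix is 2002: followed by the 32 bits of an IPv4 address, and an interface ID containing ff:fe is derived from a MAC address. The function and field names are this example's own.

```python
import ipaddress

# Values copied from the eth0 block of the ifconfig output quoted in the thread.
ETH0_MAC = "00:1f:d0:bf:8d:ec"
ETH0_IPV4 = "150.214.196.123/255.255.254.0"
ETH0_IPV6 = [
    "fec0::9:21f:d0ff:febf:8dec/64",
    "2002:96d6:c55c:9:21f:d0ff:febf:8dec/64",
    "fe80::21f:d0ff:febf:8dec/64",
]


def eui64_mac(addr):
    """Return the MAC encoded in a modified EUI-64 interface ID, or None."""
    iid = (int(addr) & 0xFFFFFFFFFFFFFFFF).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":            # EUI-64 inserts ff:fe in the middle
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]   # flip the U/L bit back
    return ":".join(f"{b:02x}" for b in mac)


def describe(addr_text, own_ipv4, own_mac):
    """Classify one IPv6 address and relate it to the host's own IPv4/MAC."""
    addr = ipaddress.ip_interface(addr_text).ip
    own = ipaddress.ip_interface(own_ipv4)
    info = {
        "address": str(addr),
        "kind": "global/other",
        # True when the interface ID was built from this NIC's MAC (autoconfiguration)
        "iid_matches_own_mac": eui64_mac(addr) == own_mac.lower(),
    }
    if addr.is_link_local:
        info["kind"] = "link-local"
    elif addr.is_site_local:
        info["kind"] = "site-local (deprecated)"
    elif addr.sixtofour is not None:
        v4 = addr.sixtofour                # IPv4 address embedded in 2002:V4ADDR::/48
        info.update(
            kind="6to4",
            embedded_ipv4=str(v4),
            embedded_is_own_ipv4=(v4 == own.ip),
            embedded_on_own_subnet=(v4 in own.network),
        )
    return info


if __name__ == "__main__":
    for text in ETH0_IPV6:
        print(describe(text, ETH0_IPV4, ETH0_MAC))
```

For the 2002: address the embedded IPv4 address decodes to 150.214.197.92, which is not eth0's own address but lies in its /23, and the interface ID matches eth0's MAC.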

Re: icmpv6_send: no reply to icmp error

«rdisc6» is a nice tool to listen for IPv6-address-broadcasts:

rdisc6 -1 -r1 -q wlan0
rdisc6 -1 -r1 -q eth0

If there is a router advertising IPv6, you will get a response.

Re: icmpv6_send: no reply to icmp error

Well, I’m not sure I need IPv6, actually I’ve disabled it and the error is gone.

$ sudo nano /etc/sysctl.conf

Then these lines were added:

# IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

Could this problem have something to do with avahi-daemon? I was getting errors until it was restarted.

$ sudo restart avahi-daemon

PS. I can’t ping localhost. Isn’t it weird?

Last edited by fl5x; March 27th, 2012 at 11:44 AM .

Re: icmpv6_send: no reply to icmp error

$ ifconfig | grep lo
$ sudo /sbin/ifconfig lo 127.0.0.1 up
I get this:
$ ifconfig

eth0 Link encap:Ethernet direcciónHW 00:1f:d0:bf:8d:ec
Direc. inet:150.214.196.123 Difus.:150.214.197.255 Másc:255.255.254.0
ACTIVO DIFUSIÓN FUNCIONANDO MULTICAST MTU:1500 Métrica:1
Paquetes RX:4018297 errores:0 perdidos:0 overruns:0 frame:0
Paquetes TX:1174822 errores:0 perdidos:0 overruns:0 carrier:0
colisiones:0 long.colaTX:1000
Bytes RX:1890428697 (1.8 GB) TX bytes:416260902 (416.2 MB)
Interrupción:26 Dirección base: 0xc000

eth1 Link encap:Ethernet direcciónHW 00:0c:76:00:fd:d2
Direc. inet:192.168.0.1 Difus.:192.168.0.255 Másc:255.255.255.224
ACTIVO DIFUSIÓN FUNCIONANDO MULTICAST MTU:1500 Métrica:1
Paquetes RX:763562 errores:0 perdidos:0 overruns:0 frame:0
Paquetes TX:1129403 errores:0 perdidos:0 overruns:0 carrier:0
colisiones:0 long.colaTX:1000
Bytes RX:156109149 (156.1 MB) TX bytes:1227315193 (1.2 GB)
Interrupción:21 Dirección base: 0x6000

lo Link encap:Bucle local
Direc. inet:127.0.0.1 Másc:255.0.0.0
ACTIVO BUCLE FUNCIONANDO MTU:16436 Métrica:1
Paquetes RX:46 errores:0 perdidos:0 overruns:0 frame:0
Paquetes TX:46 errores:0 perdidos:0 overruns:0 carrier:0
colisiones:0 long.colaTX:0
Bytes RX:3385 (3.3 KB) TX bytes:3385 (3.3 KB)

Now I’m able to ping localhost.

Why didn’t «lo» show up first?

Source

# SquidGuard configuration file
# (C)2006 Serg Dvoriancev

logdir /var/squidGuard/log
dbhome /var/db/squidGuard

src Allow_all_dest {
ip 192.168.16.118
}

# Allowed access to file transfer sites
src Alow_FileSharing {
ip 192.168.16.106
}

# Managing partners
src Management2 {
ip 192.168.16.118
log block.log
}
.

If I enable in web console the Allow_alll_Dest ACL then it is working just fine, the computer in case can access yahoo.
With allow all dest disabled and Management2 enabled it is not working.
First it has Allow all destination and the last it has only Webmail allowed. This config was working just fine until a month or two ago. I have changed nothing beside the update.
Thank you again for your answer :-).

Can you post the corresponding acl for the Management2 src? Perhaps the complete squidGuard config?

The IP address 192.168.16.118 is listed in two group acls: Allow_all_dest and Management.
As long as this is the case, the group won’t be assigned:

2020-07-29 14:26:37 [56101] squidGuard ready for requests (1596025597.929)
2020-07-29 14:26:37 [56101] no ACL matching source, using default
ERR
2020-07-29 14:26:37 [56101] squidGuard stopped (1596025597.930)

As soon as I change one entry, it works:

2020-07-29 14:27:08 [58266] squidGuard 1.4 started (1596025628.201)
2020-07-29 14:27:08 [58266] squidGuard ready for requests (1596025628.203)
ERR
2020-07-29 14:27:08 [58266] squidGuard stopped (1596025628.203)

@coffeelover I will test this immediately!
But if it is like this then it is a bug because Allow all destinations is always disabled! I use it only for investigation.

EDIT: Yes you are right! If I removed the IP from Allow_all_destinations even if this ACL is disabled then Management ACL started working again!
Thank you for this, I have tested everything but this! 🙂

Yeah, glad to hear this.

I think it is not a real bug: the src rules are parsed to a linked list, so order matters.

As long as the first matching entry for the source address has no associated acl, it will fall back to default. If you change the order in your configuration, it will also work again.

So this should be an issue for documentation or a plausibility check.
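
A plausibility check of the kind suggested above, as an added example that is not part of the thread and not squidGuard's or pfSense's code: it models the first-match behaviour exactly as described in the post (the first src block containing the client wins, and a src without an acl of the same name falls through to default). The acl block in the sample and all function names are assumptions made for this example.

```python
import ipaddress

# src blocks as posted in the thread; the acl block is constructed for this
# example (the thread never shows it) and models Allow_all_dest being disabled.
SAMPLE_CONF = """\
src Allow_all_dest {
    ip 192.168.16.118
}
src Alow_FileSharing {
    ip 192.168.16.106
}
src Management2 {
    ip 192.168.16.118
    log block.log
}
acl {
    Alow_FileSharing {
        pass all
    }
    Management2 {
        pass none
    }
    default {
        pass none
    }
}
"""


def ip_networks(token):
    """Expand one 'ip' argument: address, CIDR/netmask prefix, or a-b range."""
    if "-" in token:
        first, last = (ipaddress.ip_address(p) for p in token.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(token, strict=False)]


def parse(text):
    """Return ([(src_name, [networks])] in file order, {names inside acl {}})."""
    sources, acl_names, stack = [], set(), []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if words and words[0] == "}":          # also handles "} else {"
            stack.pop()
            words = words[1:]
        if not words:
            continue
        if words[-1] == "{":
            if not stack and words[0] == "src":
                sources.append((words[1], []))
            elif stack == ["acl"] and words[0] != "else":
                acl_names.add(words[0])
            stack.append(words[0])
        elif stack == ["src"] and words[0] == "ip":
            for token in words[1:]:
                sources[-1][1].extend(ip_networks(token))
    return sources, acl_names


def resolve(client, sources, acl_names):
    """Return (matched src, effective acl) under the first-match model."""
    ip = ipaddress.ip_address(client)
    for name, nets in sources:
        if any(ip in net for net in nets):
            return name, (name if name in acl_names else "default")
    return None, "default"


def lint(sources, acl_names):
    """Report src blocks without an acl and later src blocks they shadow."""
    findings = []
    for i, (name, nets) in enumerate(sources):
        if name not in acl_names:
            findings.append(f"src {name} has no acl entry: its clients get the default acl")
        for later, later_nets in sources[i + 1:]:
            if any(a.overlaps(b) for a in nets for b in later_nets):
                findings.append(f"src {later} shares addresses with earlier src {name}: {name} wins")
    return findings


def acl_first(sources, acl_names):
    """Reorder so src blocks that have an acl come first (stable sort)."""
    return sorted(sources, key=lambda s: s[0] not in acl_names)


if __name__ == "__main__":
    srcs, acls = parse(SAMPLE_CONF)
    print(resolve("192.168.16.118", srcs, acls))
    print("\n".join(lint(srcs, acls)))
    print(resolve("192.168.16.118", acl_first(srcs, acls), acls))
```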

Thank you very much coffelover for helping me with this!
I have another issue, after upgrading pfsense to 2.4.5 series, every morning when people come to work squid crashes.
The only options I have are:
-from cli starting squid (simple squid..no other parameters) or
-delete cache from UI and then squid automatically restarts without a problem or
-reboot the whole system
From services UI I can not restart the squid service. It fails.
This is a typical log file:

How can I investigate this problem further:
«Jul 29 09:02:17 kernel pid 65891 (squid), jid 0, uid 100: exited on signal 6»

Thank you again! i will start another thread if you think it will help someone else but me.

@coffeelover I will test this immediately!
But if it is like this then it is a bug because Allow all destinations is always disabled! I use it only for investigation.

EDIT: Yes you are right! If I removed the IP from Allow_all_destinations even if this ACL is disabled then Management ACL started working again!
Thank you for this, I have tested everything but this! 🙂

Seems related to https://redmine.pfsense.org/issues/4088

@viktor_g yeah, but i don’t agree completely to the bug. It is filed very opinionated and some guesses are completely wrong.
Squidguard just resets a non-resolvable client to the default acl, which is common behaviour. If the default acl means ‘allow_all’, it is a configuration issue, it doesn’t «renders squidguard useless».

But yes, perhaps a global setting like ‘include non-linked acls in config’ would be nice or at least a warning should be shown.

  • the system resources (cpu, ram, filesystem usage)
  • the file permissions

Daily could mean that squid is not able to rotate the logs, because of wrong file permissions.

And if it works after you cleaned the disk cache, it could just be the filesystem filling up.

@coffeelover Hi. Thanks for your reply.
I have checked everything. RAM CPU Disk Space ..nothing out of the ordinary.
The file permissions seem ok because the system rotates logs at 00:00 without problems.

Squid crashes between 9 and 9:30 AM every morning. I see nothing in crontab which runs at 9.

Jul 29 14:20:26 check_reload_status Syncing firewall
Jul 29 14:20:26 check_reload_status Syncing firewall
Jul 29 14:20:31 check_reload_status Syncing firewall
Jul 29 14:20:42 php-fpm 397 /pkg_edit.php: [squid] — squid_resync function call pr:1 bp: rpc:no
Jul 29 14:20:44 php-fpm 397 /pkg_edit.php: [squid] Adding cronjobs .
Jul 29 14:20:44 php-fpm 397 /pkg_edit.php: [squid] Antivirus features disabled.
Jul 29 14:20:44 php-fpm 397 /pkg_edit.php: [squid] Removing freshclam cronjob.
Jul 29 14:20:44 php-fpm 397 /pkg_edit.php: [squid] Stopping any running proxy monitors
Jul 29 14:20:45 php-fpm 397 /pkg_edit.php: [squid] Reloading for configuration sync.
Jul 29 14:20:46 php-fpm 397 /pkg_edit.php: [squid] Starting a proxy monitor script
Jul 29 14:20:47 check_reload_status Reloading filter
Jul 29 15:45:17 check_reload_status Syncing firewall
Jul 29 15:45:17 check_reload_status Syncing firewall
Jul 29 15:45:28 check_reload_status Syncing firewall
Jul 29 15:45:39 php-fpm 99938 /pkg_edit.php: [squid] — squid_resync function call pr:1 bp: rpc:no
Jul 29 15:45:40 php-fpm 99938 /pkg_edit.php: [squid] Adding cronjobs .
Jul 29 15:45:40 php-fpm 99938 /pkg_edit.php: [squid] Antivirus features disabled.
Jul 29 15:45:40 php-fpm 99938 /pkg_edit.php: [squid] Removing freshclam cronjob.
Jul 29 15:45:40 php-fpm 99938 /pkg_edit.php: [squid] Stopping any running proxy monitors
Jul 29 15:45:41 php-fpm 99938 /pkg_edit.php: [squid] Reloading for configuration sync.
Jul 29 15:45:41 php-fpm 99938 /pkg_edit.php: [squid] Starting a proxy monitor script
Jul 29 15:45:42 check_reload_status Reloading filter
Jul 30 01:30:25 kernel (da0:storvsc0:0:0:0): WRITE(6). CDB: 0a 19 d2 28 40 00
Jul 30 01:30:25 kernel (da0:storvsc0:0:0:0): CAM status: SCSI Status Error
Jul 30 01:30:25 kernel (da0:storvsc0:0:0:0): SCSI status: Check Condition
Jul 30 01:30:25 kernel (da0:storvsc0:0:0:0): SCSI sense: UNIT ATTENTION asc:3f,2 (Changed operating definition)
Jul 30 01:30:25 kernel (da0:storvsc0:0:0:0): Retrying command (per sense data)
Jul 30 02:08:03 kernel (da0:storvsc0:0:0:0): WRITE(6). CDB: 0a 07 4f 08 01 00
Jul 30 02:08:03 kernel (da0:storvsc0:0:0:0): CAM status: SCSI Status Error
Jul 30 02:08:03 kernel (da0:storvsc0:0:0:0): SCSI status: Check Condition
Jul 30 02:08:03 kernel (da0:storvsc0:0:0:0): SCSI sense: UNIT ATTENTION asc:3f,2 (Changed operating definition)
Jul 30 02:08:03 kernel (da0:storvsc0:0:0:0): Retrying command (per sense data)
Jul 30 05:00:55 rc.gateway_alarm 7850 >>> Gateway alarm: GW_WAN (Addr:192.168.16.1 Alarm:1 RTT:1.383ms RTTsd:1.839ms Loss:21%)
Jul 30 05:00:55 check_reload_status updating dyndns GW_WAN
Jul 30 05:00:55 check_reload_status Restarting ipsec tunnels
Jul 30 05:00:55 check_reload_status Restarting OpenVPN tunnels/interfaces
Jul 30 05:00:55 check_reload_status Reloading filter
Jul 30 05:02:23 check_reload_status Linkup starting hn0
Jul 30 05:02:23 kernel hn0: network changed, change 1
Jul 30 05:02:23 kernel hn0: link state changed to DOWN
Jul 30 05:02:24 php-fpm 99938 /rc.linkup: Ignoring link event for bridge member without IP config
Jul 30 05:02:24 check_reload_status Reloading filter
Jul 30 05:02:27 sshd 82200 Timeout, client not responding.
Jul 30 05:02:28 check_reload_status Linkup starting hn0
Jul 30 05:02:28 kernel hn0: link state changed to UP
Jul 30 05:02:29 php-fpm 339 /rc.linkup: Ignoring link event for bridge member without IP config
Jul 30 05:02:29 check_reload_status Reloading filter
Jul 30 05:02:41 check_reload_status Linkup starting hn0
Jul 30 05:02:41 kernel hn0: network changed, change 1
Jul 30 05:02:41 kernel hn0: link state changed to DOWN
Jul 30 05:02:42 php-fpm 30623 /rc.linkup: Ignoring link event for bridge member without IP config
Jul 30 05:02:42 check_reload_status Reloading filter
Jul 30 05:02:46 check_reload_status Linkup starting hn0
Jul 30 05:02:46 kernel hn0: link state changed to UP
Jul 30 05:02:47 php-fpm 338 /rc.linkup: Ignoring link event for bridge member without IP config
Jul 30 05:02:47 check_reload_status Reloading filter
Jul 30 05:02:53 check_reload_status Linkup starting hn0
Jul 30 05:02:53 kernel hn0: network changed, change 1
Jul 30 05:02:53 kernel hn0: link state changed to DOWN
Jul 30 05:02:54 php-fpm 22515 /rc.linkup: Ignoring link event for bridge member without IP config
Jul 30 05:02:54 check_reload_status Reloading filter
Jul 30 05:02:58 check_reload_status Linkup starting hn0
Jul 30 05:02:58 kernel hn0: link state changed to UP
Jul 30 05:02:59 php-fpm 397 /rc.linkup: Ignoring link event for bridge member without IP config
Jul 30 05:02:59 check_reload_status Reloading filter
Jul 30 05:04:14 rc.gateway_alarm 86494 >>> Gateway alarm: GW_WAN (Addr:192.168.16.1 Alarm:0 RTT:1.445ms RTTsd:1.415ms Loss:5%)
Jul 30 05:04:14 check_reload_status updating dyndns GW_WAN
Jul 30 05:04:14 check_reload_status Restarting ipsec tunnels
Jul 30 05:04:14 check_reload_status Restarting OpenVPN tunnels/interfaces
Jul 30 05:04:14 check_reload_status Reloading filter
Jul 30 09:14:55 kernel pid 3599 (squid), jid 0, uid 100: exited on signal 6
Jul 30 09:14:56 kernel pid 58817 (squid), jid 0, uid 100: exited on signal 6
Jul 30 09:14:57 kernel pid 61209 (squid), jid 0, uid 100: exited on signal 6
Jul 30 09:14:58 kernel pid 64892 (squid), jid 0, uid 100: exited on signal 6
Jul 30 09:14:59 kernel pid 67991 (squid), jid 0, uid 100: exited on signal 6
Jul 30 09:15:00 kernel pid 71182 (squid), jid 0, uid 100: exited on signal 6
Jul 30 09:15:22 Squid_Alarm 75627 Squid has exited. Reconfiguring filter.
Jul 30 09:15:22 Squid_Alarm 75891 Attempting restart.
Jul 30 09:15:25 Squid_Alarm 77973 Reconfiguring filter.
Jul 30 09:15:25 check_reload_status Reloading filter
Jul 30 09:15:26 php-fpm 22515 /rc.filter_configure_sync: [squid] Installed but not started. Not installing ‘nat’ rules.
Jul 30 09:15:26 php-fpm 22515 /rc.filter_configure_sync: [squid] Installed but not started. Not installing ‘pfearly’ rules.
Jul 30 09:15:26 php-fpm 22515 /rc.filter_configure_sync: [squid] Installed but not started. Not installing ‘filter’ rules.
Jul 30 09:19:47 php-fpm 397 /pkg_edit.php: Session timed out for user ‘admin’ from: 192.168.16.10 (Local Database)
Jul 30 09:19:49 php-fpm 397 /pkg_edit.php: Successful login for user ‘admin’ from: 192.168.16.10 (Local Database)
Jul 30 09:20:19 php-fpm 22515 /pkg_edit.php: [squid] Clear disk cache forced via GUI. Clearing cache now.
Jul 30 09:20:19 php-fpm 22515 /pkg_edit.php: [squid] Stopping any running proxy monitors
Jul 30 09:20:21 php-fpm 22515 /pkg_edit.php: [squid] Creating cache dir ‘/var/squid/cache’ .
Jul 30 09:20:21 php-fpm 22515 /pkg_edit.php: [squid] Creating Squid cache subdirs in /var/squid/cache .
Jul 30 09:20:25 php-fpm 22515 /pkg_edit.php: [squid] Starting service.
Jul 30 09:20:25 php-fpm 22515 /pkg_edit.php: [squid] Starting a proxy monitor script
Jul 30 09:20:26 check_reload_status Syncing firewall
Jul 30 09:20:26 php-fpm 22515 /pkg_edit.php: [squid] — squid_resync function call pr:1 bp: rpc:no
Jul 30 09:20:28 php-fpm 22515 /pkg_edit.php: [squid] Adding cronjobs .
Jul 30 09:20:28 php-fpm 22515 /pkg_edit.php: [squid] Antivirus features disabled.
Jul 30 09:20:28 php-fpm 22515 /pkg_edit.php: [squid] Removing freshclam cronjob.
Jul 30 09:20:28 php-fpm 22515 /pkg_edit.php: [squid] Stopping any running proxy monitors
Jul 30 09:20:29 php-fpm 22515 /pkg_edit.php: [squid] Reloading for configuration sync.
Jul 30 09:20:29 php-fpm 22515 /pkg_edit.php: [squid] Starting a proxy monitor script
Jul 30 09:20:30 check_reload_status Reloading filter

What other logs should i check?
Thank you again! 🙂

Jul 30 01:30:25 kernel (da0:storvsc0:0:0:0): WRITE(6). CDB: 0a 19 d2 28 40 00
Jul 30 01:30:25 kernel (da0:storvsc0:0:0:0): CAM status: SCSI Status Error
Jul 30 01:30:25 kernel (da0:storvsc0:0:0:0): SCSI status: Check Condition
Jul 30 01:30:25 kernel (da0:storvsc0:0:0:0): SCSI sense: UNIT ATTENTION asc:3f,2 (Changed operating definition)
Jul 30 01:30:25 kernel (da0:storvsc0:0:0:0): Retrying command (per sense data)
Jul 30 02:08:03 kernel (da0:storvsc0:0:0:0): WRITE(6). CDB: 0a 07 4f 08 01 00
Jul 30 02:08:03 kernel (da0:storvsc0:0:0:0): CAM status: SCSI Status Error
Jul 30 02:08:03 kernel (da0:storvsc0:0:0:0): SCSI status: Check Condition
Jul 30 02:08:03 kernel (da0:storvsc0:0:0:0): SCSI sense: UNIT ATTENTION asc:3f,2 (Changed operating definition)
Jul 30 02:08:03 kernel (da0:storvsc0:0:0:0): Retrying command (per sense data)

And it works before 9? These scsi errors are from hyper-v snapshots i guess?
Perhaps try to disable these? There is no filesystem error, but i think it is worth a try.

And you should increase the debug level:

debug_options ALL,1 1,5 6,5

Section 1 is main loop, Section 6 is disk i/o.

Hi coffelover!
Yes you are right, at that time windows backup starts. But unfortunately it is unrelated.
But today I have restarted and cleaned the cache at 8:30 AM from UI to see if it will crash again. At 9:02 it crashed. CPU was ok, RAM also, disk space 35 GB free.
Could it be a user that tries to access something that crashes the whole squid? The office hours start at 9:00 AM here..
Is there any other log that I could look into?
Thanks.

The debugging logs from squid go to /var/log/squid/cache.log

Hi. I do not have such a file..but:
/var/squid/logs/cache.log

This is the log from the time of crash, and it continues like this. 6000 lines.
Do you see anything important other than the second log line?
Thanks
EDIT: I have a problem pasting the log here. It says that it contains spam. So I have uploaded the log as an attachment: squid.cache.log.txt

Your permissions for /var/log/squidGuard/squidGuard.log are not correct.

And i would check my generated whitelist file and possibly fix the whitelist entries.

Source

Topic: [SOLVED] Squid cache seems to not be used  (Read 32655 times)

Hello!

I have the latest OPNSense version to date (OPNsense 15.7.22-amd64) and wanted to enable Proxy Server to cache web stuff and make it quicker. However it seems to not be working:

This is the Cache tab log

2015/12/16 15:50:04| Error sending to ICMPv6 packet to [2a00:1450:400c:c02::79]. ERR: (65) No route to host
2015/12/16 15:49:59 kid1| ipcacheParse: No Address records in response to 'e.monetate.net'
2015/12/16 15:49:58 kid1| ipcacheParse: No Address records in response to 'nexus.ensighten.com'
2015/12/16 15:48:13| Error sending to ICMPv6 packet to [2001:41c8:1000:21::21:35]. ERR: (65) No route to host
2015/12/16 15:48:13| Error sending to ICMPv6 packet to [2001:a78:5:1:216:35ff:fe7f:6ceb]. ERR: (65) No route to host
2015/12/16 15:47:53| Error sending to ICMPv6 packet to [2a00:1450:4004:800::200e]. ERR: (65) No route to host

This is the Access log. I have never seen a TCP HIT. I wish it could be a way to see «live» logs or maybe a website to have a better overview of the data (apart from the tail -f /var/squid/logs command)

1450277683.236 265 10.0.1.59 TCP_MISS/200 377 POST http://bridge.meethue.com/queue/getmessage? - ORIGINAL_DST/64.233.166.121 text/plain
1450277657.965 998 10.0.1.59 TCP_MISS_ABORTED/000 0 POST http://bridge.meethue.com/queue/getmessage? - ORIGINAL_DST/64.233.166.121 -
1450277631.960 246 10.0.1.59 TCP_MISS/200 376 POST http://bridge.meethue.com/queue/getmessage? - ORIGINAL_DST/64.233.166.121 text/plain
1450277606.705 233 10.0.1.59 TCP_MISS/200 376 POST http://bridge.meethue.com/queue/getmessage? - ORIGINAL_DST/64.233.166.121 text/plain
1450277581.466 241 10.0.1.59 TCP_MISS/200 375 POST http://bridge.meethue.com/queue/getmessage? - ORIGINAL_DST/64.233.166.121 text/plain
1450277576.692 947 10.0.1.14 TCP_MISS/200 204884 GET http://is2.mzstatic.com/image/thumb/Music/v4/8c/37/00/8c3700ab-3874-be8c-3cef-334a05486161/source/800x800bb.jpg - ORIGINAL_DST/77.67.29.203 image/jpeg
1450277556.214 245 10.0.1.59 TCP_MISS/200 376 POST http://bridge.meethue.com/queue/getmessage? - ORIGINAL_DST/64.233.166.121 text/plain
1450277536.453 1383 10.0.1.14 TCP_MISS/200 372830 GET http://a4.mzstatic.com/us/r30/Music/v4/8c/37/00/8c3700ab-3874-be8c-3cef-334a05486161/cover1400x1400.jpeg - ORIGINAL_DST/77.67.29.194 image/jpeg
1450277534.908 15987 10.0.1.14 TCP_MISS/200 7241694 GET http://aod.itunes.apple.com/apple-assets-us-std-000001/Music/v4/be/61/df/be61dfb6-375b-0b87-9c64-c70198df7f96/mzaf_7113937544685891047.m4a? - ORIGINAL_DST/17.253.39.207 audio/x-m4a
1450277530.964 242 10.0.1.59 TCP_MISS/200 376 POST http://bridge.meethue.com/queue/getmessage? - ORIGINAL_DST/64.233.166.121 text/plain
1450277518.424 161 10.0.1.59 TCP_MISS/200 941 POST http://dcp.cpp.philips.com/DcpRequestHandler/index.ashx - ORIGINAL_DST/5.79.62.93 application/CB-Encrypted

This is the Store log

File /var/log/squid/store.log doesn't exist.

I’m running OPNSense on a VM (VMWare ESXi 6). I haven’t made any special configurations (only enabled Proxy server). I would also love to be able to cache SSL connections without the «middle in the man» technique

Thanks!

« Last Edit: January 10, 2016, 07:34:51 pm by franco »


Logged


Squid should work, however in the default mode it only allows for mem_cache, not disk cache.
That needs to be enabled via the «Enable local cache (requires service restart)» option in the General proxy settings -> Local cache settings pull/drop-down menu options. In advanced mode you can set the disk cache size.

However «https» sites do not cache without some MITM certificate configuration on both the squid and the clients. So it is getting less and less effective to do a squid cache with more and more sites becoming https.

I’ve tinkered with the template file to use more ram than the default of 256MB.
It would be great if you could set a value for the «cache_mem» setting in the GUI.

In (/usr/local/opnsense/service/templates/OPNsense/Proxy/squid.conf)
I added @ approx. line 271
after this line:

# Deny all other access to this proxy
http_access deny all
I added:

# Increase cache_mem to 8GB (I have 32GB available)
cache_mem 8192 MB

But I do see TCP_MEM_HIT, so it is caching.

1450281877.924 0 192.168.0.51 TCP_MEM_HIT/200 4375 GET http://m.bestofmedia.com/sfp/js/plugins/head.min.js? - HIER_NONE/- application/javascript
1450281877.924 0 192.168.0.51 TCP_MEM_HIT/200 1299 GET http://m.bestofmedia.com/sfp/css/socialPromote.css? - HIER_NONE/- text/css
1450281877.644 509 192.168.0.51 TCP_MISS/200 700 GET http://facebook.computing.net/cgi-bin/recent_json.pl? - HIER_DIRECT/69.167.142.128 application/json
1450281877.402 186 192.168.0.51 TCP_MISS/200 849 POST http://www.tomshardware.com/destilar-rtffvqutvwxzfb.js? - HIER_DIRECT/95.100.96.185 text/plain
1450281877.325 0 192.168.0.51 TAG_NONE/400 4357 NONE error:invalid-request - HIER_NONE/- text/html
1450281877.314 1 192.168.0.51 TCP_MEM_HIT/200 6627 GET http://img.tomshardware.com/F/K/262352/2/262352.gif - HIER_NONE/- image/gif
1450281877.313 1 192.168.0.51 TCP_MEM_HIT/200 7841 GET http://img.tomshardware.com/I/O/262464/2/262464.gif - HIER_NONE/- image/gif
1450281877.313 1 192.168.0.51 TCP_MEM_HIT/200 3170 GET http://img.tomshardware.com/G/V/331087/2/331087.jpg - HIER_NONE/- image/jpeg
1450281877.313 1 192.168.0.51 TCP_MEM_HIT/200 3334 GET http://img.tomshardware.com/U/C/358788/2/358788.jpg - HIER_NONE/- image/jpeg
1450281877.307 115 192.168.0.51 TCP_MEM_HIT/200 49455 GET http://img.tomshardware.com/1/J/359047/2/359047.png - HIER_NONE/- image/png
1450281877.307 115 192.168.0.51 TCP_MEM_HIT/200 38051 GET http://img.tomshardware.com/G/H/358289/2/358289.png - HIER_NONE/- image/png


Logged
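
To answer "is the cache being used" from access.log rather than by eye, the added example below (not from the thread; the sample lines are constructed in the same native log format, and the function name is this example's own) tallies result codes and computes request and byte hit ratios. It treats any result code containing HIT as served from cache and breaks misses down by method, which makes traffic such as repeated POST polling visible.

```python
from collections import Counter

# Constructed sample in Squid's native access.log format:
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1450281877.924 0 192.168.0.51 TCP_MEM_HIT/200 4375 GET http://static.example.test/head.min.js - HIER_NONE/- application/javascript
1450281877.314 1 192.168.0.51 TCP_MEM_HIT/200 6627 GET http://img.example.test/a.gif - HIER_NONE/- image/gif
1450281877.644 509 192.168.0.51 TCP_MISS/200 700 GET http://api.example.test/recent.json - HIER_DIRECT/192.0.2.10 application/json
1450281877.402 186 192.168.0.51 TCP_MISS/200 849 POST http://api.example.test/queue - HIER_DIRECT/192.0.2.11 text/plain
1450281877.325 0 192.168.0.51 TAG_NONE/400 4357 NONE error:invalid-request - HIER_NONE/- text/html
1450277556.214 245 10.0.1.59 TCP_MISS/200 376 POST http://api.example.test/queue - ORIGINAL_DST/192.0.2.12 text/plain
"""


def cache_summary(lines):
    """Summarise cache effectiveness from native-format access.log lines."""
    codes, misses_by_method = Counter(), Counter()
    hit_bytes = total_bytes = 0
    for line in lines:
        fields = line.split()
        # Skip blank or malformed lines instead of failing on them.
        if len(fields) < 10 or "/" not in fields[3] or not fields[4].isdigit():
            continue
        code = fields[3].split("/", 1)[0]      # e.g. TCP_MEM_HIT from TCP_MEM_HIT/200
        size, method = int(fields[4]), fields[5]
        codes[code] += 1
        total_bytes += size
        if "HIT" in code:                      # TCP_HIT, TCP_MEM_HIT, TCP_IMS_HIT, ...
            hit_bytes += size
        else:
            misses_by_method[method] += 1
    requests = sum(codes.values())
    hits = sum(n for code, n in codes.items() if "HIT" in code)
    return {
        "requests": requests,
        "hits": hits,
        "request_hit_ratio": hits / requests if requests else 0.0,
        "byte_hit_ratio": hit_bytes / total_bytes if total_bytes else 0.0,
        "by_code": dict(codes),
        "misses_by_method": dict(misses_by_method),
    }


if __name__ == "__main__":
    for key, value in cache_summary(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```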


Interesting! I will check it out. Thanks for your reply.

Do you know if there’s other «new» method of caching that includes SSL? I would love to cache websites, but also things I download or files (for example when I download OS’ updates – I’m a Mac and iOS user)

Will report back!


Logged


I was looking for roughly the same, there is a ticket in for some expanded Squid options via the GUI.  I hope the 16.1 milestone for them comes true! (I also wish I could code at all so I could help.)

https://github.com/opnsense/core/issues/417


Logged


Ticket 417 seems to be about caching options, which I guess are already in there (only size option for cache_mem  seems to be missing / defaulting to 256MB).

There is some additional info about peek and splice for squid at the bottom of https://github.com/opnsense/core/issues/460 . Not sure when this feature will enter OPNsense.


Logged


I was looking for roughly the same, there is a ticket in for some expanded Squid options via the GUI.  I hope the 16.1 milestone for them comes true! (I also wish I could code at all so I could help.)

https://github.com/opnsense/core/issues/417

This seems to do the trick (I’m not good at diffs  :'( )

The first step is to edit the template conf-file.
Add the «OPNsense.proxy.general.cache.memory» parts after line 270 like below.
«/usr/local/opnsense/service/templates/OPNsense/Proxy/squid.conf»

# Deny all other access to this proxy
http_access deny all

{% if helpers.exists('OPNsense.proxy.general.cache.memory')  %}
# Set cache_mem, (default is 256 MB)
cache_mem {{OPNsense.proxy.general.cache.memory.size}} MB
{% endif %}

{% if helpers.exists('OPNsense.proxy.general.cache.local')  %}
{%  if OPNsense.proxy.general.cache.local.enabled == '1' %}
# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs {{OPNsense.proxy.general.cache.local.directory}} {{OPNsense.proxy.general.cache.local.size}} {{OPNsense.proxy.general.cache.local.l1}} {{OPNsense.proxy.general.cache.local.l2}}
{%  endif %}
{% endif %}


Then edit the model XML to include the new memory section, just start it before the «<local>» section in the «<cache>».
@ around line 71
«/usr/local/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml»

            <cache>
<memory>
                    <size type="IntegerField">
                        <default>256</default>
                        <MinimumValue>8</MinimumValue>
                        <ValidationMessage>Specify a positive memory cache size. (number of MB's)</ValidationMessage>
                        <Required>Y</Required>
                    </size>
</memory>
                <local>
                    <enabled type="BooleanField">
                        <default>0</default>
                        <Required>Y</Required>
                    </enabled>

Then create a new subtab field called «proxy-general-cache-memory» before the «proxy-general-cache-local» section and you should have a new pull down option in the proxy service menu this is done in the form XML.
(@ around line 93)
«/usr/local/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml»

            <div class="text-info"><b>NOTE:</b> the current Squid implementation of encode and chop violates
                RFC2616 by not using a 301 redirect after altering the URL.</div>]]></help>
                <advanced>true</advanced>
            </field>
        </subtab>
<subtab id="proxy-general-cache-memory" description="Memory Cache Settings">
            <field>
                <id>proxy.general.cache.memory.size</id>
                <label>Memory Cache size in Megabytes</label>
                <type>text</type>
                <help><![CDATA[Enter the storage size for the memory cache (default is 256).]]></help>
                <advanced>true</advanced>
            </field>
        </subtab>
        <subtab id="proxy-general-cache-local" description="Local Cache Settings">


Logged


The cache_mem setting addition will be part of 15.7.24 tomorrow. :)


Logged


I don’t see any hits in the logs and I don’t want to enable local cache.  I want it all in memory — assigned 4Gig, but don’t see that anything is hitting. 

Don’t see any logs at all except for a repeated «Error sending to ICMPv6 packet» in Cache: https://forum.opnsense.org/index.php?topic=1254.0  Access is empty.


Logged


// ...

#if USE_ICMP

// ...

#if HAVE_NETINET_IP6_H
#include <netinet/ip6.h>
#endif

static const char *
IcmpPacketType(uint8_t v)
{
    static const char *icmp6LowPktStr[] = {
        "ICMPv6 0",
        "Destination Unreachable",
        "Packet Too Big",
        "Time Exceeded",
        "Parameter Problem",
    };

    if (0 < v && v < 5)
        return icmp6LowPktStr[(int)(v&0x7f)];

    static const char *icmp6HighPktStr[] = {
        "Echo Request",
        "Echo Reply",
        "Multicast Listener Query",
        "Multicast Listener Report",
        "Multicast Listener Done",
        "Router Solicitation",
        "Router Advertisement",
        "Neighbor Solicitation",
        "Neighbor Advertisement",
        "Redirect Message",
        "Router Renumbering",
        "ICMP Node Information Query",
        "ICMP Node Information Response",
        "Inverse Neighbor Discovery Solicitation",
        "Inverse Neighbor Discovery Advertisement",
        "Version 2 Multicast Listener Report",
        "Home Agent Address Discovery Request",
        "Home Agent Address Discovery Reply",
        "Mobile Prefix Solicitation",
        "Mobile Prefix Advertisement",
        "Certification Path Solicitation",
        "Certification Path Advertisement",
        "ICMP Experimental (150)",
        "Multicast Router Advertisement",
        "Multicast Router Solicitation",
        "Multicast Router Termination",
    };

    if (127 < v && v < 154)
        return icmp6HighPktStr[(int)(v&0x7f)];

    static char buf[50];
    snprintf(buf, sizeof(buf), "ICMPv6 %u", v);
    return buf;
}

// ...
{
    ;
}

// ...
{
    // ...
}

int
// ...
{
    // ...

    // ...
        int xerrno = errno;
        // ...
        return -1;
    }

    // ...

    // ...
}

void
// ...
{
    int x;
    // ...
    struct icmp6_hdr *icmp = nullptr;
    // ...
    struct addrinfo *S = nullptr;
    size_t icmp6_pktsize = 0;

    static_assert(sizeof(*icmp) + sizeof(*echo) <= sizeof(pkt), "our custom ICMPv6 Echo payload fits the packet buffer");

    // ...
    icmp = (struct icmp6_hdr *)pkt;

    if (len < 0) {
        len = 0;
    }

    icmp->icmp6_type = ICMP6_ECHO_REQUEST;
    icmp->icmp6_code = 0;
    icmp->icmp6_cksum = 0;
    // ...

    icmp6_pktsize = sizeof(struct icmp6_hdr);

    echo = reinterpret_cast<icmpEchoData *>(reinterpret_cast<char *>(pkt) + sizeof(*icmp));
    echo->opcode = (unsigned char) opcode;
    memcpy(&echo->tv, &current_time, sizeof(struct timeval));

    icmp6_pktsize += sizeof(struct timeval) + sizeof(char);

    if (payload) {
        // ...

        memcpy(echo->payload, payload, len);

        icmp6_pktsize += len;
    }

    icmp->icmp6_cksum = CheckSum((unsigned short *) icmp, icmp6_pktsize);

    // ...
    ((sockaddr_in6*)S->ai_addr)->sin6_port = 0;

    // ...

    debugs(42, 5, "Send Icmp6 packet to " << to << ".");

    // ...
               (const void *) pkt,
               icmp6_pktsize,
               0,
    // ...

    if (x < 0) {
        int xerrno = errno;
        // ...
    }
    debugs(42,9, "x=" << x);

    Log(to, 0, nullptr, 0, 0);
    // ...
}

void
// ...
{
    int n;
    struct addrinfo *from = nullptr;

    static char *pkt = nullptr;
    struct icmp6_hdr *icmp6header = nullptr;
    // ...
    struct timeval now;
    // ...

    // ...
        return;
    }

    if (pkt == nullptr) {
        // ...
    }

    // ...

    // ...
                 (void *)pkt,
                 // ...
                 0,
                 // ...

    if (n <= 0) {
        debugs(42, DBG_CRITICAL, "ERROR: when calling recvfrom() on ICMPv6 socket.");
        // ...
        return;
    }

    preply.from = *from;

#if GETTIMEOFDAY_NO_TZP

    gettimeofday(&now);

#else

    gettimeofday(&now, nullptr);

#endif

    debugs(42, 8, n << " bytes from " << preply.from);

    icmp6header = (struct icmp6_hdr *) pkt;

    if (icmp6header->icmp6_type != ICMP6_ECHO_REPLY) {

        switch (icmp6header->icmp6_type) {
        case 134:
        case 135:
        case 136:

            break;

        default:
            debugs(42, 8, preply.from << " said: " << icmp6header->icmp6_type << "/" << (int)icmp6header->icmp6_code << " " <<
                   // ...
        }
        // ...
        return;
    }

    if (icmp6header->icmp6_id != icmp_ident) {
        debugs(42, 8, "dropping Icmp6 read. IDENT check failed. ident=='" << icmp_ident << "'=='" << icmp6header->icmp6_id << "'");
        // ...
        return;
    }

    echo = (icmpEchoData *) (pkt + sizeof(icmp6_hdr));

    // ...

    struct timeval tv;
    memcpy(&tv, &echo->tv, sizeof(struct timeval));
    // ...

    preply.hops = 1;

    preply.psize = n - sizeof(icmp6_hdr) - (sizeof(icmpEchoData) - MAX_PKT6_SZ);

    if ( preply.psize > (unsigned short) MAX_PKT6_SZ) {
        // ...
    } else if ( preply.psize < (unsigned short)0) {
        preply.psize = 0;
    }

    Log(preply.from,
        icmp6header->icmp6_type,
        // ...
        preply.rtt,
        preply.hops);

    // ...
}

#endif
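Added example (not Squid's code and not part of the original page): a stand-alone C++ sketch of the checks the receive routine in the listing applies to an incoming ICMPv6 packet (message type, identifier, payload size), done over a raw byte buffer with each length test placed before the read it guards. The names parseEchoReply, makeSample, Verdict and Reply, the 1024-byte payload cap, and the timeval/opcode/payload ordering of the echo data are assumptions made for the illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>
#include <sys/time.h>

// Assumed wire layout (following the listing's send path): 8-byte ICMPv6
// header, then a struct timeval, a one-byte opcode, then the payload bytes.
constexpr size_t kHdrLen = 8;                       // type, code, cksum, id, seq
constexpr size_t kEchoFixed = sizeof(timeval) + 1;  // tv + opcode
constexpr size_t kMaxPayload = 1024;                // hypothetical cap, not Squid's value
constexpr uint8_t kEchoReply = 129;                 // ICMP6_ECHO_REPLY

enum class Verdict { Ok, TooShort, NotEchoReply, WrongIdent };
struct Reply { timeval sent; uint8_t opcode; size_t psize; };

// Validate one received datagram of n bytes. Every length test happens
// before the matching read or subtraction, so size_t never wraps.
Verdict parseEchoReply(const uint8_t *pkt, size_t n, uint16_t ident, Reply &out)
{
    if (n < kHdrLen)
        return Verdict::TooShort;
    if (pkt[0] != kEchoReply)               // e.g. 134-136, neighbor discovery traffic
        return Verdict::NotEchoReply;
    uint16_t id;
    std::memcpy(&id, pkt + 4, sizeof(id));  // memcpy avoids an unaligned read
    if (id != ident)                        // reply belongs to another sender
        return Verdict::WrongIdent;
    if (n < kHdrLen + kEchoFixed)
        return Verdict::TooShort;
    std::memcpy(&out.sent, pkt + kHdrLen, sizeof(timeval));
    out.opcode = pkt[kHdrLen + sizeof(timeval)];
    const size_t psize = n - kHdrLen - kEchoFixed;
    out.psize = psize > kMaxPayload ? kMaxPayload : psize;
    return Verdict::Ok;
}

// Constructed sample packet for exercising the parser (not captured traffic).
std::vector<uint8_t> makeSample(uint8_t type, uint16_t ident, size_t payloadLen)
{
    std::vector<uint8_t> p(kHdrLen + kEchoFixed + payloadLen, 0);
    p[0] = type;
    std::memcpy(&p[4], &ident, sizeof(ident));
    p[kHdrLen + sizeof(timeval)] = 7;       // opcode
    return p;
}
```

The identifier is compared exactly as stored in the packet, with no byte-order conversion, which matches the comparison visible in the listing.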

static const char * IcmpPacketType(uint8_t v)

IcmpPinger control
    pinger helper contains one of these as a global object.

#define PINGER_PAYLOAD_SZ

int Open() override
    Start pinger helper and initiate control channel.

void SendEcho(Ip::Address &, int, const char *, int) override

void SendResult(pingerReplyData &preply, int len)
    Send ICMP results back to squid.

virtual void Close()
    Shutdown pinger helper and control channel.

int CheckSum(unsigned short *ptr, int size)
    Calculate a packet checksum.

void Log(const Ip::Address &addr, const uint8_t type, const char *pkt_str, const int rtt, const int hops)
    Log the packet.

static void InitAddr(struct addrinfo *&ai)

static void FreeAddr(struct addrinfo *&ai)

void getAddrInfo(struct addrinfo *&ai, int force=AF_UNSPEC) const

#define debugs(SECTION, LEVEL, CONTENT)

#define LOCAL_ARRAY(type, name, size)

struct sockaddr * ai_addr

char payload[MAX_PAYLOAD]

struct timeval current_time
    the current UNIX time in timeval {seconds, microseconds} format

int tvSubMsec(struct timeval t1, struct timeval t2)

const char * xstrerr(int error)
