My router is Buffalo's WZR-HP-G300NH, which is pretty powerful for its price.
As I've been tinkering, I've run across some annoyances.
Sysctl Settings
First up: something seems funky in conntrack. Running logread shows lots of entries like:
nf_conntrack: table full, dropping packet.
nf_conntrack: table full, dropping packet.
nf_conntrack: table full, dropping packet.
In my Google searches to solve it, I came across some "P2P settings" that raise the table size and lower the timeouts, so entries are expired sooner and the table does not fill as quickly. Pop the following in /etc/sysctl.conf:
# Both spellings set the same knob: the net.ipv4.netfilter.ip_conntrack_* names are the legacy aliases of net.netfilter.nf_conntrack_* (newer kernels drop the aliases).
# checksum=0 skips checksum verification in conntrack. Cheaper on a small CPU, but packets with bad checksums are then tracked like any other instead of being treated as INVALID.
net.netfilter.nf_conntrack_checksum=0
net.ipv4.netfilter.ip_conntrack_checksum=0
# Size of the tracking table; "table full" means this limit was hit. Each entry costs a few hundred bytes of kernel memory.
net.ipv4.netfilter.ip_conntrack_max=16384
net.ipv4.netfilter.ip_conntrack_generic_timeout=60
# Idle established TCP flows are forgotten after 20 minutes (the kernel default is 5 days). An SSH session idle longer than that loses its NAT mapping unless keepalives are on.
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=1200
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait=120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait=60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait=60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close=5
# UDP and ICMP entries go quickly; a UDP "stream" (replies seen in both directions) gets 3 minutes.
net.ipv4.netfilter.ip_conntrack_udp_timeout=10
net.ipv4.netfilter.ip_conntrack_udp_timeout_stream=180
net.ipv4.netfilter.ip_conntrack_icmp_timeout=10
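Before and after changing these values it helps to know how close the table actually gets to ip_conntrack_max, rather than waiting for the next "table full" line in logread. The script below is an added example, not part of the original post. It reads the live nf_conntrack_count and nf_conntrack_max counters that 2.6 and later kernels expose under /proc/sys/net/netfilter (the ip_conntrack_* aliases are not needed for reading); the 80% and 95% thresholds are my own choice.

```sh
#!/bin/sh
# conntrack_check.sh: report how full the netfilter connection-tracking
# table is. Added example; not part of the original post.
# Assumes a Linux kernel that exposes nf_conntrack_count and nf_conntrack_max
# under /proc/sys/net/netfilter. The warn/full thresholds are arbitrary.

CT_DIR=/proc/sys/net/netfilter
WARN_PCT=80
FULL_PCT=95

# conntrack_pct COUNT MAX: print the integer percentage of the table in use.
# Prints 0 and fails when MAX is not a positive number.
conntrack_pct() {
    [ "$2" -gt 0 ] 2>/dev/null || { echo 0; return 1; }
    echo $(( $1 * 100 / $2 ))
}

# conntrack_state PCT: classify a percentage as ok, warn or full.
conntrack_state() {
    if [ "$1" -ge "$FULL_PCT" ]; then echo full
    elif [ "$1" -ge "$WARN_PCT" ]; then echo warn
    else echo ok
    fi
}

# read_counter NAME: print the value of $CT_DIR/NAME, or nothing if absent.
read_counter() {
    [ -r "$CT_DIR/$1" ] && cat "$CT_DIR/$1"
}

# live_report: one line with count, max, percentage and state for the running
# kernel. Returns 2 when the counters are missing (conntrack not loaded, or
# not Linux at all).
live_report() {
    count=$(read_counter nf_conntrack_count)
    max=$(read_counter nf_conntrack_max)
    if [ -z "$count" ] || [ -z "$max" ]; then
        echo "conntrack counters not found under $CT_DIR" >&2
        return 2
    fi
    pct=$(conntrack_pct "$count" "$max")
    echo "conntrack: $count/$max entries (${pct}%) -> $(conntrack_state "$pct")"
}

# Only touch the live kernel when asked to, so the functions can be sourced
# or tested without side effects.
if [ "${1:-}" = "--live" ]; then
    live_report
fi
```

Reload the new values with sysctl -p /etc/sysctl.conf, then run sh conntrack_check.sh --live a few times while the P2P client or the busiest host is active. If the count sits near the limit even with the short timeouts, the table is simply too small for the number of flows and ip_conntrack_max is the value to raise; if it stays low and the messages continue, something else (a flood of new flows per second) is filling it faster than entries can expire.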
I've also stuffed a USB stick in the back, and I've been trying to get Squid working on it to supplement my WiMAX connection.
Installing SQUID
Downloading/Installing SQUID
# opkg install squid
Installing squid (2.7.STABLE9-1) to root...
Downloading http://downloads.openwrt.org/backfire/10.03.1-rc4/ar71xx/packages/squid_2.7.STABLE9-1_ar71xx.ipk.
Installing libopenssl (0.9.8p-1) to root...
Downloading http://downloads.openwrt.org/backfire/10.03.1-rc4/ar71xx/packages/libopenssl_0.9.8p-1_ar71xx.ipk.
Installing zlib (1.2.3-5) to root...
Downloading http://downloads.openwrt.org/backfire/10.03.1-rc4/ar71xx/packages/zlib_1.2.3-5_ar71xx.ipk.
Installing libpthread (0.9.30.1-43.10) to root...
Downloading http://downloads.openwrt.org/backfire/10.03.1-rc4/ar71xx/packages/libpthread_0.9.30.1-43.10_ar71xx.ipk.
Installing librt (0.9.30.1-43.10) to root...
Downloading http://downloads.openwrt.org/backfire/10.03.1-rc4/ar71xx/packages/librt_0.9.30.1-43.10_ar71xx.ipk.
Configuring librt.
Configuring libpthread.
Configuring zlib.
Configuring libopenssl.
Configuring squid.
Directories
I had to create the following directories:
# mkdir -p /mnt/usbstorage/squid/squid-cache
# mkdir -p /mnt/usbstorage/squid/log
SQUID config file
My /etc/squid/squid.conf looks like:
pid_filename /var/run/squid.pid
# Squid drops privileges to this user after binding its port. "root" keeps the whole proxy running as root, so any Squid bug is a root bug; the usual choice is nobody, with the cache and log directories chowned to match.
cache_effective_user root
cache_effective_group nogroup
cache_mgr kamilion@gmail.com
visible_hostname fusion
# These default to lru if commented. Broken on '2.6'? (squid 2.6? Kernel 2.6?)
#cache_replacement_policy heap LFUDA
#memory_replacement_policy LFUDA
ipcache_size 2048
cache_swap_low 90
cache_swap_high 95
maximum_object_size_in_memory 100 KB
# With a 64MB RAM / 8MB flash router you can use 16MB of cache_mem. With less RAM use 8MB; below that it does not work well.
cache_mem 16 MB
# cache_dir: change it if you want. 100 means a 100MB cache; 16 and 256 are the number of first- and second-level directories.
cache_dir ufs /mnt/usbstorage/squid/squid-cache 100 16 256
logfile_rotate 10
fqdncache_size 2048
memory_pools off
maximum_object_size 16384 KB
quick_abort_min 0 KB
quick_abort_max 0 KB
log_icp_queries off
client_db off
buffered_logs on
half_closed_clients off
negative_dns_ttl 10 second
connect_timeout 60 second
read_timeout 80 second
request_timeout 80 second
# Logs go to the USB stick
cache_access_log /mnt/usbstorage/squid/log/squid-access.log
cache_log /mnt/usbstorage/squid/log/squid-debug.log
cache_store_log /mnt/usbstorage/squid/log/squid-storage.log
# Logs go into OpenWrt's existing log folder.
#cache_access_log /var/log/squid-access.log
#cache_log /var/log/squid-debug.log
#cache_store_log /var/log/squid-storage.log
# hierarchy_stoplist takes URL substrings that are always fetched directly instead of from a cache peer (the default is "cgi-bin ?"). A bare "on" is read as the substring "on", which is not what is meant; without peers the directive has no effect anyway.
hierarchy_stoplist cgi-bin ?
# Our internal IP and listen port
http_port 10.30.60.254:3128 transparent
# Global ACL definitions (access control lists)
# "idents" triggers an ident (RFC 1413) lookup to the client whenever it is evaluated; it is defined here but not used in the rules below.
acl idents ident REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
acl intern dst 10.30.60.0/24
acl FTP proto FTP
always_direct allow FTP
# Allowed external ports and internal LAN IPs
acl Allowed_Ports port 80 99 443 21 563 488 777 210 1025-65535
acl yourLAN src 10.30.60.0/24
# http_access definition. Squid stops at the first matching line, so order matters:
# a blanket "allow all" above the other rules would make every later line dead code
# and turn this into an open proxy for anything that can reach port 3128. Deny the
# cache manager and disallowed ports first, then allow only the LAN, then deny the rest.
http_access deny manager all
http_access deny !Allowed_Ports
http_access allow localhost
http_access allow yourLAN
http_access deny all
icp_access deny all
miss_access allow all
always_direct allow intern
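Because Squid stops at the first matching http_access line, the thing to verify after editing the rules is that nobody outside 10.30.60.0/24 is being served. The script below is an added example, not part of the original post. It works offline over Squid's native access log (the squid-access.log configured above): it counts requests per client IP and prints the ones that fall outside the LAN prefix. The log lines it builds for its demo mode are constructed for the example, and the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges, not real clients.

```sh
#!/bin/sh
# proxy_clients.sh: list clients in a Squid native-format access log that lie
# outside the LAN prefix. Added example; not part of the original post.
# Usage: sh proxy_clients.sh /mnt/usbstorage/squid/log/squid-access.log 10.30.60.0/24
#        sh proxy_clients.sh --demo      (runs against a constructed sample log)

# ip2int A.B.C.D: dotted quad to a 32-bit integer.
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net IP CIDR: exit 0 if IP lies inside CIDR (e.g. 10.30.60.0/24).
in_net() {
    ipv=$(ip2int "$1")
    netv=$(ip2int "${2%/*}")
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ipv & mask )) -eq $(( netv & mask )) ]
}

# foreign_clients LOG CIDR: print "COUNT IP" for every client IP in LOG
# (third field of Squid's native format) that is not inside CIDR.
foreign_clients() {
    awk '{ print $3 }' "$1" | sort | uniq -c | while read -r n ip; do
        in_net "$ip" "$2" || echo "$n $ip"
    done
}

# sample_log: write a constructed access log to a temp file and print its path.
# Native format: time elapsed client action/code bytes method URL ident hierarchy/peer type
sample_log() {
    f=$(mktemp /tmp/squidlog.XXXXXX) || return 1
    printf '%s\n' \
        '1294790400.101    245 10.30.60.12 TCP_MISS/200 5123 GET http://example.com/ - DIRECT/93.184.216.34 text/html' \
        '1294790401.220     12 10.30.60.12 TCP_HIT/200 5123 GET http://example.com/ - NONE/- text/html' \
        '1294790402.330    301 203.0.113.9 TCP_MISS/200 2048 GET http://example.org/ - DIRECT/93.184.216.34 text/html' \
        '1294790403.440     88 10.30.60.77 TCP_MISS/302 420 GET http://example.net/ - DIRECT/93.184.216.34 text/html' \
        '1294790404.550    290 203.0.113.9 TCP_MISS/200 9001 GET http://example.org/a - DIRECT/93.184.216.34 text/html' \
        '1294790405.660    150 198.51.100.7 TCP_MISS/200 300 CONNECT example.com:443 - DIRECT/93.184.216.34 -' \
        > "$f"
    echo "$f"
}

case "${1:-}" in
    "") ;;   # sourced or run without arguments: only define the functions
    --demo) f=$(sample_log); foreign_clients "$f" 10.30.60.0/24; rm -f "$f" ;;
    *) foreign_clients "$1" "${2:-10.30.60.0/24}" ;;
esac
```

With the rules above in place the live log should produce no output at all; with http_port bound to the LAN address any hit from a foreign source means the request reached the router from the LAN side or the firewall zones are not what you think. In demo mode the constructed log yields one line for 198.51.100.7 and two for 203.0.113.9.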
Check
Check that everything is OK and create the cache swap directories. The -z run initialises the directory layout under cache_dir and is needed once before the first start; it only does a partial check of the config, since Squid still has to parse the file to get that far:
# squid -f /etc/squid/squid.conf -z
S80squid
This is the dd-wrt startup file I'm adapting. It starts Squid and sets up the transparent iptables rules. One OpenWrt caveat: its own firewall script flushes the nat table when it reloads, so rules added here vanish on a firewall restart; /etc/firewall.user is the place OpenWrt expects custom rules, and the functions below can be moved there as-is.
#!/bin/sh
# Transparent-proxy bits adapted from a dd-wrt S80squid script.
# dd-wrt calls the LAN bridge br0; OpenWrt calls it br-lan. Set LAN_IF to match.
LAN_IF=br-lan
INTERNAL_NETWORK=10.30.60.0/24
ROUTER_IP=10.30.60.254
PROXY_SERVER=10.30.60.254
PROXY_PORT=3128
SQUID=/usr/sbin/squid
SQUID_CONF=/etc/squid/squid.conf
IPT=/usr/sbin/iptables
# Uncomment this to start Squid only and skip the iptables rules entirely.
#SKIP_IPTABLES=1
# Marker file recording that our rules are loaded, so a second "start" does not
# add duplicates and "stop" only removes what we added. A variable exported from
# the script cannot do this job: it dies with the script's own shell process.
STATE=/var/run/squid-transparent

add_rules() {
    # Web traffic between LAN hosts is left alone.
    $IPT -t nat -A PREROUTING -i $LAN_IF -s $INTERNAL_NETWORK -d $INTERNAL_NETWORK -p tcp --dport 80 -j ACCEPT
    # Everything else on port 80 from the LAN, except the proxy's own traffic, goes to Squid.
    $IPT -t nat -A PREROUTING -i $LAN_IF ! -s $PROXY_SERVER -p tcp --dport 80 -j DNAT --to $PROXY_SERVER:$PROXY_PORT
    # These two only matter when the proxy is a separate host on the LAN. With Squid
    # on the router itself the redirected packets are delivered to INPUT, not FORWARD.
    $IPT -t nat -A POSTROUTING -o $LAN_IF -s $INTERNAL_NETWORK -p tcp -d $PROXY_SERVER -j SNAT --to $ROUTER_IP
    $IPT -t filter -I FORWARD -s $INTERNAL_NETWORK -d $PROXY_SERVER -i $LAN_IF -o $LAN_IF -p tcp --dport $PROXY_PORT -j ACCEPT
}

del_rules() {
    # Same four rules with the same arguments, so -D removes exactly what add_rules added.
    $IPT -t nat -D PREROUTING -i $LAN_IF -s $INTERNAL_NETWORK -d $INTERNAL_NETWORK -p tcp --dport 80 -j ACCEPT
    $IPT -t nat -D PREROUTING -i $LAN_IF ! -s $PROXY_SERVER -p tcp --dport 80 -j DNAT --to $PROXY_SERVER:$PROXY_PORT
    $IPT -t nat -D POSTROUTING -o $LAN_IF -s $INTERNAL_NETWORK -p tcp -d $PROXY_SERVER -j SNAT --to $ROUTER_IP
    $IPT -t filter -D FORWARD -s $INTERNAL_NETWORK -d $PROXY_SERVER -i $LAN_IF -o $LAN_IF -p tcp --dport $PROXY_PORT -j ACCEPT
}

case "$1" in
start)
    echo -n "Starting proxy server: "
    $SQUID -f $SQUID_CONF
    if [ -n "$SKIP_IPTABLES" ]; then
        echo -n "(iptables rules skipped) "
    elif [ -e "$STATE" ]; then
        echo -n "(rules already loaded; remove $STATE to force) "
    else
        add_rules && touch "$STATE"
    fi
    echo "done."
    ;;
stop)
    echo -n "Stopping proxy server: "
    $SQUID -f $SQUID_CONF -k shutdown
    if [ -e "$STATE" ]; then
        del_rules
        rm -f "$STATE"
    fi
    $IPT -t filter -L
    $IPT -t nat -L
    echo "done."
    ;;
reload|force-reload)
    echo -n "Reloading proxy server configuration files: "
    $SQUID -f $SQUID_CONF -k reconfigure
    echo "done."
    ;;
restart)
    echo "Restarting proxy server: "
    "$0" stop
    # -k shutdown is asynchronous; wait (up to 30 s) until the old process is
    # gone before starting a new one, or the new one cannot bind port 3128.
    n=0
    while $SQUID -f $SQUID_CONF -k check 2>/dev/null && [ $n -lt 30 ]; do
        sleep 1
        n=$((n + 1))
    done
    "$0" start
    ;;
*)
    echo "Usage: /etc/init.d/S80squid {start|stop|reload|force-reload|restart}"
    exit 1
    ;;
esac