I am trying to get a squid accelerator (reverse proxy) server running. Everything works as expected until a WAN client tries to connect, at which point the SYN packets on port 80 get ignored. They are visible with both tcpdump and Wireshark. Before blaming squid as the problem, I installed Apache and disabled squid, but Apache doesn't seem to receive the packets, either.
Where oh where could they be going?!!
Environment:
openSuSE 13.1, updates to 1200UCT 31 July applied from the on-line repos. It's actually a VirtualBox VM, which I don't think matters as the packets show up on it.
Network topology:
ISP (Comcast :( ) modem/firewall/router/switch ->10.n.n.n subnet (DMZ) (configured to forward HTTP and HTTPS to 10.n.n.110)
Second firewall/router/switch ->192.168.n.n subnet (INTERNAL)
Ethernet interface for squid server (10.n.n.110)
From the INTERNAL zone, the squid server is correctly accessible. But from a wireless connection to a Comcast public hotspot, all that arrives are the SYN packets with a zero length, and they receive no response.
I have tried dynamically disabling tcp_timestamp in the squid server. There was no visible change in behavior.
Note that the firewall on the squid server is disabled. Yes, yes, it is a risk, but this is a test machine and the backend servers are off-line etc etc. I don't think the firewall is the problem, but let's keep it out of the mix.
This was working a few weeks ago, and then Comcast pushed out an upgrade to the modem. Perhaps that was really a downgrade? [One of the other effects is that when I connect to an xfinitywifi hotspot, I get a 192.168.1.n IP whereas prior to that it was a public IP.]
The whole thing will be pretty useless if an external client can't connect. :(
Cheers.
Tim
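A diagnostic to run on the proxy host, added here as an example and not part of Tim's post. tcpdump taps a frame before netfilter, routing and the socket lookup, so a SYN it shows can still be dropped by the kernel, and the kernel keeps a counter for each such drop; the script checks the :80 listener, rp_filter, the return route and those counters. The nstat snapshots are constructed and 203.0.113.10 is a placeholder client address.

```shell
#!/bin/sh
# Added diagnostic for "SYN visible in tcpdump, no SYN-ACK". Not from the post.
# Assumes Linux with iproute2 (ss, ip, nstat) and sysctl for the live checks.

# Pure function: given nstat-style text ("Name Value Rate" per line), print the
# non-zero counters that explain a SYN the kernel dropped before any listener
# saw it. Exit status 0 when at least one is non-zero, 1 otherwise.
syn_drop_reasons() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(TcpExtListenDrops|TcpExtListenOverflows|TcpExtTCPReqQFullDrop|TcpExtTCPBacklogDrop|TcpExtIPReversePathFilter|IpExtInNoRoutes|IpInAddrErrors|IpExtInCsumErrors)$/ && ($2 + 0) > 0 {
            print $1; found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Live checks. $1 is the external client address whose return route is tested
# (203.0.113.10 is a documentation placeholder, not a real client).
check_syn_path() {
    client="${1:-203.0.113.10}"
    echo "== listener on :80 (no line below means nothing is accepting) =="
    ss -ltn 'sport = :80'
    echo "== rp_filter (1 = strict: SYN dropped if the route back to its source leaves by another interface) =="
    sysctl net.ipv4.conf.all.rp_filter net.ipv4.conf.default.rp_filter
    echo "== route the SYN-ACK to $client would take (must exit via the DMZ gateway) =="
    ip route get "$client"
    echo "== non-zero kernel drop counters =="
    syn_drop_reasons "$(nstat -az)" \
        || echo "none: the SYN reached the stack; trace the SYN-ACK on the wire next"
}

# Constructed sample snapshots (not output from the poster's machine).
SAMPLE_DROPS='#kernel
IpInReceives                    4821               0.0
TcpExtListenDrops               0                  0.0
TcpExtIPReversePathFilter       17                 0.0
IpExtInNoRoutes                 0                  0.0'
SAMPLE_CLEAN='#kernel
IpInReceives                    4821               0.0
TcpExtListenDrops               0                  0.0
IpExtInNoRoutes                 0                  0.0'

# Run the live checks only when a client address is given on the command line.
if [ $# -gt 0 ]; then check_syn_path "$1"; fi
```

Run as `sh syncheck.sh <client-ip>` on the proxy host; a non-zero TcpExtIPReversePathFilter or IpExtInNoRoutes points at the route table rather than at squid or Apache.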