Re: Should proxy have one interface or two

["ॐ aditya mukadam ॐ" <aditya.mukadam () gmail com>]

Actually, My bad ! The Lan traffic to internet will be encapsulated in
a proxy packet ( ie src = lan & dest = proxy IP). So you don't need
any default route pointing to the proxy.

Internet -----(public interface)-------RTR -------Lan (ABC)
                           |
                        Proxy (XYZ)

The actual set up will look like if the proxy has a public IP to it
because it has to NAT/PAT.

1) So the traffic should flow like Lan requests page from google,
traffic will go to proxy which ( lets say has a public IP). Packet
will look like Src= ABC & Dst = XYZ
2) The router has this IP(XYZ) in its ARP table and will forward it to
the proxy server.
3) The proxy server will process the packet and will send it to the
internet after PAT/NAT. Packet will be src= XYZ & Dst= Google
4) The reply ( from google ) will come to proxy. Proxy will process
the packet and send it to the actual Lan IP.  Packet will be src=
google & dst= XYZ
5) The proxy server will need to know how to route the Lan traffic to
the router. The roure will then send it back to the PC !!!   Packet
will be src= XYZ & dst = ABZ

Yes this work fine with one interface proxy .The only issue would be
that the proxy server has to be protected by some internet  firewall
in front of it . Having said that I have seen a two interface (
including virtual interface) work well. Again, one interface proxy or
two interface will depend on the solution we are trying to role
depending on the requirement.

Thanks,
Aditya Govind Mukadam


On Mon, Jul 14, 2008 at 1:58 PM, Gleb Paharenko <gpaharenko () gmail com> wrote:
> Aditya, thank you!
>
> > 3) You can say that we can add a router /L3 device in between like
> > below.The router will take care of NAT/PAT.
> >
> > Internet ------ (pub int)----RTR ------- Proxy
> >                                    |
> >                                 Lan
>
> This this the scheme I mean. Also in my scheme the proxy is only
> http,https, ftp proxy.
> On all clients proxy is set to PROXY_ADDR. And no raw ip packets are
> go to internet (no NAT/PAT for LAN).
> Why do we have to put default router for gateway pointing to PROXY_ADDR?
>
>
>
> > In this set up the router will have three interfaces. One to internet(
> > which does SNAT) , Proxy and Lan. The lan's PCs  would have proxy
> > configured in their browser. When the lan wants to go on internet via
> > the proxy  , the router will have to send this to proxy's IP ( so the
> > router need to have default gateway pointing to proxy). Now once the
> > proxy receives and processes this, it would send it back to the router
> > to go to the internet because proxy's default gateway is router.
> > However, the router has default gateway pointing to the proxy !!! The
> > packet will loop between proxy and the router and will never traverse
> > outside because router has to send all the traffic to the proxy for
> > processing and the proxy has to send the processed traffic to internet
> > via the router. Please note, the router would also need a default
> > route pointing to the internet gateway !!! So the traffic from Lan
> > would never make it to internet via such 'one arm routing' on proxy
> > set up.
>
>
>
>
> 2008/7/14 ॐ aditya mukadam ॐ <aditya.mukadam () gmail com>:
> > Gleb,
> >
> > I would like to explain what I think are the possible reasons with
> > help of below scenarios
> >
> > 1) Internet ----- (public interface)---- Proxy ---- (internal
> > interface)-------LAN
> >
> >  The public interface of proxy would have a public IP . The internal
> > IPs can be PATed/NATed to this interface's IP or can have a diferrent
> > IP in the same public segment ( as that of pub int.). However the
> > internal lan would mostly have private IP subnet. So, two different
> > subnets , one for public internet and other for private lan. And so we
> > would need one IP from each segment on the Proxy device. The
> > interfaces can be virtual or physical. Both the subnets(public n
> > private) cannot be/should not be a part of same subnet because it will
> > defeat the purpose of a proxy and we are bound to have routing
> > complications.
> >
> > 2) If we would still go ahead and have a single interface the setup
> > will look like below where the Lan & public subnet are in the same
> > subnet. So, Lan IPs would have public IPs !!!  But you would have
> > still have routing issue ( explained in point 4)
> >
> > Internet ------ (public and private subnet )---Proxy.
> >
> > 3) You can say that we can add a router /L3 device in between like
> > below.The router will take care of NAT/PAT.
> >
> > Internet ------ (pub int)----RTR ------- Proxy
> >                                    |
> >                                 Lan
> >
> > In this set up the router will have three interfaces. One to internet(
> > which does SNAT) , Proxy and Lan. The lan's PCs  would have proxy
> > configured in their browser. When the lan wants to go on internet via
> > the proxy  , the router will have to send this to proxy's IP ( so the
> > router need to have default gateway pointing to proxy). Now once the
> > proxy receives and processes this, it would send it back to the router
> > to go to the internet because proxy's default gateway is router.
> > However, the router has default gateway pointing to the proxy !!! The
> > packet will loop between proxy and the router and will never traverse
> > outside because router has to send all the traffic to the proxy for
> > processing and the proxy has to send the processed traffic to internet
> > via the router. Please note, the router would also need a default
> > route pointing to the internet gateway !!! So the traffic from Lan
> > would never make it to internet via such 'one arm routing' on proxy
> > set up.
> >
> > 4) The above scenario will work if we configure separate VRFs on
> > router, one VRF for LAN , other for proxy and third global routing
> > table. So, we have pushed the need of two interface from proxy to the
> > router (with help of VRF) !
> >
> > Since we are humans , we can apply all sort of knowledge and still get
> > it working with proxy having one interface.However, this will
> > complicate rest of the network and increase the cost of the solution
> > as we would need additional devices.Additionally, it will also make
> > the troubleshooting complicated for the network administrators in case
> > of issue.
> >
> > Simplest solution is to have two interface on the proxy !!! ;-)
> >
> > Hope this will help to understand.Let me know if you have any questions.
> >
> > Thanks,
> > Aditya Govind Mukadam
> >
> >
> >
> > On Fri, Jul 11, 2008 at 5:39 PM, Gleb Paharenko <gpaharenko () gmail com> wrote:
> > > Hi, list.
> > >
> > > In many network designs web proxy server has two interfaces. One is
> > > for internal clients, second is outgoing interface for proxy.
> > > Why it is not use one interface both for incoming requests from users
> > > and for outgoing requests from proxy? Of course this interface should
> > > be in separate subnet with firewalled control on it and it should be
> > > SNATed as well. Hope I clearly describe my question, of why it is
> > > better to
> > > have two interfaces in different subnets for web-proxy.
> > >
> > >
> > > --
> > > Best regards.
> > > Gleb Pakharenko.
> > > http://gpaharenko.livejournal.com
> > > http://www.linkedin.com/in/gpaharenko
>
>
>
> --
> Best regards.
> Gleb Pakharenko.
> http://gpaharenko.livejournal.com
> http://www.linkedin.com/in/gpaharenko