Configuring multiple interception ports using WCCPv2

By AdrianChadd

Warning: Any example presented here is provided "as-is" with no support or guarantee of suitability. If you have any further questions about these examples please email the squid-users mailing list.


The Squid WCCPv2 implementation can intercept more than TCP port 80. The currrent implementation can create multiple arbitrary TCP and UDP ports.

There are a few caveats:

  • Squid will have to be configured to listen on each port - the wccp2_service configuration only tells WCCPv2 what to do, not Squid;

  • WCCPv2 (as far as I know) can't be told to redirect random dynamic TCP sessions, only "fixed" service ports - so it can't intercept and cache the FTP data streams;
  • You could use Squid to advertise services which are handled by "other" software running on the server (for example, if you had a RealServer proxy which functioned you could use Squid to cache the web traffic and announce the RealMedia port interception and RealMedia to proxy.)


Here is an example of redirecting port 80 and port 8080 traffic to a Squid proxy server.

Cisco configuration

This configures a dynamic service group - group 80 - which is handed a bunch of details by the neighbour caches. I chose 80 because its "web and some other stuff", but it doesn't have to be 80 and it doesn't have to involve http (tcp port 80.) It could be 90, or 100, or 123.

ip wccp 80                                                                                                                               
interface FastEthernet0/1                                                                                                                
 ip address                                                                                                    
 ip wccp 80 redirect in                                                                                                                  
 ip nat inside                                                                                                                           
 ip virtual-reassembly                                                                                                                   
 duplex auto                                                                                                                             
 speed auto                                                                                                                              

Squid configuration

This configuration covers the interception part - this Squid sits behind a NATted interface that is WCCPv2 intercepted. The Squid server sits on two network interfaces: an external interface with real a IP address that squid binds to with tcp_outgoing_address, and the internal WCCPv2 intercept + NAT'ted address.

wccp2_service dynamic 80                                                                                                                 
wccp2_service_info 80 protocol=tcp priority=240 ports=80,8000,2080                                                                       
http_port transparent vport=80                                                                                         
http_port transparent vport=8000                                                                                       
http_port transparent vport=2080                                                                                       

Linux interception configuration

eth0 is the external (public) IP address; eth1 is the internal IP address which is being WCCPv2 intercepted.

ip tunnel add gre0 mode gre remote local dev eth1
ifconfig gre0 inet netmask up
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/gre0/rp_filter

iptables -F -t nat
iptables -t nat -A PREROUTING -i gre0 -p tcp -m tcp --dport 80 -j DNAT --to-destination
iptables -t nat -A PREROUTING -i gre0 -p tcp -m tcp --dport 8000 -j DNAT --to-destination
iptables -t nat -A PREROUTING -i gre0 -p tcp -m tcp --dport 2080 -j DNAT --to-destination


ConfigExamples/MultiplePortsWithWccp2 (last edited 2009-10-13 23:56:32 by AmosJeffries)