On Sun, 22 Feb 2004, Andriy Korud wrote:


> - On Linux router:
> forward packets to squid machine using iproute2 and policy routing without
> changing src or dst address;


Ok. This will cause problems with MTU discovery in both directions, but
mainly in Squid->client direction.

If you are today using conntrack on this Linux router then I would
strongly recommend the use of CONNMARK to route HTTP sessions rather than
packets. Doing so will allow MTU discovery to continue to function like
normal.

> - On Squid (Linux, separate machine):
> redirect packets coming to port 80 to port 3128 using iptables REDIRECT target.


Is this "behind" the router using the router as gateway to the clients,
or on the same side of the router as the clients?

> > * What is the MTU to your client?

>
> Telling the truth - don't know, however the client is a usual out-of-the-box
> Windows2k/XP machine connected via cable modem. I must check the MTU settings,
> but can you direct me to what exactly I should check and where the problem can be?


If the MTU of any path between the client and the proxy server is lower
than the MTU of the interface on the proxy server then things will break
in the type of setup you have.

Regards
Henrik
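
A sketch of the CONNMARK-based session routing recommended above, added here as an example and not taken from the thread. Because the mark lives on the conntrack entry, ICMP "fragmentation needed" errors that conntrack classifies as RELATED to the HTTP session are routed to the Squid machine along with the session itself. The interface names, Squid address, mark value and table number are assumptions, as is a layout where Squid sits on its own router interface and reaches the clients through this router.

```shell
#!/bin/sh
# Added example with constructed values; nothing below comes from the thread.
CLIENT_IF=${CLIENT_IF:-eth1}      # router interface facing the clients (assumed)
SQUID_IF=${SQUID_IF:-eth2}        # router interface facing Squid (assumed)
SQUID_IP=${SQUID_IP:-192.0.2.10}  # Squid machine (documentation address)
MARK=${MARK:-1}                   # connection/packet mark (assumed)
TABLE=${TABLE:-100}               # policy routing table number (assumed)

# Print the commands for review; pipe the output to "sh" as root to apply.
connmark_rules() {
  # 1. A new HTTP connection from the client side: store the mark on the
  #    conntrack entry, so it applies to the session and not to one packet.
  echo "iptables -t mangle -A PREROUTING -i $CLIENT_IF -p tcp --dport 80 -m conntrack --ctstate NEW -j CONNMARK --set-mark $MARK"

  # 2. Copy the connection mark onto every packet of that session arriving
  #    from the client side. This includes RELATED ICMP errors sent by
  #    routers on the client path. Limiting the rule to CLIENT_IF keeps
  #    Squid's own replies from being routed back to Squid.
  echo "iptables -t mangle -A PREROUTING -i $CLIENT_IF -m connmark --mark $MARK -j CONNMARK --restore-mark"

  # 3. Policy routing: marked packets use a table whose default route is
  #    the Squid machine; source and destination addresses are untouched.
  echo "ip rule add fwmark $MARK table $TABLE"
  echo "ip route add default via $SQUID_IP dev $SQUID_IF table $TABLE"
}

connmark_rules
```

On the Squid machine the iptables REDIRECT rule from port 80 to port 3128 described in the quoted message stays as it is.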