Force Squid to connect to sites over IPv4 rather than IPv6


My experience with source address selection is that it is difficult to get it right. Usually I give up after a few tries without success.

Here is what I do to configure a web proxy to force IPv4 on dual-stack machines (tested with Linux):

  • Create an unused RFC 1918 IPv4 address on an interface, say 10.2.3.4 on eth0. Netmask probably doesn't matter much, but I pick 32.
  • Configure squid using this directive:

    tcp_outgoing_address 10.2.3.4 [your acl]

  • Set the firewall rule to do NAT masquerade if the source address of the packet is 10.2.3.4. This will translate to your real IPv4 address.

Since the source address is explicitly set to IPv4, squid will never make the connection to an IPv6 address.

I could have used my real IP in the tcp_outgoing_address directive, but my ISP is using dynamic IP, and this approach means I don't have to change the config every time I have a new IP.
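As an added example (not the answer's own script), a POSIX shell script that emits the three pieces of this setup for review, or applies the host side when run as root with APPLY=1. The dummy address 10.2.3.4 on eth0, the ACL name force_v4 and the sample domain list are assumptions.

```shell
#!/bin/sh
# Added example, not the answer's own script. Emits the three pieces of the
# IPv4-only setup described above (dummy RFC 1918 address, Squid stanza,
# NAT masquerade) for review; with APPLY=1 and root it applies the host side.
set -eu

DUMMY_IP="${DUMMY_IP:-10.2.3.4}"     # assumed unused RFC 1918 address
IFACE="${IFACE:-eth0}"               # assumed interface carrying the dummy address
WAN_IFACE="${WAN_IFACE:-eth0}"       # assumed interface with the real IPv4 address
DOMAINS="${DOMAINS:-netflix.com .netflix.com}"   # constructed sample list

# Guard: the source address must be private IPv4, so it can never be selected
# for an AAAA destination and always hits the masquerade rule on the way out.
is_rfc1918() {
  case "$1" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Squid side: a destination-domain ACL ("force_v4" is an assumed name) and an
# IPv4 tcp_outgoing_address bound to it. A leading dot matches subdomains.
squid_stanza() {
  printf 'acl force_v4 dstdomain'
  for d in "$@"; do printf ' %s' "$d"; done
  printf '\n'
  printf 'tcp_outgoing_address %s force_v4\n' "$DUMMY_IP"
}

# Host side: add the dummy address, then masquerade anything sourced from it
# so the real (possibly dynamic) IPv4 address is used on the wire.
host_commands() {
  printf 'ip addr add %s/32 dev %s\n' "$DUMMY_IP" "$IFACE"
  printf 'iptables -t nat -A POSTROUTING -s %s/32 -o %s -j MASQUERADE\n' \
    "$DUMMY_IP" "$WAN_IFACE"
}

is_rfc1918 "$DUMMY_IP" || { echo "DUMMY_IP must be a private IPv4 address" >&2; exit 2; }

if [ "${APPLY:-0}" = 1 ]; then
  host_commands | sh -e                 # requires root
else
  echo '# host commands (run as root):'; host_commands
fi
echo '# append to squid.conf, then reload Squid:'
squid_stanza $DOMAINS
```

Run it once without APPLY to review the generated commands and stanza; the stanza still has to be added to squid.conf and Squid reloaded by hand.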

James White

Updated on September 18, 2022

Comments

  • James White
    James White almost 2 years

    Is there any feasible way to force a select amount of domains to use IPv4 connectivity rather than IPv6 with Squid, whether it's via an ACL or another method?

    I'm aware of the dns_v4_first config value, but it doesn't help me here.

    The problem I am having is my IPv6 is provided by Hurricane Electric (tunnel) which ultimately confuses various geographically based detection and thinks I'm US (I'm not, I'm UK) when sites have deployed IPv6. This presents problems for streaming services like Netflix, which shows me US based listings but will then detect that I'm actually in the UK most of the time. (Spoiler on how to gain US Netflix without DNS hacks!)

    I need a way to control such services and make sure they go over IPv4. While it is against the whole IPv6 scenario, I don't really have a choice unless I disable IPv6 entirely, which I am not going to do.

    • Admin
      Admin over 8 years
      Not an answer, but something of an explanation: Geo-location on IPv6 is going to be problematic for a while. It still has problems even on IPv4. The accuracy is completely dependent on the geo-location service used, and various companies will use various services for this.
    • Admin
      Admin over 8 years
      Indeed. I'm assuming whatever geolocation service is being used, it's looking at the prefix allocation and seeing it's Hurricane Electric, which is ultimately based in CA, US.
    • Admin
      Admin over 8 years
      Not an answer, but tackling the problem: Did you try to choose an HE tunnel endpoint in the UK (there are three, all in London)? I had a similar problem; I hadn't cared about the tunnel endpoint until Google presented me with Dutch advertisements and search results because the tunnel ended in Amsterdam (I understand Dutch, but I would prefer German results).
    • Admin
      Admin over 8 years
      Yes, I'm using an endpoint in London. I have tried a couple of endpoints in London and geolocation is detected as US no matter what. I think it's because the HE prefix rwhois is ARIN, so it's assumed US. But as stated above, the IPv6 geolocation is a bit wayward currently.
    • Admin
      Admin over 8 years
      I'm now questioning if what I'm asking is possible. I actually forced IPv4 to take priority on the machine I'm attempting to resolve the issue on, which sent Netflix traffic over IPv4 and Netflix still served US based content. I guess as long as IPv6 is active I'm going to have this problem.
  • James White
    James White over 7 years
    This is an interesting concept. I ended up forcing IPv4 by creating a BIND server that uses filter-aaaa-on-v4, to essentially strip AAAA records from any domain that has v6. I conditionally forward required domains to this specific resolver, thus creating the scenario of no v6 for these domains.
  • Leo
    Leo over 7 years
    Nice. Yours is more "correct." I stumbled upon this (IPv4-only behavior) because I have a need to make sure a certain program, which can be configured with an HTTP proxy, will make outgoing connections over a specific interface regardless of the destination. I use this trick and combine it with source-based routing to do what I need.
  • Michael Hampton
    Michael Hampton over 7 years
    @Pandorica Perhaps you'd like to share your solution with this guy, who desperately needs it?
  • James White
    James White over 7 years
    @MichaelHampton If I could post I would, but this is the general concept: gist.github.com/jamesmacwhite/6a642cb6bad00c5cefa91ec3d742e2a6.