[j-nsp] Transparent Proxy

Kevin Day toasty at dragondata.com
Tue Feb 20 13:15:27 EST 2007

On Feb 20, 2007, at 10:21 AM, Ed Ronayne wrote:

> Hi all,
> 	Long time reader first time poster.
> 	over the last two months I have started changing a lot of our Cisco
> 7200's out with the new J6350. All things going well so far. I was
> wondering if anyone could share a quick config snipit for  
> implementing a
> transparent proxy. I want to redirect all requests to port 80 seen
> coming in a vlan to a webcache box that is listening on port 80 out
> another interface.
> Regards
> Ed

This is what I'm using... Posting here because, while it works, I'm  
not 100% convinced this is the best way to go about it. :) I'm sure  
if this is awful, someone else will pipe up with a better way.

This assumes that the proxy server is on a directly attached  
interface. If your proxy server's route is learned through anything  
more complex than an interface's next hop or if it's anything other  
than directly attached to the router, it gets a lot more complicated.

(squid = the proxy we're using)

routing-options {
     interface-routes {
         rib-group inet main;    /* Needed so that the squid RIB  
group knows what the next hop is for the proxy server IP itself is */
     rib-groups {
         main {
             import-rib [ inet.0 squid.inet.0 ];
firewall {
     family inet {
         filter lan-to-fw {   /* This gets applied to the inbound  
side of the interface that the clients are attached to */
             term squid {
                 from {
                     source-address {
/* replace with whatever hosts you want to go through the proxy -  
make sure the proxy server IP itself doesn't get included here, or  
you'll make your proxy get stuck in a loop of redirecting to itself */
                     protocol tcp;
                     destination-port [ 80 443 ];
                 then {
                     count squidredir;
                     routing-instance squid;
routing-instances {
     squid {
         instance-type forwarding;
         routing-options {
             static {
                 route {
                     next-hop  x.x.x.x /* IP of your proxy */;

More information about the juniper-nsp mailing list