Proxy Suggestions for CBRS connectivity
We recommend against using cnMaestro on-premises as a proxy for cbrs connectivity. Normally, upgrades to cnMaestro that result in a small amount of downtime do not impact network devices under management. In the case of cbrs they do, and even a brief outage of the proxy during upgrade will result in network outages.
External proxy requirements
If you already use a forward proxy in your network, its best to use this rather than setting up a new one. Connections will be made using http CONNECT to sas.cbrs.cambiumnetworks.com, your proxy will need to allow this. A TLS intercepting proxy (like some security gateways) will break connectivity.
Squid as external proxy
The following configuration will work for an external proxy config if needed, but does not offer high-availability and may not be in line with your network standards. Weve tested this on fresh installs of:
- Ubuntu 20.04 / Squid Cache: Version 4.10
- Centos 7 / Squid Cache: Version 3.5.20
Though they should work on your distro just fine as well.
## WARNING:
## While this config may work for your use case, we encourage you to
## follow your own best practices and modify this file for
## your network.
## Tested on squid version 4.10
## This localnet ACL is not useful unless you want to use
## this proxy for anything other than a cbrs proxy.
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#acl localnet src fc00::/7 # RFC 4193 local private network range
#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
## This cbrs ACL limits connections to sas.cbrs.cambiumnetworks.com
## only.
acl cbrs dstdomain sas.cbrs.cambiumnetworks.com
## Updates require access to destinations under cloud.cambiumnetworks.com
## This is a separate ACL for readability, but can be combined with the cbrs
## ACL if preferred.
acl cloud dstdomain .cloud.cambiumnetworks.com
## This group blocks http CONNECT to non-standard https ports
acl SSL_Ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_Ports
## Allow access only to the sas and cloud acls. Add your own ACLs here if
## needed
http_access allow CONNECT cbrs
http_access allow CONNECT cloud
http_access deny all
## We dont need any cache for proxying cbrs traffic
cache deny all
## Port config, change this to suit your requirements
http_port 3128
HA for squid external proxy
Since a standalone proxy is a single point of failure, we recommend using an HA setup for squid. This can be done fairly simply using pacemaker or drdb.