Issue with DST-NAT (RouterOS 6.47.10)

Hello,

I have designed a topology which has an external proxy server (192.168.239.152) and a Mikrotik Router (192.168.239.151).
The MikroTik router is connected to a LAN and provides internet access to the LAN PCs. The LAN PCs have IPs from the block 192.168.1.0/24.

I want traffic (HTTP, HTTPS) from the LAN PCs to go through the proxy server, so that I don’t need to configure the browser manually to use proxy settings. For this I have created a DST-NAT rule on the MikroTik router in the following way:

Step1

Step2

After this, traffic from the LAN PCs goes through that proxy server (Squid), but no website works and the following error is shown:

What is wrong here?

Note: Manual proxy setup in the browser works perfectly. But I am trying to set up a transparent proxy here via MikroTik.

Few thoughts:

  • Isn’t that supposed to work only with HTTP traffic and not with HTTPS?
  • You did not port forward 443 (HTTPS) traffic, only 80 (HTTP). Most sites use 80 simply to redirect to 443 and serve websites only on port 443.

A network diagram will help, as I have no idea what you mean by external.

Same issue if I forward port 443. No matter whether it’s port 80 or 443, the proxy server gives the error.

External means the proxy server is not in the same LAN as those PCs. It’s another device, but I can ping it from the MikroTik router and the LAN PCs. It has a public IP. The diagram is as follows:

So the mikrotik and proxy server are not behind the same modem?

Sounds like forward chain rules…and IP routes…

/ip firewall filter
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN protocol=tcp dst-port=80,443

IP Route
/ip route
add distance=1 gateway=ISP_Gateway
add distance=1 gateway=ISP_Gateway routing-mark=proxy-route

Route Rule
/ip route rule
add action=lookup-only-in-table src-address=192.168.1.0/24 dst-address=192.168.239.152 table=proxy-route

The end result is that
(1) If any LAN user attempts to reach the internet by any port other than 80 and 443, it will not happen, period.
(2) If any LAN user attempts to reach any other WAN IP than the proxy, they will not be routed.

Yes, they are behind the same modem; you can see both use IPs from the same IP block, which is 192.168.239.0/24.

So in the end, LAN users can’t ping outside addresses, or can’t use any other websites that use ports other than 80 or 443?

Well, I don’t know how to handle that.
I am hoping those more expert than me can help.
My guess is that if it was me I would put the proxy server behind the ROUTER but on its own IP address, versus completely separate like you have.
However, I do not know what is better. :(

This issue is not caused by the MikroTik dst-nat but by the HTTP protocol.
It is simply not possible to make a proxy that way!
When you fetch an HTTP page the browser splits the URL into its parts: http://site.com/path is split into site.com and /path.
The browser then does a DNS lookup for site.com, makes a connection to the returned IP on port 80, and then sends a request for /path there (unfortunately, it does not send the full http://site.com/path but only the /path part).

When you forward all HTTP traffic to a single internal proxy, there is no way for that proxy to know what you want from it, because it only gets the /path and not the full URL.

Later the HTTP protocol was modified and it sends the extracted part “site.com” in a separate header in the request:
Host: site.com

Apparently your proxy does not support using that. You may need to configure it differently (as a “transparent proxy”).
However, note that this is not possible for the HTTPS protocol! That can only be handled by a proxy when you configure it in each browser; it is not possible to make such a port forward and still have it working. That is exactly the point of the HTTPS protocol.

So while it may be convenient to you to not have to configure the proxy, unfortunately it cannot be done this way.
(there are other ways to do it, but they all have special restrictions)
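As an added illustration of the point made above (this is example code, not from the thread, from Squid or from MikroTik), the following Python parses a request the way a proxy that receives dst-nat’ed traffic must, and shows the three cases: an absolute URL from a browser with a proxy configured, an origin-form request plus Host header from a transparently redirected browser, and an origin-form request with no Host header, where the target cannot be determined. It also shows why a dst-nat of port 443 hands the proxy a TLS record instead of an HTTP request. All sample requests are constructed.

```python
# Added example, not from the thread: how a proxy must recover the target
# host from a redirected HTTP request, and where that recovery fails.
from urllib.parse import urlsplit

# Constructed sample requests as they would arrive at the proxy.
EXPLICIT = b"GET http://site.com/path HTTP/1.1\r\nHost: site.com\r\n\r\n"  # browser has proxy configured
TRANSPARENT = b"GET /path HTTP/1.1\r\nHost: site.com\r\n\r\n"             # dst-nat redirect, modern browser
NO_HOST = b"GET /path HTTP/1.0\r\n\r\n"                                   # dst-nat redirect, no Host header
TLS_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"                   # start of a TLS record (port 443 redirected)


def parse_request(raw: bytes) -> dict:
    """Split one HTTP request into method, target, version and headers.

    Raises ValueError if the bytes are not an HTTP request at all (for
    example a TLS record arriving because port 443 was also redirected).
    """
    if raw[:1] == b"\x16":  # TLS handshake record type: no URL or Host to read
        raise ValueError("TLS handshake, not HTTP: no URL to proxy by")
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def resolve_origin(req: dict) -> tuple:
    """Return the (host, path) the proxy should fetch, or raise if unknowable.

    absolute-form target -> host is inside the URL (explicit proxy)
    origin-form + Host   -> host comes from the Host header (transparent proxy)
    origin-form, no Host -> only '/path' is known: the failure case from the thread
    """
    target = req["target"]
    if target.startswith("http://"):
        url = urlsplit(target)
        return url.netloc, url.path or "/"
    host = req["headers"].get("host")
    if host:
        return host, target
    raise ValueError("origin-form request without Host: target unknown")
```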

What is the main goal you want to achieve? The reason to install Squid has vanished, as 90% of the web already runs on HTTPS, and those who still do not get downvoted in SEO/search engines. This is to build trust that clients communicate with the intended service, not a fake one. Nowadays content is cached in browsers by the rules the server specifies. By the way, do you know MikroTik contains proxy functionality?

OK, understood. So there’s no way to achieve what I am trying to do.
So either I need to use the proxy feature of MikroTik or I am out of luck.

NO, you do not understand.
PROXIES ARE DEAD with 90% of traffic going to HTTPS.
Anything you try is perfectly useless and only a waste of time.
Understand now?

No, you don’t understand!
You either need to configure the proxy on each computer or you are out of luck.
It does not matter if you use the proxy feature of MikroTik or any other proxy: an invisible proxy for HTTPS cannot be done.
That is the intended purpose of HTTPS: to prevent network admins like you from setting up something between the user and the server without the user knowing about it.

So what’s the best possible way to block clients from accessing certain websites (i.e. Facebook or YouTube)
without putting much workload on the MikroTik router, of course? I am using an RB450G device at my place.

Parenting is the solution.
You can cut off internet during certain hours but then they will use their cellphones and data to connect.

DNS filtering is probably your best bet. Pi-hole or NextDNS (cloud based) will allow you to block certain websites. There are ways around it, though, if someone sets a DoH provider manually on their device. If you don’t have DoH on any client, then you can use dst-nat to redirect any non-approved DNS requests to the MikroTik DNS server, which would then forward them to your approved DoH/DNS provider.

So the topic title “Issue with DST-NAT (RouterOS 6.47.10)” is actually “I don’t know how the internet works, it must be this specific version broken and this specific feature.” ?