You can't until they have already downloaded the first 200MB, which would waste that bandwidth.

But, if it is the same squid, why doesn't it have this option?

It is not squid in RouterOS. (Older versions had squid, but that was 2.9.x.)

For a lot of downloads you cannot predict the size, so they will download 200MB and then you disable them. In these cases I usually suggest throttling, so these big downloads get a lower data rate. You can look up queues for this and how to do this.

So practically you can do nothing about it, not good, not good.
http://wiki.mikrotik.com/wiki/Manual:IP ... ccess_List

Make two proxy access rules that accept traffic unconditionally from the two IP addresses, and put them higher in the list than the deny rule.

Understood, thanks again.
Thank you fewi, just one thing: I changed the action from memory to disk, because I want to keep the logs for a few days and check them from time to time. My question is, for how long will the system save the logs? I don't want to be left without disk space on my router. Can I delete them somehow, or how does it work?

The router will save as many lines as you specify in the logging action disk. I think its default is 100 lines, and once the 100 lines are used up it will drop the old one to add on the new one. It would be much better, if you wanted to save these logs, to use the remote action and set up a syslog server. There you can define retention policies.

Yes, this is the only wise thing to do in this situation. Tomorrow I'll find a free syslog server and see what will happen. Thanks.
/ip firewall nat
add chain=dstnat dst-address=1.1.1.1 protocol=tcp dst-port=80 \
action=dst-nat to-address=192.168.1.2
add chain=srcnat out-interface=WAN action=masquerade
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 \
dst-address=192.168.1.2 protocol=tcp dst-port=80 \
out-interface=LAN action=masquerade
Here is the complete NAT ruleset you need:

/ip firewall nat
add chain=dstnat dst-address=87.233.82.82 protocol=tcp dst-port=80 action=dst-nat to-address=192.168.0.200 to-port=81
add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.200 protocol=tcp dst-port=81 out-interface=LAN action=masquerade
add chain=srcnat out-interface=WAN1 action=masquerade

Works like a charm, but not quite... when I use the IP 87.233.82.82 it works great, I see the web mail, but when I use the domain name mail.domain.com it's not working.
Then you have a DNS problem. If it works via IP, it works via IP. Check what IP address the domain name resolves to.

The thing is that I'm at home at the moment and I can use both ways, IP or domain, and it's working, but at work it isn't working when trying with the domain name, so I don't think it is a DNS issue. But what could it be?

It IS a DNS issue. DNS just helps you resolve a name to an IP; the browser then actually uses the IP address to access the service. Access by IP is working, so the problem MUST be with DNS.

Go to the command line both at work and at home and run "nslookup whatever.domain.com" and compare the output. There'll be a difference.

Stupid me, now I understand why it wasn't working: on the server I was testing, the DNS server was set to the domain server, but when I tried my personal computer that had the router DNS it worked. Thank you.
You never mentioned there were more ports being forwarded. You need to make the same hairpin NAT exceptions for ALL ports. Since you have a bunch of ports, it's easier to just do it for the entire host.

Remove the following line:

/ip firewall nat
add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.200 protocol=tcp dst-port=81 out-interface=LAN action=masquerade

and replace it with:

/ip firewall nat
add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.200 out-interface=LAN action=masquerade

Sorry for not mentioning the other port forwards. I disabled the rule you said and added the new one, but I receive the same error in Outlook. I want to say that not all ports are forwarded to the same IP (192.168.0.2); there are about 3 rules (remote desktop) for other IPs.
Another thing - I just enabled Web Proxy and I get the "ERROR: Gateway Timeout" when trying to reach the web mail server with the public IP:

ERROR: Gateway Timeout
While trying to retrieve the URL http://mail.domain.com/:
* Connection refused
Your cache administrator is Webmaster.
Generated Tue, 04 Jan 2011 09:15:15 GMT by 192.168.0.1 (Mikrotik HttpProxy)

Which ports are you redirecting to the proxy? Only 80? Do you have some rules in the proxy access list?

Everything is done as it is stated here: http://wiki.mikrotik.com/wiki/How_to_Bl ... sing_Proxy
Why would you need a NAT rule like that? Disable it and see if it changes something.

I said in the above posts why I needed it. I disabled it - nothing changed.

Are all other sites working? For example other web mail services like gmail or yahoo?

Solved, so I just put the 80 to 81 forward rule above the transparent proxy rule and it works!

Your port forward rules had the address inverted - "!192.168.88.1" means "Not This Address!". Do not check the exclamation mark (!) in the rules.

If I don't check the exclamation mark it doesn't work from the outside, only in the LAN. But it doesn't matter now, with port forwards it is solved.

Yes, and the exclamation mark made the difference - either from outside (with !), or from inside (no !). You needed to have two rules then (for each network).

I'm just trying to explain what caused it, I know that you solved it.

Understand, thank you.
Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print", "/ip firewall export", and an accurate network diagram.
Arax/WAN1 (PPPoE) - first provider
[admin@MikroTik] > /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=LAN1 actual-interface=LAN1
1 address=77.X.X.X/30 network=77.X.X.X broadcast=77.X.X.X interface=WAN2 actual-interface=WAN2
2 D address=87.X.X.X/32 network=217.X.X.X broadcast=0.0.0.0 interface=Arax actual-interface=Arax
[admin@MikroTik] >
[admin@MikroTik] > /ip route print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
0 A S dst-address=0.0.0.0/0 gateway=Arax,WAN2 gateway-status=Arax reachable,WAN2 reachable distance=1 scope=30 target-scope=10
1 A S dst-address=77.X.X.X/24 gateway=WAN2 gateway-status=WAN2 reachable distance=1 scope=30 target-scope=10
2 ADC dst-address=77.X.X.X/30 pref-src=77.X.X.X gateway=WAN2 gateway-status=WAN2 reachable distance=0 scope=10
3 A S dst-address=87.X.X.X/24 gateway=Arax gateway-status=Arax reachable distance=1 scope=30 target-scope=10
4 ADC dst-address=192.168.0.0/24 pref-src=192.168.0.1 gateway=LAN1 gateway-status=LAN1 reachable distance=0 scope=10
5 ADC dst-address=217.X.X.X/32 pref-src=87.X.X.X gateway=Arax gateway-status=Arax reachable distance=0 scope=10
[admin@MikroTik] >
[admin@MikroTik] > /interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE MTU L2MTU
0 R ;;; interface WAN
WAN1 ether 1500 1524
1 R WAN2 ether 1500 1524
2 R ;;; interface LAN
LAN1 ether 1500 1524
3 R LAN2 ether 1500 1524
4 R LAN3 ether 1500 1524
5 R Arax pppoe-out 1480
[admin@MikroTik] >
[admin@MikroTik] > /ip firewall export
# jan/04/2011 19:25:07 by RouterOS 4.11
# software id = HT2T-Y3XQ
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=drop chain=input comment="" disabled=no dst-port=8080 in-interface=WAN1 protocol=tcp src-address=0.0.0.0/0
add action=drop chain=input comment="" disabled=no dst-port=8080 in-interface=WAN2 protocol=tcp src-address=0.0.0.0/0
add action=drop chain=input comment="" disabled=no dst-port=8080 in-interface=Arax protocol=tcp src-address=0.0.0.0/0
add action=accept chain=input comment="Added by webbox" disabled=no protocol=icmp
add action=accept chain=input comment="" disabled=no dst-port=8291 protocol=tcp src-address=192.168.0.0/24
add action=accept chain=input comment="Added by webbox" connection-state=established disabled=no in-interface=WAN2
add action=accept chain=input comment="Added by webbox" connection-state=established disabled=no in-interface=WAN1
add action=accept chain=input comment="Added by webbox" connection-state=related disabled=no in-interface=WAN2
add action=accept chain=input comment="Added by webbox" connection-state=related disabled=no in-interface=WAN1
add action=drop chain=input comment="Added by webbox" disabled=no in-interface=WAN2
add action=drop chain=input comment="Added by webbox" disabled=no in-interface=WAN1
add action=jump chain=forward comment="Added by webbox" disabled=no in-interface=WAN2 jump-target=customer
add action=jump chain=forward comment="Added by webbox" disabled=no in-interface=WAN1 jump-target=customer
add action=accept chain=customer comment="Added by webbox" connection-state=established disabled=no
add action=accept chain=customer comment="Added by webbox" connection-state=related disabled=no
add action=drop chain=customer comment="Added by webbox" disabled=no
add action=drop chain=input comment="" disabled=yes dst-port=8291 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="Added by webbox" disabled=no out-interface=WAN2
add action=masquerade chain=srcnat comment="" disabled=no out-interface=Arax
add action=dst-nat chain=dstnat comment="" disabled=yes dst-port=21 protocol=tcp src-address=!192.168.0.0/24 to-addresses=192.168.0.200 to-ports=21
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=25 protocol=tcp src-address=!192.168.0.0/24 to-addresses=192.168.0.200 to-ports=25
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=110 protocol=tcp src-address=!192.168.0.0/24 to-addresses=192.168.0.200 to-ports=110
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=143 protocol=tcp src-address=!192.168.0.0/24 to-addresses=192.168.0.200 to-ports=143
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=443 protocol=tcp src-address=!192.168.0.0/24 to-addresses=192.168.0.200 to-ports=433
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=465 protocol=tcp src-address=!192.168.0.0/24 to-addresses=192.168.0.200 to-ports=465
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=993 protocol=tcp src-address=!192.168.0.0/24 to-addresses=192.168.0.200 to-ports=993
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=995 protocol=tcp src-address=!192.168.0.0/24 to-addresses=192.168.0.200 to-ports=995
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=2222 protocol=tcp src-address=!192.168.0.0/24 to-addresses=192.168.0.250 to-ports=3389
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=3333 protocol=tcp src-address=!192.168.0.0/24 to-addresses=192.168.0.187 to-ports=3389
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=87.233.82.82 dst-port=80 protocol=tcp to-addresses=192.168.0.200 to-ports=81
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=80 protocol=tcp to-addresses=192.168.0.1 to-ports=8080
add action=masquerade chain=srcnat comment="" disabled=no dst-address=192.168.0.200 out-interface=LAN1 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="" disabled=no out-interface=WAN1
/ip firewall service-port
set ftp disabled=yes ports=21
set tftp disabled=yes ports=69
set irc disabled=yes ports=6667
set h323 disabled=yes
set sip disabled=yes ports=5060,5061
set pptp disabled=yes
[admin@MikroTik] >
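The export above shows, in one place, the NAT mistakes this thread keeps circling back to: `src-address=!192.168.0.0/24` on the dst-nat rules (so LAN clients can never match them), a hairpin masquerade rule that only covers 192.168.0.200 while 192.168.0.250 and 192.168.0.187 are also forwarded to, a catch-all port-80 proxy redirect whose position relative to the 87.233.82.82:80 forward decides which one wins, and a 443 forward whose to-ports reads 433. The script below is an added example, not MikroTik code and not something posted in the thread; it parses a constructed sample export modelled on the one above (with the proxy redirect deliberately placed above the specific rule) and reports those conditions. LAN_NET and ROUTER_ADDRS are assumptions taken from the export.

```python
"""Audit a RouterOS '/ip firewall export' for NAT pitfalls: negated (!) source
addresses on dst-nat rules, dst-nat targets with no hairpin-NAT masquerade rule,
a general rule placed above a more specific one (shadowing), and port
translations worth double-checking.  Added example, not MikroTik's code."""
import shlex

LAN_NET = "192.168.0.0/24"          # assumed LAN subnet (taken from the export)
ROUTER_ADDRS = {"192.168.0.1"}      # assumed router LAN address: no hairpin needed
MATCH_KEYS = ("chain", "protocol", "dst-port", "dst-address", "src-address", "in-interface")

# Constructed sample modelled on the posted export.  The proxy redirect
# (dst-port=80, no dst-address) is deliberately ABOVE the specific 87.233.82.82 rule.
SAMPLE_EXPORT = """\
/ip firewall nat
add action=masquerade chain=srcnat comment="Added by webbox" disabled=no out-interface=WAN2
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=25 protocol=tcp src-address=!192.168.0.0/24 to-addresses=192.168.0.200 to-ports=25
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=443 protocol=tcp src-address=!192.168.0.0/24 to-addresses=192.168.0.200 to-ports=433
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=2222 protocol=tcp src-address=!192.168.0.0/24 to-addresses=192.168.0.250 to-ports=3389
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=80 protocol=tcp to-addresses=192.168.0.1 to-ports=8080
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=87.233.82.82 dst-port=80 protocol=tcp to-addresses=192.168.0.200 to-ports=81
add action=masquerade chain=srcnat comment="" disabled=no dst-address=192.168.0.200 out-interface=LAN1 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="" disabled=no out-interface=WAN1
"""


def parse_export(text):
    """Turn 'add key=value ...' lines into dicts; 'section' records the /ip firewall ... path."""
    rules, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)      # keeps comment="Added by webbox" as one token
        if not tokens or tokens[0] != "add":
            continue
        rule = {"section": section}
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            rule[key] = val
        rules.append(rule)
    return rules


def shadows(earlier, later):
    """An earlier rule shadows a later one if every match condition it sets
    is also set, with the same value, on the later rule."""
    return all(k not in earlier or earlier[k] == later.get(k) for k in MATCH_KEYS)


def audit_nat(rules):
    """Return (kind, dst-port, detail) findings for the enabled NAT rules."""
    nat = [r for r in rules if r["section"] == "/ip firewall nat" and r.get("disabled") != "yes"]
    hairpin_targets = {
        r["dst-address"] for r in nat
        if r.get("chain") == "srcnat" and r.get("action") == "masquerade"
        and r.get("src-address") == LAN_NET and r.get("dst-address")
    }
    findings = []
    for i, r in enumerate(nat):
        if r.get("chain") != "dstnat" or r.get("action") != "dst-nat":
            continue
        port, target = r.get("dst-port"), r.get("to-addresses")
        if r.get("src-address", "").startswith("!"):
            findings.append(("negated-src", port, r["src-address"]))   # LAN clients never match
        if target and target not in hairpin_targets | ROUTER_ADDRS:
            findings.append(("no-hairpin", port, target))              # public IP unusable from LAN
        if r.get("to-ports") and r["to-ports"] != port:
            findings.append(("port-translated", port, r["to-ports"]))  # e.g. 443 -> 433: intended?
        for earlier in nat[:i]:
            if earlier.get("chain") == "dstnat" and shadows(earlier, r):
                findings.append(("shadowed", port, earlier.get("to-addresses")))
                break
    return findings


if __name__ == "__main__":
    for kind, port, detail in audit_nat(parse_export(SAMPLE_EXPORT)):
        print(f"{kind:15} dst-port={port:<5} {detail}")
```

Run it against a real `/ip firewall export` by replacing SAMPLE_EXPORT with the file contents. The "shadowed" check is order-sensitive on purpose: moving the 87.233.82.82 rule above the proxy redirect, as was done to solve the thread, makes that finding disappear, while the "port-translated" entries are only prompts to confirm each translation was intended.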
Your configuration is messed up in many ways. Your load balancing scheme is badly breaking things since you're just using ECMP instead of a stable scheme such as PCC, and your NAT rules are all over the place (and ECMP doesn't work well with servers behind NAT). Things are made worse by the fact that you appear to be using the web proxy.

My advice would be to get with a consultant to fix things up for you; this is nearly impossible to fix all at once in a forum environment, and fixing it bit by bit would mean downtime for you when sections haven't been implemented yet.

I understand. The thing is, I don't know anybody that is good in Mikrotik. About the ECMP/PCC scheme, should I change to PCC? Is this Load Balancing - Application Example good enough in my case? Will I solve the port forwarding issues?