Mikrotik with External Proxy

by ferdinandbabst » Thu Jan 20, 2011 5:38 pm

Hi, I would like to use Mikrotik with an external Squid transparent proxy.
I would however like to know, how do you set up the forwarding rules on Mikrotik so that the IP of the user is passed to the Squid? If you do a normal dstnat rule, the Mikrotik passes its own IP to Squid.
I'm sure you can do it by using routing marks, but I'm not at all sure how to go about it.



Thanks


by fewi » Thu Jan 20, 2011 6:08 pm

If the router is used as a proxy with a parent proxy set, the packets MUST have the source IP address of the router; that's how chained proxies work.

If you're destination NATing to the Squid proxy directly and the router source NATs the packets to itself, then it's doing so because you specifically told it to do so in the source NAT rule set. Reconfigure your ruleset so that it stops doing that. If you need help with that, please post a network diagram with IP addresses and device names, and the output of "/ip address print detail", "/ip route print detail", "/interface print", "/ip firewall export".
Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.


by ferdinandbabst » Fri Jan 21, 2011 10:06 am

Hi, thanks for the reply.

Here is the IP address detail:
0 address=10.100.0.1/24 network=10.100.0.0 broadcast=10.100.0.255 interface=ether1 actual-interface=ether1

1 address=172.16.0.2/29 network=172.16.0.0 broadcast=172.16.0.7 interface=ether2 actual-interface=ether2

IP Route detail

0 A S dst-address=0.0.0.0/0 gateway=172.16.0.1 gateway-status=172.16.0.1 reachable ether2 distance=1 scope=30 target-scope=10

1 ADC dst-address=10.100.0.0/24 pref-src=10.100.0.1 gateway=ether1 gateway-status=ether1 reachable distance=0 scope=200

2 ADC dst-address=172.16.0.0/29 pref-src=172.16.0.2 gateway=ether2 gateway-status=ether2 reachable distance=0 scope=10

Firewall Export:

add action=dst-nat chain=dstnat comment="" disabled=no dst-port=!443 protocol=tcp src-address=10.100.0.0/24 to-addresses=172.16.0.1 to-ports=8080
add action=masquerade chain=srcnat comment="" disabled=no src-address=10.100.0.0/24
Attachment: Diagram.png


by fewi » Fri Jan 21, 2011 5:03 pm

Your only option is to remove the masquerade rule and do all source NAT on the Squid box, or to introduce another NAT router behind the squid box. If all traffic goes through the squid box anyway why are you destination NATing at all?
Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.
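
An added example, not part of the original posts: a small Python model of the two NAT rules posted above, showing why Squid sees the router's address (172.16.0.2) while the masquerade rule is present and the client's own address once it is removed. The client and destination addresses are constructed, and the model assumes the usual RouterOS order (dstnat before routing, srcnat after).

```python
import ipaddress
from dataclasses import dataclass, replace

LAN = ipaddress.ip_network("10.100.0.0/24")   # ether1 network from the post
ROUTER_ETHER2_IP = "172.16.0.2"               # ether2 address from the post
SQUID = ("172.16.0.1", 8080)                  # to-addresses / to-ports from the post


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def dstnat(pkt):
    """Posted rule: tcp, src 10.100.0.0/24, dst-port=!443 -> 172.16.0.1:8080."""
    if pkt.proto == "tcp" and ipaddress.ip_address(pkt.src) in LAN and pkt.dport != 443:
        return replace(pkt, dst=SQUID[0], dport=SQUID[1])
    return pkt


def srcnat(pkt, masquerade):
    """Posted rule: masquerade anything sourced from 10.100.0.0/24.
    It has no dst-address or out-interface condition, so redirected
    proxy traffic is rewritten as well."""
    if masquerade and ipaddress.ip_address(pkt.src) in LAN:
        return replace(pkt, src=ROUTER_ETHER2_IP)
    return pkt


def seen_by_squid(pkt, masquerade):
    """Return the packet as it leaves ether2 towards 172.16.0.1."""
    return srcnat(dstnat(pkt), masquerade)


def distinct_sources(clients, masquerade):
    """Source addresses Squid would log for a set of LAN clients."""
    # 198.51.100.10 is a constructed destination (documentation range).
    return {seen_by_squid(Packet(c, "198.51.100.10", 80), masquerade).src
            for c in clients}


if __name__ == "__main__":
    clients = ["10.100.0.50", "10.100.0.51"]   # constructed sample clients
    print("with masquerade:   ", distinct_sources(clients, True))
    print("without masquerade:", distinct_sources(clients, False))
```

With the masquerade rule removed, the Squid box receives packets sourced from 10.100.0.0/24, so it needs a route back to that network via 172.16.0.2 and has to perform the source NAT itself.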


by rumiclord » Fri Mar 11, 2011 11:09 pm

Has anyone got this working correctly? I have a squid server that works fine when I manually put the proxy settings into Internet exploder. When I use the dst-nat rule I only get invalid request from the squid box.

Code:
/ip firewall nat
chain=dstnat action=dst-nat to-addresses=172.16.1.1 to-ports=3128
     protocol=tcp src-address=172.16.0.2 in-interface=ether2 dst-port=80


Getting error "The requested URL could not be retrieved"
The following error was encountered:
Invalid Request

I want to send all port 80 traffic from 172.16.0.2 to 172.16.1.1 port 3128, which appears to be working, however this error message is telling me that it is NOT working... but this message is of course coming from the squid server. Any insight would be greatly appreciated.
