
Mikrotik with External Proxy

Posted: Thu Jan 20, 2011 4:38 pm
by ferdinandbabst
Hi, I would like to use Mikrotik with an external Squid transparent proxy.
I would however like to know, how do you set up the forwarding rules on Mikrotik so that the IP of the user is passed to the Squid? If you do a normal dstnat rule the Mikrotik passes its own IP to Squid.
I'm sure you can do it by using routing marks but I'm not at all sure how to go about it.



Thanks

Re: Mikrotik with External Proxy

Posted: Thu Jan 20, 2011 5:08 pm
by fewi
If the router is used as a proxy with a parent proxy set, the packets MUST have the source IP address of the router; that's how chained proxies work.

If you're destination NATing to the Squid proxy directly and the router source NATs the packets to itself then it's doing so because you specifically told it to do so in the source NAT rule set. Reconfigure your ruleset so that it stops doing that. If you need help with that please post a network diagram with IP addresses and device names, and the output of "/ip address print detail", "/ip route print detail", "/interface print", "/ip firewall export".

Re: Mikrotik with External Proxy

Posted: Fri Jan 21, 2011 9:06 am
by ferdinandbabst
Hi, thanks for the reply.

Here are the IP address details:
0 address=10.100.0.1/24 network=10.100.0.0 broadcast=10.100.0.255 interface=ether1 actual-interface=ether1

1 address=172.16.0.2/29 network=172.16.0.0 broadcast=172.16.0.7 interface=ether2 actual-interface=ether2

IP Route detail

0 A S dst-address=0.0.0.0/0 gateway=172.16.0.1 gateway-status=172.16.0.1 reachable ether2 distance=1 scope=30 target-scope=10

1 ADC dst-address=10.100.0.0/24 pref-src=10.100.0.1 gateway=ether1 gateway-status=ether1 reachable distance=0 scope=200

2 ADC dst-address=172.16.0.0/29 pref-src=172.16.0.2 gateway=ether2 gateway-status=ether2 reachable distance=0 scope=10

Firewall Export:

add action=dst-nat chain=dstnat comment="" disabled=no dst-port=!443 protocol=tcp src-address=10.100.0.0/24 to-addresses=172.16.0.1 to-ports=8080
add action=masquerade chain=srcnat comment="" disabled=no src-address=10.100.0.0/24

Re: Mikrotik with External Proxy

Posted: Fri Jan 21, 2011 4:03 pm
by fewi
Your only option is to remove the masquerade rule and do all source NAT on the Squid box, or to introduce another NAT router behind the Squid box. If all traffic goes through the Squid box anyway, why are you destination NATing at all?
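
As an added illustration (not part of the original thread, and a Python model rather than RouterOS code), the sketch below replays the two NAT rules from the posted export against a constructed client packet to show which source address Squid sees with and without the masquerade rule. The client 10.100.0.50 and the destination 203.0.113.10 are assumed sample values, and the model implements only the matchers used in the posted rules.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

# The two NAT rules from the posted export, as matcher dictionaries.
DSTNAT = [{"action": "dst-nat", "protocol": "tcp", "dst-port": "!443",
           "src-address": "10.100.0.0/24",
           "to-addresses": "172.16.0.1", "to-ports": "8080"}]
SRCNAT = [{"action": "masquerade", "src-address": "10.100.0.0/24"}]
ROUTER_ETHER2 = "172.16.0.2"  # router address on the interface facing Squid

def matches(rule, pkt):
    """True when every matcher present in the rule accepts the packet."""
    if "protocol" in rule and rule["protocol"] != pkt.proto:
        return False
    net = rule.get("src-address")
    if net and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(net):
        return False
    port = rule.get("dst-port")
    if port is not None:
        negate, value = port.startswith("!"), int(port.lstrip("!"))
        if (pkt.dport == value) == negate:  # "!443" must reject port 443
            return False
    return True

def traverse(pkt, dstnat, srcnat, out_addr):
    """dstnat runs before routing, srcnat after; first matching rule wins."""
    rule = next((r for r in dstnat if matches(r, pkt)), None)
    if rule:
        pkt = replace(pkt, dst=rule["to-addresses"], dport=int(rule["to-ports"]))
    rule = next((r for r in srcnat if matches(r, pkt)), None)
    if rule and rule["action"] == "masquerade":
        pkt = replace(pkt, src=out_addr)  # source becomes the router itself
    return pkt

def squid_view(srcnat):
    """Packet as it arrives at Squid for a constructed client HTTP request."""
    client = Packet("10.100.0.50", "203.0.113.10", 80)  # constructed sample
    return traverse(client, DSTNAT, srcnat, ROUTER_ETHER2)

if __name__ == "__main__":
    print("with masquerade:   ", squid_view(SRCNAT))
    print("without masquerade:", squid_view([]))
```

With the masquerade rule removed the Squid box receives packets sourced from 10.100.0.0/24, so it needs a route back to that network via 172.16.0.2.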

Re: Mikrotik with External Proxy

Posted: Fri Mar 11, 2011 10:09 pm
by rumiclord
Has anyone got this working correctly? I have a squid server that works fine when I manually put the proxy settings into Internet exploder. When I use the dst-nat rule I only get invalid request from the squid box.
/ip firewall nat
chain=dstnat action=dst-nat to-addresses=172.16.1.1 to-ports=3128 
     protocol=tcp src-address=172.16.0.2 in-interface=ether2 dst-port=80 
Getting error "The requested URL could not be retrieved"
The following error was encountered:
Invalid Request

I want to send all port 80 traffic from 172.16.0.2 to 172.16.1.1 port 3128, which appears to be working, however this error message is telling me that it is NOT working... but this message is of course coming from the squid server. Any insight would be greatly appreciated.