Authentication

I’m using this as a transparent proxy. I’m trying to close my open proxies by authenticating. I tried using a hotspot configuration but never really got it to work. Ideally I would be able to authenticate the MAC address of the RouterBOARD over a VPN using something like RADIUS. I’m just not quite sure how to tie all of this together. I see a forward proxy setup in the hotspot and I was wondering if that might be a solution. But the users do not want to sign into a splash screen. Everything needs to be transparent to the end user. I realize this setup is a bit outlandish but I’d be willing to entertain custom scripting too.

Maybe it’s better to just close your proxy by blocking external requests in the firewall filter?

Going to a more related topic, is there a way to bypass the proxy upon failure for the transparent proxy setup?

What do you mean?

I’ve configured the proxy section for transparent proxy. That works fine. But what happens if the proxy goes down? Can I tell the OS to “bypass on failure”? That is, if it is not available, go direct to Internet instead.

Add a netwatch that checks the IP address of the proxy. If it fails, disable the NAT rule; when it is up, enable the NAT rule.

Is that in the download section of MikroTik?

Are you talking about Parent Proxy, or about RouterOS WebProxy?

I think if WebProxy is down, then your router is down too, so you don’t need failure detection on that level.

If the parent proxy goes down.

Trying to understand how the RouterBOARD 450 interfaces work. If I set up for NAT, how do I make the private interfaces work? I enabled eth1 for DHCP, which is public. I enabled eth2 for static, which is private. I enabled NAT. I can get online. If I plug into eth3-5 I cannot get online. I tried playing with bridging but I assume that is just layer 2. Do I need to give each interface an IP to make NAT work? I know the smaller units just work right out of the box. Not sure if this is different.

As mentioned above, write a netwatch script that enables/disables the NAT rule that sends traffic to the proxy on host up/down.

If you want eth2-5 to all be on the same network, add them to a bridge and put the inside IP address on the bridge itself. If you want them all to be on different networks, they each need IPs for the respective networks.

When I enable the proxy I can no longer manage the web interface. How do I exclude local addresses when I do that?

Add dst-address-type=!local
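
The three suggestions in this thread (firewall filter for the open proxy, netwatch toggling the NAT rule, and `dst-address-type=!local`) combined into one RouterOS configuration, as an added example that is not from any poster in the thread. The interface names `ether1` and `bridge-lan`, proxy port 8080, the parent proxy address 192.0.2.10 and the rule comments are assumptions.

```routeros
# Assumed layout (not from the thread):
#   ether1      = public/WAN interface
#   bridge-lan  = bridge holding the private ports, with the inside IP on it
#   8080        = port the RouterOS web proxy listens on
#   192.0.2.10  = parent proxy (documentation address, replace with yours)

# Transparent redirect of LAN HTTP traffic to the local web proxy.
# dst-address-type=!local skips traffic addressed to the router itself,
# so the router's own web interface stays reachable.
/ip firewall nat add chain=dstnat in-interface=bridge-lan protocol=tcp \
    dst-port=80 dst-address-type=!local action=redirect to-ports=8080 \
    comment="proxy-redirect"

# Close the open proxy: drop connections to the proxy port that arrive
# on the public interface. LAN clients are unaffected.
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp \
    dst-port=8080 action=drop comment="block-external-proxy"

# Bypass on failure: netwatch probes the parent proxy and toggles the
# redirect rule, so clients go direct while the parent is unreachable.
/tool netwatch add host=192.0.2.10 interval=30s \
    down-script="/ip firewall nat disable [find comment=\"proxy-redirect\"]" \
    up-script="/ip firewall nat enable [find comment=\"proxy-redirect\"]"

# Verify: the drop rule's packet counter should increase when the proxy
# port is probed from outside, and the NAT rule should show as disabled (X)
# while netwatch reports the host down.
/ip firewall filter print stats where comment="block-external-proxy"
/ip firewall nat print where comment="proxy-redirect"
/tool netwatch print
```

Netwatch in this form checks that the host answers ping, not that the proxy service on it is accepting requests, so a parent proxy whose daemon has stopped while the host stays up will not trigger the bypass.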