Cannot implement transparent proxy on Hotspot-enabled MT

Dear all,
I have a MT with different output vlans.
I have enabled Hotspot for couple of them. They work perfectly.
However, there are other vlans where I don't want to use hotspot. But I want to use a transparent proxy on them for caching purposes.

I tried using: http://wiki.mikrotik.com/wiki/How_to_make_transparent_web_proxy

But no luck! After enabling the NAT rule, the users on that vlan lose their internet browsing. Is there any conflict between Hotspot and this implementation (considering that hotspot has nothing to do with this vlan and is enabled on a different vlan)?

Thanks


/ip firewall filter
add chain=input src-address-list=AllowedAdmin
add chain=forward src-address-list=AllowedAdmin
add chain=input comment=Tunnels protocol=gre src-address-list=TunnelAllowed
add chain=forward out-interface=DMZ src-address-list=ExcludedForward
add action=drop chain=input in-interface=PenTest
add action=drop chain=forward in-interface=PenTest
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=135-139 \
    protocol=tcp
add action=drop chain=virus comment="Drop Messenger Worm" dst-port=135-139 \
    protocol=udp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=445 \
    protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=445 \
    protocol=udp
add action=drop chain=virus comment=________ dst-port=593 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1024-1030 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" dst-port=1080 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1214 protocol=tcp
add action=drop chain=virus comment="ndm requester" dst-port=1363 protocol=\
    tcp
add action=drop chain=virus comment="ndm server" dst-port=1364 protocol=tcp
add action=drop chain=virus comment="screen cast" dst-port=1368 protocol=tcp
add action=drop chain=virus comment=hromgrafx dst-port=1373 protocol=tcp
add action=drop chain=virus comment=cichlid dst-port=1377 protocol=tcp
add action=drop chain=virus comment=Worm dst-port=1433-1434 protocol=tcp
add action=drop chain=virus comment="Bagle Virus" dst-port=2745 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" dst-port=2283 protocol=\
    tcp
add action=drop chain=virus comment="Drop Beagle" dst-port=2535 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.C-K" dst-port=2745 protocol=\
    tcp
add action=drop chain=virus comment="Drop MyDoom" dst-port=3127-3128 \
    protocol=tcp
add action=drop chain=virus comment="Drop Backdoor OptixPro" dst-port=3410 \
    protocol=tcp
add action=drop chain=virus comment=Worm dst-port=4444 protocol=tcp
add action=drop chain=virus comment=Worm dst-port=4444 protocol=udp
add action=drop chain=virus comment="Drop Sasser" dst-port=5554 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.B" dst-port=8866 protocol=\
    tcp
add action=drop chain=virus comment="Drop Dabber.A-B" dst-port=9898 protocol=\
    tcp
add action=drop chain=virus comment="Drop Dumaru.Y" dst-port=10000 protocol=\
    tcp
add action=drop chain=virus comment="Drop MyDoom.B" dst-port=10080 protocol=\
    tcp
add action=drop chain=virus comment="Drop NetBus" dst-port=12345 protocol=tcp
add action=drop chain=virus comment="Drop Kuang2" dst-port=17300 protocol=tcp
add action=drop chain=virus comment="Drop SubSeven" dst-port=27374 protocol=\
    tcp
add action=drop chain=virus comment="Drop PhatBot, Agobot, Gaobot" dst-port=\
    65506 protocol=tcp
add action=jump chain=forward comment="jump to the virus chain" jump-target=\
    virus
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1w chain=input comment="Port scanners to list" \
    protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1w chain=input comment="NMAP FIN Stealth scan\
    \n" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1w chain=input protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1w chain=input comment="SYN/FIN scan" protocol=tcp \
    tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1w chain=input comment="SYN/RST scan" protocol=tcp \
    tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1w chain=input comment="FIN/PSH/URG scan" protocol=\
    tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1w chain=input comment="ALL/ALL scan" protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1w chain=input comment="NMAP NULL scan" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" \
    src-address-list="port scanners"
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1w chain=forward comment="Port scanners to list " \
    protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1w chain=forward comment="NMAP FIN Stealth scan\
    \n" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1w chain=forward protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1w chain=forward comment="SYN/FIN scan" protocol=tcp \
    tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1w chain=forward comment="SYN/RST scan" protocol=tcp \
    tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1w chain=forward comment="FIN/PSH/URG scan" \
    protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1w chain=forward comment="ALL/ALL scan" protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1w chain=forward comment="NMAP NULL scan" protocol=\
    tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=forward comment="dropping port scanners" \
    src-address-list="port scanners"
add action=jump chain=forward jump-target=restrict-tcp protocol=tcp
add action=jump chain=forward jump-target=restrict-udp protocol=udp
add action=jump chain=forward jump-target=restrict-ip
add action=reject chain=restrict-tcp connection-mark=auth
add action=jump chain=restrict-tcp comment="anti-spam policy" \
    connection-mark=smtp jump-target=smtp-first-drop
add action=add-src-to-address-list address-list=approved-smtp \
    address-list-timeout=5s chain=smtp-first-drop src-address-list=first-smtp
add action=return chain=smtp-first-drop src-address-list=approved-smtp
add action=add-src-to-address-list address-list=first-smtp \
    address-list-timeout=5s chain=smtp-first-drop
add action=reject chain=smtp-first-drop
add action=jump chain=restrict-tcp connection-mark=other-tcp jump-target=drop
add action=jump chain=restrict-udp connection-mark=other-udp jump-target=drop
add action=jump chain=restrict-ip connection-mark=other jump-target=drop
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here"
add chain=input connection-state=established
add chain=input connection-state=related
add action=drop chain=input connection-state=invalid
add action=drop chain=input comment="Drop Neighboor Discovery" dst-port=5678 \
    protocol=udp
add chain=input protocol=udp
add chain=input limit=50/5s,2 protocol=icmp
add action=drop chain=input protocol=icmp
add action=drop chain=input
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-state=new in-interface=DMZ \
    src-address-list=!AllowedAdmin



/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add chain=pre-hotspot dst-address=192.168.5.5 dst-port=53 protocol=udp
add chain=pre-hotspot dst-address=192.168.5.5 dst-port=53 protocol=tcp
add action=dst-nat chain=dstnat dst-address=192.168.5.2 dst-port=666 \
    protocol=tcp to-addresses=192.168.6.2 to-ports=666
add action=redirect chain=dstnat  in-interface=F-Users dst-port=80 \
    protocol=tcp to-ports=8080

You can enable a transparent proxy in "/ip hotspot user profile". Set "transparent-proxy=yes" for the profiles you want to use the proxy. Ensure you enable the proxy in "/ip proxy".

Dear SurferTim,
I was aware some friends might think that I want this feature for users on the hotspot! However, the hotspot is enabled on a different interface of the MT; the users I'm talking about are on a different interface which doesn't see the hotspot! I mentioned the hotspot because it might be the cause!

My bad. Then you should post the nat rule you tried and the interface your clients are on.

Thanks

I updated the main post to include the filter and nat rules (verbose).

The last rule is for the users on F-Users vlan that are the target users.
As I enable this rule, they lose their net connection!

The export is unreadable in verbose.
Can you post “/ip firewall filter print”?

I edited the main post for that purpose.

Now I can read it. Add this rule and move it to the top of your filter rules.

/ip firewall filter
add chain=input action=accept in-interface=F-Users dst-port=8080 protocol=tcp
print
move X 0

Change X to the line number of this new rule.
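For readers following the fix above, here is a complete configuration put together as an added example; it is not from the thread and not MikroTik's documentation. It assumes the F-Users VLAN is 192.168.7.0/24 and that the proxy listens on port 8080, both of which are assumptions not stated in the thread. The important point it shows is that a redirect sends the client's HTTP connection to the router itself, so it is judged by the input chain, where the existing "add action=drop chain=input" at the end of the filter would discard it unless an accept rule sits above it. It also restricts who may use the proxy, so enabling /ip proxy does not turn the router into an open proxy for other VLANs or the WAN.

```routeros
# Added example (not from the original thread): transparent HTTP proxy for the
# F-Users VLAN only, alongside hotspots that stay on other VLANs.
# Assumptions (not stated in the thread): F-Users subnet is 192.168.7.0/24,
# the proxy listens on port 8080.

/ip proxy
set enabled=yes port=8080 src-address=0.0.0.0

# Only clients on F-Users may use the proxy; deny everything else so the
# proxy is not reachable from other VLANs or from the internet.
/ip proxy access
add src-address=192.168.7.0/24 action=allow comment="F-Users may use proxy"
add action=deny comment="deny everyone else"

# Redirect only HTTP from F-Users to the local proxy port. Redirected
# traffic is delivered to the router itself, so it is evaluated by the
# INPUT filter chain, not FORWARD.
/ip firewall nat
add chain=dstnat in-interface=F-Users protocol=tcp dst-port=80 \
    action=redirect to-ports=8080 comment="transparent proxy F-Users"

# The existing filter set ends with "add action=drop chain=input", which
# drops the redirected connections. Accept them first; place-before=0 puts
# the rule at the top so it is matched before that drop. Established and
# related traffic is already accepted by the existing input rules.
/ip firewall filter
add chain=input in-interface=F-Users protocol=tcp dst-port=8080 \
    connection-state=new action=accept comment="allow F-Users to proxy" \
    place-before=0

# Verification: the accept rule's counters should grow while a client on
# F-Users browses, and the proxy should list its connections.
/ip firewall filter print stats where comment="allow F-Users to proxy"
/ip proxy connections print
```

If the counters on the accept rule stay at zero while browsing still fails, the redirect itself is not matching (check the in-interface name against /interface vlan print); if they grow but pages still do not load, look at /ip proxy access, since a deny there produces an error page from the proxy rather than a timeout.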

Dear ST,

It didn't work!

I think it must have something to do with the co-existence of the hotspot rules.

What physical interface is the hotspot on? What physical interfaces are the vlans on?

All of them are on different vlans of a physical interface!

This is why I suspect the hotspot! However, I have 5 vlans on that interface and two hotspots on two of the vlans, all working fine!

Do you have the hotspot universal NAT disabled on those hotspots?

/ip hotspot print

Yes, I don't NAT on the MikroTik, and I disabled any IP pool on the hotspots.


Flags: X - disabled, I - invalid, S - HTTPS 
 #   NAME        INTERFACE        ADDRESS-POOL        PROFILE        IDLE-TIMEOUT
 0   hs-RC-Users RC-Users                             RC-hsprof      5m          
 1   hs-R&D-U... R&D-Users                            R&D-hsprof     5m