CHR - Access Internet via external Proxy

huntah · May 18, 2018, 1:34pm

Hi,

I have a Dude Server installed on a CHR (Hyper-V) which is working. ROS 6.42.2.
There is only one ether interface name=ether1.
IP and Default GW, DNS is configured and I can ping and traceroute everthing as I should.
But the Main Firewall is blocking internet acess directly and I have to use Proxy server (ProxyIP:8080).
If I enable IP-WebProxy and specify ParentProxy it is not enough.
I have tried with dst-nat but nothing happens (
There are no other Ip firewall rules.

Can some one tell how to write a rule so that the download.mikrotik.com and license.mikrotik.com are accessable via my external proxy from CHR.

CZFan · May 18, 2018, 5:38pm

You can try something like below:

ip firewall nat add in-interface=eth1 src-address=!<IP of Proxy> protocol=tcp action=dst-nat to-addresses=<IP of Proxy> to-ports=8080

huntah · May 21, 2018, 1:52pm

Hi CZFan,

first sorry for late reply. I think you have just pasted the same answer which I already tried and found on forum. And It is missing a chain.
But it does not work (it does not count the packets).

So here is the complete ip firewall export:
/ip firewall address-list
add address=download.mikrotik.com list=Mikrotik
/ip firewall nat
add action=dst-nat chain=dstnat in-interface=ether1 protocol=tcp src-address=!10.140.10.240 to-addresses=10.140.10.240 to-ports=8080

The counters are not increasing.

CZFan · May 21, 2018, 4:04pm

Maybe reason is it is secure traffic, have you tried with TLS-Host, something like (have not tested it and not sure if the TLS host is specified correctly)

add action=dst-nat chain=dstnat dst-port=443 protocol=tcp src-address=127.0.0.1 tls-host=mikrotik.com to-addresses=<Ext Proxy IP> to-ports=8080