You cannot have the Squid proxy and the clients on the same network and see their real IP while using destination NAT. The proxy server must be on a different network for that. Once that is in place add an “out-interface=[name of WAN interface]” qualifier to your existing source NAT rule.
Squid and the hotspot users are not in the same network. But my Squid is using just one NIC. My understanding is that there are many workarounds with a single NIC.
Then all you need to do is edit your source NAT rule so that it does not source NAT traffic flowing from the router to the Squid server to the router’s interface IP. The best way to do that is an ‘out-interface’ modifier, as posted. That works fine with a single NIC.
If you need help with that post the output of “/interface print detail”, “/ip address print detail”, and “/ip firewall nat export”.
You will need to add a route to 10.5.0.0/16 via 192.168.15.100 so that the WAN network knows how to reach your Hotspot network. You then also need to configure the main router for 192.168.15.0/24 to NAT 10.5.0.0/16 towards its upstream routers. Then you can delete the masquerade rule on the Mikrotik router that implements the Hotspot, and the Squid box will see a 10.5.0.0/16 address from the client. Right now you’re telling the router specifically to source NAT - and you probably have to, since the rest of the 192.168.15.0/24 network wouldn’t have any idea how to get back to 10.5.0.0/16.
What about the following routing? As per this, the hotspot client can access the net,
but I lack the knowledge of the firewall rules needed to reach the Squid box.
I have already done the PREROUTING rule in my Squid box to accept any hit from the Mikrotik.
Chain PREROUTING (policy ACCEPT)
num  target    prot opt source     destination
1    REDIRECT  tcp  --  0.0.0.0/0  0.0.0.0/0    tcp dpt:80 redir ports 3128
/ip route print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 A S dst-address=0.0.0.0/0 gateway=192.168.15.50
gateway-status=192.168.15.50 reachable ether2wan distance=1 scope=30
target-scope=10
I am talking about routing on the upstream network, 10.5.0.0/16.
Think about it this way: does the Squid box know how to get back to 10.5.0.0/16?
Right now the answer appears to be no. So how can you have the 10.5.0.0/16 address of a client in the source address field of a packet going to the Squid box if the Squid box could never send a packet back because 192.168.15.0/25 doesn’t know how to reach 10.5.0.0/16?
In this way I tried many rules in Mikrotik to reach the Squid, but unfortunately I could not make it work because of my lack of knowledge in this area…
Can you please guide me to create a proper rule here?
Again: the problem isn’t the Mikrotik router. The problem is the OTHER NETWORK. The 192.168.15.0/24 network the Mikrotik router connects to. Fix THAT network and make sure it has routes to 10.5.0.0/16. I can’t help you with that because you haven’t posted any details regarding that network.
Once you have fixed THE OTHER network you can then simply remove the masquerade rule on the Mikrotik router. If you cannot fix the other network then you have to keep that masquerade in place, and will only see 192.168.15.100 as the source IP address on the Squid host. There is no other workaround.
This is the routing table on my Squid box (192.168.15.250). So you are telling me I need to create another route here to reach the 10.5.0.0/16 network, right?
[root@hotspot ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.15.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 192.168.15.50 0.0.0.0 UG 0 0 0 eth0
Yes. That would be one option. Ideally all devices in 192.168.15.0/24 should be able to route back to 10.5.0.0/16, so you’d also want to put such a route on all other routers on that network.
You initially said that the Squid logs are showing the Mikrotik router IP (192.168.15.100) - how is that traffic getting there right now? Because of what you said, I had assumed that you already had something set up to get traffic to the Squid proxy.
If you want to punt just all HTTP traffic there you can search the wiki and find countless articles for RouterOS and external proxies that include rules like this:
Next time you ask for help this will be easier if you include ALL the relevant details at the beginning. This has been much more complicated than it needed to be.
The rules you have would forward all traffic from 10.5.0.0/16 to tcp/80 to port tcp/3128 on 192.168.15.250.
You have since removed the source NAT rules. If you didn’t implement routing back to 10.5.0.0/16 in ALL of the 192.168.15.0/25 network (and you said you wouldn’t) that would make all other traffic, including DNS lookups, impossible. You’d want to have these source NAT rules:
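Putting the pieces of this thread together as an added example: this is not any poster's configuration, and the interface name (ether2wan), the router address 192.168.15.100, the Squid host 192.168.15.250:3128 and the client range 10.5.0.0/16 are assumptions taken from the outputs posted above. It shows the three NAT rules that let Squid see the real 10.5.x.x client address while the rest of the hotspot traffic stays masqueraded, which is what the earlier posts describe is required when only the Squid host gets a route back to 10.5.0.0/16.

```routeros
# Added example for this thread, not any poster's own config.
# Assumptions (taken from the outputs posted above, not verified here):
#   - the Mikrotik's upstream interface is ether2wan, address 192.168.15.100/24,
#     default gateway 192.168.15.50 on that same interface
#   - hotspot clients are in 10.5.0.0/16
#   - the Squid box is 192.168.15.250 and listens on tcp/3128
#   - the Squid box has a return route: 10.5.0.0/16 via 192.168.15.100
#   - the rest of 192.168.15.0/24 has NO route back to 10.5.0.0/16,
#     so everything that does not go to Squid must still be masqueraded

/ip firewall nat

# 1. Transparent proxy: send the hotspot clients' HTTP to Squid.
#    dstnat runs before srcnat, so when the srcnat chain sees the packet
#    its destination is already 192.168.15.250.
add chain=dstnat src-address=10.5.0.0/16 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.15.250 to-ports=3128 \
    comment="hotspot HTTP -> Squid (transparent)"

# 2. Do NOT source NAT traffic headed for the Squid box. Squid then logs the
#    client's 10.5.x.x address and can reply because of the route on the
#    Squid host. Matching on out-interface alone is not enough here because
#    the Squid host sits on the same interface as the default gateway, so the
#    rule also matches on dst-address. action=accept ends srcnat processing
#    for the packet without translating it. Rule order matters: this must
#    come before the masquerade rule.
add chain=srcnat out-interface=ether2wan dst-address=192.168.15.250 \
    action=accept comment="keep client IP intact towards Squid"

# 3. Everything else leaving ether2wan (DNS, HTTPS, non-80 traffic) is still
#    masqueraded to 192.168.15.100, because the other hosts in
#    192.168.15.0/24 cannot route back to 10.5.0.0/16.
add chain=srcnat out-interface=ether2wan action=masquerade \
    comment="masquerade hotspot -> upstream"

# Check: packet counters on the accept rule must climb while a client browses.
/ip firewall nat print stats
```

On the Squid host the matching return route is the one discussed above (on Linux: ip route add 10.5.0.0/16 via 192.168.15.100 dev eth0); without it the rule in step 2 would simply make the client's HTTP connections hang, because Squid has nowhere to send the SYN/ACK. A quick way to confirm the whole chain is to watch the Squid host with tcpdump on port 3128 and verify that the source addresses are 10.5.x.x rather than 192.168.15.100.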