External transparent Squid proxy is not showing user logs

With your given rules I can still access the net without Squid,

So I think the issue is with my following rule to access Squid (the firewall export given below is without these entries):

/ip firewall nat
add chain=dstnat src-address=192.168.15.250 dst-port=80 protocol=tcp action=accept
add chain=dstnat src-address=10.5.0.0/16 dst-port=80 protocol=tcp action=dst-nat to-address=192.168.15.250 to-port=3128


/ip firewall export

# jan/02/1970 14:21:21 by RouterOS 5.6
# software id = 51KH-93NN

/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=accept chain=srcnat disabled=no dst-address=192.168.15.250 src-address=10.5.0.0/16
add action=masquerade chain=srcnat disabled=no out-interface=ether2wan
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no

Please check my firewall rules:

Using these, the forward proxy works well when the proxy address is put in the browser, but it is not working as a transparent proxy.
Is it a problem with routing, or are there changes to be done in Squid?

/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-port=80 protocol=tcp src-address=10.5.0.0/16 to-addresses=192.168.15.250 to-ports=3128
add action=masquerade chain=srcnat disabled=no out-interface=ether2wan

Can anybody help me? I am still getting logs in my transparent proxy with the IP of the MikroTik router only, not the hotspot users' IPs.

I posted to use these source NAT lines:

/ip firewall nat
add chain=srcnat src-address=10.5.0.0/16 dst-address=192.168.15.250 action=accept
add chain=srcnat out-interface=ether2wan action=masquerade

As I explained several times, the ‘accept’ rule makes sure that the traffic from 10.5.0.0/16 to the Squid proxy doesn’t have source NAT applied to it.
You only seem to have the bottom one in your configuration.
Also, again - and for the last time: that will also require that your Squid box has a route back to 10.5.0.0/16. At this point I’ve lost any and all overview of what you’ve changed where.
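The two conditions fewi keeps repeating (an ‘accept’ rule that hits before ‘masquerade’ in the srcnat chain, and a route on the Squid box back to 10.5.0.0/16) can be checked with a small model of first-match NAT evaluation. The following is an added example written for this thread, not fewi's or anyone else's RouterOS configuration; the router address 192.168.15.1 and the client and destination addresses are constructed, and the out-interface match of the masquerade rule is treated as always true because, per the diagram, the proxy sits on the WAN side of the MikroTik. The same route check also shows the failure mode from the later PayPal post: a server that only knows how to reach the router's own address cannot answer packets that still carry a 10.5.x.x source.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional

# Constructed values: ROUTER_ADDR is an assumed MikroTik address on the proxy LAN;
# PROXY_ADDR and HOTSPOT_NET are the addresses used in the thread.
ROUTER_ADDR = "192.168.15.1"
PROXY_ADDR = "192.168.15.250"
HOTSPOT_NET = "10.5.0.0/16"


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Rule:
    chain: str                      # "dstnat" or "srcnat"
    action: str                     # "accept", "dst-nat" or "masquerade"
    src_net: Optional[str] = None   # src-address=
    dst_addr: Optional[str] = None  # dst-address=
    dport: Optional[int] = None     # dst-port=
    proto: Optional[str] = None     # protocol=
    to_address: Optional[str] = None
    to_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        """All specified criteria must match; unspecified criteria match anything."""
        if self.src_net and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_addr and pkt.dst != self.dst_addr:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        return True


def run_chain(rules: List[Rule], chain: str, pkt: Packet) -> Packet:
    """First matching rule in the chain decides; no match leaves the packet untouched."""
    for r in rules:
        if r.chain != chain or not r.matches(pkt):
            continue
        if r.action == "accept":
            return pkt                                    # stop: no NAT for this packet
        if r.action == "dst-nat":
            return replace(pkt, dst=r.to_address, dport=r.to_port)
        if r.action == "masquerade":
            return replace(pkt, src=ROUTER_ADDR)          # source becomes the router
    return pkt


def forward(rules: List[Rule], pkt: Packet) -> Packet:
    """RouterOS order: dstnat on ingress, then routing, then srcnat on egress."""
    return run_chain(rules, "srcnat", run_chain(rules, "dstnat", pkt))


def proxy_can_reply(proxy_routes: List[str], client_src: str) -> bool:
    """The Squid box can only answer if one of its routes covers the (un-NATed) client."""
    return any(ipaddress.ip_address(client_src) in ipaddress.ip_network(n) for n in proxy_routes)


# The rules from the thread, expressed in the model.
REDIRECT_HTTP = Rule("dstnat", "dst-nat", src_net=HOTSPOT_NET, dport=80, proto="tcp",
                     to_address=PROXY_ADDR, to_port=3128)
ACCEPT_TO_PROXY = Rule("srcnat", "accept", src_net=HOTSPOT_NET, dst_addr=PROXY_ADDR)
MASQUERADE = Rule("srcnat", "masquerade")   # out-interface=ether2wan assumed to match

ONLY_MASQUERADE = [REDIRECT_HTTP, MASQUERADE]                  # what the poster has
ACCEPT_THEN_MASQUERADE = [REDIRECT_HTTP, ACCEPT_TO_PROXY, MASQUERADE]  # what fewi posted


def source_seen_by_squid(rules: List[Rule], client: str = "10.5.1.20") -> str:
    """Source address Squid would log for a client web request (203.0.113.10 is a constructed destination)."""
    return forward(rules, Packet(src=client, dst="203.0.113.10", dport=80)).src


if __name__ == "__main__":
    print("masquerade only :", source_seen_by_squid(ONLY_MASQUERADE))
    print("accept first    :", source_seen_by_squid(ACCEPT_THEN_MASQUERADE))
    print("reply w/o route :", proxy_can_reply(["192.168.15.0/24"], "10.5.1.20"))
    print("reply with route:", proxy_can_reply(["192.168.15.0/24", HOTSPOT_NET], "10.5.1.20"))
```

Run as-is it prints the router address for the first rule set and the client address for the second, which is exactly the difference between the log the poster sees and the one they want. The route check is the other half: once the accept rule stops masquerading, every host that receives un-NATed 10.5.x.x packets (the Squid box, and any other server reached without NAT) needs a route to 10.5.0.0/16 via the MikroTik, or its replies never come back.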

Thanks Fewi for your wonderful support,

I have done it with a few changes, please see the diagram:

ADSL router
|
|
Proxy
|
|
Mikrotik
|
|
Switch for hotspot users

/ip firewall export
add action=dst-nat chain=dstnat disabled=no dst-port=80 protocol=tcp src-address=10.5.0.0/16 to-addresses=192.168.1.250 to-ports=3128

Thanks again for your time, but I think it can be done with a single NIC in the Squid server, right?

Good evening,

I have the same problem as “nbsdubai”. I solved it by removing the masquerade from the MKT router as indicated, and I see the clients' web page logs in my Squid; up to here everything is perfect. The problem is that my PayPal payment system does not work. I mean: it is a hotspot to which the clients connect, pay via PayPal and begin to surf. The problem then is that when the client has paid (with masquerade disabled) the system cannot load the success.php which is on my server, but when I enable the masquerade everything works fine, though of course I then cannot log the clients' information in my Squid; I just get it with the IP of the hotspot.

Internet—Squid proxy—hotspot (10.139.88.4)-----clients (10.5.50.0/24)
Thanks for your help

Regards