Firewall Rule problem.

Hi,

I have RouterOS 3.1 and am using it to dst-nat traffic to my Squid server. I bet this is going to be a stupid question, but here goes.

In the Firewall NAT I forward all port 80 traffic to Squid (192.168.0.4) on port 3128, and Squid sends it out to the internet via gateway 192.168.0.1.

However, I am adding failover to the network and I would like to add Squid to it, so that if one of the internet lines dies Squid can still connect via the other cable modem.

Squid Server
IP:192.168.0.4 - GW: 192.168.0.1

If it had 192.168.0.251 as its gateway, then with the failover scripts the MT router would handle the gateway: if 192.168.0.1 fails it redirects to 192.168.0.252 (Cable Modem).

However here is the problem.

If I dst-nat all traffic from 192.168.0.0/24 to Squid (dst-nat 192.168.0.4 to-port=3128)
and then on the Squid server set the internet gateway to 192.168.0.251 (MT Router), I get this error:

While trying to retrieve the URL: http://www.hotmail.msn.com/cgi-bin/sbox?

The following error was encountered:
Unable to forward this request at this time.
This request could not be forwarded to the origin server or to any parent caches. The most likely cause for this error is that:
The cache administrator does not allow this cache to make direct connections to origin servers, and
All configured parent caches are currently unreachable.

I need it to pass the request back through the MT to whichever gateway is being used, so what rule would I add to make the traffic come back into the MT and out to the correct gateway?

I hope this makes sense to people.

Here is my Firewall NAT setup:

0 ;;; Allow connections from proxy
chain=srcnat action=accept src-address=192.168.0.4

1 ;;; Join Networks
chain=srcnat action=masquerade

2 ;;; Route Port 80 to Squid
chain=dstnat action=dst-nat to-addresses=192.168.0.4 to-ports=3128
dst-port=80 protocol=tcp

I am really not sure what to do; can someone point out a wiki that could help, or just give some advice?

Thanks.

AOA


http://wiki.mikrotik.com/wiki/How_to_use_external_open_source_caching_server

I think that is a Squid problem. Which version of Squid do you use? Try an older version, e.g. Squid 2.5 or 2.6.
I had a problem like that with Squid 3.0, but it works perfectly with Squid 2.5.

I am running Squid 2.6 STABLE; however, the only way I seem to be able to make it work is to give Squid a different gateway than the MT. We are using an RB600.

We have the WAN and the LAN setup as described here

http://forum.mikrotik.com/t/how-to-setupu-dhcp-client/23848/1

Here is a network layout plan attached.

If I have the gateway of squid as 192.168.0.1 which is the RB600 and enable the firewall NAT rule I get this error:

ERROR
The requested URL could not be retrieved

While trying to retrieve the URL: http://www.google.co.uk

The following error was encountered:

  • Unable to forward this request at this time.

This request could not be forwarded to the origin server or to any parent caches. The most likely cause for this error is that:

  • The cache administrator does not allow this cache to make direct connections to origin servers, and
  • All configured parent caches are currently unreachable.

Your cache administrator is email:info@rednetwifi.com.
Generated Sun, 24 May 2009 10:11:16 GMT by squid (squid/2.6.STABLE18)

However if I configure my browser to use a proxy server and don’t enable the NAT it works perfectly.

Also if I set the gateway of one of the cable modems as 192.168.0.6 and then configure the squid to use that as the gateway it works fine.

What would be the most correct way of connecting Squid into the network? The way I had the network configured before was incorrect, and now that it is corrected I can't seem to get Squid working again.

Any advice would be appreciated.

Regards

D
Layout.pdf (81.5 KB)
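One configuration check that is worth running against a NAT rule set like the one posted in the first message. This is an added example, not code from the thread or from MikroTik: it parses a RouterOS `print`-style NAT dump, finds any dstnat rule that redirects TCP port 80 to the proxy, and reports whether that rule would also match connections the proxy itself originates. When the proxy's own outbound fetches are redirected back into it, Squid sees its own request again and refuses it, which is a common (assumed here, not confirmed by the thread) cause of the "Unable to forward this request at this time" page. The `RULES_FIXED` sample, with `src-address=!192.168.0.4` added to rule 2, is constructed to show the check passing; the `/ip firewall nat set` command the script suggests is standard RouterOS CLI syntax, but treat it as an illustration rather than a verified fix for this network.

```python
import ipaddress
import re

PROXY_IP = "192.168.0.4"  # Squid host as given in the thread

# Sample input: the NAT dump exactly as posted in the first message.
RULES_FROM_THREAD = """\
0 ;;; Allow connections from proxy
chain=srcnat action=accept src-address=192.168.0.4

1 ;;; Join Networks
chain=srcnat action=masquerade

2 ;;; Route Port 80 to Squid
chain=dstnat action=dst-nat to-addresses=192.168.0.4 to-ports=3128
dst-port=80 protocol=tcp
"""

# Constructed variant: rule 2 excludes traffic that originates from the proxy.
RULES_FIXED = RULES_FROM_THREAD.replace(
    "dst-port=80 protocol=tcp",
    "dst-port=80 protocol=tcp src-address=!192.168.0.4",
)

_RULE_HEAD = re.compile(r"^\s*(\d+)\s+(?:[A-Z]+\s+)?(.*)$")  # "<n> [flags] rest"
_KV = re.compile(r"([\w-]+)=(\S+)")


def parse_rules(text):
    """Turn a RouterOS 'print' style dump into a list of dicts.

    A rule starts with its number, optionally followed by ';;; comment';
    its key=value pairs may continue on following lines (as in the thread),
    so those lines are folded into the most recent rule.
    """
    rules = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        head = _RULE_HEAD.match(line)
        if head and not line.lstrip()[0].isalpha():
            rest = head.group(2)
            current = {"id": int(head.group(1)), "comment": ""}
            if rest.startswith(";;;"):
                current["comment"] = rest[3:].strip()
                rest = ""
            rules.append(current)
            line = rest
        if current is not None:
            for key, value in _KV.findall(line):
                current[key] = value
    return rules


def _src_matches_proxy(src, proxy_ip):
    """Does the rule's src-address selector match packets from the proxy?

    No selector matches everything; a leading '!' negates the address/net.
    """
    if src is None:
        return True
    negated = src.startswith("!")
    net = ipaddress.ip_network(src.lstrip("!"), strict=False)
    inside = ipaddress.ip_address(proxy_ip) in net
    return (not inside) if negated else inside


def find_redirect_loops(rules, proxy_ip):
    """Return ids of dstnat rules that send TCP/80 to the proxy and would also
    catch the proxy's own outbound connections, bouncing them back into it."""
    looping = []
    for r in rules:
        if r.get("chain") != "dstnat" or r.get("action") != "dst-nat":
            continue
        if r.get("to-addresses") != proxy_ip or r.get("dst-port") != "80":
            continue
        if _src_matches_proxy(r.get("src-address"), proxy_ip):
            looping.append(r["id"])
    return looping


def suggest_fix(rule_id, proxy_ip):
    """RouterOS CLI line that excludes the proxy's own traffic from the rule."""
    return f"/ip firewall nat set {rule_id} src-address=!{proxy_ip}"


if __name__ == "__main__":
    for label, dump in (("as posted", RULES_FROM_THREAD), ("fixed", RULES_FIXED)):
        loops = find_redirect_loops(parse_rules(dump), PROXY_IP)
        print(f"{label}: looping redirect rules = {loops}")
        for rid in loops:
            print("  suggested:", suggest_fix(rid, PROXY_IP))
```

The check is deliberately narrow: it only looks at the redirect rule's source selector, because that is the one place a transparent-proxy redirect decides whether the proxy's own traffic is exempt. Policy routing for the failover gateways is a separate concern and is not modelled here.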