Hairpin and use of built-in squid

Hi Forum,

I have a hairpin setup with a dynamic WAN IP which works very well; dst-nat works from internal networks and from the internet.

;;; http(s) → macmini
chain=dstnat action=dst-nat to-addresses=10.11.10.11 protocol=tcp dst-address-list=Hairpin dst-port=80,8082,443 log=yes log-prefix=""
;;; http(s) → macmini
chain=srcnat action=masquerade to-addresses=10.11.10.11 protocol=tcp dst-address=10.11.10.11 out-interface=ether6 dst-port=80,8082,443 log=no log-prefix=""

But, when users use the web-proxy of the router, they hit a “Connection refused error page” from the proxy:

--2017-03-19 11:48:00-- http://xx.xx.xx.xx/
Resolving proxy.int.xxxx.xx... 10.11.0.1
Connecting to proxy.int.xxxx.xx|10.11.0.1|:3128... connected.
Proxy request sent, awaiting response... 504 Gateway Timeout
2017-03-19 11:48:00 ERROR 504: Gateway Timeout.


Has anyone already had this case?

Many Thanks,
Seb

In addition, when I set an input filter rule (for logging):
chain=input action=accept protocol=tcp in-interface=!internet dst-port=80,8082,443 log=yes log-prefix=""

it shows:
firewall,info input: in:(unknown) out:(none), proto TCP (SYN), <wan_ip>:42469-><wan_ip>:80, len 60

The input interface is “unknown”.

It looks like the proxy connects to the router for some reason. But it can’t be your dstnat rule, because that doesn’t apply to router output. I’m not very familiar with web proxy settings, but it does support some redirection, so it might be some bad config there.

/ip firewall nat export
/ip firewall filter export

Post the results here inside of brackets so we can read your configuration. There's probably something just a tad incorrect.