help me socks5 to another gateway

Hi, Telegram, Twitter and many social apps are blocked in Iran.
I have a Windows server in an Iranian datacenter (connected with PPTP to a VPN outside the country, Germany/England) and CCProxy for using SOCKS5 on my devices, but it uses a lot of CPU.
Now I am trying to run SOCKS5 on MikroTik, but how do I redirect the SOCKS5 traffic to another gateway (PPTP)?
I tried adding a mangle prerouting rule, but it did not solve the problem.
Please see the attached pictures (2.jpg, 1.jpg).

Help please.

A SOCKS proxy is a server, a service running on the router. The client connects to the router, the router then connects to the requested destination and relays traffic between the two. Your rule in prerouting could see incoming traffic from client to router, but that's useless; you need to work with traffic from router to destination, and that would be in the output chain. I'm not aware of any method to identify connections from the SOCKS server, so you may need to take all of the router's output, and optionally only exclude some things where you're sure it's not from SOCKS. For example:

/ip firewall mangle
add chain=output connection-state=new dst-address=x.x.x.x action=accept comment="target address to exclude"
add chain=output connection-state=new protocol=tcp action=mark-connection new-connection-mark=socks passthrough=yes
add chain=output connection-mark=socks action=mark-routing new-routing-mark=vpn passthrough=no

Thanks for the reply.
SOCKS MikroTik server port 27015.
How do I configure the MikroTik server?
What does dst address mean? Which address? Telegram servers?
add chain=output connection-state=new dst-address=x.x.x.x action=accept comment="target address to exclude"

The MikroTik SOCKS server on port 27015 is OK and connects to the MikroTik default gateway (Iran gateway).
I need the SOCKS server on 27015 to connect out via PPTP.

The port of the SOCKS server doesn't matter. Clients connect to that port, but the server creates new outgoing connections, and they look like any other connection from the router itself. You can't tell if some outgoing connection is from the SOCKS server, or if it's e.g. the router checking for updates. The good news is that the router itself usually doesn't need to connect anywhere, so you can take all connections from the router (tcp should be enough). The address you're asking about is an example of how to exclude some connections and not route them via VPN. If you don't have any such requirement, you don't need this rule.

First of all, you may want to hide the public IP of the device in the screenshots in your OP (at least you haven't left Winbox open to the world on the default port, good).

Second, SOCKS5 is easy to identify, so it may not be the safest one to use for the purpose. The actual destination address of the remote server can be seen in plaintext, so it is easy to find out where your clients are actually connecting. And if the actual traffic is not encrypted itself, it can also be seen in plaintext, so the DNS requests will also reveal what is going on to the authorities if the client sends them via the SOCKS5.

PPTP has some encryption, but it has also been considered weak for years.

Next, as @Sob has explained, the SOCKS5 server on the MikroTik sends all the requests in its own name, and there is no way the firewall rules could find out which outgoing traffic of the MikroTik itself is actually the traffic forwarded by the clients via SOCKS5 and which is its own. So you can route all the output traffic of the MikroTik to the VPN tunnel, and only provide exceptions as @Sob has suggested.

Most important, the exceptions have to be the addresses of the remote VPN servers, but for that in particular you don't need firewall rules and dedicated routing tables; dedicated routes are enough.

An example of another exception may be the addresses of the servers from which the MikroTik downloads RouterOS upgrades, but if you don't mind that the download also goes via the VPN, there is no need for such an exception.

If you replace the SOCKS5 idea with a VPN one, the MikroTik will treat the clients' traffic as a router, not as a proxy, so you will be able to handle all traffic from the clients one way (forwarding it to the other VPN) and other traffic the other way, using other routing table(s). But it has to be something better than PPTP if it is to serve the purpose.
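A complete RouterOS configuration that puts together Sob's output-chain mangle rules and the exception for the VPN endpoint that sindy describes, added here as an example and not taken from any post in this thread. It assumes the PPTP client interface is named pptp-out1, the LAN is 192.168.88.0/24, and VPN_SERVER_IP is a placeholder for the public address of the PPTP server abroad.

```routeros
# Added example, not from any post in this thread.
# Placeholder: VPN_SERVER_IP = public address of the PPTP server abroad.
# Assumed names: pptp-out1 = PPTP client interface, 192.168.88.0/24 = LAN.

# 1. SOCKS server on the port used in this thread, reachable only from the LAN.
/ip socks
set enabled=yes port=27015
/ip socks access
add src-address=192.168.88.0/24 action=allow
add action=deny

# 2. Routing table "vpn": everything carrying routing-mark=vpn leaves via the tunnel.
#    The main table keeps the normal default route via the Iranian ISP.
/ip route
add routing-mark=vpn gateway=pptp-out1 comment="marked output via PPTP"

# 3. Output chain: the SOCKS server's outgoing connections are router-originated,
#    so they appear here, never in prerouting.
/ip firewall mangle
# The "target address to exclude" is the PPTP server itself: if its control
# connection (tcp/1723) were marked, it would be routed into the tunnel it carries.
add chain=output connection-state=new dst-address=VPN_SERVER_IP action=accept comment="PPTP endpoint stays on ISP"
add chain=output connection-state=new dst-address=192.168.88.0/24 action=accept comment="LAN stays local"
add chain=output connection-state=new protocol=tcp action=mark-connection new-connection-mark=socks passthrough=yes
add chain=output connection-mark=socks action=mark-routing new-routing-mark=vpn passthrough=no

# 4. The source address is chosen before the output mangle re-routes the packet,
#    so rewrite it to the tunnel address; otherwise replies come back over the ISP link.
/ip firewall nat
add chain=srcnat out-interface=pptp-out1 action=masquerade comment="source = tunnel address"
```

Anything else the router must reach directly (for example the RouterOS upgrade servers mentioned above) gets one more accept rule before the mark-connection rule.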

Do you have a Telegram ID?
My ID is @megasoheilsh

Can anyone help me?

Do you have access to another MikroTik device? I would run the SOCKS proxy on a different MikroTik device and, in the main MikroTik router, direct traffic from the SOCKS device to the VPN. In that case it would be easy to isolate the traffic from the SOCKS proxy. It should also be possible to run a MetaROUTER inside the MikroTik with the SOCKS proxy to remove the need for an additional MikroTik, but I'm not sure the MetaROUTER package is available on x86. More info on MetaROUTER is available here: https://wiki.mikrotik.com/wiki/Manual:Metarouter

I have the same problem, and I want the connections that come in from SOCKS to go out via another gateway.

There is no one to help us.