Hotspot+cache-proxy+parent-proxy on 3.30 ? HOWTO ?

Hi,

can somebody advise, how to setup hotspot+cache-proxy+upstream-proxy in 3.30 ?
Somehow I got it to work on 3.23, but on 3.30 no idea, because hotspot+proxy-conf somehow changed.

It looks like, web-proxy is running automatically when hotspot is enabled; however, I do not see any caching in the statistics.

On top of that: No option to specify a transparent proxy.

Alrighty then. This is a setup for Hotspot+Transparent Proxy. I do not use the parent proxy feature. Also, this is for a transparent proxy setup for both a Hotspot and a non-Hotspot VLAN.

RB1000 running 3.30, two ethernet interfaces used - inside and outside. Inside is a trunk to a Cisco switch with Hotspot VLAN 902 on it, the native VLAN on the trunk is used for wired connections that do not go through a Hotspot:

[admin@MikroTik] > /interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
 #     NAME                                        TYPE             MTU   L2MTU
 0  R  outside                                     ether            1500  1600
 1  R  inside                                      ether            1500  1600
 2  X  ether3                                      ether            1500  1600
 3  X  ether4                                      ether            1500  1600
 4  R  Hotspot                                     vlan             1500  1596
 
[admin@MikroTik] > /interface vlan print
Flags: X - disabled, R - running, S - slave
 #    NAME                  MTU   ARP        VLAN-ID INTERFACE
 0 R  Hotspot               1500  enabled    902     inside

Standard scenario with publics on the outside interface, and private IPs on the inside:

[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   ;;; Admin IP
     1.1.1.1/24         1.1.1.0         1.1.1.254       outside
 1   ;;; NAT IP
     1.1.1.2/24         1.1.1.0         1.1.1.254       outside
 2   10.1.0.1/24        10.1.0.0        10.1.0.255      inside
 3   10.2.0.1/23        10.2.0.0        10.2.1.255      Hotspot

Standard DHCP setup for the Hotspot only, the network on the inside interface is static:

[admin@MikroTik] > /ip pool print
 # NAME                                         RANGES
 0 DHCP-Pool-Hotspot                            10.2.0.2-10.2.1.254
 
[admin@MikroTik] > /ip dhcp-server print detail
Flags: X - disabled, I - invalid
 0   name="DHCP-Hotspot" interface=Hotspot lease-time=3h
     address-pool=DHCP-Pool-Hotspot bootp-support=static authoritative=yes
	 
[admin@MikroTik] > /ip dhcp-server network print detail
 0 address=10.2.0.0/23 gateway=10.2.0.1 dns-server=10.1.0.1
   domain="example.com"

Standard DNS setup:

[admin@MikroTik] > /ip dns print
            primary-dns: 1.1.1.3
          secondary-dns: 1.1.1.4
  allow-remote-requests: yes
    max-udp-packet-size: 512
             cache-size: 2048KiB
          cache-max-ttl: 1w
             cache-used: 67KiB

Enable the web proxy:

[admin@MikroTik] > /ip proxy print
                 enabled: yes
             src-address: 0.0.0.0
                    port: 8080
            parent-proxy: 0.0.0.0
       parent-proxy-port: 0
     cache-administrator: "webmaster"
          max-cache-size: unlimited
           cache-on-disk: no
  max-client-connections: 600
  max-server-connections: 600
          max-fresh-time: 3d
   serialize-connections: no
       always-from-cache: no
          cache-hit-dscp: 4
             cache-drive: system

Make sure the clients are permitted to access the proxy through the firewall - rule number 4 permits traffic to port 8080 on the local host. Yes, it’s only a very basic firewall:

[admin@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough

 1   ;;; allow established incoming traffic
     chain=input action=accept connection-state=established

 2   ;;; allow related incoming traffic
     chain=input action=accept connection-state=related

 3   ;;; allow service UDP ports from LAN
     chain=input action=accept protocol=udp src-address-list=""
     in-interface=!outside dst-port=53,67

 4   ;;; allow service TCP ports from LAN
     chain=input action=accept protocol=tcp in-interface=!outside
     dst-port=53,67,8080

 5   ;;; allow rate-limited ICMP
     chain=input action=accept protocol=icmp limit=50,50

 6   ;;; allow everything from admin networks
     chain=input action=accept src-address-list=Administrative_Networks

 7   ;;; drop everything else
     chain=input action=drop

 8   ;;; forward established traffic
     chain=forward action=accept connection-state=established

 9   ;;; forward related traffic
     chain=forward action=accept connection-state=related

10   ;;; drop worms TCP
     chain=forward action=drop protocol=tcp dst-port=135-139,445,1434,4444

11   ;;; drop worms UDP
     chain=forward action=drop protocol=udp dst-port=135-139,445,1434,4444

12   ;;; forward traffic from customer interfaces to wan
     chain=forward action=accept out-interface=outside

13   ;;; drop everything else
     chain=forward action=drop

The NAT rules - standard src-nat and the redirect to port 8080 for traffic destined to port 80:

[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough

 1   chain=srcnat action=src-nat to-addresses=1.1.1.2
     src-address-list=Local_NAT_Networks out-interface=outside

 2   chain=dstnat action=redirect to-ports=8080 protocol=tcp
     in-interface=Hotspot dst-port=80

Standard Hotspot setup:

[admin@MikroTik] > /ip hotspot profile print
Flags: * - default
 0 * name="default" hotspot-address=0.0.0.0 dns-name="" html-directory=hotspot
     rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 login-by=https
     ssl-certificate=none split-user-domain=no use-radius=no

 1   name="Hotspot" hotspot-address=0.0.0.0 dns-name="hotspot.example.com"
     html-directory=MyHotspot rate-limit="" http-proxy=0.0.0.0:0
     smtp-server=0.0.0.0 login-by=https,http-pap ssl-certificate=wildcard
     split-user-domain=no use-radius=yes radius-accounting=yes
     radius-interim-update=received nas-port-type=wireless-802.11
     radius-default-domain="" radius-location-id=""
     radius-location-name="Hotspot" radius-mac-format=XX:XX:XX:XX:XX:XX

[admin@MikroTik] > /ip hotspot print detail
Flags: X - disabled, I - invalid, S - HTTPS
 0 S name="Hotspot" interface=Hotspot profile=Hotspot idle-timeout=30m
     keepalive-timeout=5m ip-of-dns-name=10.1.0.1 proxy-status="running"

A test user and a test user profile - the test user profile has transparent-proxy set to ‘yes’, and I believe you do not need NAT rules redirecting if this is enabled and you don’t need to proxy non-Hotspot users:

[admin@MikroTik] > /ip hotspot user profile print
Flags: * - default
 0 * name="default" idle-timeout=none keepalive-timeout=2m
     status-autorefresh=1m shared-users=unlimited rate-limit="64k/64k"
     transparent-proxy=no

 1   name="Hotspot" idle-timeout=none keepalive-timeout=15m
     status-autorefresh=1m shared-users=unlimited rate-limit="256k/512k"
     transparent-proxy=yes

[admin@MikroTik] > /ip hotspot user print
Flags: X - disabled, D - dynamic
 #   SERVER           NAME         ADDRESS         PROFILE         UPTIME
 0                    test                         Hotspot         33m10s

Proof that the proxy is actively caching:

[admin@MikroTik] > /ip proxy cache-contents print
URI                                   FILE-SIZE     LAST-MODIFIED LAST-ACCESSED
http://www.google.com/favicon.ico     1KiB          oct/02/2009   oct/02/2009
http://l.yimg.com/a/i/pulse/09q4/c... 5KiB          oct/02/2009   oct/02/2009
http://update.macromates.com/versi... 0KiB          oct/02/2009   oct/02/2009
http://l.yimg.com/a/i/mntl/per/09q... 7KiB          oct/02/2009   oct/02/2009
http://www.apple.com/                 4KiB          oct/02/2009   oct/02/2009
[admin@MikroTik] >

For the proxy-parent feature it should be sufficient to specify the parent-proxy IP and possibly the src-address under “/ip proxy”, and to make sure that the traffic for those connections is permitted in the firewall rules. The set posted here should work as there’s no filtering in the output chain, and related/established traffic is permitted in the input chain.
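As an added example (not part of Fewi's posted configuration), here is the parent-proxy setting he describes together with a proxy access list that restricts the listener to the two local subnets shown above, so the proxy is not usable as an open proxy even if a firewall rule is later loosened. The upstream address 192.0.2.10:3128 is a placeholder, not a real server; the subnets 10.1.0.0/24 and 10.2.0.0/23 are the ones from the post.

```routeros
# Added example, not from the original post.
# Upstream (parent) proxy: placeholder address, replace with your own.
/ip proxy set parent-proxy=192.0.2.10 parent-proxy-port=3128

# Proxy access list: allow only the wired LAN and the Hotspot VLAN,
# then deny everyone else. The firewall input rule for port 8080
# (in-interface=!outside) already does this on the packet level;
# this is a second, independent layer inside the proxy itself.
/ip proxy access
add src-address=10.1.0.0/24 action=allow comment="wired LAN"
add src-address=10.2.0.0/23 action=allow comment="Hotspot VLAN"
add action=deny comment="deny everything else (no open proxy)"

# Log proxy activity to memory so denied requests are visible.
/system logging add topics=web-proxy action=memory

# Checks: the access list as applied, proxy status and hit counters,
# and any web-proxy log entries.
/ip proxy access print
/ip proxy monitor
/log print where topics~"web-proxy"
```

With the deny rule in place, a request from any other source address (for example something arriving over the outside interface) is refused by the proxy rather than forwarded, and the connections to the parent proxy leave via the output chain, which the posted filter set does not restrict.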

Thanks for your detailed description. And I thought it might be a bit easier :)
Will take some time until I understand how this works :)

This is exactly what I want to achieve, hotspot and transparent proxy in one MT box. Please can you include traffic shaping in it, mostly for limiting p2p.

Thanks

I have not looked at traffic shaping at all - it’s enough for me to limit the bandwidth of each user via the Hotspot. It doesn’t matter to me what traffic they run within their channel.

Thinking about it a little bit I am not sure you can do shaping at all. The Hotspot creates a dynamic simple queue for each user. I am not sure how additional queues would interact with that.

hello Fewi,
I don't seem to understand your setup, as it is not working for me.

Thanks

It’s going to be hard to change that without specific information on what isn’t working (you’re not getting DHCP? you’re not getting a login page? the proxy isn’t logging any hits), troubleshooting steps already taken by you and the relevant configuration from your devices.