How do I source route packets originating from the proxy

I’m trying to direct traffic to different links based on source address originating from the local squid proxy.

;;; First mark all traffic from this subnet to port tcp 80 destinations - this works

ip firewall mangle
chain=prerouting src-address=172.16.130.0/24 protocol=tcp dst-port=80 action=mark-connection new-connection-mark=ThisNetConn passthrough=yes

;;; Intercept packets destined to port 80 - this works as well
ip firewall nat
chain=dstnat src-address=172.16.130.0/24 dst-address=!RouterIPAddress protocol=tcp dst-port=80 action=redirect to-ports=8080

;;; Here is the next rule in the mangle - this rule gets executed as well, note the output chain and “ThisNetConn” connection-mark
ip firewall mangle
chain=output src-address=192.168.50.1 connection-mark=ThisNetConn action=mark-routing new-routing-mark=CustomRouting passthrough=no

;;; Then force the traffic over a specific link - this does not work! The route falls through to the end of the policy table!
ip route rule
routing-mark=CustomRouting action=lookup table=Router#3

My suspicion is that source routing only works if you mark-routing on the pre-routing chain, and not the output chain, but I would like clarification on this.

Hi,
I have the same issue.
I found in the manual that the flow used by the MT provides destination NAT and after no the mangle.

But I’m working on it. I will provide news if any.

Max

I use that type of thing but on a 2.8 system. Assuming you already have 2 routes set up in your routing table, then for that only 2 more rules are required. First mangle all traffic with a dst port 80 with mark http-conn. Then in policy routing add a rule with the src-address of your web proxy and mark http-conn to be sent through your second route table.

Relax guys, it's not working. I did a search 6 months ago; finally I became tired of it.

It's always difficult when two guys disagree if something is possible or not. On 2.9 it won't be possible because policy routing is not picking up the connection marks. My system is running on 2.9 so I'll have to downgrade to 2.8 to find out if spire2z's method is possible. It certainly sounds plausible.

If I don't get it right I would appreciate it if someone could take it up on May 5th at the MUM meeting in Dallas, because after all this meeting is about:

MikroTik announces an additional presentation on:

Bonding, Load Balancing, and Fail-over with MikroTik

  • Practical examples and configurations for:
    - multiple DSL or Ethernet lines
    - multiple Wireless interfaces (wireless backbone)
    - multiple VLANs and EoIP tunnels
    - different bonding techniques

May 5th, 11AM - by MikroTik staff

I have multiple DSL lines (with no fixed IP, no availability of bonding at upstream ISP) and the only form of load balancing I have been able to get right is source routing - without the use of a transparent proxy :frowning: