I did patch the Linux kernel, and I patched Squid with the needed patch.
I set Squid to work as a transparent proxy. I tested Squid by putting the proxy IP and port in Internet Explorer and it worked perfectly with Squid connected to a switch with my clients, but after I connected it to the second interface of the Mikrotik it does not work. I need help with this problem: how do I configure the rules in Mikrotik? Do I need to add any queue for the Squid IP address, any redirect HTTP rule or mangle rule?
If anyone can help me, thanks very much. I have been waiting a long time for this to work but could not make it work.
I'm running this for a Christian school here in town.
I run the Squid/DansGuardian box on the same physical port as the school's LAN, but on a different network.
I set up the web proxy on the MT box:
port: 8080
parent proxy: 10.1.2.2 (IP of the Squid box)
parent proxy port: 8080 (that is for DansGuardian; you might use 3128 for Squid)
In the firewall I set up a redirect of port 80 to port 8080:
/ip firewall nat add chain=dstnat action=redirect to-ports=8080 src-address=10.1.1.0/24 dst-port=80 protocol=tcp
Masquerade both the Squid /30 net and the school's /24 as normal.
Try this with policy routing: set up your Linux external server as a transparent proxy with NAT, mark port-80 traffic and redirect it to the Linux gateway:
/ip firewall mangle add chain=prerouting protocol=tcp dst-port=80 action=mark-routing new-routing-mark=HTTP passthrough=yes comment="" disabled=no
/ip route add gateway=x.x.x.x routing-mark=HTTP comment="HTTP Traffic" disabled=no
Replace x.x.x.x with your Linux gateway IP.
Let me clarify something.
My Mikrotik has 5 LAN ports:
WAN, ether1...ether4
ether1-ether3 are bridged, and I have configured the Mikrotik as a web proxy. But I want to use my Squid box; it is configured as needed but it does not work. Do I need to set any queue for the Squid IP? The Squid box has only one LAN interface configured. I want to use it as a transparent proxy. I don't have a public IP. But maybe we can use TeamViewer to connect to my PC and then to the Mikrotik.
OK, first, what I see from your config is that the Squid proxy and the MT are connected to a switch, which in turn is connected to your uplink. What you should ensure first is:
1. You have a working Squid. For this, try connecting a PC to the same "uplink switch", and use IP 10.10.10.2 or some other address in the same subnet as your Squid. Now:
a) Use your PC first without any manual proxy config. That ensures that your 10.10.10.0/24 block is routable to the internet. Make sure your NAT rules are working.
b) Now, manually put a proxy config in your browser on that PC, and see if it works. If it does, check your Squid config for the acl and http_access settings. This is an important step and should work before moving forward.
2. Now that we've got a working Squid, the next step is to check that the MT and Squid are able to talk to each other. For this:
a) Assign 10.10.10.3 to your MT's WAN interface (the same as the 80.x.x.x you put on the diagram). See if your MT is able to ping Squid.
b) Change the Squid config to allow transparent proxying.
c) Change the Squid config for the appropriate acl and http_access entries. The most likely problem is to have allowed the 192.168.1.0/24 subnet in Squid while using src-nat as packets move out of the MT. Then your Squid will never see the 192.168.1.0/24 IP block.
d) Then, use a simple dst-nat as follows:
/ip firewall nat add action=dst-nat chain=dstnat comment="HTTP routed through Proxy01" disabled=no dst-port=80 protocol=tcp src-address=192.168.1.0/24 to-addresses=10.10.10.1 to-ports=3128
The port number 3128 in 2(d) assumes you're using Squid's default port configuration.
Section 1 above is there because it looks like there is no device doing NAT for your Squid box. That is why those steps are there: to ensure you've got that working without problems.
My Mikrotik has 3 interfaces:
WAN
LAN (ether1, ether2, ether3 are bridged)
SQUID
I am not using any switch, and the Squid box has only one LAN card.
What if Squid has only one interface, how do I make it work? Do I need to create any queue in Mikrotik for the Squid IP address, and any NAT or mangle rule to allow traffic through Mikrotik for the Squid box?
What IP should I put on the Squid box?
If I put any, e.g. 10.0.0.100/24, will it work without a PPPoE setup on the Squid box?
I have configured my Squid box and tested it; it is working. I tried by putting the IP and port in Internet Explorer and it works; in this case my PC and Squid were connected by a switch. I changed the access list in Squid to allow 192.168.0.0/24, 192.168.1.0/24 and 10.0.0.0/24.
Then I configured Squid to work in transparent mode:
http_port 3128 transparent
always_direct allow all
I have put a masquerade rule for 10.0.0.0/24 and 192.168.1.0/24 on the Mikrotik, but with PPPoE (10.0.0.0/24) I can access the internet, while from the Squid box I cannot.
Do I need to make any queue for Squid in order to set a limit for it, e.g. 512/512 for its IP, or will it have unlimited speed? I tried to create a queue for the Squid IP 192.168.1.1/32.
But after I moved Squid to my environment it did not work. When I try to ping 192.168.1.1 from my clients I cannot; from the Mikrotik I can ping 192.168.1.1. I have put routes on the Mikrotik: route add gateway 192.168.1.1 interface=squid.
I will try to see if it works based on your suggestions.
Put a manual proxy on your PC and test if browsing is working.
Now, put the following dst-nat on your MT:
/ip firewall nat add chain=dstnat src-address=192.168.100.0/24 dst-address=!10.100.100.0/29 protocol=6 dst-port=80 action=dst-nat to-addresses=10.100.100.2 to-ports=3128
Remove the manual proxy from your PC and test if browsing is working now.
These steps should work, AFAIK. Please let me know how it went.
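The two answers above rest on the same three points: the dst-nat must catch only the clients' port-80 traffic (never the Squid box's own, or you build a loop), it must skip traffic that is already headed for the Squid subnet, and the router must not masquerade towards Squid, or Squid's src ACL sees the router's address instead of the client's (step 2c of the first answer). The following is an added example, not code from this thread or from MikroTik: a small model of the RouterOS dstnat/srcnat chains that parses `/ip firewall nat add ...` lines as posted and walks a packet through them. The interface names, the router's own addresses (192.168.100.1, 10.100.100.1, 203.0.113.10) and the client/web addresses are constructed for the example; the client and Squid subnets follow the second answer's rule.

```python
"""Walk a client's HTTP packet through a RouterOS-style dstnat/srcnat rule
set and check what Squid's src ACL would then see.

Added example, not from the thread. Only the rule properties the posted
rules use (chain, action, protocol, ports, addresses, out-interface) are
modelled; addresses below are constructed.
"""
import ipaddress
import shlex
from dataclasses import dataclass, replace

# Constructed topology: interface -> (router's own address, attached network)
IFACES = {
    "bridge": ("192.168.100.1", "192.168.100.0/24"),   # clients
    "squid":  ("10.100.100.1",  "10.100.100.0/29"),    # Squid box is 10.100.100.2
    "wan":    ("203.0.113.10",  "0.0.0.0/0"),          # default route
}
PROTO_BY_NUMBER = {"6": "tcp", "17": "udp"}            # RouterOS accepts protocol=6


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def parse_rule(line: str) -> dict:
    """Turn one `/ip firewall nat add k=v ...` line into a dict of its properties."""
    tokens = shlex.split(line)
    if tokens[:4] != ["/ip", "firewall", "nat", "add"]:
        raise ValueError(f"not a NAT rule: {line}")
    return dict(tok.partition("=")[::2] for tok in tokens[4:])


def interface_for(addr: str) -> str:
    """Longest-prefix lookup over IFACES; the 0.0.0.0/0 entry is the default route."""
    ip = ipaddress.ip_address(addr)
    hits = [(ipaddress.ip_network(net).prefixlen, name)
            for name, (_, net) in IFACES.items() if ip in ipaddress.ip_network(net)]
    return max(hits)[1]


def _addr_match(spec, addr: str) -> bool:
    """RouterOS address matcher: a leading `!` negates; value is a host or CIDR."""
    if spec is None:
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != negate


def _matches(rule: dict, pkt: Packet, chain: str, out_if) -> bool:
    if rule.get("chain") != chain or rule.get("disabled", "no") == "yes":
        return False
    proto = rule.get("protocol")
    if proto is not None and PROTO_BY_NUMBER.get(proto, proto) != pkt.proto:
        return False
    if "dst-port" in rule and int(rule["dst-port"]) != pkt.dport:
        return False
    if "out-interface" in rule and rule["out-interface"] != out_if:
        return False          # out_if is None in dstnat: out-interface cannot match there
    return _addr_match(rule.get("src-address"), pkt.src) and \
        _addr_match(rule.get("dst-address"), pkt.dst)


def nat_path(rules: list, pkt: Packet) -> Packet:
    """dstnat first (it decides the route), then srcnat on the chosen out-interface.
    The first matching rule with a terminating action wins, as in RouterOS."""
    for rule in rules:
        if _matches(rule, pkt, "dstnat", None):
            if rule["action"] == "dst-nat":
                pkt = replace(pkt, dst=rule["to-addresses"],
                              dport=int(rule.get("to-ports", pkt.dport)))
            elif rule["action"] == "redirect":   # to the router's address on the in-interface
                pkt = replace(pkt, dst=IFACES[interface_for(pkt.src)][0],
                              dport=int(rule["to-ports"]))
            break
    out_if = interface_for(pkt.dst)
    for rule in rules:
        if _matches(rule, pkt, "srcnat", out_if):
            if rule["action"] == "masquerade":
                pkt = replace(pkt, src=IFACES[out_if][0])
            break
    return pkt


def squid_accepts(pkt: Packet, acl_nets) -> bool:
    """Squid's http_access decision for `acl lan src <net>` / `http_access allow lan`."""
    return any(ipaddress.ip_address(pkt.src) in ipaddress.ip_network(n) for n in acl_nets)


# The second answer's rule, plus masquerade on the uplink only.
GOOD_RULES = [parse_rule(l) for l in """
/ip firewall nat add chain=dstnat src-address=192.168.100.0/24 dst-address=!10.100.100.0/29 protocol=6 dst-port=80 action=dst-nat to-addresses=10.100.100.2 to-ports=3128
/ip firewall nat add chain=srcnat out-interface=wan action=masquerade
""".strip().splitlines()]

# The pitfall from step 2c: masquerading towards Squid as well.
BAD_RULES = GOOD_RULES + [parse_rule(
    "/ip firewall nat add chain=srcnat out-interface=squid action=masquerade")]

SQUID_ACL = ["192.168.100.0/24"]


def walk(rules: list, src: str, dst: str, dport: int = 80) -> Packet:
    return nat_path(rules, Packet(src, dst, "tcp", dport))


if __name__ == "__main__":
    client, web, squid = "192.168.100.20", "198.51.100.7", "10.100.100.2"
    for label, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        p = walk(rules, client, web)
        print(label, "client->web:", p, "squid accepts:", squid_accepts(p, SQUID_ACL))
    print("squid->web (not intercepted, no loop):", walk(GOOD_RULES, squid, web))
    print("client->squid (excluded by dst-address=!):", walk(GOOD_RULES, client, squid))
```

With the good rule set the client's packet leaves towards 10.100.100.2:3128 with its real source, the Squid box's own outbound port 80 is never re-intercepted, and direct client-to-Squid traffic is left alone; adding the masquerade on the squid interface makes every intercepted connection arrive from 10.100.100.1, which is exactly the case where a Squid ACL written for the client subnet denies everything.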
First of all I checked my Squid box configuration and added a default route to Squid, and now I can ping from my PC to Squid. I can ping from Squid to the Mikrotik, my network, and the internet.
I added these two subnets to the Squid configuration file:
http_port 3128 transparent
always_direct allow all
Without any redirect rule on the Mikrotik it is working: when I put the IP and port of Squid in Internet Explorer it works, but if I remove them it is not working.
Then I tried to redirect HTTP traffic to my proxy, but it does not work.
I tried this one:
/ip firewall nat add action=dst-nat chain=dstnat comment="HTTP routed through Proxy01" disabled=no dst-port=80 protocol=tcp src-address=192.168.1.0/24 to-addresses=10.10.10.1 to-ports=3128
Then this one:
/ip firewall nat add chain=dstnat src-address=192.168.100.0/24 dst-address=!10.100.100.0/29 protocol=6 dst-port=80 action=dst-nat to-addresses=10.100.100.2 to-ports=3128