How to transfer http traffic fro MT to squid

I have been long searching for a solution to no avail and would really appreciate it if you could assist me here. My setup is as follows:

Wan>>16port Dlink switch>>Clearos>>mikrotik>>netequalizer>>24 port Dlink switch


I have added a squid with its input from the Wan directly and then I have put the squid directly to the mikrotik.

I did the following configurations:


Wan:

Wan → mikrotik 172.16.10.1/24
Wan → squid 172.16.11.1/24


Mikrotik


Ether1
172.16.10.2/24 Via setup CLI


Ether2 (Hotspot)
10.5.50.1/24


Ether3 to squid
192.168.50.2 Via setup CLI


Squid


Ether1 from Wan
172.16.11.2


Ether2 from mikrotik
192.168.50.1:3128


The squid is configured transparently.


Now I have tried several CLI commands I have seen online and still yet I am yet to find one that will eventually push the http traffic to the squid.

The last set of CLI commands i used that i thought will get me up and running is as follows:

/ip firewall nat
add action=accept chain=srcnat disabled=no dst-port=80 protocol=tcp

/ip firewall mangle
add action=mark-routing chain=prerouting disabled=no dst-port=80 new-routing-mark=http passthrough=yes protocol=tcp

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=(192.168.50.1) routing-mark=http scope=30 target-scope=10

add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=(172.16.10.1) scope=30 target-scope=10

/ip firewall nat
add chain=dstnat action=dst-nat protocol=tcp dst-port=80 src-address=10.5.50.0/24 to-addresses=192.168.50.1 to-ports=3128
add chain=dstnat action=dst-nat protocol=tcp dst-port=80 src-address=192.168.50.0/24 to-addresses=192.168.50.1 to-ports=3128


I am not sure what exactly it is i am doing wrong!

I would appreciate any help that I can get to make this happen.


Thanks in advance.

What is the squid server ip?

192.168.50.1:3128

Have you tried using the router’s onboard proxy? It may not look as clean as the direct method, but it may work for your setup.

/ip firewall nat
add chain=dstnat protocol=tcp src-address=192.168.50.0/24 dst-port=80 action=redirect to-ports=8080
add chain=dstnat protocol=tcp src-address=10.5.50.0/24 dst-port=80 action=redirect to-ports=8080

/ip proxy
set enabled=yes
set parent-proxy=192.168.50.1
set parent-proxy-port=3128

This redirects the localnet port 80 requests to the onboard proxy, which will then forward that request to the squid proxy.

Thank you, do i include this with all My CLI commands that i showed or i should start fresh again?

You do not need to start out fresh. Just remove any other port 80 dstnats from “/ip firewall nat”, and use those new rules.

Thanks i will have to wait till off-peak hour to try this.
I will get back to you surely.
Thanks.

OH, WAIT!! I see a potential loopback problem here! This may have been your problem.

If your squid server is on the 192.168.50.0/24 network, that will cause an endless loop with this rule:

add chain=dstnat protocol=tcp src-address=192.168.50.0/24 dst-port=80 action=redirect to-ports=8080

You must exclude your squid server ip from that redirect or dstnat with a rule like this:

add chain=dstnat protocol=tcp src-address=192.168.50.1/32 dst-port=80 action=accept

Then move this rule above the other two redirect rules.

Okay but why dst port 80? i thought it should be dst port 3128 as the squid’s port is 3128!
Please correct if i am wrong.

Your are wrong. Port 3128 is the port that the squid server gets requests from its clients on. Port 80 is used by the squid server to get the webpage for the port 3128 requests. If you redirect port 80 from the squid server, it cannot get the webpages for the clients.

Hi,

I tried it out and got the following error:

ERROR: Gateway Timeout

While trying to retrieve the URL http://www.cnn.com/:

Connection timed out
Your cache administrator is webmaster@xxxxxxxxxxx.

Generated Fri, 02 Jan 1970 09:28:12 GMT by 10.5.50.1 (Mikrotik HttpProxy)

But if i connect a Pc directly to the squid i can browse no problems at all!
I really don’t know what it is i a doing wrong at this junction!

I don’t either. I don’t have a problem with the internal proxy. I don’t have a problem with redirects and dstnats.

The only think I can suggest is post “/ip firewall nat print” and let me see what you currently have set there.

Thanks for your response. The output of what you asked for is as follows:

[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough to-addresses=0.0.0.0

1 ;;; masquerade hotspot network
chain=srcnat action=masquerade to-addresses=0.0.0.0
src-address=10.5.50.0/24

2 chain=srcnat action=accept protocol=tcp dst-port=80

3 chain=dstnat action=accept protocol=tcp src-address=192.168.50.1 dst-port=80

4 chain=dstnat action=redirect to-ports=8080 protocol=tcp
src-address=192.168.50.0/24 dst-port=80

5 chain=dstnat action=redirect to-ports=8080 protocol=tcp
src-address=10.5.50.0/24 dst-port=80
[admin@MikroTik] >


Or do i do an ‘export’ command for you to have a total picture of the router?

Have you tried this from the hotspot (10.5.50.0/24) network? It has a hairpin nat masquerade. If the squid server can access the internet now, then it must be a problem with routing a wan ip request back to a lan.

I just noticed you do not have a masquerade either.

/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1

I think thats odd as when i am creating the hotspot the second or so step asks me if i want to masquerade and i said yes!

But even without masquerading the network seems to browse till i add the CLI commands and the all i get from the page is the waiting message; then next the thing i get is the error message:

ERROR: Gateway Timeout

While trying to retrieve the URL http://www.cnn.com/:

Connection timed out
Your cache administrator is webmaster@xxxxxxxxxxx.

Generated Fri, 02 Jan 1970 09:28:12 GMT by 10.5.50.1 (Mikrotik HttpProxy)

Ok. Then remove these two redirect rules to the proxy and see if you can access the internet.

4 chain=dstnat action=redirect to-ports=8080 protocol=tcp
src-address=192.168.50.0/24 dst-port=80

5 chain=dstnat action=redirect to-ports=8080 protocol=tcp
src-address=10.5.50.0/24 dst-port=80

Hi,

thanks for the tip! i have been able to get it working but i have another problem, its so slow!!

i a constantly having a look at the Tail command in the squid/linux box and it shows that there is a lot of activity going on there! it sees like a lot of files are being cached but when i try to browse those particular sites its so darn slow!

What do i do?

I would appreciate any form of assistance here.

I see to have gotten it to work at a better pace with the following CLI commands:

#Mark All HTTP Port 80 Traffic, so that you can use these Marked Packets in Route section.

/ip firewall nat
add action=accept chain=srcnat disabled=no dst-port=80 protocol=tcp

/ip firewall mangle
add action=mark-routing chain=prerouting disabled=no dst-port=80 new-routing-mark=http passthrough=yes protocol=tcp

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=(192.168.50.1) routing-mark=http scope=30 target-scope=10

add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=(172.16.10.1) scope=30 target-scope=10


/ip firewall mangle add chain=postrouting tos=48 action=mark-packet new-packet-mark=proxy-hit passthrough=no


/ip firewall mangle add chain=postrouting action=mark-packet new-packet-mark=proxy-hit passthrough=no

/queue tree add name=“pmark” parent=global-out packet-mark=proxy-hit \ limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s



/ip firewall filter

add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input
comment=“Add Syn Flood IP to the list” connection-limit=30,32 disabled=no protocol=tcp tcp-flags=syn
add action=drop chain=input comment=“Drop to syn flood list” disabled=no src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment=“Port Scanner Detect”
disabled=no protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment=“Drop to port scan list” disabled=no src-address-list=Port_Scanner
add action=jump chain=input comment=“Jump for icmp input flow” disabled=no jump-target=ICMP protocol=icmp
add action=drop chain=input
comment="Block all access to the winbox - except to support list
disabled=yes dst-port=8291 protocol=tcp src-address-list=!support
add action=jump chain=forward comment=“Jump for icmp forward flow” disabled=no jump-target=ICMP protocol=icmp
add action=drop chain=forward comment=“Drop to bogon list” disabled=no dst-address-list=bogons
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment=“Add Spammers to the list for 3 hours”
connection-limit=30,32 disabled=no dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment=“Avoid spammers action” disabled=no dst-port=25,587 protocol=tcp src-address-list=spammers
add action=accept chain=input comment=“Accept DNS - UDP” disabled=no port=53 protocol=udp
add action=accept chain=input comment=“Accept DNS - TCP” disabled=no port=53 protocol=tcp
add action=accept chain=input comment=“Accept to established connections” connection-state=established
disabled=no
add action=accept chain=input comment=“Accept to related connections” connection-state=related disabled=no
add action=accept chain=input comment=“Full access to SUPPORT address list” disabled=no src-address-list=support
add action=drop chain=input comment="Drop anything else!
disabled=yes
add action=accept chain=ICMP comment=“Echo request - Avoiding Ping Flood” disabled=no icmp-options=8:0 limit=1,5 protocol=icmp
add action=accept chain=ICMP comment=“Echo reply” disabled=no icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment=“Time Exceeded” disabled=no icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment=“Destination unreachable” disabled=no icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD disabled=no icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment=“Drop to the other ICMPs” disabled=no protocol=icmp
add action=jump chain=output comment=“Jump for icmp output” disabled=no jump-target=ICMP protocol=icmp




ip firewall nat add action=dst-nat chain=dstnat disabled=no dst-port=80 protocol=tcp to-addresses=10.5.50.5 to-ports=8080


ip firewall nat add action=dst-nat dst-port=80 protocol=tcp src-address=10.5.50.0/24 to-addresses=10.5.50.5 to-ports=8080 chain=dstnat

ip firewall nat add chain=dstnat src-address=10.5.50.0/24 in-interface=ether1 dst-port=80 protocol=tcp action=dst-nat to-address=10.5.50.5 to-port=8080

ip firewall nat add chain=dstnat src-address=10.5.50.5 dst-port=80 protocol=tcp action=accept

ip firewall nat add chain=dstnat src-address=10.5.50.0/24 dst-port=80 protocol=tcp action=dst-nat to-address=10.5.50.5 to-port=8080

But the issue i have now is that at times it just seems to slow down totally and drag and sometimes ask users to re-login again and other times tell them that no more sessions are available for them!

I have to reboot the router practically every 2 hours or so to get the network browsing okay! is there something i can do? i really would like to have a smooth network!

Thanks.

The network is not really faster is just that dynamic pages like yahoo.com, gmail.com open fast but when i try opening normal pages i get an error message as follows:

ERROR

The requested URL could not be retrieved

Die volgende fout is teëgekom tydens verkryging van die URL: http://www.slotlimited.com/categories/TECNO/

Verbinding na 198.154.223.237 het misluk

Die stelsel het die volgende teruggestuur: (110) Connection timed out

Die afgeleë gasheer of netwerk is dalk af. Probeer die navraag gerus weer.

Die kasbediener se administrateur is webmaster.


Gegenereer op Fri, 07 Mar 2014 14:37:58 GMT deur squid.squidoz (squid/3.2.11)



I really wonder if the problem is from the mikrotik or from the squid?

https://www.youtube.com/watch?v=bQ-0-Rf0CW4