Interesting redirect issue

I will do my best to explain the situation I am working with, and hopefully someone out there in the Internets can help.

I have a private network (10.1.1.0/24) that is routing through a squid proxy box. This proxy box has an inside interface (10.1.1.1) and an outside interface (66.x.x.244/27), and it works nicely in this configuration.

What I am trying to do is insert a RB in between the public interface and the ISP. I have configured ether2 as the “inside” interface (66.x.x.246/27) and set the default gateway of the squid box to point to that address. I then have an “outside” interface (66.x.x.245/27) that routes to the ISP.

This works nicely and is passing traffic to and fro as expected. Now, what I need help with is that I want to take all port 80 traffic and direct it to a proxy server that lives outside of the network. The reasons for me doing this are not the issue; what is the issue is that when I put an ip firewall nat rule in to redirect, nothing happens. Traffic still flows, but port 80 traffic is not being directed.

I wonder if the squid proxy is causing an issue or if there is something else at play. I am on site with the customer for the next day, so any ideas would be welcome.

If you made it this far, congrats and thanks.

The action of “redirect” redirects to the router itself. You need to use dst-nat for what you are trying to do.

http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Properties

cbrown, thank you for your reply. After reading up on the issue, I do not believe that is going to solve my issue. Here is why: I am wanting to use the proxy within the RB to handle the redirect for me. Here is some config for you to look at:

*** Of note: ether2 is the slave of ether1; when I turn this off, traffic stops flowing and I would like to understand why. Second, I am wanting to take all port 80 traffic and send it to a proxy server that is off net. I have had this configuration working before, but the network routing was between two subnets and not in this configuration. ***

/interface ethernet
set 2 arp=enabled auto-negotiation=no bandwidth=unlimited/unlimited disabled=\
    no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:xx:xx:7D master-port=\
    none mtu=1500 name=ether1 speed=100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:xx:xx:7E \
    master-port=ether1 mtu=1500 name=ether2 speed=100Mbps

/ip address
add address=66.x.x.245/27 disabled=no interface=ether1 network=\
    66.x.x.224
add address=66.x.x.246/27 disabled=no interface=ether2 network=\
    66.x.x.224
add address=66.x.x.227/27 disabled=no interface=ether1 network=\
    66.x.x.224

/ip firewall filter
add action=drop chain=input comment="Drop Invalid connections" \
    connection-state=invalid disabled=no
add action=accept chain=input comment="default configuration" \
    connection-state=established disabled=no
add action=accept chain=input comment="default configuration" \
    connection-state=related disabled=no
add action=accept chain=input disabled=no protocol=icmp
add action=accept chain=input comment="SSH for secure shell" disabled=no \
    dst-port=22 protocol=tcp
add action=drop chain=input comment="default configuration" disabled=no

/ip firewall nat
add action=redirect chain=dstnat comment="port 80 redirect rule" \
    disabled=no in-interface=ether2 port=80 protocol=tcp src-address=\
    66.x.x.244 to-addresses=0.0.0.0 to-ports=8080

/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 \
    cache-on-disk=no enabled=yes max-cache-size=none max-client-connections=\
    600 max-fresh-time=3d max-server-connections=600 parent-proxy=\
    107.x.x.232 parent-proxy-port=8080 port=8080 serialize-connections=no \
    src-address=0.0.0.0

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=66.x.x.225 \
    scope=30 target-scope=10
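As an added illustration of cbrown's point, and not configuration from this thread, here is the rule shape that sends port 80 to an off-net proxy with dst-nat, next to the redirect form that targets the router's own /ip proxy (which then needs an input-chain accept, since the filter above drops everything it does not match). The proxy address 203.0.113.10 is a placeholder, and ether2 is assumed to be a routed interface rather than a switch slave of ether1.

```routeros
# Added example, not from the thread. Use Option A OR Option B, not both.

/ip firewall nat
# Option A (what cbrown describes): rewrite the destination to the off-net
# proxy. action=redirect would instead rewrite it to the router itself.
# dst-port=80 matches only client requests; port=80 also matches replies
# whose SOURCE port is 80.
add chain=dstnat action=dst-nat protocol=tcp dst-port=80 \
    in-interface=ether2 src-address=66.x.x.244 \
    to-addresses=203.0.113.10 to-ports=8080 \
    comment="port 80 -> external proxy (placeholder address)"

# Option B: keep the router's own web proxy (with its parent-proxy) in the
# path. redirect changes the destination to the router, so the packet then
# enters the INPUT chain and must be accepted there before the drop-all rule.
add chain=dstnat action=redirect protocol=tcp dst-port=80 \
    in-interface=ether2 src-address=66.x.x.244 to-ports=8080 \
    comment="port 80 -> local web proxy"

/ip firewall filter
# Needed with Option B. place-before=5 puts it above the final drop rule
# (index 5 in the posted filter). Limiting it to the inside interface and the
# squid box's address keeps port 8080 from becoming an open proxy on the
# public side.
add chain=input action=accept protocol=tcp dst-port=8080 \
    in-interface=ether2 src-address=66.x.x.244 place-before=5 \
    comment="allow redirected port 80 traffic to reach the local proxy"

# Check: the packet/byte counters show whether the NAT rule matched at all.
# Zero counters after browsing from the inside mean the matchers (in-interface,
# src-address, dst-port) are wrong, not the action.
/ip firewall nat print stats
/ip firewall filter print stats
```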