Mikrotik and Squid

I am running Squid in parallel with MikroTik.

My settings:

IP configuration


ether1 = 200.200.200.202 (WAN)
ether2 = 192.168.25.1 (LAN)
ether3 = 10.0.0.1 (interface to squid)

Web Proxy Setting


Enabled = yes
Port = 3128
Parent proxy = 10.0.0.2 (my squid)
Parent proxy port = 3128

Firewall>NAT


  1. redirect to squid
    chain = dstnat
    src address = 192.168.25.0/24
    dst address = !10.0.0.2
    protocol = 6 (tcp)
    dst port = 80
    in interface = ether2
    action = redirect
    to ports = 3128

  2. NAT for squid
    chain = srcnat
    src address = 10.0.0.0/24
    action = masquerade


Browsing works perfectly; however, Squid sees the IP 10.0.0.1 and not the LAN IPs (192.168.25.0).

So I cannot create specific ACLs, such as a block only for the IP 192.168.25.10.

Can anyone help me make Squid see the IPs of the 192.168.25.0 network?

Your Mikrotik Configuration will be:

Mark all HTTP (port 80) traffic so that these marked packets can be used in the route section.

/ip firewall nat
add action=accept chain=srcnat disabled=no dst-port=80 protocol=tcp

/ip firewall mangle
add action=mark-routing chain=prerouting disabled=no dst-port=80 new-routing-mark=http passthrough=yes protocol=tcp

Masquerade all traffic (except HTTP) on ether1 only, which is connected to the DSL router. It is important to masquerade traffic on the WAN interface only; otherwise the HTTP packets will also be masqueraded with the MikroTik IP.

/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=ether1

Define a route for the HTTP-marked packets and a default route for all other traffic. This is called policy-based routing.

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.0.0.2 routing-mark=http scope=30 target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=200.200.200.XXX scope=30 target-scope=10

(Where 10.0.0.2 is the Squid proxy server IP, and 200.200.200.XXX is our DSL router or fiber connection IP.)

That's all for MikroTik. Now MikroTik will redirect HTTP traffic to the Squid proxy via interface ether3, and all other traffic will be masqueraded/NATed to the WAN (ether1), which is connected to DSL or optical fiber.

Now moving on to the Squid section.

For example: (squid.conf)
#==============================
#Transparent Mode & Example ACL
#==============================
http_port 3128 transparent
acl mylocalnet src 0.0.0.0/0.0.0.0
http_access allow mylocalnet

and IPTABLES example:

DNAT port 80 requests coming from LAN systems to Squid on port 3128 (transparent proxy):

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 10.0.0.2:3128

### In this example, the Squid proxy server has 2 interface cards:

eth0: LAN (connected with Mikrotik’s PROXY INTERFACE ether3) = 10.0.0.2

eth1: WAN (connected with DSL Router or internet) = 200.200.200.203 / Default GW = 200.200.200.XXX / DNS = 200.200.200.XXX , 8.8.8.8

### Squid must be able to communicate directly with the users, so set a route to the user subnet via MikroTik; otherwise it won't be able to reach the users. Issue the following command:

# /24 mask to match the LAN 192.168.25.0/24 (a 255.255.0.0 mask does not match 192.168.25.0 and route add rejects it)
route add -net 192.168.25.0 netmask 255.255.255.0 gw 10.0.0.1 dev eth0
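Once the policy-routing setup above is in place, the quick way to confirm that Squid now sees the LAN client addresses instead of 10.0.0.1 (the symptom in the question) is to look at the client column of Squid's native access.log. The script below is an added example and not code from this thread; the log lines are constructed, and the router address and LAN subnet are the ones used in this thread.

```python
import ipaddress
from collections import Counter

ROUTER_PROXY_IP = ipaddress.ip_address("10.0.0.1")  # MikroTik ether3, from the thread
LAN_NET = ipaddress.ip_network("192.168.25.0/24")    # user subnet, from the thread

# Constructed sample lines in Squid's native access.log format (not real traffic):
# timestamp elapsed client action/code size method URL ident hierarchy/from type
SAMPLE_LOG = """\
1342102012.345    120 10.0.0.1 TCP_MISS/200 1234 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html
1342102013.001     80 10.0.0.1 TCP_HIT/200 5678 GET http://example.com/a.png - HIER_NONE/- image/png
1342102014.512    200 192.168.25.10 TCP_MISS/200 910 GET http://example.org/ - HIER_DIRECT/93.184.216.34 text/html
1342102015.002     95 192.168.25.20 TCP_MISS/403 0 GET http://blocked.example/ - HIER_NONE/- text/html
garbage line that does not parse
"""


def client_ips(log_text):
    """Yield the client address (third native-format field) of each parseable line."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        try:
            yield ipaddress.ip_address(fields[2])
        except ValueError:
            continue  # client column is not an IP address; skip the line


def classify_clients(log_text):
    """Count requests whose client is the router itself, a LAN host, or something else."""
    counts = Counter()
    for ip in client_ips(log_text):
        if ip == ROUTER_PROXY_IP:
            counts["router"] += 1   # source address lost to NAT/parent-proxy chaining
        elif ip in LAN_NET:
            counts["lan"] += 1      # original client address preserved
        else:
            counts["other"] += 1    # unexpected source, e.g. traffic arriving on the WAN side
    return counts


def source_ips_preserved(log_text):
    """True when LAN sources are visible and no request appears to come from the router."""
    c = classify_clients(log_text)
    return c["lan"] > 0 and c["router"] == 0


if __name__ == "__main__":
    print(classify_clients(SAMPLE_LOG), "preserved:", source_ips_preserved(SAMPLE_LOG))
```

Any count under "router" means per-client ACLs such as a block for 192.168.25.10 still cannot match, and a non-zero "other" count is worth checking against the `acl mylocalnet src 0.0.0.0/0.0.0.0` rule above, since that allows requests from any source Squid can hear.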