Mikrotik + external Squid proxy

To add SQUID Proxy Caching Server support in Mikrotik Router os 5.1, Assuming the following Scenario.


MIKROTIK WAN IP For All = 126.22.20.82/29
MIKROTIK LAN IP For F1 = 192.168.0.5/24
MIKROTIK LAN IP For F2= 192.168.5.1/24
MIKROTIK LAN IP For SQUID = 192.168.9.1/24


SQUID LAN IP = 192.168.9.2/24

SQUID WAN IP = 126.22.20.85/29



/ip firewall nat
add action=src-nat chain=srcnat disabled=no dst-address=!192.168.0.0/16
src-address=192.168.0.0/24 to-addresses=126.22.20.82
add action=src-nat chain=srcnat disabled=no dst-address=!192.168.0.0/16
src-address=192.168.5.0/24 to-addresses=126.22.20.82

New to add this [or] what ?
add action=dst-nat chain=dstnat comment=Forward_WWW_to_proxy disabled=no dst-address-list=!WWW-No-proxy
dst-port=8080,3128,80 protocol=tcp src-address=192.168.0.0/24 src-address-list=!Direct-No-Proxy
to-addresses=192.168.9.2 to-ports=3128
add action=dst-nat chain=dstnat comment=Forward_WWW_to_proxy disabled=no dst-address-list=!WWW-No-proxy
dst-port=8080,3128,80 protocol=tcp src-address=192.168.5.0/24 src-address-list=!Direct-No-Proxy
to-addresses=192.168.9.2 to-ports=3128



Squid Conf… i have
acl localnet src 192.168.9.0/24 # Local Lan


Ip Tables & route in linux

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 126.22.20.85:312
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -I INPUT -s 192.168.9.0/24 -p tcp --dport 3128 -j ACCEPT

iptables -t filter -D INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -t filter -D FORWARD -j REJECT --reject-with icmp-host-prohibited



But having problems, not working. can anyone help me to short out, where is the problems ?

First you have to be sure if squid I working without miktotik . I have a working squid server with 2tb , he caches perfectly , but I worked relly hard to make It work. My advice is not forward the http… etc. just create a simple firewall mangle rule to forward port 80 request (http) to squid proxy adress & port . I use a rb450g only for this traffic.

Only being an amateur regarding MT, but having several complicated squids up and running as (caching-)proxies, I would keep your config as simple as possible.
Reason is, that squid should work as a transparent proxy in your config. The setup for this, which is not the standard, is different between squid 2.x and 3.x and not always easy, depending upon your network.
And there are special requirements regarding NAT.

So I only used it in a very simple config together with MT box, which was acting as WiFi hotspot. In this config, I had the MT-proxy installed, and for this I configured the squid-box as an upstream (or parent) proxy. That was everything special for the MT-box to use squid.
(Which means, you can test your config first without this upstream squid configured. When this works, then add squid.)

On the squid-box, squid was running as a standard, non-transparent proxy with a more ore less default squid,conf. Simple job, when squid is installed from RPM or using apt-get install.
So you can setup the squid-box, and test it even from your network with a client. On the client, the browser simply has to be explicitly configured to use the squid-box as a proxy.
When this also works, configure the squid-box as upstream proxy for the proxy in the MT-box.
And then everything should work like a charm.

Good morning,

I have been trying unsuccessfully for a while now to introduce a
transparent squid proxy onto my network. If I leave it as a non-transparent proxy
everything goes well excepting that I would have to go around all the
clients and input the proxy details. Also I discovered that I don’t really
know enough of Linux to dabble into the IPTables area to open the required
ports; eg port 25 for smtp then 110 for pop etc.

Now on transparent with the various CLI commands I see online I don’t get
to push the required http traffic thru from the MikroTik to the squid like it does when running on non-transparent. Also there is a mistake in the diagram, the IP of
the eth2 of squid is 192.168.50.1 the the IP of the corresponding eth on
the MikroTik is 192.168.50.2 and not 10.5.50.x series as shown in the
diagram.

Attached are the following, the network topography, the squid conf file &
the Mikrotik output file.

I just tried this morning to with a RB1100 to set it up and i used the below CLI commands and i will paste the error message i got while running the tail command on the squid box! the CLI commands are as follows:

/ip firewall nat
add action=accept chain=srcnat disabled=no dst-port=80 protocol=tcp

/ip firewall mangle
add action=mark-routing chain=prerouting disabled=no dst-port=80 new-routing-mark=http passthrough=yes protocol=tcp

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=(192.168.50.1) routing-mark=http scope=30 target-scope=10

add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=(172.16.10.1) scope=30 target-scope=10

When i try to browse from any Pc on the network it doesn’t open pages, and when i do run the tail command i get the following message:

sudo tail -f /var/log/squid/access.log


1389344059.262 1 192.168.50.2 TCP_MISS/502 4044 GET http://client.freecause.com/Sharethis/sharethis.xml - HIER_DIRECT/192.168.50.1 text/html
1389344059.263 1 192.168.50.2 TCP_MISS/502 4053 GET http://client.freecause.com/Sharethis/sharebuttons.xml - HIER_DIRECT/192.168.50.1 text/html
1389344064.607 0 192.168.50.2 TCP_MISS/502 4044 GET http://client.freecause.com/Sharethis/sharethis.xml - HIER_DIRECT/192.168.50.1 text/html
1389344064.608 0 192.168.50.2 TCP_MISS/502 4041 GET http://client.freecause.com/Sharethis/sharecmd.xml - HIER_DIRECT/192.168.50.1 text/html
1389344064.613 0 192.168.50.2 TCP_MISS/502 4053 GET http://client.freecause.com/Sharethis/sharebuttons.xml - HIER_DIRECT/192.168.50.1 text/html

I would appreciate it if you could please point me in the right direction as i have been on this for quite a very long time taken quite a few insults from everyone possible and decided to to wait.


I await your response. Thank you.

squid conf.txt (1.69 KB)
Mikrotik Export.txt (23.3 KB)

Is it really impossible to have a simpler setup: To install the squid-box 172.16.11.2 just in-between the MT-hotspot 10.5.50.1 and gateway. And then use the squid-box as an upstream-proxy for MT-hotspot, which can be explicitly defined there. No need to define proxy in hotspot-clients, though.

Thank you for your prompt response but i would appreciate it if you could just do perhaps a rough diagram of what am expected to do so that i wont make any more mistakes as i am prone to making mistakes.

I will really appreciate it.

Thank you.

Like this (explicit upstream proxy for MT). Or to let squid run on your gateway, transparent.

Thanks for your usual prompt response,
Please don’t take it that i am being argumentative or whatnot; but i would like to know a few more things:

1. inserting the squid before the Mikrotik; would it still be able to perform the full capability of caching and full speed delivery of cached objects to users?

2. would i still be able to monitor the squid network with the tail command?

Thank you.

1.)Sure. squid will do only the caching of port80-html-traffic. If you want, you might use MTs caching as well, up to you. Although squids cache is much flexible.
2)squid only works on port 3128-traffic. (Assuming, you configute MTs-proxy to use upstream port 3128)
When using squid first time, just stick with the dafult squid.conf, only to modify port/cache_dir, may be. As it has a lot of knobs to turn, only try to optimize after the default squid.conf works ! As you only want simple caching, you might start with latest squid2.7 to work, as there are much less bells-and-whistles as in the newer versions. I have several of them still running.

Thanks for your ever kind and evr patient manner in responding to my am very sure annoying questions.

I have already configured the squid as it is so, are you saying that i should just reset it and plug it in direct?

Now if i use the MT’s proxy would that not conflict with the squid in anyway?

Also i am using Opensuse 12.3 i would like to know if the Linux commands in the above example are OK for me to use or i should just do my thing as i have been doing?

Am grateful for you great responses

In the MT you have to use the Proxy (transparent), and for this MT then to define the squid(SuSE, routing) as parent/upstream proxy. And the squid(Suse) as default gateway. SusE is fine, I have also 11.4 running. No problem. You can generate squid from source, or use a package, which is easier, as it also generates /etc/int.d/squid.
(Your original diagram is also possible to be implemented, but more complicated. Only advantage of it: Only http-traffic passes squid-box, whereas in my simple setup all traffic passes the squid-box. But should not be noticable, unless you have huge traffic. First, keep it simple. Optimizations you can do later on.)
As for more squid-specific issues go here:
http://squid-web-proxy-cache.1019090.n4.nabble.com/
I am also there
Sorry, preparing now for overseas-trip.

I know this is 2 years late but I did find a syntax error on the script provided by the Marthur dot com website.

add action=drop chain=input dst-port=8080 in-interfacet=ether1 protocol=tcp log=yes log-prefix=“Drop_Web Proxy” comment=“Drop Web Proxy requests from WAN.”

being “interfacet” it didn’t provide the protection as the rule intended, exposed my proxy to the internet and me being a newbie I didn’t catch it until I had a problem.

Stumbled across this subject, thought I would share.