Mikrotik Squid origin IP problem

Hello, I have a problem with Mikrotik - Squid proxy origin IP; can anybody give me advice on it?

Firstly I am using Mikrotik as main router for my Internet gateway.

I am using 3 interfaces on it:
eth1 - Internet (78.135.x.xx)
eth2 - Offices1network (192.168.10.0/24)
eth3 - Offices2network (192.168.11.0/24)

And I am reaching mikrotik from the 192.168.10.10 IP address from office1network, and the 192.168.11.1 IP from office2network.

My routing on mikrotik:

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 A S 0.0.0.0/0 78.135.x.xx 1
1 ADC 78.135.9.88/30 78.135.x.xx eth1-Internet 0
2 ADC 192.168.10.0/24 192.168.10.10 eth2-Office1 0
3 ADC 192.168.11.0/24 192.168.11.1 eth3-Office2 0

My firewall rules on mikrotik:
0 chain=srcnat action=masquerade out-interface=eth1-Internet
1 chain=srcnat action=masquerade src-address=192.168.11.0/24
2 chain=srcnat action=masquerade src-address=192.168.10.0/24
.. and other port forwardings.

My question is:
I installed a PC running Debian - Squid - DansGuardian on the 192.168.10.55 IP address on Office1network. Squid proxy is running on 3128, DansGuardian on 8080, so if I give any client in my office1 network the proxy IP I give 192.168.10.55 8080, and the proxy works perfectly.
I am getting the client IP address in ACCESS.LOG, for example: " 2012.10.12 18:22:50 192.168.10.82 192.168.10.82 http://www.google.com/complete/search?sugexp=chrome |

But if I enter the proxy IP on any of the clients from office2network (11.0/24) I get the Mikrotik router IP: 2012.10.12 18:10:01 - 192.168.10.10 http://www.google.com.tr

And for more information, I am using my own DNS server on 192.168.10.7; is it a problem with my configuration?

If you can help me with it, I would really appreciate it; I have been trying to solve this problem for a long time but with no success :( .

Regards,

Hi

I presume you are directly typing the address of the proxy into the users' browsers?

The reason for this is that the users in 10.0/24 do not go via the router to get to the squid box – since they are on the same subnet they simply directly speak to the box and the box responds directly to them.

Customers on the office2 network DO route via the mikrotik and more than likely your NAT rules apply there.

One solution would be to put the squid on a separate IP subnet and interface/vlan. Configure the router to not NAT to the squid. In this way all customers will have to make use of the router to get to the squid, and if you don't NAT to the squid specifically you will get the correct client IP addresses in the access logs.

Hope this helps

Yes, I am directly typing the address of the proxy into browsers, but if I add a rule to NAT and forward all incoming port 80 traffic to 10.55 8080, the result is the same.
I will try to put squid on a new network and try your advice.
Thank you.

Hello, I changed my configuration like this; I put the proxy server on a different network.

eth1 - Internet (78.135.x.xx)
eth2 - Offices1network (192.168.10.0/24)
eth3 - Offices2network (192.168.11.0/24)
eth4 - ProxyNetwork (192.168.9.0/24)

And I am reaching mikrotik from the 192.168.10.10 IP address from office1network, and the 192.168.11.1 IP from office2network.

My routing on mikrotik:

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 A S 0.0.0.0/0 78.135.x.xx 1
1 ADC 78.135.9.88/30 78.135.x.xx eth1-Internet 0
2 ADC 192.168.10.0/24 192.168.10.10 eth2-Office1 0
3 ADC 192.168.11.0/24 192.168.11.1 eth3-Office2 0
4 ADC 192.168.9.0/24 192.168.9.1 eth4-Proxy 0

My firewall rules on mikrotik:
0 chain=srcnat action=masquerade out-interface=eth1-Internet
1 chain=srcnat action=masquerade src-address=192.168.11.0/24
2 chain=srcnat action=masquerade src-address=192.168.10.0/24
3 chain=srcnat action=masquerade src-address=192.168.9.0/24
.. and other port forwardings.

I installed the proxy on 192.168.9.10 and separated the networks.
And still I can't get the origin IP address in access.log;
it shows like:
2012.10.16 14:38:33 - 192.168.9.1 http://www.google.com

Any advice?

Why are you still using:
1 chain=srcnat action=masquerade src-address=192.168.11.0/24
2 chain=srcnat action=masquerade src-address=192.168.10.0/24
3 chain=srcnat action=masquerade src-address=192.168.9.0/24

? You have a NAT on anything going out to the internet, so there is no need to NAT anything else. Once you drop those rules I believe the issue will be done.
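To make the two answers in this thread concrete, here is an added Python simulation of the router's chain=srcnat behaviour (example code written for this page; it is not RouterOS code and not the poster's configuration). It transcribes the interfaces, router addresses and the two rule sets from the second configuration, and models two facts: hosts on the same subnet talk directly, so the router never sees that traffic (the first reply), and a masquerade rule with only src-address set matches packets leaving on any interface, including the proxy's, so the proxy logs the router's eth4 address (the last reply). The public address is a placeholder where the thread shows 78.135.x.xx, and the matching model (first matching rule wins, masquerade rewrites the source to the egress interface's address) is a simplification.

```python
"""Simulate what client address a proxy sees under different srcnat rule sets.

Added example for this thread, not RouterOS code and not the poster's config.
Interfaces, subnets, router addresses and rules are taken from the thread; the
public address is a placeholder (thread shows 78.135.x.xx). Model: a rule
matches when every field it specifies matches; action=masquerade rewrites the
packet source to the router's address on the interface the packet leaves on.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Router interfaces: name -> (router address on that interface, connected subnet)
INTERFACES = {
    "eth1-Internet": ("203.0.113.2", "203.0.113.0/30"),  # placeholder for 78.135.x.xx
    "eth2-Office1": ("192.168.10.10", "192.168.10.0/24"),
    "eth3-Office2": ("192.168.11.1", "192.168.11.0/24"),
    "eth4-Proxy": ("192.168.9.1", "192.168.9.0/24"),
}


@dataclass(frozen=True)
class SrcNatRule:
    """One chain=srcnat rule; a field left as None matches anything."""
    action: str
    src_address: Optional[str] = None
    out_interface: Optional[str] = None

    def matches(self, src: str, out_iface: str) -> bool:
        if self.src_address and ip_address(src) not in ip_network(self.src_address):
            return False
        if self.out_interface and self.out_interface != out_iface:
            return False
        return True


# Rules 0-3 from the poster's second configuration
ORIGINAL_RULES = [
    SrcNatRule("masquerade", out_interface="eth1-Internet"),
    SrcNatRule("masquerade", src_address="192.168.11.0/24"),
    SrcNatRule("masquerade", src_address="192.168.10.0/24"),
    SrcNatRule("masquerade", src_address="192.168.9.0/24"),
]

# After the last reply's advice: only rule 0 (masquerade towards the Internet) remains
CORRECTED_RULES = [SrcNatRule("masquerade", out_interface="eth1-Internet")]


def connected_interface(addr: str) -> Optional[str]:
    """Interface whose connected subnet contains addr, or None if not local."""
    for name, (_, net) in INTERFACES.items():
        if ip_address(addr) in ip_network(net):
            return name
    return None


def source_seen_by(dst: str, src: str, rules) -> str:
    """Source address the host at dst observes for a packet sent by src."""
    src_iface = connected_interface(src)
    # Anything not on a connected subnet follows the 0.0.0.0/0 default route
    dst_iface = connected_interface(dst) or "eth1-Internet"
    if src_iface is not None and src_iface == dst_iface:
        # Same subnet: the hosts exchange frames directly, the router never sees them
        return src
    for rule in rules:  # first matching rule in chain=srcnat decides
        if rule.matches(src, dst_iface):
            if rule.action == "masquerade":
                return INTERFACES[dst_iface][0]
            return src  # e.g. action=accept: leave the source untouched
    return src


if __name__ == "__main__":
    # Constructed client addresses; 198.51.100.7 stands in for any Internet host
    cases = [
        ("192.168.10.82", "192.168.10.55"),  # office1 client -> proxy on office1 (first setup)
        ("192.168.11.50", "192.168.9.10"),   # office2 client -> proxy on eth4 (second setup)
        ("192.168.11.50", "198.51.100.7"),   # office2 client -> Internet
    ]
    for label, rules in (("original", ORIGINAL_RULES), ("corrected", CORRECTED_RULES)):
        for src, dst in cases:
            print(f"{label:9} {src} -> {dst}: destination logs {source_seen_by(dst, src, rules)}")
```

Running it reproduces the thread's observations: with the original rules an office2 client reaching the proxy on eth4 is logged as 192.168.9.1 (and as 192.168.10.10 in the first setup), while an office1 client on the same subnet as the proxy is logged correctly; with only rule 0 left, internal clients keep their own addresses and only Internet-bound traffic is masqueraded.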