Mikrotik + squid = users' src IP changes in the squid log! Why?

I'm using Mikrotik as a PPPoE server and squid as a cache server.
Mikrotik is redirecting traffic to port 80 to port 8080 of squid (using dst-nat).
Everything works fine except one thing:
when I check the squid access log, all requests come from the Mikrotik IP, not the users' own IPs!
I've also used mangle and policy routing to route traffic to port 80 to squid, but the access log on squid still shows the Mikrotik IP as the src IP!
dst-nat means change the dst-address, doesn't it?
Any solution?

Is nobody concerned?
Can anybody help?

Mark routing on outgoing packets to port 80 to your squid proxy. Then use iptables to redirect traffic on the Linux box to port 8080. Make sure it's set up for transparent redirect.


Where 192.168.1.2 is the squid server…

/ip firewall mangle
add action=mark-routing chain=prerouting comment="" disabled=no dst-port=80 in-interface=LAN new-routing-mark=main passthrough=no protocol=tcp src-address=192.168.1.2
add action=mark-routing chain=prerouting comment="" disabled=no dst-port=80 in-interface=LAN new-routing-mark=squid-redirect passthrough=yes protocol=tcp src-address=192.168.1.0/24

/ip route
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.2 routing-mark=squid-redirect scope=30 target-scope=10

On your linux box

iptables -t nat -A PREROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

Thanks netrat.
Is this the solution to my problem? After this config my squid log will show the clients' IP addresses, not the Mikrotik IP, right?
I'll test it…
P.S.
When I mangle web traffic that comes from the LAN and route it to squid, everything works fine; the access log shows the clients' IP addresses.
BUT the problem arises when clients connect to Mikrotik using PPPoE or PPTP. The squid access log shows the Mikrotik IP address as the src address and I cannot analyze a specific user's IP log…

It means that you do src-nat of PPPoE clients, and nothing else. Disable src-nat for redirected traffic, and all will be fine.

Thanks Chupaka.
So why does this not happen for LAN clients?
And by the way, mangle is before src-nat. This means port 80 traffic should be mangled and sent to squid before it is processed by other rules…

Mangle cannot stop a packet from being processed by NAT unless you make it explicit. For example, set 'routing-mark=!squid-redirect' in the src-nat rule.
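Putting netrat's mangle/route rules together with Chupaka's src-nat exclusion, here is a complete RouterOS configuration as an added example (not posted in this thread). The PPPoE pool 10.0.0.0/24, the WAN interface ether1 and the LAN interface name are assumptions; 192.168.1.2 is the squid host from netrat's post. The commented-out srcnat rule is the "before" state that masquerades the redirected packets too, which is what makes squid log the router's IP; the rule after it is the fix.

```routeros
# Added example, not from the original thread. Assumed addresses:
#   192.168.1.2  = squid host on the LAN (from netrat's post)
#   10.0.0.0/24  = PPPoE client pool (assumption)
#   ether1       = WAN interface (assumption), LAN = LAN interface

/ip firewall mangle
# Squid's own port-80 traffic stays on the main table, otherwise it would be
# policy-routed back to itself (passthrough=no so no later rule re-marks it)
add chain=prerouting protocol=tcp dst-port=80 src-address=192.168.1.2 \
    action=mark-routing new-routing-mark=main passthrough=no
# Mark port-80 traffic from LAN clients for redirection to squid
add chain=prerouting protocol=tcp dst-port=80 in-interface=LAN \
    src-address=192.168.1.0/24 action=mark-routing new-routing-mark=squid-redirect passthrough=yes
# Same for PPPoE clients: match on the pool instead of an interface, because
# each PPPoE session is its own dynamic interface
add chain=prerouting protocol=tcp dst-port=80 src-address=10.0.0.0/24 \
    action=mark-routing new-routing-mark=squid-redirect passthrough=yes

/ip route
# Marked traffic goes to the squid box instead of the WAN gateway
add dst-address=0.0.0.0/0 gateway=192.168.1.2 routing-mark=squid-redirect

/ip firewall nat
# BEFORE (the problem): masquerade applies to every packet leaving the router,
# including those policy-routed to squid, so squid sees the router's LAN address.
# add chain=srcnat src-address=10.0.0.0/24 action=masquerade
#
# AFTER (the fix from the thread): exclude the redirect mark from src-nat, so
# packets sent to squid keep the client's source IP; the mark was set in
# prerouting, so it is visible here in postrouting.
add chain=srcnat src-address=10.0.0.0/24 routing-mark=!squid-redirect action=masquerade
# Real Internet-bound traffic is still masqueraded on the WAN interface
add chain=srcnat out-interface=ether1 routing-mark=!squid-redirect action=masquerade
```

Two checks worth doing after applying this: on the squid host, the PREROUTING REDIRECT rule from netrat's post must match the PPPoE pool as well (adjust its `-s` and `! -d` to cover 10.0.0.0/24, or drop the source match), and the host needs a route back to 10.0.0.0/24 via the Mikrotik's LAN address, or squid's replies to the client IPs it now sees will go to the wrong gateway. Then tail access.log while a PPPoE client browses; the first column should be the client's pool address rather than the router's.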