Need help regarding proxy.

Could anyone please explain to me what’s the difference between

→ ip proxy vs ip web proxy

I’m currently using the latter.

My Web Proxy configuration is as follows (number 3):

 0   ;;; Masquerade
     chain=srcnat action=masquerade 

 1   ;;; Web
     chain=dstnat dst-address=118.96.xxx.xxx protocol=tcp dst-port=80 
     action=dst-nat to-addresses=192.168.2.3 to-ports=80 

 2   chain=srcnat dst-address=192.168.2.3 protocol=tcp dst-port=80 
     action=src-nat to-addresses=192.168.2.3 to-ports=80 

 3   ;;; Transparent Proxy
     chain=dstnat src-address=192.168.2.0/24 protocol=tcp dst-port=80 
     action=redirect to-ports=3128 

 4   ;;; POP SMTP
     chain=dstnat dst-address=118.96.xxx.xxx protocol=tcp dst-port=110 
     action=dst-nat to-addresses=192.168.2.4 to-ports=110 

 5   chain=dstnat dst-address=118.96.xxx.xxx protocol=tcp dst-port=25 
     action=dst-nat to-addresses=192.168.2.4 to-ports=25

 6   ;;; VNC pt-xxxxxx.com
     chain=dstnat protocol=tcp dst-port=5900 action=dst-nat 
     to-addresses=192.168.2.3 to-ports=5900 

 7   ;;; CCTV Besar
     chain=dstnat protocol=tcp dst-port=83 action=dst-nat 
     to-addresses=192.168.2.2 to-ports=80 

 8   chain=dstnat protocol=tcp dst-port=4550 action=dst-nat 
     to-addresses=192.168.2.2 to-ports=4550 

 9   chain=dstnat protocol=tcp dst-port=5550 action=dst-nat 
     to-addresses=192.168.2.2 to-ports=0-65535 

10   ;;; CCTV Kecil: 19 atas - 18 bawah
     chain=dstnat protocol=tcp dst-port=84 action=dst-nat 
     to-addresses=192.168.2.18 to-ports=80 

11   chain=dstnat protocol=tcp dst-port=85 action=dst-nat 
     to-addresses=192.168.2.19 to-ports=80

Another question:

If I want to take pessimistic approach - BLOCK ALL SITES and allow only some I select, how to do that?

EDIT:

My simple network diagram…

Internet → ADSL MODEM (Bridge mode) → Mikrotik → LAN
(------)_____________________________(192.168.2.1)_ (192.168.2.0/24)

192.168.2.2 -> CCTV Server
192.168.2.3 -> Web server
192.168.2.4 -> Email server

I’ve got a couple of NAT’ing problems as well for those servers, but I’ll keep them for later. =\ Probably it’s about hairpin NAT, which I’ve been reading about but can’t understand a thing about.

Thanks in advance.

They are the same thing. Winbox just has it labeled differently than what is in the CLI.

I don’t use the proxy much, so I’m not 100% on this, but this is the rule you need to deny all web sites.

/ip proxy access
add action=deny disabled=no dst-address=0.0.0.0/0

Put your accept rules above it.

Hairpin NAT is an ugly hack and you shouldn’t use it unless you absolutely have to. It is a much better design to give your servers their own routed interface and own subnet. As long as you have a RouterBoard with more than 2 interfaces you can do this. This way you can more effectively firewall your servers and end users from each other for more security.
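Putting the reply's deny-all rule together with the accept rules that go above it, as an added example of an allow-list proxy setup (not from the thread). It assumes the LAN 192.168.2.0/24 and proxy port 3128 from the original config; the allowed host names are placeholders.

```routeros
# Added example (not from the thread): allow-list style proxy filtering.
# Assumes the LAN 192.168.2.0/24 and proxy port 3128 from the poster's
# config; the host names below are placeholders, replace with your own.

/ip proxy
set enabled=yes port=3128

/ip proxy access
# Accept rules first: the access list is evaluated top to bottom and the
# first matching rule wins, so these must sit above the deny-all rule.
add dst-host="*.example.com" action=allow comment="placeholder: allowed site"
add dst-host="example.org" action=allow comment="placeholder: allowed site"
# Everything else is denied (the rule given in the reply above).
add dst-address=0.0.0.0/0 action=deny comment="deny all other sites"

/ip firewall nat
# Transparent redirect as in the poster's rule 3. It only catches TCP/80:
# HTTPS (443) never passes through the proxy, so it is not filtered by
# the access list above.
add chain=dstnat src-address=192.168.2.0/24 protocol=tcp dst-port=80 action=redirect to-ports=3128 comment="Transparent Proxy"

/ip firewall filter
# Keep the proxy reachable from the LAN only, so the router does not act
# as an open proxy towards the Internet.
add chain=input protocol=tcp dst-port=3128 src-address=!192.168.2.0/24 action=drop comment="drop proxy requests from outside the LAN"
```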

Thank you for your clear explanation and your solution is working.


Another question,

I set up NTP server on Mikrotik like this:

http://imageshack.us/photo/my-images/193/mikrotik.jpg/

but my client (Windows 7 Ultimate 32 bit SP1) can’t reach the NTP server. I made sure I put the correct IP address, in this case my Mikrotik’s LAN card IP (192.168.2.1), but it says ‘An error occurred while Windows was synchronizing with 192.168.2.1. The peer is unreachable.’

Any clue as to what I did wrong, please?

You’re running a very old version, so that could be part of the problem with the NTP server and Windows. I’m not sure about the settings on a version that old so I can’t be much help there.

Thanks. I’ll post a new topic then for the other issues.