PCC and Web Proxy

Hi friends.

I need your help.

I have a MikroTik 3.28 with PCC, and now I'd like to apply WebProxy, but that is not working... I read in a past post one way to do that, but I couldn't do it.

This is my configuration:

[marco@MikroTik] /interface> print
Flags: D - dynamic, X - disabled, R - running, S - slave

NAME TYPE MTU L2M

0 R RedInterna ether 1500
1 R Internet1 ether 1500 160
2 R Internet2 ether 1500 160


[marco@MikroTik] /ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=mark-connection new-connection-mark=Internet1_conn passthrough=yes in-interface=Internet1

1 chain=input action=mark-connection new-connection-mark=Internet2_conn passthrough=yes in-interface=Internet2

2 chain=output action=mark-routing new-routing-mark=to_Internet1 passthrough=yes connection-mark=Internet1_conn

3 chain=output action=mark-routing new-routing-mark=to_Internet2 passthrough=yes connection-mark=Internet2_conn

4 chain=prerouting action=accept dst-address=172.168.1.0/24 in-interface=RedInterna

5 chain=prerouting action=accept dst-address=172.168.2.0/24 in-interface=RedInterna

6 chain=prerouting action=mark-connection new-connection-mark=Internet1_conn passthrough=yes dst-address-type=!local in-interface=RedInterna
per-connection-classifier=both-addresses:2/0

7 chain=prerouting action=mark-connection new-connection-mark=Internet2_conn passthrough=yes dst-address-type=!local in-interface=RedInterna
per-connection-classifier=both-addresses:2/1

8 chain=prerouting action=mark-routing new-routing-mark=to_Internet1 passthrough=yes in-interface=RedInterna connection-mark=Internet1_conn

9 chain=prerouting action=mark-routing new-routing-mark=to_Internet2 passthrough=yes in-interface=RedInterna connection-mark=Internet2_conn

[marco@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=Internet1

1 chain=srcnat action=masquerade out-interface=Internet2

[marco@MikroTik] /ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC GATEWAY-STATE GATEWAY DISTANCE INTERFACE

0 A S 0.0.0.0/0 reachable 172.168.2.1 1 Internet2
1 A S 0.0.0.0/0 reachable 172.168.1.1 1 Internet1
2 A S 0.0.0.0/0 reachable 172.168.1.1 1 Internet1
3 S 0.0.0.0/0 reachable 172.168.2.1 2 Internet2
4 ADC 172.168.1.0/24 172.168.1.2 0 Internet1
5 ADC 172.168.2.0/24 172.168.2.2 0 Internet2
6 ADC 192.168.1.0/24 192.168.1.254 0 RedInterna


That's all

First, I don't understand why lines 4, 5 and 6 appear in the route section.
Second, the web proxy configuration is not there; it is disabled now.
Third, I'm using simple queue.

Well, I hope this is all you need...
Thanks for your help

Items 4, 5 and 6 are there because any directly connected networks (networks that your router has an IP address on) are valid routes for those networks.

When you use the web proxy, the actual traffic fetching the web pages for the client is in the ‘output’ chain as that has all traffic caused by the router (and therefore the web proxy running on the router). The rules you have filter by in-interface and don’t catch that traffic. So, in order to balance the web proxy you need to insert additional PCC lines to mark connections in the ‘output’ chain that aren’t marked yet by items 0 and 1.

If you upgrade to 4.x that’s relatively easy to do because it has a feature that can match connections that do not yet have a connection mark. You’d insert two rules above your existing mangle rules 2 and 3 that look like this:

/ip firewall mangle
add chain=output connection-mark=no-mark action=mark-connection new-connection-mark=Internet1_conn passthrough=yes per-connection-classifier=both-addresses:2/0
add chain=output connection-mark=no-mark action=mark-connection new-connection-mark=Internet2_conn passthrough=yes per-connection-classifier=both-addresses:2/1

On 3.28 the rule set would be quite a bit more complicated to make sure you don’t interfere with potentially existing connection marks that must not be changed, so hopefully you can upgrade to 4.x.
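
An added illustration of the answer above (not part of the original posts, and not MikroTik code): a small Python model of the 'output' chain showing that the posted rules leave the proxy's own fetches without a routing mark, while the two no-mark PCC rules spread them over both links. CRC32 stands in for the real PCC hash, and the source address and destination list are constructed; all three are assumptions.

```python
import ipaddress
import zlib

# Output-chain mangle rules as dicts. ORIGINAL = rules 2 and 3 of the posted
# config; FIXED = the two no-mark PCC rules from the answer placed above them.
ORIGINAL = [
    {"action": "mark-routing", "new": "to_Internet1", "connection-mark": "Internet1_conn"},
    {"action": "mark-routing", "new": "to_Internet2", "connection-mark": "Internet2_conn"},
]
FIXED = [
    {"action": "mark-connection", "new": "Internet1_conn", "connection-mark": "no-mark", "pcc": (2, 0)},
    {"action": "mark-connection", "new": "Internet2_conn", "connection-mark": "no-mark", "pcc": (2, 1)},
] + ORIGINAL

PROXY_SRC = "172.168.1.2"  # assumed source address of the router's own fetches
DESTS = [f"203.0.113.{i}" for i in range(1, 65)]  # constructed web servers

def pcc_bucket(src, dst, denominator):
    """both-addresses classifier; CRC32 is an ASSUMED stand-in for the real hash."""
    key = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    return zlib.crc32(key) % denominator

def run_output_chain(rules, src, dst, conn_mark=None):
    """Pass one router-originated packet through the chain (all passthrough=yes).
    Returns (connection mark, routing mark); routing mark None = main table."""
    routing_mark = None
    for rule in rules:
        wanted = rule["connection-mark"]
        if wanted == "no-mark" and conn_mark is not None:
            continue  # connection already marked, e.g. by input rules 0 and 1
        if wanted != "no-mark" and conn_mark != wanted:
            continue
        if "pcc" in rule and pcc_bucket(src, dst, rule["pcc"][0]) != rule["pcc"][1]:
            continue
        if rule["action"] == "mark-connection":
            conn_mark = rule["new"]
        else:
            routing_mark = rule["new"]
    return conn_mark, routing_mark

def distribution(rules, src=PROXY_SRC, dests=DESTS):
    """Count proxy fetches per routing mark."""
    counts = {}
    for dst in dests:
        mark = run_output_chain(rules, src, dst)[1]
        counts[mark] = counts.get(mark, 0) + 1
    return counts

if __name__ == "__main__":
    print("3.28 rules:", distribution(ORIGINAL))
    print("with no-mark PCC rules:", distribution(FIXED))
```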

Then, I have to change to a 4.x version…
It’s impossible to do that in the 3.28 version. These lines you wrote are for the 4.x version, really?

Please.. I don’t understand very well, because I don’t speak English fluently and I don’t know much about MikroTik..
Help me with easy examples..
Thanks

I think the answer is you have to upgrade to 4.x to use "… a feature that can match connections that do not yet have a connection mark"

It will work on 3.30, right???

Ooops, it doesn’t work.
It works only if I set the IP and port of the web proxy in the explorer.