I want to redirect outgoing web traffic through a linux server on my local network, instead of directly through a router. Below is a diagram for clarity.
The first diagram shows the default network. Router is HAP AX3 with router os7.
In the second diagram, the Linux server is the default gateway, not the router.
The linux server is debian 12, with one network interface, freshly installed with no additional software.
The only changes are:
net.ipv4.ip_forward=1
sudo iptables -t nat -A POSTROUTING -o enp6s18 -j MASQUERADE
sudo iptables -A FORWARD -i enp6s18 -o enp6s18 -j ACCEPT
On the above diagrams(1,2) everything works without problems. HTTP and HTTPS sites work without problems.
But I would like to send only web traffic through the linux server, not all of it.
I am trying to implement the third scheme, where the router redirects web traffic to the linux server. For all clients on the local network, the router is the default gateway
I mark and redirect the traffic in the router.
chain=prerouting action=accept protocol=tcp src-address=192.168.0.10 in-interface=bridge dst-port=80 log=no log-prefix=""
chain=prerouting action=accept protocol=tcp src-address=192.168.0.10 in-interface=bridge dst-port=443 log=no log-prefix=""
chain=prerouting action=mark-routing new-routing-mark=to_proxy passthrough=yes protocol=tcp src-address-list=to_proxy_list in-interface=bridge dst-port=80 log=no log-prefix=""
chain=prerouting action=mark-routing new-routing-mark=to_proxy passthrough=yes protocol=tcp src-address-list=to_proxy_list in-interface=bridge dst-port=443 log=no log-prefix=""
chain=prerouting action=accept routing-mark=to_proxy in-interface=bridge log=no log-prefix=""
/ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.0.10 routing-table=to_proxy scope=30 suppress-hw-offload=no target-scope=10
Web works only partially: HTTP works, half of HTTPS sites do not open, browser throws err_connection_reset for half HTTPS sites.
Please help me to figure it out and make it work.
I’m new to networking and I don’t understand can 3rd scheme work at all. Do I have to use a real proxy like squid on a linux server? Can simple ip forwarding solve this task or not?
Here is active config, rules for third diagram are disabled but present here for testing purposes.
[admin@MikroTik] > export hide-sensitive
# 2024-08-26 08:32:59 by RouterOS 7.15.2
# model = C53UiG+5HPaxD2HPaxD
/interface bridge
add admin-mac=78:9A:18:8C:F4 auto-mac=no comment=defconf name=bridge port-cost-mode=short
/interface wifi
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac configuration.antenna-gain=3 .country=Other .mode=ap .ssid=test2 disabled=no \
security.authentication-types=wpa2-psk,wpa3-psk .wps=disable
/interface pppoe-client
add add-default-route=yes comment="To make sfp working change interface to VLAN10" disabled=no interface=ether5 name=pppoe-out1 user=pppoe
/interface wireguard
add listen-port=1337 mtu=1420 name=wireguard1
/interface vlan
add interface=ether5 name=sfp-vlan10 vlan-id=10
/interface wifi
add configuration.mode=ap .ssid=test3 disabled=no mac-address=7A:9A:18:8C:24 master-interface=wifi2 name=test3 security.authentication-types=\
wpa2-psk,wpa3-psk .wps=disable
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi channel
add disabled=no frequency=5180-5320,5580-5785 name=ch-5ghz width=20/40/80mhz
/interface wifi
set [ find default-name=wifi1 ] channel=ch-5ghz channel.band=5ghz-ax .skip-dfs-channels=all .width=20/40/80mhz configuration.antenna-gain=5 .country=\
Other .mode=ap .ssid="test" disabled=no security.authentication-types=wpa2-psk,wpa3-psk .wps=disable
/ip pool
add name=default-dhcp ranges=192.168.0.20-192.168.0.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/routing table
add disabled=no fib name=to_proxy
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" disabled=yes disabled=yes name=zt1 port=9993
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=wifi1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=wifi2 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridge interface=test3
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether5 list=WAN
add interface=pppoe-out1 list=WAN
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=192.168.100.10/32 interface=wireguard1 name=peer1 public-key=""
add allowed-address=192.168.100.11/32 client-address=192.168.100.11/32 interface=wireguard1 name=peer2 preshared-key=\
"" private-key="" public-key=\
""
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=192.168.0.0
add address=172.168.0.2/24 interface=ether5 network=172.168.0.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add add-default-route=no interface=ether5
/ip dhcp-server lease
add address=192.168.0.6 client-id=1:b8:27:eb:94:ae mac-address=B8:27:EB:94:AE server=defconf
add address=192.168.0.25 mac-address=90:48:9A:03:02 server=defconf
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.1 gateway=192.168.0.10
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.0.2-192.168.0.254 list=to_proxy_list
/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=1337 protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward disabled=yes dst-port=443 out-interface-list=WAN protocol=udp src-address-list=to_proxy_list
/ip firewall mangle
add action=mark-packet chain=prerouting comment="NAT Loopback detect" connection-state=new dst-address=1.2.3.4 in-interface-list=LAN new-packet-mark=\
nat-loopback passthrough=yes
add action=accept chain=prerouting disabled=yes dst-port=80 in-interface=bridge protocol=tcp src-address=192.168.0.10
add action=accept chain=prerouting disabled=yes dst-port=443 in-interface=bridge protocol=tcp src-address=192.168.0.10
add action=mark-routing chain=prerouting disabled=yes dst-port=80 in-interface=bridge new-routing-mark=to_proxy passthrough=yes protocol=tcp \
src-address-list=to_proxy_list
add action=mark-routing chain=prerouting disabled=yes dst-port=443 in-interface=bridge new-routing-mark=to_proxy passthrough=yes protocol=tcp \
src-address-list=to_proxy_list
add action=accept chain=prerouting disabled=yes in-interface=bridge routing-mark=to_proxy
add action=change-mss chain=forward disabled=yes new-mss=1000 passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1301-65535
add action=mark-routing chain=prerouting in-interface=wireguard1 new-routing-mark=to_proxy passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="FRP reverse proxy" dst-address=1.2.3.4 dst-port=7000-7100 protocol=tcp to-addresses=192.168.0.9 to-ports=\
7000-7100
add action=dst-nat chain=dstnat comment="FRP reverse proxy" dst-address=1.2.3.4 dst-address-list="" dst-port=7000-7100 protocol=udp to-addresses=\
192.168.0.9 to-ports=7000-7100
add action=dst-nat chain=dstnat comment="Rust Desk" dst-address=1.2.3.4 dst-port=21114-21120 protocol=tcp to-addresses=192.168.0.9 to-ports=\
21114-21120
add action=dst-nat chain=dstnat comment="Rust Desk" dst-address=1.2.3.4 dst-port=21114-21120 protocol=udp to-addresses=192.168.0.9 to-ports=\
21114-21120
add action=dst-nat chain=dstnat comment="Gotify notification" dst-port=9999 in-interface-list=WAN protocol=tcp to-addresses=192.168.0.6 to-ports=9999
add action=dst-nat chain=dstnat comment="Gotify notification" dst-port=9999 in-interface-list=WAN protocol=udp to-addresses=192.168.0.6 to-ports=9999
add action=dst-nat chain=dstnat comment="Wireguard raspberry" disabled=yes dst-address=1.2.3.4 dst-port=8080 protocol=tcp to-addresses=192.168.0.6 \
to-ports=8080
add action=dst-nat chain=dstnat comment="Wireguard raspberry" dst-port=51820 in-interface-list=WAN protocol=udp to-addresses=192.168.0.6 to-ports=51820
add action=masquerade chain=srcnat comment="NAT Loopback replace address" packet-mark=nat-loopback
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.0.10 routing-table=to_proxy scope=30 suppress-hw-offload=no target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=
/system note
set show-at-login=no
/system routerboard wps-button
set enabled=yes on-event="/system/script/run wps-wifi-off"
/system script
add dont-require-permissions=yes name=wps-wifi-off owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":if ([/inter\
face wifi get wifi1 disabled]=no) do={\r\
\n\t/interface wifi disable [find]\r\
\n\t:log info message=\"Wifi turned off\"\r\
\n\t} else={\r\
\n\t/interface wifi enable [find]\r\
\n\t:log info message=\"Wifi turned on\"\r\
\n}"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
So I finally bruteforced this issue.
I forgot to enable masquerade for marked traffic:
add action=masquerade chain=srcnat comment="to proxy" routing-mark=to_proxy
After that, all previously non-working sites began to load but very slowly. I don’t fully understand why but it was caused by default fasttrack rule, modified it to exclude any non default traffic.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-mark=no-mark connection-state=established,related hw-offload=yes packet-mark=no-mark routing-mark=main
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-mark=no-mark connection-state=established,related,untracked packet-mark=no-mark routing-mark=main