redirect only marked traffic to proxy.

Hello everybody!

I’m trying to redirect particular web traffic to a web proxy. Redirection does not work; MikroTik just filters the matched traffic. I can redirect all traffic to the proxy, but I really need to redirect only part of the traffic.

/ip firewall mangle add chain=prerouting action=mark-packet new-packet-mark=kids content=sex.com
/ip firewall filter add chain=forward action=drop packet-mark=kids protocol=tcp dst-port=80
/ip firewall nat add chain=dstnat action=redirect to-addresses=1.1.1.1 to-ports=8080 protocol=tcp packet-mark=kids dst-port=80

enabled: yes
src-address: 1.1.1.1
port: 8080
anonymous: no
parent-proxy: ::
parent-proxy-port: 0
cache-administrator: webmaster
max-cache-size: unlimited
max-cache-object-size: 2048KiB
cache-on-disk: no
max-client-connections: 600
max-server-connections: 600
max-fresh-time: 3d
serialize-connections: no
always-from-cache: no
cache-hit-dscp: 4
cache-path: web-proxy

Could someone help me with it, please.

The problem is that when you see some content of a TCP connection, it is already established and can’t be redirected anymore.

True. It cannot be done because you match on content.
Also, it would not be useful to mark packets, because what you want to redirect is a connection.
Maybe it could be done when you can match on IP address (e.g. via a DNS-based address list), so you can do the match on the connection setup.
Of course then you still have the problem that you cannot “redirect to a proxy” that way, because a proxy uses a different protocol than a direct connection. It is only possible when the proxy is configured to be a “transparent proxy”.
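The approach the last reply sketches, worked out as an added example (not configuration posted by anyone in this thread). It matches on the destination address via an FQDN address list, which RouterOS resolves itself, so the decision is made on the first packet of the connection rather than on payload that only exists once the connection is established. The list name "kids", the LAN interface "bridge-lan", port 8080 and the two domains are assumptions; replace them with your own.

```routeros
# Added example, not from the original thread. Assumed names: address list
# "kids", LAN interface "bridge-lan", proxy port 8080; domains are placeholders.

# 1. Destinations to redirect. FQDN entries are resolved by the router and
#    refreshed as dynamic entries per DNS TTL, so the match works on the
#    destination IP of the very first packet (the SYN), before any payload.
/ip firewall address-list
add list=kids address=example.com comment="placeholder domain"
add list=kids address=example.net comment="placeholder domain"

# 2. Redirect in dstnat. NAT rules are evaluated only on the first packet of a
#    connection, which is why a content= match can never fire here but a
#    dst-address-list match can. action=redirect always targets the router's
#    own address, so no to-addresses= and no mangle marking is needed.
/ip firewall nat
add chain=dstnat in-interface=bridge-lan protocol=tcp dst-port=80 \
    dst-address-list=kids action=redirect to-ports=8080 \
    comment="transparent proxy for listed sites only"

# 3. The built-in web proxy; it acts transparently for redirected traffic.
/ip proxy
set enabled=yes port=8080 anonymous=no

# 4. Keep the proxy private. Accept redirected LAN clients on the proxy port
#    and drop everything else, so the router does not become an open proxy on
#    its WAN side. The accept rule must sit before the drop rule.
/ip firewall filter
add chain=input in-interface=bridge-lan protocol=tcp dst-port=8080 \
    action=accept comment="proxy: LAN clients only"
add chain=input protocol=tcp dst-port=8080 action=drop \
    comment="proxy: drop from everywhere else"
```

To check that it is working, `/ip firewall address-list print where list=kids` should show dynamic (D) entries with the resolved addresses next to the static FQDN entries, and `/ip firewall nat print stats` should show the redirect rule's counters rising when a client opens one of the listed sites. Two caveats: the router resolves the names from its own DNS view, so if a client resolves a CDN-hosted site to a different address the connection will bypass the redirect; and this only covers plain HTTP on port 80, since the web proxy cannot transparently handle TLS on 443 without breaking the connection.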