Hi all, in need of some help.
Finding it hard to direct MikroTik HTTP traffic to the Squid server. It works directly via manual browser proxy settings really well.
It is possibly my network design.
WAN - cable router 192.168.1.2 (4 port) - eth0 (192.168.1.70) - MikroTik - eth1 (DHCP) - hotspot users (10.5.50.0/24)
eth0 - Squid server (192.168.1.78)
Is this setup doable? It seems to work OK through manual proxy settings in the browser. I want to push MikroTik traffic to the Squid server (already set as transparent).
I think (haven’t tried it yet) you must:
- set the hotspot user profile to use the proxy
/ip hotspot user profile
set 0 transparent-proxy=yes
- enable proxy
/ip proxy
set enabled=yes
- enter your squid server settings
/ip proxy
set parent-proxy=192.168.1.78
set parent-proxy-port=8080
If 8080 isn’t the squid port, change that.
Hi surfertim, thanks for that lad, it worked for me as well as the NAT chains.
Really impressed with Squid, massive improvement especially on a satellite connection.
I've a lot of learning to do yet, but I notice I have a security flaw: I can access the local network from the hotspot IP address. How do I prevent users accessing another subnet?
Once I have this done my hotspot is not far off from deployment. It's max 200 users, a caravan site.
J
You can block that with the firewall, but I don’t know how that might affect the proxy. I will add a rule to allow the proxy access. Order is important here. If 192.168.1.0/24 is the localnet you want to restrict 10.5.50.0/24 from accessing except the proxy, then:
/ip firewall filter
add chain=forward action=accept src-address=10.5.50.0/24 dst-address=192.168.1.78
add chain=forward action=drop src-address=10.5.50.0/24 dst-address=192.168.1.0/24
It may not require that first rule. Like I said, I haven’t tried it with squid, just the router proxy.
The rules make sense to me. I put them in the filter but it's still allowing me access. What chain should it be in?
Keen to keep this blocked.
When you set up the hotspot, did you select the default for “masquerade network=yes”? I change that to “no”. That is the only thing I can think of that would interfere with that rule.
Take a look in “/ip hotspot host”. Are the IPs being translated to other than 10.5.50.x? That would be the “to-address” entry in that table.
That was a lie! There is one thing that affects the forward chain. You must move those two rules above the rule that has the comment “place hotspot rules here”. Otherwise the hotspot rules change the chain.
Change X to the line number of the accept rule and Y to the line number of the drop rule.
/ip firewall filter
move X 0
move Y 1
So you want me to move those two rules to the top of the list? I moved them but I think it's still letting me access it. However the hotspot rules are under the masquerade rules in NAT.
Thanks for your help tonight as well, Tim.
J
Moving the rules didn't help either. The first rule gets a lot of traffic through but the drop one doesn't. Do they have to be in forward chains?
If the traffic comes in one interface and out another, that is forward.
If traffic comes in one interface to the router, that is input.
If traffic comes from the router and out an interface, that is output.
Do a little experimenting with it.
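As an added example (not from anyone in this thread), a small first-match model in Python of the filter forward chain, covering both the accept/drop rules and their ordering relative to the hotspot rules suggested above and the input/forward/output distinction just described. The hotspot's own rules are assumed to act as an accept for hotspot sources; Rule, chain_for, evaluate and move are hypothetical helpers, not RouterOS APIs.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    action: str                  # "accept" or "drop"
    src: Optional[str] = None    # src-address (CIDR or host), None = any
    dst: Optional[str] = None    # dst-address (CIDR or host), None = any
    comment: str = ""

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        ok_src = self.src is None or ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
        ok_dst = self.dst is None or ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
        return ok_src and ok_dst

def chain_for(in_iface: Optional[str], out_iface: Optional[str]) -> str:
    """Which filter chain sees a packet, per the in/out interface rule in the thread."""
    if in_iface and out_iface:
        return "forward"                 # in one interface, out another
    return "input" if in_iface else "output"

def evaluate(rules: List[Rule], src_ip: str, dst_ip: str) -> Tuple[str, Optional[int]]:
    """First matching rule wins; no match falls through to RouterOS's default accept."""
    for idx, rule in enumerate(rules):
        if rule.matches(src_ip, dst_ip):
            return rule.action, idx
    return "accept", None

def move(rules: List[Rule], x: int, dest: int) -> List[Rule]:
    """Positional model of '/ip firewall filter move X dest'."""
    out = list(rules)
    out.insert(dest, out.pop(x))
    return out

# Assumption: the hotspot's own rules are modelled as one accept for hotspot clients.
HOTSPOT = Rule("accept", src="10.5.50.0/24", comment="place hotspot rules here (modelled)")
ALLOW_PROXY = Rule("accept", src="10.5.50.0/24", dst="192.168.1.78")
DROP_LAN = Rule("drop", src="10.5.50.0/24", dst="192.168.1.0/24")

AS_ADDED = [HOTSPOT, ALLOW_PROXY, DROP_LAN]   # 'add' appends below the hotspot rule
FIXED = move(move(AS_ADDED, 1, 0), 2, 1)       # move X 0 ; move Y 1

if __name__ == "__main__":
    for name, rules in (("as added", AS_ADDED), ("moved to top", FIXED)):
        print(name, "LAN host:", evaluate(rules, "10.5.50.253", "192.168.1.10"),
              "proxy:", evaluate(rules, "10.5.50.253", "192.168.1.78"))
```

With the rules left below the hotspot accept, a hotspot client reaching a LAN host is accepted by the hotspot rule first and the drop never fires; moved to the top, the proxy stays reachable and the rest of 192.168.1.0/24 is dropped.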
Going to work on this a wee bit today, try and get the local network inaccessible to hotspot users.
Is there any advantage to the Squid server working on 2 NICs? It's running on one NIC at the mo.
You could try it with 2 NICs. With 200 users, it could make a difference.
I might even try to get your firewall filter rules to work here also. Maybe one of us will find the solution.
edit: I tried the rules I originally suggested, and it worked here.
I have a hotspot on a 192.168.1.0/24 network.
I have a server on a 192.168.2.0/24 network.
This rule blocked access from the hotspot network to the server network.
/ip firewall filter
add chain=forward action=drop src-address=192.168.1.0/24 dst-address=192.168.2.0/24
move X 0
With that rule enabled, the server became unreachable.
The rule makes sense to me and it still doesn't work, but perhaps I have placed it on the wrong line in the filter page?
add chain=forward action=drop src-address=10.5.50.0/24 dst-address=192.168.1.0/24
It'll be 200 users PEAK in the first summer of use on the caravan site. Will let you know how it goes.
Ensure you are blocking the correct IP network. Take a look in “/ip hotspot host”. Ensure the “to-address” IP entries are 10.5.50.x.
I have got somewhere but it's not complete.
What I did was put the ! next to the IP address in WinBox with the filter rule you gave me.
It blocked Webmin for me, which is at 192.168.1.78:10000.
It seems to allow HTTP traffic through but not by any other port. So I can still pick up other devices.
If that worked, you have the wrong src-address in your forward chain drop rule.
edit: Did you check “/ip hotspot host” and the “to-address” column? The “address” column means nothing to the router. The hotspot is between the client and the router interface.
It seems to be partially dropping packets and the rule is generating traffic.
There are timeouts but it still lets me through to everything except the Webmin.
Source address should be 10.5.50.0/24
and destination 192.168.1.0/24
and the hotspot host list looks OK.
/ip hotspot host> print
Flags: S - static, H - DHCP, D - dynamic, A - authorized, P - bypassed
MAC-ADDRESS ADDRESS TO-ADDRESS SERVER IDLE-TIMEOUT
0 A 08:00:27:B7:6C:74 10.5.50.253 10.5.50.252 hotspot1 5m
Just out of curiosity, when you set up the hotspot, how did you set the prompt “masquerade network”? The default is “yes”. I select “no”. That could make a difference on how the router sees the hotspot IP addresses.
It is a masqueraded hotspot but I don't know how to deselect it. I'd have to set up the hotspot again?
I haven’t tried disabling it after the setup. It should insert a rule like this in “/ip firewall nat”:
chain=srcnat action=masquerade src-address=10.5.50.0/24
You might try disabling that rule.