Hello.
Even if I have read a lot of docs, I have managed to get it work partially.
My configuration is the following:
CPE:
100.64.7.1/24
Tower router RB850 ROS 6.24: 100.64.7.254/24 (ether2) to the cpe
100.64.0.79/23 (ether1) to the backbone and WAN
The tower router is connected to the backbone using this addresses:
Tower Router WAN: 100.64.0.79/23 (ether1)
MAIN GW: 100.64.0.241/23
Everything is working fine.
I have added a squid box on the backbone, to 100.64.0.39 - its GW is 100.64.0.241
On the Tower router I want to put some customers via trasparent proxy, so I do the following:
/ip firewall mangle
add action=mark-routing chain=prerouting dst-port=80,443 in-interface=
ether2 new-routing-mark=TPROXY passthrough=no protocol=tcp
then
/ip route
add check-gateway=ping disabled=no distance=1 gateway=172.16.0.39
routing-mark=TPROXY
add distance=1 gateway=172.16.0.1 (default GW)
THE PROBLEM IS:
ALL CPEs 100.64.7.0/24 goes now via proxy. that’s OK since I did not set a source address or source address list… (untrue!!)
Even if I disable the mangle rule, all traffic goes via PROXY. Even if I set a source IP address in the mangle rule (example 100.64.7.1), all addresses go via proxy. The only way to disable proxy for that group of users, is to disable the network route to the proxy.
How can I do ?
Where am I wrong?