RouterOS v5.1 - transparent proxy

How do I set my MikroTik proxy as transparent?

I’ve created a NAT rule:

ip firewall nat add in-interface=LAN dst-port=80 protocol=tcp action=redirect to-ports=8080 chain=dstnat

And enabled web proxy:

ip proxy set enabled=yes port=8080

But my client didn’t find the proxy automatically. I have to set it manually in the web browser.

He doesn’t have to find it. The name “transparent” means exactly what it says. It will be INVISIBLE to the customer. He doesn’t need to configure anything. Once you have added the rules you mentioned, data already comes through the proxy. No interaction from the customer is needed.

Yeah, that’s how I understand it. But if I keep the browser set to “no proxy”, the internet is unavailable..

Apparently you are missing some other configuration; maybe there is no SRC-NAT rule?
http://wiki.mikrotik.com/wiki/Manual:RouterOS_FAQ#TCP.2FIP_Related_Questions

Masquerade is set, but I still have to tell my web browser which proxy to use (no matter which port)…

If you don’t, what is the error message? Can you ping sites like google.com from the PC’s command line?

It might be that the PC is set to use a non-existent DNS server; check that too. If the PC is set to use the router as the DNS server, make sure you have this:

/ip dns set allow-remote-requests=yes

No message; it doesn’t find the proxy, it doesn’t know where the internet is… so no connection to the MikroTik proxy server (connection timeout).

Please post the exact message or a screenshot. The browser will not even attempt to look for a proxy server if it’s not configured that way. The error will be different from what you wrote. Apparently you still have a proxy configured in the browser.

Really nothing; the browser is trying to connect, there is “connecting” in the header of the selected browser tab, but the page is blank…
And when I set the IP of the proxy manually (no matter which port), it works fine..

The MikroTik is an alternative to our company proxy server, so we have two proxies in the domain, but each of them is connected to a separate outgoing port…

To the previous point: I’ve set the public DNS 8.8.8.8.

After a couple of experiments, the transparent proxy still doesn’t work :confused:

In your DST-NAT rule make sure that you are setting the To Address as well as the To Port. Based on the original post it looks as if only the port is being changed. Typically the To Address will be the relevant LAN address of the router.

Does a basic traceroute work?

My RouterOS doesn’t support the to-address option for NAT :frowning:

Whether I choose the MikroTik router or not, tracert gets the domain gateway only (not the MikroTik).
If I set the MikroTik IP in the browser, it works fine, but I still have to set it manually..

If I change the previous NAT (remove dst-port):

ip firewall nat add in-interface=LAN dst-port=80 protocol=tcp action=redirect to-ports=8080 chain=dstnat

to

ip firewall nat add in-interface=LAN protocol=tcp action=redirect to-ports=8080 chain=dstnat

I don’t have to choose the port manually, only the IP of the MikroTik.

OK, I see you are using the REDIRECT action rather than DST-NAT. Are you waiting for a full minute to see if you ever get an error message from the proxy?

You mention that the proxy works if you point straight to it so it sounds as if the proxy is set up correctly.

You could also try a DST-NAT rule instead of REDIRECT. Make sure that you use a To Address which is visible to the client using the proxy. REDIRECT should work, but trying DST-NAT might help pin down the problem.

Thanks, I’ve tried something like this (not using the CLI; the proxy is on 10.0.0.50:8080):

ip firewall nat add in-interface=LAN dst-port=80 protocol=tcp action=dst-nat to-ports=8080 to-addresses=10.0.0.50 chain=dstnat

but it’s completely the same (connection timeout message, server is temporarily unavailable, and so on); I have to set the proxy IP in the network settings of the browser…

But the rule is working, because if I disable the NATs, the proxy refuses the connection. So I must be close.

To be clear:

  1. The proxy is running on the same router as the NAT command?
  2. Setting the proxy IP and port in the browser allows the browser to connect? If so, please confirm that you are actually seeing that connection/traffic on the proxy!
  3. If changing to use of REDIRECT or DST-NAT causes an error from the proxy, please upload the exact message for a common site like www.google.com.

  1. Yes (I have one MikroTik only, nothing more)
  2. Yes (I see traffic on the proxy; I’m successfully controlling connections using this proxy: allowing or denying IPs, ports, and so on)
  3. The error seems not to be coming from the proxy, because the browser doesn’t see it. This is the exact message found somewhere on the net (it’s in Czech on my PC):

EVERYTHING I needed is working fine, but it’s not transparent :-/

Type “/export compact” in the command line of RouterOS and post the full output here. We need to see the whole config to solve this.

Proxy-problem-related settings:

# may/09/2012 10:32:32 by RouterOS 5.15
# software id = PN9S-WL33
#
/interface ethernet
set 0 name=INTERNET
set 1 name=LAN
set 2 name=MGMT
/interface wireless security-profiles
set [ find default=yes ] group-ciphers="" unicast-ciphers=""
/ip hotspot profile
set [ find default=yes ] http-cookie-lifetime=1m
/ip hotspot user profile
set [ find default=yes ] name=PR-admin session-timeout=4h shared-users=unlimited
/ip address
add address=10.0.0.50/16 interface=LAN
add address=xx.xx.xx.101/32 interface=INTERNET network=xx.xx.xx.100
/ip dns
set max-udp-packet-size=512 servers=8.8.8.8
/ip firewall filter
... some disabled chains ...
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=INTERNET
add action=redirect chain=dstnat dst-port="" in-interface=LAN protocol=tcp to-ports=3128
add action=dst-nat chain=dstnat disabled=yes protocol=tcp to-addresses=10.0.0.50 to-ports=3128
/ip proxy
set enabled=yes port=3128
/ip proxy access
... some rules ...
add action=deny comment="DENY THE REST"
/ip route
add check-gateway=ping distance=1 gateway=xx.xx.xx.100
/queue interface
set INTERNET queue=ethernet-default
set LAN queue=ethernet-default
set MGMT queue=ethernet-default
set ether4 queue=ethernet-default
set ether5 queue=ethernet-default
/system lcd page
...
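The replies in this thread keep asking the same few questions about the NAT and proxy settings (is there an active SRC-NAT rule, is the redirect limited to dst-port=80, do to-ports and the proxy port agree, is allow-remote-requests set if the router is the DNS server). The script below is an added example, not code from any poster or from MikroTik: it parses `/export compact` text and reports those checks. It is run against a constructed sample trimmed from the export posted above (where the masquerade rule is disabled=yes and the redirect has an empty dst-port, so it matches every TCP port) and against an assumed corrected version of the same sections; the corrected export is my assumption of a consistent configuration, not a fix confirmed by the thread.

```python
"""Consistency check of a RouterOS '/export compact' for a transparent HTTP proxy.

Added example for this thread, not code from the forum or from MikroTik: it
parses the export text and checks the points the replies raise (an active
srcnat rule, a dstnat redirect limited to dst-port=80 with to-ports equal to
the proxy port, and allow-remote-requests if the router is the DNS server).
"""
import shlex

# Constructed sample: the export posted above, trimmed to the relevant sections.
POSTED_EXPORT = """\
/ip address
add address=10.0.0.50/16 interface=LAN
/ip dns
set max-udp-packet-size=512 servers=8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=INTERNET
add action=redirect chain=dstnat dst-port="" in-interface=LAN protocol=tcp to-ports=3128
add action=dst-nat chain=dstnat disabled=yes protocol=tcp to-addresses=10.0.0.50 to-ports=3128
/ip proxy
set enabled=yes port=3128
"""

# Constructed sample of the same router with the masquerade rule enabled and the
# redirect restricted to port 80 (assumed corrected config, not from the thread).
CORRECTED_EXPORT = """\
/ip address
add address=10.0.0.50/16 interface=LAN
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat out-interface=INTERNET
add action=redirect chain=dstnat dst-port=80 in-interface=LAN protocol=tcp to-ports=3128
/ip proxy
set enabled=yes port=3128
"""


def parse_export(text):
    """Map each '/menu path' to a list of {'cmd': 'add'|'set', key: value} entries."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # export header comments
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        tokens = shlex.split(line)        # dst-port="" becomes 'dst-port=' -> ''
        entry = {"cmd": tokens[0]}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                entry[key] = value
        sections[current].append(entry)
    return sections


def _merged(sections, path):
    """Collapse the 'set' lines of a single-item menu (e.g. /ip proxy) into one dict."""
    merged = {}
    for entry in sections.get(path, []):
        merged.update(entry)
    return merged


def check_transparent_proxy(sections):
    """Return (severity, message) findings; an empty list means the NAT/proxy parts agree."""
    findings = []
    proxy = _merged(sections, "/ip proxy")
    if proxy.get("enabled") != "yes":
        findings.append(("error", "/ip proxy is not enabled"))
    nat = [e for e in sections.get("/ip firewall nat", []) if e.get("disabled", "no") != "yes"]

    # Traffic that is NOT redirected (the client's DNS queries to 8.8.8.8, HTTPS)
    # still leaves with a private source address unless srcnat rewrites it.
    if not any(e.get("chain") == "srcnat" for e in nat):
        findings.append(("error", "no active srcnat rule: LAN traffic that bypasses the proxy cannot reach the internet"))

    redirects = [e for e in nat if e.get("chain") == "dstnat" and e.get("action") in ("redirect", "dst-nat")]
    if not redirects:
        findings.append(("error", "no active dstnat redirect/dst-nat rule: port 80 is not sent to the proxy"))
    router_addrs = {a["address"].split("/")[0] for a in sections.get("/ip address", []) if "address" in a}
    for e in redirects:
        if e.get("protocol") != "tcp":
            findings.append(("error", f"{e['action']} rule must match protocol=tcp"))
        if e.get("dst-port") != "80":
            # An unset dst-port matches every TCP port, so HTTPS, SSH, ... all land on the HTTP proxy.
            findings.append(("error", f"{e['action']} rule has dst-port={e.get('dst-port')!r}, expected 80"))
        if e.get("to-ports") != proxy.get("port"):
            findings.append(("error", f"to-ports={e.get('to-ports')} does not match /ip proxy port={proxy.get('port')}"))
        if e["action"] == "dst-nat" and e.get("to-addresses") not in router_addrs:
            findings.append(("error", f"dst-nat to-addresses={e.get('to-addresses')} is not an address on this router"))

    if _merged(sections, "/ip dns").get("allow-remote-requests") != "yes":
        findings.append(("warn", "allow-remote-requests is not yes: only matters if clients use the router as DNS server"))
    return findings


if __name__ == "__main__":
    for name, text in (("posted", POSTED_EXPORT), ("corrected", CORRECTED_EXPORT)):
        print(f"== {name} ==")
        for severity, message in check_transparent_proxy(parse_export(text)):
            print(f"[{severity}] {message}")
```

On the posted sample the checker reports two errors (no active srcnat rule; the redirect's dst-port is empty rather than 80) and one warning about allow-remote-requests, which is only relevant when clients use the router as their DNS server; on the assumed corrected sample it reports nothing. Paste a real `/export compact` into `parse_export` to run the same checks against a live box; the parser ignores the header comments and tolerates the `[ find default=yes ]` selectors that appear in full exports.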