Routing from proxy to specific port

Hello,

I’m new to the Mikrotik world, but a few months ago I came to a company that already has MT deployed and working.
We have an RB 600 and OS v 4.17.

Currently there is one LAN port and one WAN1 (internet, static IP) port on my MT.
A few servers, a few tunnels on the network and of course a lot of users.

I plan to add another WAN2 interface (internet pppoe with static IP), and redirect all web (HTTP) traffic to it.
I already have transparent proxy enabled, all http traffic redirected to it, blocked outside traffic to proxy, firewall rules for servers, simple queues for traffic limits for clients, proxy rules to limit access to specific sites, etc.

As far as I can see, the easiest way to do it is to route all traffic passing through the proxy to a specific port (WAN2 in this case), and leave everything else as is.
But I can’t figure out how to do it.


Any help?

Nobody?
OK, I gave my brain cells some sweat, but I’m not sure if it’s a working solution (and I can’t just try it on a live network).

This is current configuration:

WOut - interface to internet (fixed IP, wless connection to ISP)
lan - interface to Lan (192.168.1.0/24 and few other 192.168.x.0/24 networks, all clients on 192.168.1.0/24)
pppoe-ADSL - second connection to ISP (fixed IP)
MT lan address - 192.168.1.254 (and few more on same interface for other 192.168.x.0/24 networks)
Wan IP on WOut interface - xxx.xxx.xxx.xxx

/ip firewall filter
add action=accept chain=forward comment="Web proxy" disabled=no src-address=192.168.1.254
add action=drop chain=forward comment="Drop HTTP" disabled=no dst-port=80 protocol=tcp src-address=192.168.1.0/24
add action=add-src-to-address-list address-list=ExitWebProxyUserAccess address-list-timeout=0s chain=forward comment="" disabled=no dst-port=8080 out-interface=WOut protocol=tcp

/ip firewall nat
add action=masquerade chain=srcnat comment="Nat WOut" disabled=no out-interface=WOut src-address=192.168.0.0/16
add action=redirect chain=dstnat comment="Redirect port 80 to 8080 proxy" disabled=no dst-port=80 in-interface=lan protocol=tcp to-ports=8080

/ip route
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=xxx.xxx.xxx.xxx scope=255 target-scope=10

I do not understand what any of the ip firewall filter rules do.
The first one, with the “Web proxy” comment: I have no idea what it will do.
The second one… why does it exist? There is a NAT rule that redirects port 80 to port 8080. So there should not be traffic on port 80.
The third one adds src to an address list. OK, but this address list is not in use anywhere else. And the list timeout is 0sec???

Many settings on this MT are legacy. Many changes on the network, a few people came and left the company, no documentation of course…

ip firewall nat is ok, ip route also

My idea (added lines are blue)

/ip firewall mangle
add action=mark-routing chain=prerouting comment="Proxy to Adsl" disabled=no dst-address=0.0.0.0/0 dst-port=80 new-routing-mark=ToAdsl passthrough=no protocol=tcp src-address=192.168.1.0/24

/ip firewall nat
add action=masquerade chain=srcnat comment="Proxy to ADSL" disabled=no out-interface=pppoe-ADSL routing-mark=ToAdsl src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="Nat WOut" disabled=no out-interface=wlizlaz src-address=192.168.0.0/16
add action=redirect chain=dstnat comment="Redirect port 80 to 8080 proxy" disabled=no dst-port=80 in-interface=lan protocol=tcp to-ports=8080

/ip route
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=xxx.xxx.xxx.xxx scope=255 target-scope=10
add comment="Proxy to ADSL" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-ADSL routing-mark=ToAdsl

Should it work?
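
The questions in the post about the three existing forward-chain filter rules can be explored with a simplified model of the RouterOS packet flow. This is an added example, not part of the original post: it assumes the standard flow in which packets redirected by dstnat go to the input chain, packets originated by the router (such as the proxy's own fetches) go to the output chain, and only transit packets reach forward; the sample packets and the helper names are constructed.

```python
# Simplified packet-flow model (constructed for illustration).
# Addresses, interface names and rule comments are the ones quoted in the post.
import ipaddress

ROUTER = "192.168.1.254"
LAN = ipaddress.ip_network("192.168.1.0/24")

def chain_for(pkt, redirect_enabled=True):
    """Return the filter chain a packet traverses."""
    if pkt.get("local_origin"):            # sent by the router itself, e.g. the proxy
        return "output"
    redirected = (redirect_enabled and pkt["in_if"] == "lan"
                  and pkt["proto"] == "tcp" and pkt["dport"] == 80)
    if redirected or pkt["dst"] == ROUTER:  # redirect rewrites dst to the router
        return "input"
    return "forward"

def forward_filter(pkt, address_list):
    """First-match evaluation of the three forward rules."""
    if pkt["src"] == ROUTER:
        return "accept", "Web proxy"
    if (pkt["proto"] == "tcp" and pkt["dport"] == 80
            and ipaddress.ip_address(pkt["src"]) in LAN):
        return "drop", "Drop HTTP"
    if pkt["proto"] == "tcp" and pkt["dport"] == 8080 and pkt.get("out_if") == "WOut":
        address_list.add(pkt["src"])       # non-terminating; 0s timeout = no expiry
    return "accept", "default"

def trace(pkt, redirect_enabled=True, address_list=None):
    """Return (chain, verdict, matching rule) for one packet."""
    address_list = set() if address_list is None else address_list
    chain = chain_for(pkt, redirect_enabled)
    if chain != "forward":
        return chain, None, None           # forward rules are never consulted
    return (chain, *forward_filter(pkt, address_list))

# Constructed sample packets (203.0.113.5 is a documentation address).
CLIENT_HTTP = {"src": "192.168.1.10", "dst": "203.0.113.5", "proto": "tcp",
               "dport": 80, "in_if": "lan", "out_if": "WOut"}
CLIENT_8080 = dict(CLIENT_HTTP, dport=8080)
PROXY_FETCH = {"local_origin": True, "src": ROUTER, "dst": "203.0.113.5",
               "proto": "tcp", "dport": 80}

if __name__ == "__main__":
    for name, pkt, redirect in [("client HTTP, redirect on", CLIENT_HTTP, True),
                                ("client HTTP, redirect off", CLIENT_HTTP, False),
                                ("proxy fetch", PROXY_FETCH, True),
                                ("client to 8080", CLIENT_8080, True)]:
        print(name, "->", trace(pkt, redirect))
```

In this model the "Drop HTTP" rule only matches when the redirect does not apply, so it works as a guard against clients reaching port 80 without going through the proxy.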