Setting up SQUID on 2.9.51

Hi Guys,

We are wanting to set up Squid as a transparent proxy on our network. I have Squid 2.6 running, and if I set my browser to look at it as a proxy, it works.

I have searched the forums, and tried the dst-nat rules to forward traffic from our MT router to the Squid box, but when I enable this rule, all HTTP traffic stops dead, unless I set my browser to look at the proxy address. I disable the rule, and it works fine.

What am I doing wrong, guys?

In 2.9, set a proxy on RouterOS and set parent proxy up. For more information see this link:
http://www.mikrotik.com/testdocs/ros/2.9/ip/webproxy.php

Hi Janisk,

I’ve tried that as well, and I CANNOT make it work. If I could, I wouldn’t have posted on the board for help.

Whoa, take a chill pill dude.

janisk was just trying to help you.

Post your config and people will take a look at it.

Lol, sorry, I’m not angry! Just had a bad day (3 RB333’s turned up DOA) AND I can’t make this work.

I have Squid with the transparent option working, as stated. The whole config might be a bit much to post, but we have the eth interface (internal) in a bridge with VLANs, and the PPPoE interface out over another eth interface.

The NAT rule I’ve created is:

add chain=dstnat in-interface=OfficeLan-Bridge protocol=tcp dst-port=80 action=dst-nat to-addresses=10.10.10.104 to-ports=3128 comment="" disabled=no

When I enable this rule, the internet stops, completely. If I enable it on the internal interface the internet works, but the proxy doesn’t.

Add this rule above your rule:

/ip firewall nat
add chain=dstnat action=accept src-address=10.10.10.104 protocol=tcp dst-port=80
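Why the position of that accept rule matters, as an added example that is not part of the original thread: a small Python model of first-match dstnat evaluation using the two rules quoted above. It assumes the Squid box sits behind OfficeLan-Bridge like the clients; the client address 10.10.10.50 and origin server 203.0.113.10 are constructed sample values.

```python
import ipaddress

# Constructed model of dstnat evaluation: rules are checked top to bottom
# and the first matching rule decides what happens to the connection.
SQUID = "10.10.10.104"  # proxy address from the thread

ACCEPT_PROXY = {"action": "accept", "src": SQUID + "/32", "proto": "tcp", "dport": 80}
REDIRECT = {"action": "dst-nat", "in_if": "OfficeLan-Bridge", "proto": "tcp",
            "dport": 80, "to_addr": SQUID, "to_port": 3128}


def matches(rule, pkt):
    """A rule matches when every matcher it specifies agrees with the packet."""
    if "src" in rule:
        net = ipaddress.ip_network(rule["src"])
        if ipaddress.ip_address(pkt["src"]) not in net:
            return False
    if "in_if" in rule and rule["in_if"] != pkt["in_if"]:
        return False
    return rule["proto"] == pkt["proto"] and rule["dport"] == pkt["dport"]


def dstnat(rules, pkt):
    """Return the (address, port) the connection is sent to after dstnat."""
    for rule in rules:
        if matches(rule, pkt):
            if rule["action"] == "dst-nat":
                return (rule["to_addr"], rule["to_port"])
            break  # accept: stop processing, destination stays unchanged
    return (pkt["dst"], pkt["dport"])


def proxy_loops(rules, pkt):
    """True when Squid's own upstream fetch is redirected back to Squid."""
    return pkt["src"] == SQUID and dstnat(rules, pkt)[0] == SQUID


# Constructed sample connections: a LAN client, and Squid fetching the page.
client = {"src": "10.10.10.50", "dst": "203.0.113.10",
          "in_if": "OfficeLan-Bridge", "proto": "tcp", "dport": 80}
squid_fetch = dict(client, src=SQUID)

if __name__ == "__main__":
    for name, rules in (("redirect only", [REDIRECT]),
                        ("accept above redirect", [ACCEPT_PROXY, REDIRECT]),
                        ("accept below redirect", [REDIRECT, ACCEPT_PROXY])):
        state = "loop" if proxy_loops(rules, squid_fetch) else "ok"
        print(name, dstnat(rules, client), state)
```
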

Hey,

That worked a charm, thanks heaps!

OK, I take that back. It seems to be working for me here (at home), though I am bridged in to the LAN in question by VLANs (bridged with the internal ethernet interface), but the clients that connect to the ETH are dropped as soon as I enable that rule. Ideas?

Expand the src-address.

Can you please be more specific? The src address shown there is that of our Squid box.

Try to masquerade your proxy IP too.

Hey, could you provide a working example?

This is my working setup, ROS V2.9.51:

/ip firewall nat

add chain=dstnat action=dst-nat to-addresses=10.1.1.2 to-ports=8080 src-address=10.0.8.0/22 dst-port=80 protocol=tcp comment="redirect to proxy for pppoe network" disabled=yes

add chain=srcnat action=masquerade src-address=10.1.1.2 comment="MasQ for local" disabled=no

Does this mark all connections as having come from the router, though?

[quote="dawam"]
add chain=dstnat action=dst-nat to-addresses=10.1.1.2 to-ports=8080 src-address=10.0.8.0/22 dst-port=80 protocol=tcp comment="redirect to proxy for pppoe network" disabled=yes

add chain=srcnat action=masquerade src-address=10.1.1.2 comment="MasQ for local" disabled=no[/quote]

Ah, so the direct rule must be BEFORE the masquerade rule?

Also I’m sure that disabled=yes should be disabled=no?

And then where does your previously mentioned rule go?

What I’m not understanding is why the rule I have now works for me at home (over the VLANs) but not to any machine connected to the eth interface. That seems mighty strange.

Sorry guys, none of that works. As soon as I enable

"chain=dstnat in-interface=OfficeLan-Bridge protocol=tcp dst-port=80 action=dst-nat to-addresses=10.10.10.104 to-ports=3128 comment="" disabled=no"

port 80 traffic connected to the LAN stops. But it works perfectly fine at home, through the proxy and all. Completely bizarre!

And you have the same version on both routers?

You need to post all your NAT/firewall rules and in what order they are in.

/ip firewall nat

add chain=dstnat action=dst-nat to-addresses=10.1.1.2 to-ports=8080 src-address=10.0.8.0/22 dst-port=80 protocol=tcp comment="redirect to proxy for pppoe network" disabled=no

add chain=srcnat action=masquerade src-address=10.1.1.2 comment="MasQ for local" disabled=no

I have corrected what hilton commented on, just in case someone would like to use this config, which is not rocket science.

If you are into RouterOS, you could have easily figured that out. The above is a working setup for my network, ROS 2.9.51 with Squid proxy, before my upgrade to RB1000 ROS v3.9. Replace whatever IP you have.

Not sure about the masquerade position; if not after, then before. Maybe I could double-check later.

The purpose is to share a configuration that works for me at least. And yes, it is a municipal network, hotspot and PPPoE running on VLAN.