Squid Proxy

fiberhaus · January 27, 2010, 5:00am

I have just setup Squid as a transparent proxy. I need to figure out how to configure my network to send all clients to it.

My mikrotik is being used as our core router for our ISP.

We accept our internet connection on eth2 and our network is on eth4. All of our servers and clients are on public ips and we have a /21 subnet. Ethernet 1 and 3 are reserved for expansion.

So we need all customers on our network to be redirected to our squid server which is located at 190.3.160.15 and is listening on port 8080. Our customer addresses start at 190.3.161.1 and end at 190.3.167.254.

We are running an RB1000 on 4.5

Any help would be appreciated. I just love Mikrotik!

Chupaka · January 27, 2010, 4:08pm

I’d rather route all http traffic to squid and use TProxy feature (so users’ addresses not change to squid’s address for websites)

something like

/route add gateway=190.3.160.15 routing-mark=to-squid
/ip firewall mangle add chain=prerouting src-address=client_address_pool src-mac-address=!squid_MAC protocol=tcp dst-port=80 action=mark-routing new-routing-mark=to-squid
/ip firewall mangle add chain=prerouting dst-address=client_address_pool src-mac-address=!squid_MAC protocol=tcp src-port=80 action=mark-routing new-routing-mark=to-squid

fiberhaus · January 27, 2010, 9:11pm

How do I exclude the SQUID ip address from there?

Chupaka · January 27, 2010, 10:02pm

sorry, mistyped. I edited my post, ‘src-address=!squid_ip’ should also work for the first rule

fiberhaus · January 27, 2010, 11:00pm

Do I need to change any of this statement or enter it as it is?

fiberhaus · January 28, 2010, 1:19am

This makes no sense…do I add the mac address or not? Where does it to forward the traffic to the listening port of 8080…I feel those statements are incomplete or inaccurate.

Chupaka · January 28, 2010, 2:05am

http://wiki.squid-cache.org/Features/Tproxy4

xezen · January 28, 2010, 9:21am

thanks
do you use it like that?

Chupaka · January 28, 2010, 11:28am

no, unfortunately I didn’t see such setup, only read about it. we don’t use proxy at all

fiberhaus · January 28, 2010, 3:45pm

I dont think you are understanding me…I have squid installed and it is operating…I need to know the proper statement in the mikrotik to route to it. I also dont know whether I need to add the MAC address instead of the ip of the squid server, etc. Also, this doesnt mention anything about sending calls to 8080, which is the port that my squid box is listening on…

TGF

fiberhaus · January 28, 2010, 6:31pm

Any help from the MT gods?

Chupaka · January 28, 2010, 9:23pm

well, you can simply setup transparent proxy on RouterOS, and set Parent Proxy of your WebProxy to Squid’s address. but in that case all your users will have address of Squid for any website

fiberhaus · January 28, 2010, 9:55pm

Well that would defeat the need for a transparent proxy.

I am wanting to transparently route all http traffic to port 8080 on the Squid machine… I dont want any user intervention.

fewi · January 28, 2010, 10:37pm

The rules Chupaka gave you would route all traffic marked as traffic to be proxied (i.e. all traffic destined to port 80, but not traffic that carries the Squid proxies MAC address as source or destination so that routing loops are prevented) towards the Squid box. The T-Proxy feature on the Squid box would intercept that traffic automatically (you do not need to redirect to port 8080, it would simply inspect all traffic and automagically find it) and proxy it transparently.

Chupaka · January 29, 2010, 1:57am

no user intervention at all. read the manual about parent proxy and transparent mode: http://www.mikrotik.com/testdocs/ros/3.0/pnp/proxy.php

fiberhaus · January 29, 2010, 2:50am

So I am going to have to enable ip chains, add a 2nd ethernet device on the machine, and put the machine between our client devices?

Umm… Or do I just have to enable parent proxy and create a rule to point the traffic to the Squid machine?

Do I have to enable bridging?

xezen · January 29, 2010, 4:32am

whats the reason for no proxy setup are your lines fast enuff or what as i have problems with my type setup

5 adsl lines 1mb/4mb lines
and a proxy always pic up problems

and cant seem to get a work around on it

as a proxy will help me a lot as i dont have speed to work with

gmidia · March 2, 2010, 6:03pm

what did you mean by this. And you say that there is an adjustment to be done on the squid server. It is currently operational with parent proxy and when i manually input the proxy address on the proxy. Another way is i have have been able to redirect traffic using the hotspot profile by inputting the http-proxy
as below (yyy.yyy.yyy.yyy:8080)
name=“hsprof1” hotspot-address=10.0.0.2 dns-name=“” html-directory=hotspot rate-limit=“”
http-proxy=yyy.yyy.yyy.yyy:8080 smtp-server=0.0.0.0 login-by=mac,cookie,http-chap,https mac-auth-password=“”
http-cookie-lifetime=3d ssl-certificate=none split-user-domain=no use-radius=yes radius-accounting=yes
radius-interim-update=5m nas-port-type=wireless-802.11 radius-default-domain=“” radius-location-id=“”
radius-location-name=“” radius-mac-format=XX:XX:XX:XX:XX:XX

Chupaka · March 2, 2010, 6:39pm

parent proxy ~= redirection = most of websites will see proxy’s ip, not client’s ip

squid should work in TProxy mode: http://wiki.squid-cache.org/Features/Tproxy4

csickles · March 5, 2010, 3:29am

Has anyone looked at SafeSquid ?
They have expressed an interest in building a VM for RouterOS…