Dear Mikrotik gurus,
I know this question has been asked dozens of times and I’m so sorry to ask it again, but nothing I tried worked.
I want to set up a squid proxy with squidguard for URL filtering, and set the whole thing transparent for users thanks to Mikrotik.
As for everyone in the topics I read, everything is working fine if I set up the proxy in the Firefox configuration, selecting “use this proxy for all protocols” and without exceptions. But nothing works as soon as I play with NAT rules.
Servers are on 10.0.0.0/8
Few users and servers on 172.16.0.0/12
Users on 192.168.0.0/16
Mikrotik:
WAN - eth6
LAN - eth1,2,3
Proxy:
10.0.1.24/24
squid 3.4.8
squidguard 1.5 Berkeley DB 5.3.28
root@proxy:/etc/squid3# cat squid.conf| grep -v "^#" | grep -v "^$"
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
...
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
cache_dir ufs /var/spool/squid3 100 16 256
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
access_log daemon:/var/log/squid3/access.log squid
cache_store_log daemon:/var/log/squid3/store.log
cache_log /var/log/squid3/cache.log
coredump_dir /var/spool/squid3
url_rewrite_program /usr/bin/squidGuard
url_rewrite_children 100 startup=20 idle=1 concurrency=0
url_rewrite_access deny localhost
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
visible_hostname proxy
root@proxy:/var/log/squid3# cat /etc/squidguard/squidGuard.conf | grep -v "^#" | grep -v "^$"
...
src admin {
ip 192.168.130.61
}
src all {
ip 192.168.0.0/16
ip 10.0.0.0/8
ip 172.16.0.0/12
}
... dest definitions
acl {
admin {
pass !adult !lingerie !porn !mixed_adult !ads !warez !malware !phishing !social_networks all
redirect http://10.0.1.24/url_block.html
}
all within workhours {
pass !adult !lingerie !porn !mixed_adult !ads !warez !malware !phishing !social_networks all
redirect http://10.0.1.24/url_block.html
}
else {
pass !adult !lingerie !porn !mixed_adult !ads !warez !malware !phishing all
redirect http://10.0.1.24/url_block.html
}
default {
pass none
}
}
The above configuration is working when you set up the proxy in Firefox. Everything is okay, URLs are blocked if not allowed in squidguard, I can see the access.log being updated and everything.
Now I added rule 4 in Mikrotik (rules 1 to 3 are disabled, no rules after 7):
4 ;;; Proxy test for 130.61
chain=dstnat action=dst-nat to-addresses=10.0.1.24 to-ports=3128 protocol=tcp src-address=192.168.130.61 dst-port=80 log=no log-prefix=""
5 ;;; Weather
chain=dstnat action=dst-nat to-addresses=192.168.2.186 to-ports=22222 protocol=tcp dst-address=x.x.x.x dst-port=22222 log=no log-prefix=""
6 ;;; NEW_Masquerade_All_Network
chain=srcnat action=masquerade src-address=0.0.0.0/0 out-interface=ether6 log=no log-prefix=""
7 chain=srcnat action=masquerade out-interface=V1100_SWITCHES log=no log-prefix=""
I also put the following in squid3.conf and restarted the squid3 service:
http_port 3128 intercept
Now I don’t see anything more in the squid log.
If the URL doesn’t start with https://, I get an error from squid: “The request URL could not be retrieved”.
HTTPS sites are working, and the squidguard filter doesn’t work anymore (I can access Facebook even though it’s blocked).
So I guess it’s because I only redirected port 80 to the proxy and not 443. So OK, let’s redirect 443 also:
(I also excluded proxy redirection for internal servers access)
4 ;;; Proxy test for 130.61
chain=dstnat action=dst-nat to-addresses=10.0.1.24 to-ports=3128 protocol=tcp src-address=192.168.130.61 dst-address=!10.0.0.0/8 dst-port=80,443 log=no log-prefix=""
With this rule, I don’t have access to URLs not starting with HTTP, and HTTPS websites complain about “Secure Connection Failed” (which I understand, since there is a man in the middle). But how did it work before with Firefox, though?!
So this rule is not the right one. Let’s try something else and set up the proxy in Mikrotik with squid as a parent proxy:
ip proxy print
enabled: yes
src-address: 192.168.130.61
port: 8080
anonymous: no
parent-proxy: 10.0.1.24
parent-proxy-port: 3128
cache-administrator: support@xxxxxx
max-cache-size: unlimited
max-cache-object-size: 1024KiB
cache-on-disk: no
max-client-connections: 800
max-server-connections: 800
max-fresh-time: 1d
serialize-connections: no
always-from-cache: no
cache-hit-dscp: 4
cache-path: web-proxy
And the new rule 5:
4 chain=dstnat action=accept protocol=tcp src-address=10.0.1.24 dst-address=!10.0.1.24 log=no log-prefix=""
5 chain=dstnat action=redirect to-ports=8080 protocol=tcp dst-port=80 log=no log-prefix=""
Well, it… works… I can access every website. But URL filtering doesn’t work anymore, and I can access Facebook. It’s like there is no connection to the squid proxy.
Sooo I’m pretty stuck with this…
Any help would be appreciated!
Thank you in advance!
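The symptoms in the post (the access.log goes quiet after switching to interception, and HTTPS keeps working unfiltered) can be checked directly in Squid's log rather than by guessing at NAT rules. The script below is an added example, not part of the post and not Squid's or MikroTik's own tooling. It parses lines written with the exact logformat from the post's squid.conf (%ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt, which is Squid's native layout) and reports, per client, how many requests Squid saw and whether any of them were CONNECT tunnels, which is how a browser-configured proxy carries HTTPS and what lets squidGuard see the HTTPS hostname. The sample log lines are constructed; the client 192.168.130.61 is the test host from the post, and the server addresses are documentation ranges.

```python
"""Summarise Squid access.log entries written with the logformat from the post:

    logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt

i.e. Squid's native layout: timestamp, elapsed ms, client IP, result/status,
reply bytes, method, URL, user, hierarchy/peer, content type.
Added example (not from the post); the log lines below are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample lines in the post's format. 192.168.130.61 is the test
# client from the post; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG: List[str] = [
    "1419243001.123    245 192.168.130.61 TCP_MISS/200 4312 GET http://www.example.org/ - HIER_DIRECT/203.0.113.10 text/html",
    "1419243002.456    120 192.168.130.61 TCP_MISS/200 812 GET http://www.example.org/news - HIER_DIRECT/203.0.113.10 text/html",
    "1419243003.789   1503 192.168.130.61 TCP_TUNNEL/200 28871 CONNECT www.example.com:443 - HIER_DIRECT/198.51.100.7 -",
    "1419243004.001     51 10.0.1.24 TCP_MISS/200 512 GET http://www.example.org/robots.txt - HIER_DIRECT/203.0.113.10 text/plain",
]


@dataclass
class AccessEntry:
    timestamp: float
    elapsed_ms: int
    client: str
    result: str      # Squid result code, e.g. TCP_MISS or TCP_TUNNEL
    status: int      # HTTP status, e.g. 200
    size: int        # bytes sent to the client
    method: str      # GET, POST, CONNECT, ...
    url: str
    user: str        # '-' when no authentication is used, as in the post
    hierarchy: str   # e.g. HIER_DIRECT
    peer: str        # upstream address or '-'
    mime: str


def parse_line(line: str) -> Optional[AccessEntry]:
    """Parse one line; return None for a line that does not carry the ten fields."""
    parts = line.split()
    if len(parts) != 10:
        return None
    ts, elapsed, client, result_status, size, method, url, user, hier_peer, mime = parts
    result, _, status = result_status.partition("/")
    hierarchy, _, peer = hier_peer.partition("/")
    try:
        return AccessEntry(float(ts), int(elapsed), client, result, int(status),
                           int(size), method, url, user, hierarchy, peer, mime)
    except ValueError:
        return None


def summarize(lines: Iterable[str]) -> Dict[str, dict]:
    """Per-client counts: total requests, CONNECT tunnels (HTTPS carried by the
    proxy), plain requests, and a Counter of Squid result codes."""
    stats: Dict[str, dict] = defaultdict(
        lambda: {"requests": 0, "connect": 0, "plain": 0, "results": Counter()})
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        s = stats[entry.client]
        s["requests"] += 1
        if entry.method == "CONNECT":
            s["connect"] += 1
        else:
            s["plain"] += 1
        s["results"][entry.result] += 1
    return dict(stats)


def check_client(lines: Iterable[str], client_ip: str) -> str:
    """Classify what Squid saw from one client:
    'absent'     - no entries at all: the NAT/redirect rule is not delivering this client's traffic
    'http-only'  - plain requests but no CONNECT: HTTPS is not passing through the proxy or the filter
    'http+https' - both seen, as when the browser uses the proxy for all protocols
    """
    stats = summarize(lines).get(client_ip)
    if stats is None:
        return "absent"
    if stats["connect"] == 0:
        return "http-only"
    return "http+https"


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {s['requests']} requests, {s['connect']} CONNECT, results={dict(s['results'])}")
    print("192.168.130.61:", check_client(SAMPLE_LOG, "192.168.130.61"))
```

Run it against a real file with check_client(open("/var/log/squid3/access.log"), "192.168.130.61") while the test host browses both an HTTP and an HTTPS site: "absent" means the router rule never delivered that client's connections to 10.0.1.24:3128, and "http-only" means port 80 is being intercepted while HTTPS goes straight out, which matches the post's observation that blocked HTTPS sites stay reachable. The "http-only" verdict is only meaningful if the client actually made HTTPS requests during the window being examined.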