Squid Transparent Proxy + Mikrotik 4.5 Webproxy + Bridge

Hello, I have my RouterOS (version 4.5) configured in bridge mode, with traffic prioritization (mangle rules, queues).

But now I’d like to insert a transparent squid proxy to cache the client traffic.

This image explains how I configured my network
proxy.PNG
I already have a server running squid in transparent mode; if I set it (192.168.1.111:3128) up in my browser, it works correctly.

I configured the proxy that comes with RouterOS and defined my squid server as its parent; if I configure this proxy (192.168.1.130:8080) in my browser, it also works well and requests are sent correctly to the squid server (I can see them in the log).

The problem is redirecting HTTP traffic to the proxy, since I cannot configure the proxy in all of my clients' browsers.

I'm using NAT rules to try to redirect this traffic, but it is not working properly: the router intercepts packets to port 80 and sends them to the ROS proxy, and this in turn sends them to the squid proxy (I can see the requests in the squid log), but in the clients' browsers the page does not load.

Here is my config:

NAT

/ip firewall nat
add action=redirect chain=dstnat comment="" disabled=no dst-port=80 protocol=tcp to-ports=8080

PROXY

/ip proxy
set always-from-cache=no cache-administrator="mE <mymail@gmail.com>" cache-hit-dscp=4 cache-on-disk=no enabled=yes max-cache-size=none \
    max-client-connections=3600 max-fresh-time=3d max-server-connections=3600 parent-proxy=192.168.1.111 parent-proxy-port=3128 port=8080 \
    serialize-connections=no src-address=222.222.222.21
/ip proxy access
add action=allow comment="" disabled=no dst-address=0.0.0.0 dst-port=0-65535 src-address=0.0.0.0

SQUID LOG

1265969180.926    273 222.222.222.21 TCP_MISS/302 566 GET http://mikrotik.com/ - DIRECT/159.148.147.196 text/html
1265969218.747     99 222.222.222.21 TCP_MISS/200 590 GET http://clients1.google.es/complete/search? - DIRECT/209.85.229.101 text/javascript
1265969219.112      0 222.222.222.21 TCP_MEM_HIT/200 595 GET http://clients1.google.es/complete/search? - NONE/- text/javascript
1265969219.313      0 222.222.222.21 TCP_HIT/301 677 GET http://google.es/ - NONE/- text/html

What am I doing wrong?
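
Added example, not part of the original post: a small Python parser for the squid native access.log lines quoted above, checking which client address squid sees and whether each request was answered. It assumes squid's default native log layout (10 whitespace-separated fields); the function and field names are this example's own.

```python
from collections import Counter
from typing import NamedTuple

# Log lines copied from the post above (squid native access.log format).
SAMPLE_LOG = """\
1265969180.926    273 222.222.222.21 TCP_MISS/302 566 GET http://mikrotik.com/ - DIRECT/159.148.147.196 text/html
1265969218.747     99 222.222.222.21 TCP_MISS/200 590 GET http://clients1.google.es/complete/search? - DIRECT/209.85.229.101 text/javascript
1265969219.112      0 222.222.222.21 TCP_MEM_HIT/200 595 GET http://clients1.google.es/complete/search? - NONE/- text/javascript
1265969219.313      0 222.222.222.21 TCP_HIT/301 677 GET http://google.es/ - NONE/- text/html
"""

# src-address from the posted /ip proxy configuration.
ROS_PROXY_SRC = "222.222.222.21"


class Entry(NamedTuple):
    timestamp: float
    elapsed_ms: int
    client: str      # address squid saw the request come from
    result: str      # cache result, e.g. TCP_MISS
    status: int      # HTTP status squid returned
    size: int        # bytes squid sent back
    method: str
    url: str
    hierarchy: str   # DIRECT = fetched from origin, NONE = no upstream fetch
    peer: str        # origin address, or "-"


def parse_line(line: str) -> Entry:
    f = line.split()
    if len(f) != 10:
        raise ValueError(f"expected 10 fields, got {len(f)}: {line!r}")
    result, _, status = f[3].partition("/")
    hierarchy, _, peer = f[8].partition("/")
    return Entry(float(f[0]), int(f[1]), f[2], result, int(status),
                 int(f[4]), f[5], f[6], hierarchy, peer)


def summarize(log_text: str) -> dict:
    entries = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    clients = Counter(e.client for e in entries)
    return {
        "requests": len(entries),
        "clients": dict(clients),
        "only_ros_proxy": set(clients) == {ROS_PROXY_SRC},
        "fetched_upstream": sum(e.hierarchy == "DIRECT" for e in entries),
        "served_from_cache": sum("HIT" in e.result for e in entries),
        "answered": all(e.status > 0 and e.size > 0 for e in entries),
    }
```

On the posted lines every request arrives from 222.222.222.21, the RouterOS proxy's src-address, and each one received a response from squid, so the squid log alone does not record which client originated a request.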

If it’s the router os bridge that is redirecting traffic then how is squid going to fetch the web pages? Looks like squid traffic would be redirected as well.

Put a switch between router os bridge & atm router. Then plug the squid box into that switch.

If I set it up as you tell me, I could not prioritize traffic from the proxy, or control the download speed, no?

Correct… you wouldn’t be able to prioritize traffic from the proxy to the internet.
But… you would be able to prioritize traffic to/from clients.

I also could insert the proxy between my switch and the ros, and could limit the bandwidth used by the proxy. Is that correct?

I am intending to do this on a network also, but can you help me with the Squid installation and configuration procedures?

Thanks.