Transparent Proxy with parent-proxy for a bridge network

(I am a newbie!)

I have a scenario where I want to use RouterOS to sit inline on an Internet connection and transparently pass all HTTP traffic to an external proxy server (as in a proxy server at another site). The original client address should be maintained for the packets sent to the proxy server.

I am using an RB450 running 3.10 and have set up bridged ports for Eth1 and Eth5 so that it passes traffic. I have tested this and it is fine.

I have enabled proxy access using a parent-proxy and used IP Proxy Direct to make sure that all traffic is sent to the parent-proxy.

[admin@MikroTik] /ip proxy> print
enabled: yes
src-address: 0.0.0.0
port: 8080
parent-proxy: 194.116.198.40
parent-proxy-port: 3128
cache-drive: system
cache-administrator: "webmaster"
max-cache-size: none
cache-on-disk: no
max-client-connections: 600
max-server-connections: 600
max-fresh-time: 3d
serialize-connections: no
always-from-cache: no
cache-hit-dscp: 4

and IP PROXY DIRECT PRINT shows

DST-PORT DST-HOST PATH METHOD ACTION HITS

0 ... deny 0

So I think the proxy side is set up correctly.

To get traffic to be redirected I have told IP FIREWALL NAT to redirect packets:

[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=dstnat action=redirect to-ports=8080 in-interface=ether5 dst-port=80
protocol=tcp

However nothing seems to be sent to the parent proxy, and I don't understand what I have missed?

Can anyone help?

yessss…

bridge - settings - use IP firewall =)

aha I didn’t realise I might need this but it makes sense. The ‘bridge’ documentation for 3.0 is missing/not yet completed, and the 2.9 documentation doesn’t mention this setting.

Anyway I made the change you suggested but it didn’t appear to divert the traffic or at least that is what /ip proxy monitor shows.

I added:
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=no

(I have wondered whether I had misformatted the IP PROXY DIRECT string, so I removed it, but it also made no difference).

Any other suggestions?

I have tried a few more things - though nothing has helped.

I tried swapping the connections I had made to Eth1 and Eth5 in case I had got my “in” direction wrong for redirection. It didn’t make a difference.

If I give the bridge interface an IP address and then specifically set a client machine browser proxy I get a returned page which shows that it is being stopped by the MikroTik cache - so at least I know the proxy server is running!

Only in this last scenario can I get IP PROXY MONITOR to show any hits. It just doesn’t seem to want to permit transparent proxy…?