Transparent web proxy setup not working

Hello,

I am trying to set up a transparent web proxy. This is how it is configured:

# 2023-08-08 19:39:09 by RouterOS 7.10.2
# model = RB4011iGS+
# Enable the router's built-in web proxy. parent-proxy=0.0.0.0 means no
# upstream proxy is chained (the print output on this page shows
# parent-proxy-port: 0 as well).
/ip proxy
set cache-administrator=peter@gmail.com enabled=yes parent-proxy=0.0.0.0
# Proxy access list: a single deny rule keyed on the requested host name.
# NOTE(review): no rule here restricts which clients may use the proxy, and
# requests that match no rule are presumably allowed. Who can reach the proxy
# port (8080 in the print output) is therefore decided only by the input-chain
# firewall - confirm it is not reachable from the WAN side.
# NOTE(review): dst-host is compared against the host of an HTTP request (or
# the target of a CONNECT when a browser is explicitly pointed at the proxy).
# The pattern *.facebook.com presumably does not match the bare name
# facebook.com - verify.
/ip proxy access
add action=deny dst-host=*.facebook.com



enabled: yes
             src-address: ::
                    port: 8080
               anonymous: no
            parent-proxy: 0.0.0.0
       parent-proxy-port: 0
     cache-administrator: peter@gmail.com
          max-cache-size: unlimited
   max-cache-object-size: 2048KiB
           cache-on-disk: no
  max-client-connections: 600
  max-server-connections: 600
          max-fresh-time: 3d
   serialize-connections: no
       always-from-cache: no
          cache-hit-dscp: 4
              cache-path: web-proxy



# 2023-08-08 19:41:52 by RouterOS 7.10.2
# model = RB4011iGS+
/ip firewall nat
# Source-NAT everything leaving through the WAN interface list (not IPsec-protected).
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Port-forward TCP 5353 arriving on ether1 to 192.168.3.2:5353.
# NOTE(review): src-port="" is exported as an empty matcher; presumably it
# matches any source port - confirm it is intended.
add action=dst-nat chain=dstnat dst-port=5353 in-interface=ether1 protocol=tcp src-port="" to-addresses=192.168.3.2 to-ports=5353
# Transparent-proxy redirects: TCP connections to destination port 80 from the
# listed subnets / interfaces are rewritten to the router itself on port 8080.
# After the rewrite the packets are handled by the firewall *input* chain.
# NOTE(review): only dst-port=80 is matched, so HTTPS connections (TCP 443)
# never reach the proxy and its dst-host deny rules are not evaluated for them.
# A site that is served over HTTPS will therefore not be blocked in transparent
# mode, while an explicitly configured browser proxy still sends its request
# through the proxy where dst-host can match. Redirecting 443 to the proxy is
# not a fix, because the proxy expects plain HTTP; blocking HTTPS destinations
# needs a different control (for example DNS-based blocking or a firewall
# filter rule using the tls-host matcher).
# The first redirect logs with prefix "redirect"; its log entries and the rule
# counters show whether any port-80 traffic is being matched at all.
add action=redirect chain=dstnat comment="Redirect to proxy" dst-port=80 log=yes log-prefix=redirect protocol=tcp src-address=192.168.3.0/24 to-ports=8080
add action=redirect chain=dstnat dst-port=80 protocol=tcp src-address=192.168.4.0/24 to-ports=8080
add action=redirect chain=dstnat dst-port=80 in-interface=ether4 protocol=tcp to-ports=8080
add action=redirect chain=dstnat dst-port=80 in-interface=ether3 protocol=tcp to-ports=8080

This is the PC's network configuration:

   IPv4 Address. . . . . . . . . . . : 192.168.3.11
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.3.1



# 2023-08-08 19:45:38 by RouterOS 7.10.2
# model = RB4011iGS+
/ip firewall filter
# Rules are evaluated top to bottom per chain; the first matching rule with a
# terminating action decides the packet.
# Allow (and log) HTTPS to the talk2m address list, both forwarded and router-originated.
add action=accept chain=forward dst-address-list=talk2m_addresses dst-port=443 log=yes log-prefix="talk 2 m" protocol=tcp
add action=accept chain=output dst-address-list=talk2m_addresses dst-port=443 log=yes log-prefix="talk 2 m" protocol=tcp
# Stateful baseline: accept known connections to the router, drop invalid ones.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log-prefix=invalid_fwd
# All ICMP addressed to the router is evaluated by the custom "icmp" chain below.
add action=jump chain=input comment="jump to ICMP filters" jump-target=icmp protocol=icmp
# New forwarded connections from WAN are dropped unless a dst-nat rule created them.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN log=yes log-prefix=WAN_not_DSTNATed_fwd
# VPN services accepted on the router from any interface (no in-interface
# or source restriction on these three rules).
add action=accept chain=input comment="Open VPN" dst-port=1194 log=yes log-prefix="Second OVPN" protocol=tcp
add action=accept chain=input dst-port=1194 protocol=udp
# NOTE(review): port= matches the source OR the destination port, so a UDP
# packet sent from source port 500/1701/4500 is accepted to any UDP port on
# the router; dst-port= would be the tighter matcher. UDP 1701 is also accepted
# without an ipsec-policy condition - if L2TP is meant to run only inside
# IPsec, confirm whether plain L2TP should be reachable.
add action=accept chain=input comment="l2tp ports" port=1701,500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=input comment=ipsec-esp protocol=ipsec-esp
# Established/related forwarded traffic is fasttracked, then accepted.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
# Private networks may not reach the not_in_internet address list through non-private interfaces.
add action=drop chain=forward comment="Drop tries to reach not public addresses from Private Network" dst-address-list=\
    not_in_internet in-interface-list=Private_NT log=yes log-prefix=!public_from_private_NT out-interface-list=!Private_NT
# Full access to the router from the non-guest LAN interface list and from
# the allowed_to_router address list. Traffic redirected to the proxy port
# arrives in this chain, so clients on these interfaces can reach the proxy.
add action=accept chain=input comment="accept input from local NON Guest interfaces" in-interface-list=LAN_LocalLan_Ext_WAP
add action=accept chain=input comment="allowed to router" src-address-list=allowed_to_router
# Custom icmp chain: allow the listed type:code pairs, drop every other ICMP message.
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types"
# Guest restrictions: no forwarded ICMP, no WinBox/SSH management ports on the router.
# NOTE(review): apart from these ports, guest traffic to the router is not
# dropped by any visible rule if the guest interfaces are members of
# Private_NT - confirm whether guests should be able to reach the proxy port.
add action=drop chain=forward comment="drop ICMP from GUEST" in-interface-list=Guest_WAP protocol=icmp
add action=drop chain=input comment="disable winbox and ssh for GUEST" in-interface-list=Guest_WAP port=8291,22,2221 protocol=tcp
# Everything arriving on an interface outside Private_NT is dropped here.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!Private_NT
# Staged SSH (port 2221) brute-force tracking: each new connection moves the
# source one stage up; a source already in stage3 is blacklisted for 1w3d.
# NOTE(review): these rules sit after the "drop all not coming from LAN" rule,
# so they only ever see connections from Private_NT interfaces that no earlier
# rule accepted; attempts from other interfaces are dropped before being counted.
add action=drop chain=input comment="drop ssh brute forcers" dst-port=2221 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=\
    2221 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=2221 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=2221 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=2221 \
    protocol=tcp
# Final drop applies to ether1 only; input from other interfaces that reaches
# this point falls through to the default accept.
add action=drop chain=input comment="block everything else" in-interface=ether1

The problem is that the transparent web proxy is not working: facebook.com is not blocked. But when I use the regular web proxy (set the proxy in the browser or on the PC to the gateway IP, 192.168.3.1), the web proxy works and facebook.com is blocked. To me it looks like the NAT redirect for 192.168.3.0/24 is not working, but I am not sure how to make it work. Does anyone have any idea what is wrong in the transparent web proxy configuration?