Transparent proxying with squid on a remote box (TUTORIAL)

my topology:


[INTERNET]
||
[ C I S C O ]
||
||====[Squid FreeBSD]
||
[MT-GW]
||
[my client]


please try my configuration:

  • ip firewall mangle add chain=prerouting protocol=tcp dst-port=80 action=mark-routing
    new-routing-mark=mark-squid passthrough=yes
  • ip firewall mangle add chain=prerouting protocol=tcp dst-port=80 action=accept
  • ip firewall nat add chain=dstnat dst-address=!your-network protocol=tcp dst-port=80 routing-mark=mark-squid action=dst-nat
    to-addresses=squid-box to-ports=squid-box-port
  • ip route add gateway=squid-box mark=mark-squid

FreeBSD Squid configuration (transparent) :
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

DON’T FORGET to enable transparent support when installing squid
please send your feedback

So… What’s the problem? If you’re simply asking if it’s correct, then yes, and no.

I wouldn’t be bothered with the overhead of actually marking the packets…

add chain=dstnat in-interface=Internal src-address=x.x.x.2 \
    protocol=tcp dst-port=80 src-address-list="Everyone" \
    dst-address-list="!Everyone" action=accept comment="Transparent \
    Cache Service is excepted from the dst-nat rule" disabled=no 
add chain=dstnat in-interface=Internal protocol=tcp dst-port=80 \
    src-address-list="Everyone" dst-address-list=!noHTTPProxy \
    action=dst-nat to-addresses=x.x.x.2 to-ports=3128 comment="" \
    disabled=no

The first rule allows the Squid box to pass through the MT without going through the dst-nat rule; otherwise you’ll have proxy loops. The second one dst-nats everything going to port 80/tcp to the proxy server.

From the looks of it, your squid config looks fine, you obviously need the correct ACLs in squid and all that, but I suspect you know that :wink:
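To make the loop point concrete, here is a small Python model of the two dst-nat rules in the reply above. It is an added example, not the poster's code and not RouterOS itself: the addresses (10.0.0.2 standing in for x.x.x.2), the contents of the "Everyone" and "noHTTPProxy" address lists, and the simplified first-match evaluation are all constructed assumptions.

```python
import ipaddress

# Constructed sample data standing in for the reply's x.x.x.2 and address lists.
SQUID_BOX = "10.0.0.2"
ADDRESS_LISTS = {
    "Everyone": ["10.0.0.0/24"],         # the internal network
    "noHTTPProxy": ["10.0.0.250/32"],    # destinations that bypass the cache
}

# The two dst-nat rules from the reply, as dicts (in-interface and port checks
# are omitted: every packet modelled here arrives on Internal and is tcp/80).
RULES = [
    {"src_address": SQUID_BOX, "src_list": "Everyone", "dst_list": "!Everyone",
     "action": "accept"},
    {"src_list": "Everyone", "dst_list": "!noHTTPProxy",
     "action": "dst-nat", "to": (SQUID_BOX, 3128)},
]

def in_list(addr, spec):
    """True if addr is in the named address list; a leading '!' negates the match."""
    negate = spec.startswith("!")
    nets = ADDRESS_LISTS.get(spec.lstrip("!"), [])
    hit = any(ipaddress.ip_address(addr) in ipaddress.ip_network(n) for n in nets)
    return hit != negate

def dstnat(src, dst, rules=RULES):
    """Walk the dstnat chain in order; return the (address, port) the packet ends up with."""
    for rule in rules:
        if "src_address" in rule and rule["src_address"] != src:
            continue
        if not in_list(src, rule["src_list"]) or not in_list(dst, rule["dst_list"]):
            continue
        if rule["action"] == "accept":
            return (dst, 80)            # accept: leaves the chain untouched
        return rule["to"]               # dst-nat: redirected to the cache
    return (dst, 80)                    # no rule matched

def proxy_loops(rules=RULES, internet_host="203.0.113.10"):
    """Detect the loop the reply warns about: Squid's own outbound fetch
    being redirected back to Squid."""
    return dstnat(SQUID_BOX, internet_host, rules) == (SQUID_BOX, 3128)

if __name__ == "__main__":
    print(dstnat("10.0.0.50", "203.0.113.10"))   # client -> cache
    print(proxy_loops())                           # False with both rules
    print(proxy_loops(RULES[1:]))                  # True without the exception rule
```

Dropping the first rule (RULES[1:]) reproduces the proxy loop: Squid's own fetch to the Internet is redirected back to 10.0.0.2:3128.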