Hello, I am facing this problem:
ROS 3.10 - Web Proxy enabled, external squid parent proxy; all requests sent to the external box are from the same address (the address of the Mikrotik external interface). I am not masquerading my customers.
I searched the forum and found that this problem is known, so I am asking the Mikrotik team if there is a way to know exactly what source address the request is coming from; at the moment it is not possible to do a detailed squid report since all the requests are from the same address.
This is my config:
/ip proxy pr
enabled: yes
src-address: 0.0.0.0
port: 8080
parent-proxy: 192.168.0.200
parent-proxy-port: 3128
cache-drive: system
cache-administrator: "webmaster"
max-cache-size: 4000KiB
cache-on-disk: no
/ip firewall n
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough
Hello people, I am correcting my previous post: customers are MASQUERADED. I made some checks, and removing the masquerade from the AP and leaving the masquerade only on the main internet gateway led my customers to receive a GATEWAY TIMEOUT, I think because the request returning from the squid server is to a DST-ADDRESS equal to the external interface of the AP but the request was from the original customer source address. To be more clear, I need:
1. NOT to masquerade the customer address, so that the squid box has all the original SRC-ADDRESSes; in this manner I can make all the statistics on squid.
2. WEB-PROXY activated so all the visited sites are logged on the remote box; this is for legal reasons. Obviously, as per #1 above, the requests coming from the Mikrotik web proxy and going to the squid parent proxy should not all have the same address but the original customer’s IP address; this is mandatory for me.
Thanks again for your help
regards
Alessandro
Are you saying you want to proxy but use the original IP as the src-address? I don’t think that is possible. You would break TCP connections and the replies would go directly back to the end user rather than the proxy. If you want them to use their original IP then turn off the proxy.
Changeip: thanks for your reply, but please explain why it is not possible; a proxy should not do NAT, is that true? It should only accept connections on the port it is listening on (I redirected all traffic directed to port 80 to port 8080). If you search the forum, other people are asking Mikrotik to NOT masquerade the original client address to the external IP address of the router; it should be extremely transparent. I don’t think that masquerading is a common “feature” of a proxy server; at least it should be possible to disable it.
amidkosari: thanks again, but squid is OK for me without any patch to make it transparent; it is already transparent if you put TRANSPARENT mode in its configuration, am I wrong?
Regards
Alessandro
You can contact Sunday Idajili, the author of that presentation, who is one of our best consultants. He will be able to help you improve your proxy setup: http://www.mikrotik.com/consultants.html (choose Nigeria)
Hi Normis, and many thanks for your reply;
let me summarize what and where the problem is:
The problem is the fact that the Mikrotik web proxy forwards all the requests coming from clients to the external parent-proxy with the same src-address (its external interface IP address), so the problem is not on squid. Probably I don’t need Balabit; I need the Mikrotik web-proxy to forward all the requests with the original source IP address. Is it possible? If not, OK, I will arrange my proxy layout in another manner.
Many thanks
Alessandro