Web Proxy in RB450G

Hi everyone!

I’m a newbie here, and it’s also my first time handling a Mikrotik Routerboard; mine is an RB450G. I already set up the basic installation for my network, and it’s up and running. I want to use the Web Proxy to block some sites in our office, but I encountered a problem.

You see, I have 2 ISPs: ISP1 is to be used by our clients and guests, ISP2 is for office use. I already set it up in the routes and it’s working properly.

Then, to use the Web Proxy, I enabled the Web Proxy, set the port to 8080, and created a NAT rule like this:
Action:redirect To Port: 8080 Chain:dstnat Protocol: 6(tcp) Dst. Port: 80

At Web Proxy, I added some sites to be blocked/denied for our office. It works just fine, but the problem, which I overlooked after I set it up, is that the ISP that is supposed to be used by the office was redirected to the ISP for clients and guests.

e.g.

Web Proxy and NAT Rule disabled:
Office=ISP2
Clients=ISP1

Web Proxy and NAT Rule enabled:
Office=ISP1
Clients=ISP1

I can’t figure out what to do about this. I’ve been trying for some days now and still can’t make it work; I hope someone can help me with this.

Thank you

I think you can choose your Ethernet port or IP addresses for denying web pages.

Export your settings for better analysis…

OK, I’ll post my settings later.

Here are my settings:

/ip route

Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit

 #        DST-ADDRESS        PREF-SRC        GATEWAY          DISTANCE
 0 A S    0.0.0.0/0                          ...1             1
 1 X S    ;;; pantelco_1st-route
          0.0.0.0/0                          .96..1           1
 2 A S    ;;; pantelco_1st-route
          0.0.0.0/0                          .96..1           1
 3 X S    ;;; http_to2nd_ISP
          0.0.0.0/0                          192.1**.*.1      1
 4 X S    ;;; ssl_to2nd_ISP
          0.0.0.0/0                          192.1**..1       1
 5 A S    0.0.0.0/0                          .96..1           2
 6 A S    0.0.0.0/0                          .28..1           1
 7 A S    ;;; KCTN_2nd-route
          0.0.0.0/0                          .54..1           2
 8 A S    ;;; ACE_3rd-route
          0.0.0.0/0                          .28..1           1
 9 X S    0.0.0.0/0                          .212..1          1
10 ADC    .28..0/30          .28..2          ether3-gateway   0
11 ADC    .96..0/24          .96..202        ether2-gateway   0
12 ADC    .54..0/24          .54..236        ether4-local     0
13 ADC    192.1**.*.0/24     192.1**.*.1     office vlan      0
14 ADC    192.1**.*.0/24     192.1**.*.1     hotspot vlan     0
15 ADC    192.1**.*.0/24     192.1**..1      voip vlan        0
16 ADC    192.1**.*.0/24     192.1**.*.1     cctv vlan        0
17 ADC    192.1**..0/24      192.1.**.1      ether3-gateway   0

/ip firewall nat

Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; to_pantelco_src
     chain=srcnat action=masquerade src-address-list=allowed_xxx.xxx.1.x out-interface=ether4-local

 1 I chain=hs-auth action=jump jump-target=hs-smtp protocol=tcp dst-port=26

 2 I chain=dstnat action=jump jump-target=hs-smtp protocol=tcp dst-port=26

 3 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough

 4 X ;;; 1st_pantelco
     chain=srcnat action=masquerade src-address-list=allowed_xxx.xxx.1.x out-interface=ether3-gateway

 5   chain=srcnat action=masquerade src-address-list=allowed_xxx.xxx.2.x out-interface=ether3-gateway

 6   chain=srcnat action=masquerade src-address-list=allowed_xxx.xxx.3.x out-interface=ether3-gateway

 7   chain=srcnat action=masquerade src-address-list=allowed_xxx.xxx.4.x out-interface=ether3-gateway

 8 X ;;; ACE gateway
     chain=srcnat action=masquerade src-address-list=allowed_xxx.xxx.1.x out-interface=ether3-gateway

 9 X chain=srcnat action=masquerade src-address-list=allowed_xxx.xxx.2.x out-interface=ether3-gateway

10 X chain=srcnat action=masquerade src-address-list=allowed_xxx.xxx.3.x out-interface=ether3-gateway

11 X chain=srcnat action=masquerade src-address-list=allowed_xxx.xxx.4.x out-interface=ether3-gateway

12 X ;;; 2nd_pantelco
     chain=srcnat action=masquerade src-address-list=allowed_xxx.xxx.1.x out-interface=ether4-local

13 X chain=srcnat action=masquerade src-address-list=allowed_xxx.xxx.2.x out-interface=ether4-local

14 X chain=srcnat action=masquerade src-address-list=allowed_xxx.xxx.3.x out-interface=ether4-local

15 X chain=srcnat action=masquerade src-address-list=allowed_xxx.xxx.4.x out-interface=ether4-local

16   ;;; cctv ip base
     chain=dstnat action=dst-nat to-addresses=192.1**..254 to-ports=4550 protocol=tcp dst-address=.54.*.236 in-interface=ether4-local dst-port=4550

17   chain=dstnat action=dst-nat to-addresses=192.1**..254 to-ports=80 protocol=tcp dst-address=.54.*.236 in-interface=ether4-local dst-port=80

18   chain=dstnat action=dst-nat to-addresses=192.1**..254 to-ports=5550 protocol=tcp dst-address=.54.*.236 in-interface=ether4-local dst-port=5550

19   chain=dstnat action=dst-nat to-addresses=192.1**..254 to-ports=6550 protocol=tcp dst-address=.54.*.236 in-interface=ether4-local dst-port=6550

20   ;;; CCTV_Kalibo
     chain=dstnat action=dst-nat to-addresses=192.1**..240 to-ports=8181 protocol=tcp dst-address=.54.*.236 in-interface=ether4-local dst-port=8181

21   ;;; sip
     chain=dstnat action=dst-nat to-addresses=192.1**..100 to-ports=5060 protocol=udp dst-address=.96..202 dst-port=5060

22   chain=dstnat action=dst-nat to-addresses=192.1**..100 to-ports=5061 protocol=tcp dst-address=.96..202 dst-port=5061

23   ;;; Genesis Port Forward
     chain=dstnat action=dst-nat to-addresses=192.1**..254 to-ports=3306 protocol=tcp dst-address=.54.*.236 in-interface=ether4-local dst-port=3306

24 X ;;; HP switch remote access
     chain=dstnat action=dst-nat to-addresses=192.1**..11 to-ports=80 protocol=tcp dst-address=..22.**

25 X ;;; masquerade hotspot network
     chain=srcnat action=masquerade src-address=192.1**.*.0/24

26 X ;;; office proxy
     chain=dstnat action=redirect to-ports=8080 protocol=tcp dst-port=80

27 X ;;; dns_force
     chain=dstnat action=dst-nat to-addresses=.67..123 to-ports=53 protocol=tcp in-interface=office vlan dst-port=53

28 X chain=dstnat action=dst-nat to-addresses=.67..123 to-ports=53 protocol=udp in-interface=office vlan dst-port=53

29   ;;; remote_desktop
     chain=dstnat action=dst-nat to-addresses=192.1**..52 to-ports=3389 protocol=tcp dst-address=.28..2 in-interface=ether3-gateway dst-port=3389


/ip firewall mangle

Flags: X - disabled, I - invalid, D - dynamic
0 chain=prerouting action=mark-routing new-routing-mark=KCTN_route passthrough=no src-address-list=testing

1 chain=prerouting action=mark-routing new-routing-mark=KCTN_route passthrough=yes src-address-list=allowed_xxx.xxx.1.x

2 chain=prerouting action=mark-routing new-routing-mark=KCTN_route passthrough=no src-address-list=allowed_xxx.xxx.1.x in-interface=office vlan

3 X ;;; change MSS
chain=forward action=change-mss new-mss=1448 tcp-flags=syn protocol=tcp tcp-mss=!0-1448

4 ;;; p2p_rules
chain=prerouting action=mark-connection new-connection-mark=p2p passthrough=yes p2p=all-p2p

5 chain=prerouting action=mark-packet new-packet-mark=p2p passthrough=yes connection-mark=p2p

6 X ;;; per_traffic_devide
chain=prerouting action=mark-routing new-routing-mark=ISP1 passthrough=yes src-address-list=ISP1

7 X chain=prerouting action=mark-routing new-routing-mark=ISP2 passthrough=yes src-address-list=ISP2

8 X ;;; http_2ndline
chain=prerouting action=mark-routing new-routing-mark=HTTP traffic passthrough=no protocol=tcp dst-port=80

9 X ;;; https_2ndline
chain=prerouting action=mark-routing new-routing-mark=SSL traffic passthrough=no protocol=tcp dst-port=443

10 X ;;; unknown_traffic
chain=prerouting action=mark-routing new-routing-mark=Unknown traffic passthrough=no

11 X chain=prerouting action=mark-routing new-routing-mark=KCTN_route passthrough=no src-address-list=testing
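The behaviour described in the first post follows from how a transparent proxy works: the `redirect` rule terminates the client's HTTP connection on the router, and the Web Proxy then opens its own upstream connection to the web server. That upstream connection is router-originated, so it passes through the mangle `output` chain, never through `prerouting`, and the `prerouting` mark-routing rules keyed on `src-address-list=allowed_xxx.xxx.1.x` never see it. With no routing mark it follows the plain default route, which in the export above is the ISP1 side. The redirect rule as posted (rule 26) also has no `in-interface` or `src-address` match, so it would pull the hotspot and guest VLANs into the office proxy as well.

The following is an added example, not the poster's configuration or anything from MikroTik's own documentation. It assumes the interface names (`office vlan`, `ether4-local`), address list (`allowed_xxx.xxx.1.x`) and routing mark (`KCTN_route`, the mark used by the prerouting rules above and presumably carried by route 7 `KCTN_2nd-route`) from the export; `192.0.2.1` is a placeholder for the router's own address on the office VLAN, which the export redacts. The `/ip firewall filter` rule at the end is a minimal addition because the export shows no filter chain at all.

```routeros
# Added example; the names below come from the posted export, the address
# 192.0.2.1 is a placeholder for the router's office-VLAN IP (redacted above).

# 1. Proxy only the office VLAN. Rule 26 as posted matches every TCP/80 flow
#    crossing the router, so guests and hotspot users get proxied as well.
/ip firewall nat
add chain=dstnat action=redirect to-ports=8080 protocol=tcp dst-port=80 \
    in-interface="office vlan" comment="office proxy (office VLAN only)"

# 2. Pin the proxy's upstream connections to a known source address, so that
#    the output-chain rule below catches proxy traffic and not every HTTP
#    request the router itself makes (package fetch, cloud, etc.).
/ip proxy
set enabled=yes port=8080 src-address=192.0.2.1

# 3. Proxy upstream connections are router-originated: they traverse the
#    OUTPUT chain, not PREROUTING, so the existing src-address-list marks do
#    not apply. Mark them here with the same routing mark the office uses.
/ip firewall mangle
add chain=output action=mark-routing new-routing-mark=KCTN_route \
    passthrough=no protocol=tcp dst-port=80 src-address=192.0.2.1 \
    comment="proxy upstream -> office ISP (KCTN_route)"

# 4. The router's own address is not in allowed_xxx.xxx.1.x, so NAT rule 0
#    would not masquerade the proxy's upstream packets on their way out.
/ip firewall nat
add chain=srcnat action=masquerade src-address=192.0.2.1 \
    out-interface=ether4-local comment="masquerade proxy upstream"

# 5. Never expose a transparent proxy on the WAN side: an unauthenticated
#    proxy on 8080 reachable from the internet is an open relay. Restrict the
#    listener to the office VLAN.
/ip firewall filter
add chain=input action=accept protocol=tcp dst-port=8080 \
    in-interface="office vlan" comment="proxy from office VLAN"
add chain=input action=drop protocol=tcp dst-port=8080 \
    comment="proxy from anywhere else"
```

To confirm the fix, check `/ip firewall mangle print stats` for a rising packet counter on the output-chain rule while an office client browses an HTTP site, and `/ip firewall connection print` for connections with source `192.0.2.1` (or whatever address the proxy is pinned to) leaving on the office ISP's interface. Note that only port 80 is affected: HTTPS is not touched by a `dst-port=80` redirect, so it still follows the prerouting marks as before, and the proxy's deny list does not apply to it.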