Web proxy not forwarding Https and ftp request...

Hello, I'm using ROS v3.00. I've been using ROS for 1 year with a basic config; I use the normal proxy for caching purposes only!!
But now my friend and I have launched a network ISP, a very small version supporting up to 300 clients only!
My question is: when running the normal proxy, everything is fine, but when I make it transparent, it only shows HTTP-accessed pages like google, mikrotik, etc… but when I try to access any SSL page like the hotmail login etc… it doesn't show anything!!! The browser waits and then says “cannot find server”!!!

I've masqueraded my public networks and added a NAT rule of:

```text
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=srcnat action=masquerade out-interface=pptp-out1 

 1   chain=srcnat action=masquerade out-interface=ether2 

 2   chain=dstnat action=redirect to-ports=8080 protocol=tcp port=!8291,22,23
```

Now I'm able to open HTTP requests, but with HTTPS and FTP it's no good!!!

Please help fast!!

Updated!!

I forgot to mention that I use a PPTP client to connect to my ISP, and only then can I receive the internet bandwidth!!
I've used everything on DHCP: my ISP gives me a DHCP IP, then I connect to the PPTP server, which also gives me a DHCP IP… then it automatically adds the DNS and routes…

You should only redirect HTTP traffic to the proxy. It’s an HTTP proxy so it doesn’t do FTP, and it can’t do HTTPS because it can’t negotiate an SSL certificate for a domain it doesn’t have a certificate for.

Yes, I know everything about FTP and HTTPS traffic. OK, I'm not redirecting FTP and HTTPS to the proxy… now how do I tunnel traffic to deliver it directly to the client??

I need firewall rules here!!

So what are your changed rules now?

```text
chain=dstnat action=redirect to-ports=8080 protocol=tcp port=!8291,22,23
```

What did you use instead? It should be something along the lines of

```text
chain=dstnat action=redirect to-ports=8080 protocol=tcp port=80,8080,3128
```

Hey, I've added the firewall rule but no good… same situation again!! I can access HTTP, but HTTPS and FTP by default!! I am able to use all things by entering the proxy server in the browser, but I don't want that to be done!!

Please help…

I don’t understand what you’re asking.

So now FTP works, but with the real public IP? If you want to proxy FTP, you have to find and install some FTP proxy outside of RouterOS and dstnat tcp/20,21 traffic through it.

You can’t proxy HTTPS without generating a LOT of certificate errors (one for every HTTPS resource accessed) unless you have a root certificate on every customer’s computer.
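A way to check printed or exported NAT rules for the problem discussed in this thread, a redirect into the HTTP-only proxy that also captures HTTPS or FTP. This is an added example, not code from any poster or from MikroTik; the function names are hypothetical, only the destination port is modelled, and a leading `!` is assumed to negate the whole port list.

```python
import shlex

# Ports the replies say the HTTP-only web proxy cannot serve.
NON_HTTP = {21: "FTP", 443: "HTTPS"}

def parse_rule(line):
    """Parse a printed or exported rule ('add key=value ...') into a dict."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def port_in_spec(spec, port):
    """Evaluate a port list such as '80,8000-8080' or '!8291,22,23'.
    Assumption: a leading '!' negates the whole list."""
    negate = spec.startswith("!")
    hit = False
    for item in spec.lstrip("!").split(","):
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            hit = True
    return hit != negate

def audit(lines):
    """Return (rule_index, port, service) for every dstnat redirect rule
    that would also pull FTP or HTTPS into the proxy."""
    findings = []
    for idx, line in enumerate(lines):
        rule = parse_rule(line)
        if rule.get("chain") != "dstnat" or rule.get("action") != "redirect":
            continue
        if rule.get("disabled") == "yes" or rule.get("protocol", "tcp") != "tcp":
            continue
        # Assumption: only the destination port is modelled.
        spec = rule.get("dst-port") or rule.get("port")
        for port, service in NON_HTTP.items():
            if spec is None or port_in_spec(spec, port):
                findings.append((idx, port, service))
    return findings

# Rules quoted from the thread: the first redirect, then the suggested one.
THREAD_RULES = [
    "chain=srcnat action=masquerade out-interface=pptp-out1",
    "chain=dstnat action=redirect to-ports=8080 protocol=tcp port=!8291,22,23",
    "chain=dstnat action=redirect to-ports=8080 protocol=tcp port=80,8080,3128",
]

if __name__ == "__main__":
    for idx, port, service in audit(THREAD_RULES):
        print(f"rule {idx}: redirects {service} (tcp/{port}) into the proxy")
```

Only the negated-list rule is reported; the rule limited to ports 80, 8080 and 3128 leaves HTTPS and FTP to follow the masquerade rules untouched.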

OK, let me give you the complete scenario…

  1. I get a DHCP lease from the ISP on the Public interface
  2. I get routes and DNS from the ISP
  3. Then I configured a PPTP client to connect to the internet server of the ISP
  4. Now enabled the proxy at port 8080
  5. I want to set up a transparent proxy; for that:

a) I masqueraded the Public and PPTP interfaces with the Private network
b) Redirected ports 80,8080,3129 to the proxy

```text
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=pptp-out1
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether2
add action=redirect chain=dstnat comment="Transparent Web Cache" disabled=no port=80,8080,3128 protocol=tcp to-ports=8080
```

c) Added a mangle rule to take output connection

```text
/ip firewall mangle
add action=accept chain=output comment="" disabled=no dscp=4 protocol=tcp
```

  1. Now I am able to access HTTP pages…
  2. Cannot access HTTPS pages
  3. Cannot access FTP pages
  4. NEED HELP