Web proxy & Static dns

Hello everyone,

I tried to make a transparent web proxy (https://wiki.mikrotik.com/wiki/How_to_make_transparent_web_proxy).

I have 3 servers in my office, and I set a static IP address for each of them in the DNS.
My PC is on network 10.0.0.0/24
and the servers are on 172.16.88.0/24.
Before I set up the proxy server I could reach all 3 servers from my PC; now the DNS works just in the same network (10.0.0.0/24) and I can't reach the servers in the different network (172.16.88.0/24).
From the WAN (outside) everything works fabulously.

For now I just removed the in-interface=ether1 from the following rule:

/ip firewall nat add in-interface=ether1 dst-port=80 protocol=tcp action=redirect to-ports=8080 chain=dstnat
/ip proxy set enabled=yes port=8080

and it works again.
I want to know if it is OK, or if there is another problem I need to solve.
Thanks :slight_smile:

If I understand correctly what you’re doing, then it’s not ok.

You are trying to make a reverse proxy (https://wiki.mikrotik.com/wiki/Multiple_Web_Servers), right? That alone is kind of a hack, because it wasn’t made for that, but OK. But if you transparently redirect everything to it, including your outgoing traffic, and everything still works, then there’s a high chance that you didn’t bother with configuring the access list, which would make you an open proxy (not good).

If you must do this, instead of using a proper reverse proxy, then don’t redirect everything, but only the one public address you have:

/ip firewall nat
add dst-address=<your public address> dst-port=80 protocol=tcp action=redirect to-ports=8080 chain=dstnat

And configure the access list properly, to only allow your servers and nothing else (see the end of the linked article).
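The difference between the two NAT rules discussed in this thread, written out next to an access list, as an added example; this is not configuration from the original post or from the MikroTik wiki. The public address 203.0.113.10 and the host names www1/www2/www3.example.com are constructed placeholders, and the access-list lines assume the dst-host and action parameters of /ip proxy access as documented for RouterOS, so check them against the version you run.

```routeros
# Risky form (kept as a comment so it is not applied): with in-interface
# removed, every TCP/80 flow the router forwards, including the LAN's own
# outbound browsing, is pulled into the proxy on port 8080.
# /ip firewall nat
# add chain=dstnat dst-port=80 protocol=tcp action=redirect to-ports=8080

# Narrower form: only connections addressed to the router's single public
# address are redirected, so LAN-to-anywhere traffic never touches the proxy.
/ip firewall nat
add chain=dstnat dst-address=203.0.113.10 dst-port=80 protocol=tcp \
    action=redirect to-ports=8080 comment="reverse-proxy entry (constructed address)"

/ip proxy
set enabled=yes port=8080

# Access list: permit only the Host names that belong to the three servers,
# then deny everything else so the proxy cannot be used as an open relay.
/ip proxy access
add dst-host=www1.example.com action=allow comment="constructed host name"
add dst-host=www2.example.com action=allow comment="constructed host name"
add dst-host=www3.example.com action=allow comment="constructed host name"
add action=deny comment="catch-all: refuse any other destination"
```

The proxy resolves each allowed Host name with the router's own resolver, so the static DNS entries mentioned in the first post are what steer a name to its internal 172.16.88.0/24 address. After applying the rules, `/ip firewall nat print` and `/ip proxy access print` should show the dst-address-limited redirect and the trailing deny entry; if the deny line is missing, the proxy will answer for any destination a client names.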

Thanks for the quick reply,
I configured the access list, and the WAN interface works great.
The problem is just reaching the servers from a different network. Before the proxy everything worked fine, without the WAN.
Tomorrow I will test it again.

This part is not clear. If it worked before, there’s no reason why the proxy with your original config (with in-interface=ether1) would influence it at all. Maybe there are some details missing in your description.

Before I set up the proxy server I could reach, through the static DNS, any server on any network (172.16.88.0/24) from my local network (10.0.0.0/24).
And now that I’ve set up the proxy server, I can only access the servers on my network (10.0.0.0/24).

Then try to remember all the things you changed when you enabled the proxy, because the proxy alone doesn’t influence any traffic and your original dstnat rule affects only traffic from ether1, which I assume is WAN.