Web Proxy - Two Wan-s trouble with redirect http traffic.

ITway · February 26, 2008, 11:09am

Hello
I want to add proxy serwer on MT.
I have two WAN-s and one Lan and i want redirect proxy traffic to wan when i have only http traffic.
When I add web proxy serwer all traffic go to my primary Wan wher is other traffic.
I have ROS ver 3.3.
When i type in web proxy src address -address Wan where is traffic for http then can't open any web sides.
What is the reason of that situation?
Thank's for help.
This is my config:
Wan1 - for http, web proxy, dns services and other important
Wan2 - for other traffic
LAN - to to another MT

Ip addreses:
/ip address> pr
Flags: X - disabled, I - invalid, D - dynamic

ADDRESS NETWORK BROADCAST INTERFACE

0 ;;; DSL 4Mb WWW
83.19.100.82/29 83.19.100.80 83.19.100.87 ether2_DSL4Mb
1 ;;; DSL 4Mb
83.15.248.202/29 83.15.248.200 83.15.248.207 ether3_DSL4Mb
2 ;;; LAN
192.168.1.1/24 192.168.1.0 192.168.1.255 LAN

Ip firewall Nat:
chain=srcnat action=masquerade src-address=192.168.1.0/24

chain=dstnat action=redirect to-ports=3128 src-address=192.168.1.0/24 in-interface=LAN
dst-port=80 protocol=tcp

/ip firewall mangle> pr
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Oznaczenie ruchu proxy
chain=output action=mark-packet new-packet-mark=proxy-hit passthrough=no
out-interface=LAN dscp=4

1 ;;; ICMP
chain=prerouting action=mark-routing new-routing-mark=DSL1
passthrough=no in-interface=LAN protocol=icmp

2 X ;;; FTP
chain=prerouting action=mark-routing new-routing-mark=DSL1
passthrough=yes in-interface=LAN dst-port=20-21 protocol=tcp

3 X ;;; SMTP
chain=prerouting action=mark-routing new-routing-mark=DSL1
passthrough=yes in-interface=LAN dst-port=25 protocol=tcp

4 ;;; DNS
chain=prerouting action=mark-routing new-routing-mark=DSL1
passthrough=yes in-interface=LAN dst-port=53 protocol=udp

5 ;;; HTTP
chain=prerouting action=mark-routing new-routing-mark=DSL1
passthrough=yes in-interface=LAN dst-port=80 protocol=tcp

6 ;;; Proxy
chain=prerouting action=mark-routing new-routing-mark=DSL1
passthrough=yes in-interface=LAN dst-port=3128 protocol=tcp

7 chain=output action=mark-routing new-routing-mark=DSL1 passthrough=no
out-interface=LAN dst-port=80 protocol=tcp

8 chain=output action=mark-routing new-routing-mark=DSL1 passthrough=no
out-interface=LAN dst-port=3128 protocol=tcp

9 X ;;; HTTP proxy
chain=output action=mark-routing new-routing-mark=DSL1 passthrough=no
dst-port=80 protocol=tcp

10 X ;;; POP3 Secure
chain=prerouting action=mark-routing new-routing-mark=DSL1
passthrough=yes in-interface=LAN dst-port=110 protocol=tcp

11 ;;; SSL
chain=prerouting action=mark-routing new-routing-mark=DSL1
passthrough=yes in-interface=LAN dst-port=443 protocol=tcp

Proxy:

/ip proxy> pr
enabled: yes
src-address: 0.0.0.0
port: 3128
parent-proxy: 0.0.0.0
parent-proxy-port: 0
cache-drive: secondary-master
cache-administrator: "webmaster"
max-cache-size: unlimited
cache-on-disk: yes
max-client-connections: 600
max-server-connections: 600
max-fresh-time: 3d
serialize-connections: no
always-from-cache: no
cache-hit-dscp: 4
IP route

/ip route> pr
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC GATEWAY-STATE GATEWAY DISTANCE INTERFACE

0 A S 0.0.0.0/0 reachable 83.19.100.81 1 ether2_DSL4Mb
1 A S 0.0.0.0/0 reachable 83.15.248.201 1 ether3_DSL4Mb
2 ADC 83.15.248.200/29 83.15.248.202 0 ether3_DSL4Mb
3 ADC 83.19.100.80/29 83.19.100.82 0 ether2_DSL4Mb
4 ADC 192.168.1.0/24 192.168.1.1

Table:
/ip route rule> pr
Flags: X - disabled, I - inactive
0 routing-mark=DSL1 action=lookup table=DSL1

1 routing-mark=main action=lookup table=main

Best regards
Tom

anscs · February 28, 2008, 9:13pm

dear Tom

show me /ip route print detail

ITway · February 29, 2008, 9:09pm

That is my ip route

/ip route> print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 A S dst-address=0.0.0.0/0 gateway=83.19.100.81 interface=ether2_DSL4Mb
gateway-state=reachable distance=1 scope=30 target-scope=10
routing-mark=DSL1

1 A S dst-address=0.0.0.0/0 gateway=83.15.248.201 interface=ether3_DSL4Mb
gateway-state=reachable distance=1 scope=30 target-scope=10
routing-mark=main

2 ADC dst-address=83.15.248.200/29 pref-src=83.15.248.202
interface=ether3_DSL4Mb distance=0 scope=10

3 ADC dst-address=83.19.100.80/29 pref-src=83.19.100.82
interface=ether2_DSL4Mb distance=0 scope=10

4 ADC dst-address=192.168.1.0/24 pref-src=192.168.1.1 interface=LAN
distance=0 scope=10

That is mangle:
/ip firewall mangle> print detail
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; HTTP
chain=prerouting action=mark-routing new-routing-mark=DSL1
passthrough=yes in-interface=LAN dst-port=80 protocol=tcp

1 chain=output action=mark-routing new-routing-mark=DSL1 passthrough=yes
dst-port=80 protocol=tcp

2 ;;; Proxy
chain=prerouting action=mark-routing new-routing-mark=DSL1
passthrough=yes in-interface=LAN dst-port=3128 protocol=tcp

3 chain=output action=mark-routing new-routing-mark=DSL1 passthrough=no
dst-port=3128 protocol=tcp

4 ;;; mark proxy traffic
chain=output action=mark-packet new-packet-mark=proxy-hit passthrough=no
out-interface=LAN dscp=4

5 ;;; ICMP
chain=prerouting action=mark-routing new-routing-mark=DSL1
passthrough=no in-interface=LAN protocol=icmp

I got working web proxy on second wan but
I have another problem when I enable web proxy i have many times out connection.
Web sides loading and sometimes connections break and web side don’t responding.
What is the reson off that?

Thank’s for help.
Tom

xrtc · March 4, 2008, 8:30am

i got the the same prob … how did do that??

ITway · March 4, 2008, 8:34am

You need to add two routing marks in mangle. Make sure these rules are numbers 0 and 1 in your mangle list.

/ip firewall mangle
add action=mark-routing chain=prerouting comment=“” disabled=no dst-port=80 new-routing-mark=HTTP passthrough=yes protocol=tcp place-before=0
add action=mark-routing chain=output comment=“” disabled=no dst-port=80 new-routing-mark=HTTP passthrough=yes protocol=tcp place-before=1

Try this.

skillful · March 4, 2008, 11:19am

ITway, this is PLAGIARISM. You should have quoted the source or better still, paste a link to the original source.

ITway · March 4, 2008, 11:45am

Sorry

http://forum.mikrotik.com/t/help-please-mikrotik-v3-x86-webproxy-issue-using-2wans/19211/1

That is better:) ?

But I have still the some problem, when web proxy is enablet are to many timeouts connection.

ITway · March 7, 2008, 6:09pm

In ver of MT 3.4 is the some, when i type src address in web proxy src address then proxy don’t working.
I’m tyred of try and try againg.
Something in that config is bad.
Mybe something in MT version.

Can anyone help me with that problem?
Best regards
Tom

ITway · March 11, 2008, 7:49pm

I don’t have any idea what to do which that problem.

How solve in web proxy src address to redirect trafic on second wan?

Any idea?

Thank’s
Best regards