ddell
just joined
Topic Author
Posts: 2
Joined: Sat Jan 10, 2015 7:11 pm

Passing all traffic on to proxy server

Wed Feb 17, 2016 9:14 pm

Greetings,

Here is what I'm trying to accomplish. I am on a network that requires the use of a proxy server. I would prefer to not enter all the settings for the proxy into every device. Thus I want to use my mikrotik to forward all traffic to the proxy server. On my rb750, I will have one port connecting to the network, the other ports I would like to function as simple switch ports and then rules for all those ports to forward traffic to ip server. I found the article in the wiki on making a transparent web proxy but that's not exactly what I'm trying to do. Any advice would be greatly appreciated.
 
scampbell
Trainer
Posts: 457
Joined: Thu Jun 22, 2006 5:20 am
Location: Wellington, NZ

Re: Passing all traffic on to proxy server

Thu Feb 18, 2016 9:15 pm

You need to create a dstnat rule with

# proxyIP is a placeholder: substitute the proxy server's address
/ip firewall nat
add chain=dstnat action=dst-nat to-address=proxyIP to-ports=8080 protocol=tcp dst-port=80,443 in-interface=bridge-lan

This will redirect any HTTP and HTTPS to your proxy on port 8080.

Change settings to suit your proxy :-)
MTCNA, MTCWE, MTCRE, MTCTCE, MTCSE, MTCINE, Trainer
___________________
Mikrotik Distributor - New Zealand
http://www.campbell.co.nz
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Passing all traffic on to proxy server

Fri Feb 19, 2016 4:50 am

> /ip firewall nat
> add chain=dstnat action=dst-nat to-address=proxyIP to-ports=8080 protocol=tcp dst-port=80,443 in-interface=bridge-lan
>
> This will redirect any HTTP and HTTPS to your proxy on port 8080.

Doesn't transparent proxy give certificate issues with SSL?

> I am on a network that requires the use of a proxy server.

You might try setting up WPAD so browsers will automatically detect proxy settings.

Here is a page that covers the steps to deploy WPAD, which is how browsers automatically detect proxy server settings.
http://findproxyforurl.com/deploying-wpad/

The format of the PAC file (which is named wpad.dat on your website) is also discussed on the page.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
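
A minimal PAC file of the kind the WPAD approach above serves as wpad.dat, added here as an example and not taken from the thread or the linked page. The proxy address 192.0.2.10 is a constructed placeholder; port 8080 follows the dstnat rule earlier in the thread.

```javascript
// wpad.dat: added example. PROXY_ADDR is a constructed placeholder (TEST-NET-1).
var PROXY_ADDR = "192.0.2.10:8080";

// True when host is a dotted-quad IPv4 literal in a private or loopback range.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

// Entry point the browser calls for every request it is about to make.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label names (no dot, not an IPv6 literal) and private
  // addresses are on the LAN and never go through the proxy.
  var singleLabel = host.indexOf(".") === -1 && host.indexOf(":") === -1;
  if (singleLabel || isPrivateIPv4(host)) return "DIRECT";
  // The proxy itself has to be reached directly.
  if (host === PROXY_ADDR.split(":")[0]) return "DIRECT";
  // Web traffic goes to the proxy. For https:// URLs the browser then sends
  // an explicit CONNECT request, so the TLS session stays end to end.
  // No "; DIRECT" fallback is listed: on a network that requires the proxy,
  // a client should fail rather than bypass it when the proxy is down.
  if (/^https?:/i.test(url)) return "PROXY " + PROXY_ADDR;
  return "DIRECT";
}
```

Web servers normally deliver this file with the MIME type application/x-ns-proxy-autoconfig.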
 
scampbell
Trainer
Posts: 457
Joined: Thu Jun 22, 2006 5:20 am
Location: Wellington, NZ

Re: Passing all traffic on to proxy server

Fri Feb 19, 2016 5:28 am

> > /ip firewall nat
> > add chain=dstnat action=dst-nat to-address=proxyIP to-ports=8080 protocol=tcp dst-port=80,443 in-interface=bridge-lan
> >
> > This will redirect any HTTP and HTTPS to your proxy on port 8080.
>
> Doesn't transparent proxy give certificate issues with SSL?
>
> > I am on a network that requires the use of a proxy server.
>
> You might try setting up WPAD so browsers will automatically detect proxy settings.
>
> Here is a page that covers the steps to deploy WPAD, which is how browsers automatically detect proxy server settings.
> http://findproxyforurl.com/deploying-wpad/
>
> The format of the PAC file (which is named wpad.dat on your website) is also discussed on the page.

I agree proxying 443 is not at all possible on Mikrotik's own proxy, but apparently some proxies claim they can handle this, such as Squid using what's called the CONNECT Tunnel method (RFC2817) - http://wiki.squid-cache.org/Features/HTTPS

I included TCP 443 just to capture all browser traffic.

The WPAD idea is excellent as I have used that for PCs in a school environment. The one glitch with that method is that tablets don't recognise it - (at least they didn't when we tried ...hehe ) so for that we used a dstnat rule to force them to use Squid.

The Squid site had some interesting stuff on WPAD too - http://wiki.squid-cache.org/SquidFaq/Co ... D_with_DNS :-)
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Passing all traffic on to proxy server

Fri Feb 19, 2016 5:31 am

Yup - WPAD for the willing, and dstnat for the clueless or mischievous. :mrgreen:

I never set it up myself, but I did configure a ROS proxy manually in my browser one time helping in another thread here, and SSL worked without certificate issues when I did that. (explicitly set the router as my proxy)
