Dear Mikrotik Wizards
I hope that someone can help me - I'm so frustrated I'm ready to roar! I've asked many people I know who use RouterOS, but nobody seems to be able to solve this little problem. I've been trying for almost two months with no success, so it must be something really simple.
I have a RB750G with default setup (port 1 WAN, DHCP - ports 2-5 switched internal, 192.168.88.0/24) and I am trying to re-route all internal http traffic (port 80) to my squid proxy which is sitting on a separate box also on the internal network. There are so many examples of this working for people and I've tried each one, but with no luck! I've also tried another RB750G and another squid proxy, but same symptoms persist.
The problem is that the router is not routing the outgoing requests to the squid proxy succesfully. If I manually set the browser to use it, the proxy works fine. If I turn off the proxy and listen on the port with netcat ($netcat -l 3128), I get no incoming traffic to the server. If I click on the Connections tab under Firewall in winbox, I can see the ougoing "syn" on port 80, but thereafter no handshake follows (no ack).
I therefore come to the conclusion that the router is not forwarding the request correctly.
My router: 192.168.88.1
My proxy: 192.168.88.228 (port 3128)
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s \
tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established disabled=no in-interface=\
add action=accept chain=input comment="default configuration" connection-state=related disabled=no in-interface=\
add action=drop chain=forward comment=";;; drop insecure mail port 25" disabled=no dst-address=0.0.0.0/0 dst-port=25 \
out-interface=ether1-gateway protocol=tcp src-address=192.168.88.0/24
add action=drop chain=input comment="default configuration" disabled=no in-interface=ether1-gateway
/ip firewall nat
add action=accept chain=dstnat comment=";;; accept proxy through firewall" disabled=no dst-port=80 protocol=tcp src-address=\
add action=dst-nat chain=dstnat comment=";;; but re-route everyone else through proxy" disabled=no dst-port=80 protocol=tcp \
src-address=192.168.88.0/24 to-addresses=192.168.88.228 to-ports=3128
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=ether1-gateway
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
If anyone could please help me, I would be truly grateful. I have work which urgently needs this to function, and whilst I know this is not anyone else's problem, I've exhausted all my options of support over here. Please help!
Thanks for a fantastic product - this is the only problem I've had with RouterOS. Everything else about it is simply fantastic.