Glamplitude
just joined
Topic Author
Posts: 10
Joined: Thu Sep 16, 2010 7:08 pm
Location: South Africa

NAT re-route to squid proxy not working!

Thu Sep 16, 2010 10:08 pm

Dear Mikrotik Wizards

I hope that someone can help me - I'm so frustrated I'm ready to roar! I've asked many people I know who use RouterOS, but nobody seems to be able to solve this little problem. I've been trying for almost two months with no success, so it must be something really simple. :)

I have a RB750G with default setup (port 1 WAN, DHCP - ports 2-5 switched internal, 192.168.88.0/24) and I am trying to re-route all internal http traffic (port 80) to my squid proxy which is sitting on a separate box also on the internal network. There are so many examples of this working for people and I've tried each one, but with no luck! I've also tried another RB750G and another squid proxy, but same symptoms persist.

The problem is that the router is not routing the outgoing requests to the squid proxy successfully. If I manually set the browser to use it, the proxy works fine. If I turn off the proxy and listen on the port with netcat ($netcat -l 3128), I get no incoming traffic to the server. If I click on the Connections tab under Firewall in winbox, I can see the outgoing "syn" on port 80, but thereafter no handshake follows (no ack).

I therefore come to the conclusion that the router is not forwarding the request correctly.

My router: 192.168.88.1
My proxy: 192.168.88.228 (port 3128)

My config:

/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s \
tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s

/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established disabled=no in-interface=\
ether1-gateway
add action=accept chain=input comment="default configuration" connection-state=related disabled=no in-interface=\
ether1-gateway
add action=drop chain=forward comment=";;; drop insecure mail port 25" disabled=no dst-address=0.0.0.0/0 dst-port=25 \
out-interface=ether1-gateway protocol=tcp src-address=192.168.88.0/24
add action=drop chain=input comment="default configuration" disabled=no in-interface=ether1-gateway

/ip firewall nat
add action=accept chain=dstnat comment=";;; accept proxy through firewall" disabled=no dst-port=80 protocol=tcp src-address=\
192.168.88.228
add action=dst-nat chain=dstnat comment=";;; but re-route everyone else through proxy" disabled=no dst-port=80 protocol=tcp \
src-address=192.168.88.0/24 to-addresses=192.168.88.228 to-ports=3128
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=ether1-gateway

/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no

If anyone could please help me, I would be truly grateful. I have work which urgently needs this to function, and whilst I know this is not anyone else's problem, I've exhausted all my options of support over here. Please help!

Thanks for a fantastic product - this is the only problem I've had with RouterOS. Everything else about it is simply fantastic.

Yours,
Gareth
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: NAT re-route to squid proxy not working!

Sat Sep 18, 2010 1:02 am

http://wiki.mikrotik.com/wiki/Hairpin_NAT
/ip firewall nat
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.228 action=masquerade
You will be unable to log access on the proxy as all access will appear to come from the router. The only way to work around that is to not put the Squid proxy on the same network as the clients that are to be proxied. This would be trivial to do on the RB750G by taking one port out of the switch group and building a second LAN dedicated to the Squid box. Still, if you want the Squid box to stay on the internal network and can live with access logs being useless, hairpin NAT will make this work.
 
Glamplitude
just joined
Topic Author
Posts: 10
Joined: Thu Sep 16, 2010 7:08 pm
Location: South Africa

Re: NAT re-route to squid proxy not working!

Mon Sep 20, 2010 1:23 pm

Dear fewi

Thank you so much for your quick and informative reply. I really appreciate that you explained to me WHY the problem exists, as well as what I can do about it. I tried your suggestion of creating a separate LAN on port 5 of the RB750G and it seems to be working... access via proxy is slightly slower than direct access, but proxied pages are faster. (I'm not sure if I should be able to notice the difference on my little home network - is my setup very clumsy?)

Anyway, in the same spirit of sharing by which you have really helped me (I can't thank you enough!), I've copied the important parts of my config from "/export file=config" below. So, for all new readers, this is what I've done to create a separate logical LAN on a separate physical port. Here is my setup, to make it easy for newcomers and Google spiders to find:

Routerboard 750G
Port 1: WAN, dhcp-client
Port 2: local master for 192.168.88.1/24 network - this is my client network
Port 3: switching Port2
Port 4: switching Port3
Port 5: local master for 192.168.222.0/24 network - this is my server network

I am using the .88.1/24 network for all clients, and I have a dumb switch in the next room connected to Port2 which then connects to 5 other computers. I also have another client in the server room connected to Port3, incidentally.

I am using the .222.1/24 network for all servers. Currently, I only have one physical server, but if I needed more, I would probably extend the new second LAN onto Port4 in order to capitalise on the RB750G's gigabit speeds. (but for even more, I'd put in another switch)

I am using an Ubuntu Linux server for squid (and subversion, apache, webmin, samba and ssh), and its address is 192.168.222.222 - looks confusing, but at least I can remember it! As per good policy with servers, I've hardwired this in the server, and then reserved the IP in the RB750G's DHCP server so it doesn't get issued to another machine by some chance.

Diagrammatically, my RB750G is wired as follows:

Port 1 -> ADSL router - internet
Port 2 -> dumb switch -> various client machines
Port 3 -> lone client in the server room
Port 4 (unused)
Port 5 -> server

I have chopped out the salient points from my config dump (at the end of this post). To other advanced and more experienced users, if I've made any obvious errors, or done something typically n00bish, please let me know. If anyone can streamline this further, please also say so.

Finally, I want to thank fewi and the community once more. Without your help, there would be no help for guys like me wanting to start out. If you were here, I'd get you a drink for sure, but for now it'll have to be an *e-beer* from South Africa!

######################################################
# Set up the 5th port on the RB750G as a separate LAN
######################################################
/interface ethernet
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=no full-duplex=yes l2mtu=1524 \
master-port=none mtu=1500 name=ether5-server-master speed=1Gbps

/ip neighbor discovery
set ether5-server-master discover=yes

/queue interface
set ether5-server-master queue=ethernet-default

/tool mac-server
add disabled=no interface=ether5-server-master

######################################################
# create a server IP pool and issue DHCP on this port
######################################################

/ip dhcp-server
add address-pool=server-dhcp authoritative=after-2sec-delay bootp-support=\
static disabled=no interface=ether5-server-master lease-time=3d name=\
server

/ip pool
add name=server-dhcp ranges=192.168.222.22-192.168.222.222

######################################################
# now create the networking rules for our new LAN
######################################################

/ip address
add address=192.168.222.1/24 broadcast=192.168.222.255 comment=\
";;; default server configuration" disabled=no interface=\
ether5-server-master network=192.168.222.0

/ip dhcp-server network
add address=192.168.222.0/24 comment=";;; default server configuration" \
dns-server=192.168.88.1 gateway=192.168.222.1

######################################################
# now create NAT rules to redirect port 80 to proxy
######################################################

/ip firewall nat
add action=accept chain=srcnat comment=";;; allow direct access to proxy" \
disabled=no dst-address=192.168.222.222 dst-port=80 protocol=tcp
add action=accept chain=dstnat comment=";;; accept proxy through firewall" \
disabled=no dst-port=80 protocol=tcp src-address=192.168.222.222
add action=dst-nat chain=dstnat comment=\
";;; but re-route everyone else through proxy" disabled=no dst-port=80 \
protocol=tcp src-address=192.168.88.0/24 to-addresses=192.168.222.222 \
to-ports=3128

######################################################
# our new lan needs to be routable so we can see it
######################################################

/ip route
add comment="" disabled=no distance=1 dst-address=192.168.222.1/32 gateway=\
192.168.222.1 scope=30 target-scope=10
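Both fewi's hairpin NAT answer above and the separate-LAN layout in this post come down to the same question: which path does the proxy's SYN-ACK take back to the client? The following Python model is an added example for this thread (it is not RouterOS code and not any poster's code). It replays the client's SYN through the dstnat redirect, the optional srcnat masquerade and connection tracking for the three layouts discussed: proxy on the client LAN without hairpin NAT (the original problem), the same layout with fewi's masquerade rule, and the proxy on its own /24. The client 192.168.88.50 and the web server 203.0.113.10 are constructed addresses.

```python
"""Why a same-subnet DST-NAT redirect to Squid stalls after the SYN, and what
hairpin NAT or a separate server subnet changes. Added illustration for this
forum thread; not RouterOS code and not any poster's code.

Addresses follow the posts: router 192.168.88.1 and proxy 192.168.88.228:3128
(first post) or 192.168.222.222:3128 (separate LAN). The client 192.168.88.50
and the web server 203.0.113.10 are constructed.
"""
from dataclasses import dataclass

ROUTER, CLIENT, WEB = "192.168.88.1", "192.168.88.50", "203.0.113.10"
PROXY_PORT = 3128


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def same_subnet(a: str, b: str) -> bool:
    """Every LAN in the thread is a /24, so comparing the first three octets is enough."""
    return a.rsplit(".", 1)[0] == b.rsplit(".", 1)[0]


class Router:
    """Only the pieces that matter here: the dstnat redirect, the optional hairpin
    masquerade, and a connection-tracking table used to undo both on the reply."""

    def __init__(self, proxy: str, hairpin: bool):
        self.proxy, self.hairpin = proxy, hairpin
        self.conntrack = {}  # reply tuple as the proxy sends it -> reply tuple the client expects

    def forward(self, p: Packet) -> Packet:
        orig = p
        # dstnat: any LAN client except the proxy itself, tcp/80 -> proxy:3128
        if p.src != self.proxy and p.dport == 80:
            p = Packet(p.src, p.sport, self.proxy, PROXY_PORT, p.flags)
        # srcnat hairpin: masquerade LAN->proxy so the proxy answers the router, not the client
        if self.hairpin and same_subnet(p.src, self.proxy) and p.dst == self.proxy:
            p = Packet(ROUTER, p.sport, p.dst, p.dport, p.flags)
        self.conntrack[(p.dst, p.dport, p.src, p.sport)] = (orig.dst, orig.dport, orig.src, orig.sport)
        return p

    def reply(self, p: Packet):
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.conntrack:
            return None  # no tracked connection: the stateful firewall drops it
        src, sport, dst, dport = self.conntrack[key]
        return Packet(src, sport, dst, dport, p.flags)  # both NATs undone


def simulate(proxy: str, hairpin: bool) -> dict:
    """Send one SYN from the client to a web server and report what the client gets back."""
    router = Router(proxy, hairpin)
    syn = Packet(CLIENT, 40000, WEB, 80, "SYN")
    at_proxy = router.forward(syn)
    # The proxy answers whatever source address it saw on the SYN.
    synack = Packet(proxy, PROXY_PORT, at_proxy.src, at_proxy.sport, "SYN-ACK")
    if same_subnet(synack.src, synack.dst) and synack.dst != ROUTER:
        path, delivered = "direct over the switch", synack  # the router never sees it
    else:
        path, delivered = "via the router", router.reply(synack)
    # The client only accepts a SYN-ACK from the address and port it originally dialled.
    expected = delivered is not None and (delivered.src, delivered.sport, delivered.dport) == (WEB, 80, syn.sport)
    return {
        "handshake": "established" if expected else "stalled after SYN",
        "proxy_logs_client_as": at_proxy.src,
        "reply_path": path,
        "client_sees_reply_from": f"{delivered.src}:{delivered.sport}" if delivered else "nothing",
    }


if __name__ == "__main__":
    for proxy, hairpin in [("192.168.88.228", False), ("192.168.88.228", True), ("192.168.222.222", False)]:
        print(proxy, "hairpin" if hairpin else "no hairpin", simulate(proxy, hairpin))
```

The first scenario reproduces the symptom in the opening post (a SYN is tracked, nothing follows): the proxy's SYN-ACK reaches the client straight across the switch with source 192.168.88.228:3128, which no client socket is waiting for. The second shows the cost fewi mentions: with the hairpin masquerade the handshake completes, but the proxy logs every client as 192.168.88.1. The third, the separate /24, completes without masquerade and keeps the real client address in the proxy's log.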
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: NAT re-route to squid proxy not working!

Mon Sep 20, 2010 3:12 pm

Glad you got it working.

This comes up so much, maybe write a wiki page yourself with that information - it is easier to find there than in the forums.
 
Glamplitude
just joined
Topic Author
Posts: 10
Joined: Thu Sep 16, 2010 7:08 pm
Location: South Africa

Re: NAT re-route to squid proxy not working!

Wed Sep 22, 2010 12:51 am

Thanks for the encouragement. I think I would like to write the wiki, to help the community. As you say, if it comes up a lot, then a simple tutorial may help.

I have one final question, about the route which I added using the following command:

/ip route
add comment="" disabled=no distance=1 dst-address=192.168.222.1/32 gateway=\
192.168.222.1 scope=30 target-scope=10

If I use winbox, I see the route in BLUE writing, and it says "unreachable" next to it (see attached screengrab). Have I done something wrong? It works, in the sense that my proxy is now working, but it concerns me that it's blue and unreachable.

Thanks!

Gareth
[attachment: ip-routes.jpg]
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: NAT re-route to squid proxy not working!

Wed Sep 22, 2010 12:57 am

You cannot have a route to an IP address through itself. Your destination is 192.168.222.1/32 (/32 is CIDR notation for "just this one single IP address"), and you're trying to reach it through that IP address itself. That is redundant. A destination of 192.168.222.0/24 (that entire network) through 192.168.222.1 (the IP the router has on the interface that entire network is behind) makes sense, but you don't have to enter such a route: it will automatically be created the moment you put an IP address on an interface as what is called a 'directly connected' route.

In your screenshot look at the fourth entry: 192.168.222.0/24 is reachable through ether5-server-master with a preferred source of 192.168.222.1. The route has the properties DAC: dynamic (automatically created when the IP address was added to the interface), active (the interface is up, so the route is valid) and connected (the route doesn't point to a network behind a transit network, but to a network the router has an IP address on).

So you can remove that blue static route you created and things will still work; that blue static route isn't used at all as it is right now.
 
kazanova
Member
Posts: 407
Joined: Tue Sep 06, 2005 11:52 am

Re: NAT re-route to squid proxy not working!

Thu Sep 23, 2010 11:11 pm

Glamplitude, can you please paste the Squid configuration you use?
I tried what you said but with no luck.
Squid only works if I set my internal proxy to enabled.
Indeed, We sent down the Torah, in which was guidance and light. The prophets who submitted judged by it for the Jews, as did the rabbis and scholars by that with which they were entrusted of the Scripture of Allah, and they were witnesses thereto. So do not fear the people but fear Me, and do not exchange My verses for a small price. And whoever does not judge by what Allah has revealed, then it is those who are the disbelievers.
 
Glamplitude
just joined
Topic Author
Posts: 10
Joined: Thu Sep 16, 2010 7:08 pm
Location: South Africa

Re: NAT re-route to squid proxy not working!

Fri Sep 24, 2010 12:41 am

Hi

I use generic settings for squid - i.e. out of the box. (So there is no need to paste my config. It is default.)

If you are using squid version later than 2.6, remember to pass the "transparent" option as part of the "http_port" configuration. The relevant line in my config (line 1115 for me) says:

http_port 3128 transparent

I am familiar with using the config file, but the company I'm working for requires all the products to be configurable via webmin. If you are new to unix administration, I recommend webmin (www.webmin.com) - it is a very easy way to learn unix.

Also, (this is really easy in webmin) remember to edit your ACLs and add a line which says

http_access allow localnet

You must add this line BEFORE the line which says

http_access deny all

because, like RouterOS, squid reads the allow/deny rules in the order they appear (you want to allow before you deny all).

Good luck!
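As an added illustration of the ordering point above (this is not Squid's code and not from the thread), the following Python snippet evaluates http_access lines the way Squid does, first match wins, and reports which line decided for a given client address. It also reports whether http_port carries the transparent keyword (newer Squid releases spell the same option intercept, so both are accepted). Only src ACLs and the built-in all are modelled, and the two squid.conf fragments are constructed for the example.

```python
"""First-match evaluation of Squid http_access lines plus an http_port mode check.
Added example for this thread; not Squid's code. Handles 'acl NAME src ...' and the
built-in 'all' ACL only. Sample configurations below are constructed."""
import ipaddress


def parse_squid(text):
    """Collect src ACLs, http_access lines and http_port options in file order."""
    acls, access, ports = {"all": ["0.0.0.0/0"]}, [], []
    for raw in text.splitlines():
        parts = raw.split("#")[0].split()  # drop comments
        if not parts:
            continue
        if parts[0] == "acl" and len(parts) >= 4 and parts[2] == "src":
            acls.setdefault(parts[1], []).extend(parts[3:])  # repeated acl lines accumulate
        elif parts[0] == "http_access" and len(parts) >= 3:
            access.append((parts[1], parts[2:]))  # (allow|deny, [acl names])
        elif parts[0] == "http_port":
            ports.append(parts[1:])
    return acls, access, ports


def acl_matches(acls, name, client):
    """A leading '!' negates the ACL, as in Squid."""
    negate = name.startswith("!")
    ranges = acls.get(name.lstrip("!"), [])
    hit = any(ipaddress.ip_address(client) in ipaddress.ip_network(r, strict=False) for r in ranges)
    return hit != negate


def decide(text, client):
    """Return (decision, index of the deciding http_access line).
    Squid stops at the first line whose ACLs all match; if none matches, the
    default is the opposite of the last line's action (index None)."""
    acls, access, _ = parse_squid(text)
    for idx, (verdict, names) in enumerate(access):
        if all(acl_matches(acls, n, client) for n in names):
            return verdict, idx
    if access:
        return ("deny" if access[-1][0] == "allow" else "allow"), None
    return "deny", None


def intercept_mode(text):
    """True when some http_port line is set up for transparent interception."""
    _, _, ports = parse_squid(text)
    return any("transparent" in opts or "intercept" in opts for opts in ports)


# Constructed fragments: the order recommended in the post, and the order that locks clients out.
GOOD_CONF = """
acl localnet src 192.168.88.0/24
acl localnet src 192.168.222.0/24
http_port 3128 transparent
http_access allow localnet
http_access deny all
"""
BAD_CONF = """
acl localnet src 192.168.88.0/24
http_port 3128
http_access deny all
http_access allow localnet
"""

if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, decide(conf, "192.168.88.50"), decide(conf, "203.0.113.5"), intercept_mode(conf))
```

With the recommended order a LAN client is allowed by line 0 and an outside address is denied by line 1; with deny all first, line 0 denies everyone and the allow localnet line is never reached, which is exactly the "allow before deny all" point the post makes.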
 
kazanova
Member
Posts: 407
Joined: Tue Sep 06, 2005 11:52 am

Re: NAT re-route to squid proxy not working!

Fri Sep 24, 2010 12:55 am

Webmin is already installed and running.
http_access allow localnet
Can I edit this through Webmin? I am not so familiar with Linux :D If yes, where?
 
Glamplitude
just joined
Topic Author
Posts: 10
Joined: Thu Sep 16, 2010 7:08 pm
Location: South Africa

Re: NAT re-route to squid proxy not working!

Fri Sep 24, 2010 1:14 am

1) Click on servers. (If you do not see squid listed, first click on "un-used modules", click on squid, then click install)
2) Click Squid Proxy Server
3) Click on Ports and Networking (first icon)
4) The first option, "proxy addresses and ports", this is my config:
 Port   Hostname/IP   Options for port
 ----   -----------   ----------------
 3128   all           transparent
If this doesn't solve it for you, I think you're going to have to ask for help over at the squid forum - we're getting quite far away from RouterOS in this thread. (http://www.squid-cache.org is a good place to start)
 
kazanova
Member
Posts: 407
Joined: Tue Sep 06, 2005 11:52 am

Re: NAT re-route to squid proxy not working!

Sun Sep 26, 2010 8:57 pm

Glamplitude
You don't use load balancing like PCC?
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: NAT re-route to squid proxy not working!

Sun Sep 26, 2010 9:05 pm

In his scenario the Squid box is behind a routed interface. Because of that all you need to do is exempt the traffic that is going to be redirected to Squid from having the PCC ruleset applied to it (accept traffic with the same parameters you are going to use to NAT to the Squid box as the first step in the prerouting mangle set). Traffic makes it to the proxy without being torn apart by PCC, the proxy takes the traffic and requests the websites, and that traffic now matches for PCC and is load shared.
 
kazanova
Member
Posts: 407
Joined: Tue Sep 06, 2005 11:52 am

Re: NAT re-route to squid proxy not working!

Sun Sep 26, 2010 9:26 pm

Because of that all you need to do is exempt the traffic that is going to be redirected to Squid from having the PCC ruleset applied to it
add action=dst-nat chain=dstnat comment="client" disabled=no dst-port=80 protocol=tcp src-address=10.10.10.0/24 to-addresses=172.18.1.2 to-ports=3128

Easy.
I can't exempt it because it is to port 80, and if I do what you ask I kill PCC 80%.
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: NAT re-route to squid proxy not working!

Sun Sep 26, 2010 9:39 pm

Read my post more carefully. Only exempt traffic with the same source address, interface, protocol, port, etc. Exempt exactly the traffic going from the LAN to Squid. The traffic from Squid to the web still goes through PCC.
 
kazanova
Member
Posts: 407
Joined: Tue Sep 06, 2005 11:52 am

Re: NAT re-route to squid proxy not working!

Sun Sep 26, 2010 9:51 pm

So my connection is lost when it goes out from Squid to the client (is that what you mean?)

add action=accept chain=input comment="my client" disabled=no dst-address=10.10.10.0 dst-port=80 in-interface=Local protocol=tcp src-address=172.18.1.2 src-port=3128
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: NAT re-route to squid proxy not working!

Sun Sep 26, 2010 10:12 pm

Take the NAT rule, change the chain to prerouting like I said, change the action to accept, put it into firewall mangle, move it to the very top. I don't know how to be more clear than that.

Again, the goal is to ensure that traffic that is going to be redirected to Squid later (and only that traffic) is exempt from PCC.
 
temuri426
Frequent Visitor
Posts: 84
Joined: Fri Apr 30, 2010 1:47 pm

Re: NAT re-route to squid proxy not working!

Tue Oct 05, 2010 7:54 pm

Hi all...

I need to configure my Barracuda Web Filter as an external cache engine for a MikroTik router... it supports the WCCP protocol for that option...

But MikroTik doesn't support WCCP, although it is possible to use external cache engines like Squid...

If someone has any experience, please give me some tips...

Thanks in advance :)
 
Glamplitude
just joined
Topic Author
Posts: 10
Joined: Thu Sep 16, 2010 7:08 pm
Location: South Africa

Re: NAT re-route to squid proxy not working!

Tue Oct 05, 2010 10:13 pm

I checked out the product page for the Barracuda Web Filter. That's one pimped-out proxy. I can't say I'd buy one... With Linux, squid, srg, clam, and some time to learn how they work, you can achieve all of this without spending a thing - and you can build it on old hardware! If you're in a hurry to set it up and your company wants 3rd-party support, I guess there's some motivation, but I can't say I'd spend the money for someone to put together something I can make for free. (I feel the same about Apple computers, but that's another story! :) ) If you want to do it yourself, remember that much fail is required before any win can take place. Be patient.

That said, though - you've got this thing now and you want to use it. It seems to be built on linux and with standard modules. You need to find out if it has an option to be a transparent proxy - in squid this is passed as a runtime parameter. NB if you want to use proxy authorisation (proxy_auth), though, this can not be done transparently (obviously).

In all events, though: you need to create one logical network for your clients and a second logical network for your proxy (and other) server(s). In my example, with the RB750G, my logical networks are also physically distinct. Then, as discussed above, get your MikroTik router to forward all port 80 traffic to your Barracuda. I can't imagine a product as specialised as this doesn't have the capability - this is a standard function and application for a proxy.

Oh yes, make sure that you aren't NAT-ting between your various internal networks. NAT must ONLY be applied to your upstream (WAN) connection. Otherwise you won't get useful data on your proxy usage graphs; all requests will appear to originate at the router...

All the best!
 
obomz
newbie
Posts: 42
Joined: Tue Mar 22, 2011 11:54 am

Re: NAT re-route to squid proxy not working!

Tue Mar 04, 2014 9:49 am

Dear Fewi,

I seem to have the same problem here and have been long searching for a solution to no avail and would really appreciate it if you could assist me here. My setup is as follows:

WAN >> 16-port D-Link switch >> ClearOS >> MikroTik >> NetEqualizer >> 24-port D-Link switch


I have added a Squid with its input from the WAN directly, and then I have connected the Squid directly to the MikroTik.

I did the following configurations:


WAN:

WAN -> MikroTik 172.16.10.1/24
WAN -> Squid 172.16.11.1/24


Mikrotik


Ether1
172.16.10.2/24


Ether2 (Hotspot)
10.5.50.1/24


Ether3 to squid
192.168.50.2


Squid


Ether1 from WAN
172.16.11.2


Ether2 from mikrotik
192.168.50.1:3128


The squid is configured transparently.


Now I have tried several CLI commands I have seen online, and I am yet to find one that will eventually push the HTTP traffic to the Squid.

The last set of CLI commands I used, which I thought would get me up and running, is as follows:

/ip firewall nat
add action=accept chain=srcnat disabled=no dst-port=80 protocol=tcp

/ip firewall mangle
add action=mark-routing chain=prerouting disabled=no dst-port=80 new-routing-mark=http passthrough=yes protocol=tcp

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.50.1 routing-mark=http scope=30 target-scope=10

add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.16.10.1 scope=30 target-scope=10

/ip firewall nat
add chain=dstnat action=dst-nat protocol=tcp dst-port=80 src-address=10.5.50.0/24 to-addresses=192.168.50.1 to-ports=3128
add chain=dstnat action=dst-nat protocol=tcp dst-port=80 src-address=192.168.50.0/24 to-addresses=192.168.50.1 to-ports=3128


I am not sure what exactly it is I am doing wrong!

I would appreciate any help that I can get to make this happen.


Thanks in advance.
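The configurations in this thread succeed or fail on two things that can be checked mechanically: whether the proxy's own port-80 traffic is accepted in dstnat before the redirect rule (otherwise any port-80 connection the proxy sends through the router is redirected back to the proxy), and whether a proxy that sits inside the client subnet has the hairpin srcnat rule fewi gave. The following Python script is an added example, not MikroTik's code and not any poster's; it parses the /export syntax the posts use (backslash line continuations, quoted comments) and applies those two checks to the first post's NAT section, to the same section with fewi's hairpin rule appended, to Glamplitude's separate-LAN section, and to a constructed pair of rules patterned on the last post above, where the second redirect's source range contains the proxy's own address.

```python
"""Static checks on RouterOS '/export' NAT fragments for a transparent-proxy redirect.
Added example for this thread; not MikroTik code and not any poster's code.
Checks: (1) the proxy's own traffic is accepted in dstnat before the dst-nat rule,
(2) a proxy inside the client subnet has a hairpin srcnat masquerade rule."""
import ipaddress
import shlex

NAT_SECTION = "/ip firewall nat"


def parse_export(text):
    """Return (section, verb, params) tuples in file order, joining '\\' continuations."""
    rules, section, pending = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):      # continued on the next line; join without adding a
            pending += line[:-1]     # space so 'src-address=\' + '192.168.88.228' stays one token
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):
            section = line
            continue
        words = shlex.split(line)    # keeps comment="..." with spaces as one token
        if not words:
            continue
        params = dict(w.partition("=")[::2] for w in words[1:])
        rules.append((section, words[0], params))
    return rules


def _contains(network, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)


def check_proxy_redirect(rules, proxy_ip):
    """Return a list of findings; an empty list means the redirect looks consistent."""
    findings = []
    nat = [p for s, v, p in rules if s == NAT_SECTION and v == "add"]
    dstnat = [p for p in nat if p.get("chain") == "dstnat"]
    srcnat = [p for p in nat if p.get("chain") == "srcnat"]
    redirects = [i for i, p in enumerate(dstnat)
                 if p.get("action") == "dst-nat" and p.get("to-addresses") == proxy_ip]
    if not redirects:
        return ["no dstnat rule redirects to the proxy"]
    for i in redirects:
        client_net = dstnat[i].get("src-address")  # absent means 'any source'
        exempted = any(p.get("action") == "accept" and p.get("src-address") == proxy_ip
                       for p in dstnat[:i])        # rules are evaluated top to bottom
        if not exempted and (client_net is None or _contains(client_net, proxy_ip)):
            findings.append(f"rule {i}: proxy {proxy_ip} matches its own redirect and no "
                            "earlier dstnat accept exempts it (redirect loop)")
        if client_net and _contains(client_net, proxy_ip):
            hairpin = any(p.get("action") in ("masquerade", "src-nat")
                          and p.get("dst-address") == proxy_ip for p in srcnat)
            if not hairpin:
                findings.append(f"rule {i}: proxy is inside client network {client_net} "
                                "but no srcnat masquerade targets it (hairpin NAT needed)")
    return findings


def audit(text, proxy_ip):
    return check_proxy_redirect(parse_export(text), proxy_ip)


# NAT section from the first post (proxy on the client LAN, no hairpin rule).
OP_NAT = r"""
/ip firewall nat
add action=accept chain=dstnat comment=";;; accept proxy through firewall" disabled=no dst-port=80 protocol=tcp src-address=\
192.168.88.228
add action=dst-nat chain=dstnat comment=";;; but re-route everyone else through proxy" disabled=no dst-port=80 protocol=tcp \
src-address=192.168.88.0/24 to-addresses=192.168.88.228 to-ports=3128
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=ether1-gateway
"""
# fewi's hairpin rule, appended to the same section.
HAIRPIN_RULE = "add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.228 action=masquerade\n"
# Glamplitude's separate-LAN section.
SEPARATE_NAT = r"""
/ip firewall nat
add action=accept chain=srcnat comment=";;; allow direct access to proxy" \
disabled=no dst-address=192.168.222.222 dst-port=80 protocol=tcp
add action=accept chain=dstnat comment=";;; accept proxy through firewall" \
disabled=no dst-port=80 protocol=tcp src-address=192.168.222.222
add action=dst-nat chain=dstnat comment=\
";;; but re-route everyone else through proxy" disabled=no dst-port=80 \
protocol=tcp src-address=192.168.88.0/24 to-addresses=192.168.222.222 \
to-ports=3128
"""
# Constructed, patterned on the last post: the second redirect's source range includes the proxy.
LOOP_NAT = r"""
/ip firewall nat
add chain=dstnat action=dst-nat protocol=tcp dst-port=80 src-address=10.5.50.0/24 to-addresses=192.168.50.1 to-ports=3128
add chain=dstnat action=dst-nat protocol=tcp dst-port=80 src-address=192.168.50.0/24 to-addresses=192.168.50.1 to-ports=3128
"""

if __name__ == "__main__":
    for label, text, proxy in (("first post", OP_NAT, "192.168.88.228"),
                               ("with hairpin", OP_NAT + HAIRPIN_RULE, "192.168.88.228"),
                               ("separate LAN", SEPARATE_NAT, "192.168.222.222"),
                               ("loop", LOOP_NAT, "192.168.50.1")):
        print(label, audit(text, proxy) or ["ok"])
```

The first post's section yields one finding (proxy inside 192.168.88.0/24, no hairpin rule), which is the diagnosis fewi gave; adding his masquerade rule clears it, and the separate-LAN section passes as is. The constructed pair of rules produces both findings, a loop and a missing hairpin, because a rule that redirects all of 192.168.50.0/24 also redirects the proxy's own address.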
