nbsdubai
just joined
Topic Author
Posts: 22
Joined: Tue Sep 06, 2011 9:11 pm

External Transparent Squid proxy is not showing users log

Mon Sep 12, 2011 8:57 am

Hi,
My Hotspot with an external transparent proxy is working fine.
My setup: both the Mikrotik and the Squid server are in the same network, 192.168.15.0/24,

Mikrotik IP: 192.168.15.100
Squid Server: 192.168.15.250
DHCP hot spot users: 10.5.7.0/24

And all traffic is redirected to port 3128 of the Squid server.

But the problem is that the Squid log is showing only the Mikrotik IP, not the users' IPs. One Squid ACL has to be based on hotspot users' IPs only.

Can you please help me with a suitable firewall solution to log hotspot users' IPs instead of the Mikrotik IP ...

thanks in advance,

-Navas
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

External Transparent Squid proxy is not showing users log

Mon Sep 12, 2011 3:59 pm

You cannot have the Squid proxy and the clients on the same network and see their real IP while using destination NAT. The proxy server must be on a different network for that. Once that is in place add an "out-interface=[name of WAN interface]" qualifier to your existing source NAT rule.
Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.
 
nbsdubai
just joined
Topic Author
Posts: 22
Joined: Tue Sep 06, 2011 9:11 pm

Re: External Transparent Squid proxy is not showing users lo

Mon Sep 12, 2011 4:12 pm

Squid and the hotspot users are not in the same network. But my Squid is using just one NIC. My understanding is that there are many workarounds with a single NIC.

-Navas
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: External Transparent Squid proxy is not showing users lo

Mon Sep 12, 2011 4:26 pm

Then all you need to do is edit your source NAT rule to not source NAT traffic flowing from the router to the Squid server to the router's interface IP. The best way to do that are 'out-interface' modifiers, as posted. That works fine with a single NIC.

If you need help with that post the output of "/interface print detail", "/ip address print detail", and "/ip firewall nat export".
 
nbsdubai
just joined
Topic Author
Posts: 22
Joined: Tue Sep 06, 2011 9:11 pm

Re: External Transparent Squid proxy is not showing users lo

Mon Sep 12, 2011 7:01 pm

Thanks Fewi for your wonderful support,

Let me list the details as you requested.
I would appreciate it if you can assist me to create the firewall rules:

*********************************************************************
/ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 address=192.168.15.100/24 network=192.168.15.0 interface=ether2wan
actual-interface=ether2wan

1 address=10.5.0.1/16 network=10.5.0.0 interface=ether3clients
actual-interface=ether3clients
**********************************************************************
/ip firewall nat export
# jan/02/1970 11:50:00 by RouterOS 5.6
# software id = 51KH-93NN
#
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat disabled=no src-address=10.5.0.0/16
************************************************************************
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: External Transparent Squid proxy is not showing users lo

Mon Sep 12, 2011 7:26 pm

That's going to be more complicated.

I hope this explanation will make sense to you.

You will need to add a route to 10.5.0.0/16 via 192.168.15.100 so that the WAN network knows how to reach your Hotspot network. You then also need to configure the main router for 192.168.15.0/24 to NAT 10.5.0.0/16 towards its upstream routers. Then you can delete the masquerade rule on the Mikrotik router that implements the Hotspot, and the Squid box will see a 10.5.0.0/16 address from the client. Right now you're telling the router specifically to source NAT - and you probably have to, since the rest of the 192.168.15.0/24 network wouldn't have any idea how to get back to 10.5.0.0/16.
 
nbsdubai
just joined
Topic Author
Posts: 22
Joined: Tue Sep 06, 2011 9:11 pm

Re: External Transparent Squid proxy is not showing users lo

Mon Sep 12, 2011 7:34 pm

What about the following routing? As per this, hotspot clients can access the net,
but my lack of knowledge of firewall rules is the problem for reaching the squid box.

I have already done the PREROUTING in my squid box to accept any hit from the Mikrotik.

Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128

**********************************************************************************************
/ip route print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 A S dst-address=0.0.0.0/0 gateway=192.168.15.50
gateway-status=192.168.15.50 reachable ether2wan distance=1 scope=30
target-scope=10

1 ADC dst-address=10.5.0.0/16 pref-src=10.5.0.1 gateway=ether3clients
gateway-status=ether3clients unreachable distance=0 scope=200

2 ADC dst-address=192.168.15.0/24 pref-src=192.168.15.100 gateway=ether2wan
gateway-status=ether2wan reachable distance=0 scope=10
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: External Transparent Squid proxy is not showing users lo

Mon Sep 12, 2011 7:39 pm

I am talking about routing on the upstream network, 10.5.0.0/16.

Think about it this way: does the Squid box know how to get back to 10.5.0.0/16?

Right now the answer appears to be no. So how can you have the 10.5.0.0/16 address of a client in the source address field of a packet going to the Squid box if the Squid box could never send a packet back because 192.168.15.0/25 doesn't know how to reach 10.5.0.0/16?
 
nbsdubai
just joined
Topic Author
Posts: 22
Joined: Tue Sep 06, 2011 9:11 pm

Re: External Transparent Squid proxy is not showing users lo

Mon Sep 12, 2011 7:45 pm

Yes, I understood.

In this way I tried many rules in Mikrotik to reach the squid, but unfortunately I could not make it work because of my lack of knowledge in this area.
Can you please guide me to create a proper rule here?

thanks in advance.
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: External Transparent Squid proxy is not showing users lo

Mon Sep 12, 2011 7:51 pm

Again: the problem isn't the Mikrotik router. The problem is the OTHER NETWORK. The 192.168.15.0/24 network the Mikrotik router connects to. Fix THAT network and make sure it has routes to 10.5.0.0/16. I can't help you with that because you haven't posted any details regarding that network.

Once you have fixed THE OTHER network you can then simply remove the masquerade rule on the Mikrotik router. If you cannot fix the other network then you have to keep that masquerade in place, and will only see 192.168.15.100 as the source IP address on the Squid host. There is no other workaround.
 
nbsdubai
just joined
Topic Author
Posts: 22
Joined: Tue Sep 06, 2011 9:11 pm

Re: External Transparent Squid proxy is not showing users lo

Mon Sep 12, 2011 7:57 pm

This is the route specified in my squid box (192.168.15.250), so you are telling me I need to create another route here to reach the 10.5.0.0/16 network, right?

[root@hotspot ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.15.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 192.168.15.50 0.0.0.0 UG 0 0 0 eth0
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: External Transparent Squid proxy is not showing users lo

Mon Sep 12, 2011 8:09 pm

Yes. That would be one option. Ideally all devices in 192.168.15.0/24 should be able to route back to 10.5.0.0/16, so you'd also want to put such a route on all other routers on that network.
 
nbsdubai
just joined
Topic Author
Posts: 22
Joined: Tue Sep 06, 2011 9:11 pm

Re: External Transparent Squid proxy is not showing users lo

Mon Sep 12, 2011 8:18 pm

I just want to push traffic back from the squid box only. But I still need to create a rule to push all HTTP traffic from the Mikrotik to squid, right?

For more clarification, the current structure is as below:

squid (192.168.15.150) <> (192.168.15.100) Mikrotik (10.5.0.1) <> Hotspot users (10.5.0.0/16)

and ADSL router IP: 192.168.15.50
 
nbsdubai
just joined
Topic Author
Posts: 22
Joined: Tue Sep 06, 2011 9:11 pm

Re: External Transparent Squid proxy is not showing users lo

Mon Sep 12, 2011 8:21 pm

Sorry, squid IP: 192.168.15.250
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: External Transparent Squid proxy is not showing users lo

Mon Sep 12, 2011 8:23 pm

You initially said that the Squid logs are showing the Mikrotik router IP (192.168.15.100) - how is that traffic getting there right now? Because you said that I had assumed that you already have something set up to get traffic to the Squid proxy.

If you want to punt just all HTTP traffic there you can search the wiki and find countless articles for RouterOS and external proxies that include rules like this:
/ip firewall nat add chain=dstnat protocol=tcp dst-port=80 action=dst-nat to-address=192.168.15.250 to-ports=3128 
Next time you ask for help this will be easier if you include ALL the relevant details at the beginning. This has been much more complicated than it needed to be.
 
nbsdubai
just joined
Topic Author
Posts: 22
Joined: Tue Sep 06, 2011 9:11 pm

Re: External Transparent Squid proxy is not showing users lo

Mon Sep 12, 2011 8:34 pm

Sorry for the big mistake I made when informing you of the details:

The Squid logs were showing the Mikrotik router IP (192.168.15.100) after creating a rule in the Mikrotik router as follows:

/ip firewall nat
add chain=dstnat src-address=192.168.15.250 dst-port=80 protocol=tcp action=accept
add chain=dstnat src-address=10.5.0.0/16 dst-port=80 protocol=tcp action=dst-nat to-addresses=192.168.15.250 to-ports=3128
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: External Transparent Squid proxy is not showing users lo

Mon Sep 12, 2011 8:38 pm

That'll work just fine.
 
nbsdubai
just joined
Topic Author
Posts: 22
Joined: Tue Sep 06, 2011 9:11 pm

Re: External Transparent Squid proxy is not showing users lo

Mon Sep 12, 2011 8:50 pm

Thanks a lot for your time. Let me check it and I will update you ...
 
nbsdubai
just joined
Topic Author
Posts: 22
Joined: Tue Sep 06, 2011 9:11 pm

Re: External Transparent Squid proxy is not showing users lo

Mon Sep 12, 2011 8:59 pm

Unfortunately still couldn't ...!!!

Any issues with the rules?

/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=accept chain=dstnat disabled=no dst-port=80 protocol=tcp \
src-address=192.168.15.250
add action=dst-nat chain=dstnat disabled=no dst-port=80 protocol=tcp \
src-address=10.5.0.0/16 to-addresses=192.168.15.250 to-ports=3128
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: External Transparent Squid proxy is not showing users lo

Mon Sep 12, 2011 9:12 pm

Unfortunately still couldn't ...!!!
What does that mean? Couldn't what?

The rules you have would forward all traffic from 10.5.0.0/16 to tcp/80 to port tcp/3128 on 192.168.15.250.
You have since removed the source NAT rules. If you didn't implement routing back to 10.5.0.0/16 in ALL of the 192.168.15.0/25 network (and you said you wouldn't) that would make all other traffic, including DNS lookups, impossible. You'd want to have these source NAT rules:
/ip firewall nat
add chain=srcnat src-address=10.5.0.0/16 dst-address=192.168.15.250 action=accept
add chain=srcnat out-interface=ether2wan action=masquerade
 
nbsdubai
just joined
Topic Author
Posts: 22
Joined: Tue Sep 06, 2011 9:11 pm

Re: External Transparent Squid proxy is not showing users lo

Mon Sep 12, 2011 9:33 pm

With your given rules I can still access the net without squid.

So I think the issue is with my following rules to reach the squid (the firewall export details given below are without these entries):

/ip firewall nat
add chain=dstnat src-address=192.168.15.250 dst-port=80 protocol=tcp action=accept
add chain=dstnat src-address=10.5.0.0/16 dst-port=80 protocol=tcp action=dst-nat to-address=192.168.15.250 to-port=3128

*************************************************************************************************
/ip firewall export
# jan/02/1970 14:21:21 by RouterOS 5.6
# software id = 51KH-93NN
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=accept chain=srcnat disabled=no dst-address=192.168.15.250 src-address=10.5.0.0/16
add action=masquerade chain=srcnat disabled=no out-interface=ether2wan
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no
 
nbsdubai
just joined
Topic Author
Posts: 22
Joined: Tue Sep 06, 2011 9:11 pm

Re: External Transparent Squid proxy is not showing users lo

Tue Sep 13, 2011 8:50 am

Please check my firewall rules:

Using these, the forward proxy works well when putting the proxy address in the browser, but it's not working as a transparent proxy.
Is it a problem with routing, or are there changes to be done in squid?

/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-port=80 protocol=tcp src-address-list=10.5.0.0/16 to-addresses=192.168.15.250 to-ports=3128
add action=masquerade chain=srcnat disabled=no out-interface=ether2wan
 
nbsdubai
just joined
Topic Author
Posts: 22
Joined: Tue Sep 06, 2011 9:11 pm

Re: External Transparent Squid proxy is not showing users lo

Tue Sep 13, 2011 7:25 pm

Can anybody help me? I am still getting logs in my transparent proxy with the IP of the Mikrotik router only, not the hotspot users' IPs.
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: External Transparent Squid proxy is not showing users lo

Tue Sep 13, 2011 7:29 pm

I posted to use these source NAT lines:
/ip firewall nat
add chain=srcnat src-address=10.5.0.0/16 dst-address=192.168.15.250 action=accept
add chain=srcnat out-interface=ether2wan action=masquerade
As I explained several times the 'accept' rule makes sure that the traffic from 10.5.0.0/16 to the Squid proxy doesn't have source NAT applied to it.
You only seem to have the bottom one in your configuration.
Also, again - and for the last time: that will also require that your Squid box has a route back to 10.5.0.0/16. At this point I've lost any and all overview of what you've changed where.
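The interaction between the srcnat chain and the Squid host's return route, as an added Python model (not RouterOS code and not from anyone in the thread), using the addresses posted above: it shows why the single masquerade rule makes Squid log 192.168.15.100, why the accept rule must sit above the masquerade rule, and why the Squid box still needs a route back to 10.5.0.0/16. The client address 10.5.7.20 and the WAN destination 203.0.113.10 are constructed sample values.

```python
import ipaddress
# Addresses are the ones posted in the thread; the evaluator is a constructed
# illustration of RouterOS first-match NAT, not RouterOS code.
ROUTER_WAN_IP = "192.168.15.100"   # Mikrotik, ether2wan
SQUID_IP = "192.168.15.250"
ADSL_GW = "192.168.15.50"

def in_net(addr, cidr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)

def egress_interface(dst):
    # Mikrotik routes from the thread: 10.5.0.0/16 via ether3clients, all else ether2wan
    return "ether3clients" if in_net(dst, "10.5.0.0/16") else "ether2wan"

def apply_srcnat(rules, src, dst):
    """Walk the srcnat chain top to bottom; the first matching rule decides.
    Returns the source address the next hop (Squid or ADSL router) sees."""
    iface = egress_interface(dst)
    for r in rules:
        if "src-address" in r and not in_net(src, r["src-address"]):
            continue
        if "dst-address" in r and not in_net(dst, r["dst-address"]):
            continue
        if "out-interface" in r and r["out-interface"] != iface:
            continue
        if r["action"] == "accept":      # leave the chain untranslated
            return src
        if r["action"] == "masquerade":  # rewrite to the egress interface IP
            return ROUTER_WAN_IP if iface == "ether2wan" else "10.5.0.1"
    return src

# First export in the thread: one masquerade rule for the whole hotspot range
ORIGINAL = [{"action": "masquerade", "src-address": "10.5.0.0/16"}]
# fewi's chain: exempt client->Squid traffic, masquerade everything else
CORRECTED = [
    {"action": "accept", "src-address": "10.5.0.0/16", "dst-address": SQUID_IP},
    {"action": "masquerade", "out-interface": "ether2wan"},
]

# Squid host's kernel table as posted ("route -n"); gateway None = on-link
SQUID_ROUTES = [("192.168.15.0/24", None), ("169.254.0.0/16", None),
                ("0.0.0.0/0", ADSL_GW)]
SQUID_ROUTES_FIXED = [("10.5.0.0/16", ROUTER_WAN_IP)] + SQUID_ROUTES

def squid_reply_next_hop(routes, client_src):
    """Longest-prefix match on the Squid host: where does its reply to the
    (untranslated) client address actually go?"""
    best = max((ipaddress.ip_network(c) for c, _ in routes
                if in_net(client_src, c)), key=lambda n: n.prefixlen)
    gw = {ipaddress.ip_network(c): g for c, g in routes}[best]
    return gw if gw else client_src   # on-link: delivered directly

if __name__ == "__main__":
    client = "10.5.7.20"                # constructed hotspot client
    print("original chain, client->Squid  :", apply_srcnat(ORIGINAL, client, SQUID_IP))
    print("corrected chain, client->Squid :", apply_srcnat(CORRECTED, client, SQUID_IP))
    print("corrected chain, client->WAN   :", apply_srcnat(CORRECTED, client, "203.0.113.10"))
    print("Squid reply with no route back :", squid_reply_next_hop(SQUID_ROUTES, client))
    print("Squid reply with route added   :", squid_reply_next_hop(SQUID_ROUTES_FIXED, client))
```

With the original chain Squid only ever sees the router address, and with the corrected chain but no return route the Squid reply goes to the ADSL router, which has no path to the hotspot clients.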
 
nbsdubai
just joined
Topic Author
Posts: 22
Joined: Tue Sep 06, 2011 9:11 pm

Re: External Transparent Squid proxy is not showing users lo

Tue Sep 13, 2011 9:00 pm

Thanks Fewi for your wonderful support,

I have done it with a few changes, please see the diagram:

ADSL router
|
|
Proxy
|
|
Mikrotik
|
|
Switch for hotspot users

/ip firewall export
add action=dst-nat chain=dstnat disabled=no dst-port=80 protocol=tcp src-address=10.5.0.0/16 to-addresses=192.168.1.250 to-ports=3128
Thanks again for your time, but I think it can be done with a single NIC in the squid server, right?
 
fruiz002
just joined
Posts: 13
Joined: Fri Jan 06, 2012 1:35 pm

Re: External Transparent Squid proxy is not showing users lo

Fri Jul 27, 2012 1:01 am

Good evening,

I have the same problem as "nbsdubai". I solved it by removing the masquerade from the MKT router as indicated, and I see the clients' web page log in my squid; up to here everything is perfect. The problem is that my PayPal payment system does not work. I mean: it's a Hotspot to which the clients connect, pay via PayPal and begin to surf. The problem is then that when the client has paid (with masquerade disabled), the system cannot load the success.php which is on my server, but when I enable the masquerade everything works fine, but of course I cannot log the information of the clients in my squid; I just get it with the IP of the Hotspot.

Internet---Squid proxy---hotspot (10.139.88.4)-----clients (10.5.50.0/24)


Thanks for your help

Regards
