
Transparent proxy

Posted: Thu Jan 25, 2007 12:36 pm
by mkorban
Hi all, I have a serious problem:
Mikrotik RouterBoard with RouterOS v3.0beta5.
[admin@Office.GW] /ip proxy> export
# jan/25/2007 14:22:16 by RouterOS 3.0beta5
# software id = UK5C-3TT
#
/ip proxy 
set cache-administrator="webmaster" cache-drive=CompactFlash \
    cache-hit-tos=0x10 cache-on-disk=yes enabled=yes max-cache-size=111000KiB \
    max-fresh-time=3d maximal-client-connections=1000 \
    maximal-server-connections=1000 parent-proxy=0.0.0.0:0 port=3128 \
    serialize-connections=no src-address=0.0.0.0 
/ip proxy access 
add action=allow comment="" disabled=no dst-address=!10.0.4.0/24 \
    src-address=10.0.4.0/24 
/ip proxy cache 
add action=allow comment="" disabled=no 
/ip firewall nat 
add action=masquerade chain=srcnat comment="Full Direct Access" disabled=no \
    dst-address-list=!LAN src-address-list=LAN 
add action=redirect chain=dstnat comment="IP-Proxy" disabled=no \
    dst-address-list=!LAN dst-port=80 in-interface=LAN-eth4 \
    protocol=tcp src-address-list=LAN to-ports=3128 
Problem: web traffic to *:80 is not redirected to the proxy.
Please help me set up a transparent proxy.

Posted: Thu Jan 25, 2007 12:39 pm
by janisk
maybe this -> dst-address-list=!LAN

has something to do with that?

Posted: Thu Jan 25, 2007 12:45 pm
by mkorban
add address=10.0.4.0/24 comment="" disabled=no list=LAN 
add address=10.0.5.0/24 comment="" disabled=no list=LAN 
add address=10.0.1.0/24 comment="" disabled=no list=LAN 
add address=10.0.3.0/24 comment="" disabled=no list=LAN 
add address=192.168.0.0/24 comment="" disabled=no list=LAN 
add address=192.168.1.0/24 comment="" disabled=no list=LAN 

These are the segments of our local area network.
dst-nat rules without *-address-list: no effect :-(

Posted: Thu Jan 25, 2007 1:00 pm
by janisk
add action=redirect chain=dstnat comment="IP-Proxy" disabled=no \
dst-address-list=!LAN dst-port=80 in-interface=LAN-eth4 \
protocol=tcp src-address-list=LAN to-ports=3128

From this, try removing in-interface.

Might help :roll:

At least I hope so.


EDIT:

this should be close to true :)
http://www.mikrotik.com/testdocs/ros/2.9/ip/proxy.php

Posted: Thu Jan 25, 2007 1:40 pm
by mkorban
Yes, it worked...
But not well.
Situation 1: the client opens https://issa.samara.mts.ru (the browser has no proxy configured; the transparent proxy is used). The site does not open!
Situation 2: the client opens https://issa.samara.mts.ru (the browser proxy setting is 10.0.4.254:3128 (MT)). The site opens normally.
/ip firewall nat 
add action=dst-nat chain=dstnat comment="Torrent MKORBAN" disabled=no \
    dst-address=81.22.60.43 dst-port=63812 protocol=tcp \
    to-addresses=10.0.4.211 to-ports=63812 
add action=masquerade chain=srcnat comment="Full Direct Access" disabled=no \
    dst-address-list=!LAN src-address-list=LAN 
add action=redirect chain=dstnat comment="IP-Proxy" disabled=no \
    dst-address=!10.0.4.0/24 dst-port=80,443,8080,8443 protocol=tcp \
    src-address=10.0.4.0/24 to-ports=3128 
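
An added example (not the original poster's configuration) of how a practitioner would typically lay out the transparent-proxy NAT and the proxy's own access control on RouterOS, given the behaviour described in the post above. It redirects only plain HTTP (TCP/80) to the proxy: a connection to :443 that is redirected to the web proxy arrives as a TLS ClientHello on port 3128, which an HTTP proxy cannot parse, so HTTPS only works when the browser is configured to use the proxy explicitly and issues a CONNECT request. It also closes the proxy to anything that is not a LAN client, because src-address=0.0.0.0 makes the proxy listen on every interface. The interface name ether1-WAN is an assumption; the LAN address list and 10.0.4.0/24 are the ones posted earlier in the thread.

```routeros
# Added example, not the original poster's configuration.
# Assumptions: ether1-WAN is the upstream interface; LAN is the address list
# defined earlier in the thread.

/ip firewall nat
# Intercept only plain HTTP from LAN clients to non-LAN destinations.
# TCP/443 is deliberately left out: redirecting TLS to an HTTP proxy breaks it.
add chain=dstnat action=redirect protocol=tcp dst-port=80 \
    src-address-list=LAN dst-address-list=!LAN to-ports=3128 \
    comment="Transparent HTTP proxy"
# Everything else, including HTTPS, goes out directly.
add chain=srcnat action=masquerade src-address-list=LAN dst-address-list=!LAN \
    comment="Full Direct Access"

/ip proxy access
# Only LAN clients may use the proxy. The access list is first-match and the
# default is allow, so the catch-all deny at the end is what prevents an open proxy.
add src-address=10.0.4.0/24 action=allow
add action=deny comment="Refuse everyone else (no open proxy)"

/ip firewall filter
# Also refuse TCP/3128 on the WAN side, so the listener bound to 0.0.0.0
# is not reachable from the Internet at all.
add chain=input in-interface=ether1-WAN protocol=tcp dst-port=3128 action=drop \
    comment="Block proxy port from WAN"
```

With this layout, a client with no proxy configured gets HTTP through the proxy and HTTPS directly via masquerade, which is the combination that makes both "situations" above work without redirecting 443.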

Posted: Tue Jan 30, 2007 12:55 pm
by Solusan
Hi,

Talking about this topic, I have a question:


I have this configuration in my Mikrotik system.

Add one rule to chain=forward:
'ip firewall filter add action=jump jump-target=hotspot chain=forward'
Set it for the 'guest' user profile:
'ip hotspot user profile set profile_name incoming-filter=1 outgoing-filter=1'
That will redirect the current profile's traffic to chain=1.

Add a rule to chain 1 to drop traffic with a specific dst-address:
'ip firewall filter add chain=1 dst-address=172.0.0.0/8 action=drop'
And I applied this rule to the user 'guest'.

I did that so that the user 'guest' could not access 172.0.0.0/8, and as you can see I get a drop.
But now I would need the user to be redirected to the hotspot home page, or to any error page, where the user can be alerted that the range cannot be accessed.
How could I do it?


I feel that it is a dst-nat in the NAT table which can solve this.

I have tried it without success.

Many thanks for your help and understanding.
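
As an added example (not an answer from the thread), one way of doing what the last post asks for: keep the drop in chain 1 for everything a browser could not display anyway, but catch HTTP to 172.0.0.0/8 in the dstnat chain first and send it to a local notice page. This works because NAT is evaluated before the forward filter, so by the time chain 1 sees the packet its destination is already the notice server and the drop rule no longer matches. The address list GUEST (holding the 'guest' users' addresses, however the deployment assigns them) and the notice server 192.168.88.10 are placeholders, not values from the thread.

```routeros
# Added example, not from the thread. Placeholders: address list GUEST holds the
# 'guest' users' addresses; 192.168.88.10 serves the "not allowed" page.

/ip firewall nat
# NAT runs before the forward filter, so HTTP to the blocked range is rewritten
# to the notice page before chain 1 ever sees it.
add chain=dstnat src-address-list=GUEST dst-address=172.0.0.0/8 \
    protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.88.10 to-ports=80 \
    comment="Guests: HTTP to 172/8 -> notice page"

/ip firewall filter
# Everything else to 172/8 (HTTPS, SSH, ...) still gets the existing drop;
# there is nothing a browser could show for those connections anyway.
add chain=1 dst-address=172.0.0.0/8 action=drop
```

The notice server must be reachable through the router (not on the same segment as the guests), otherwise its replies bypass the router and the dst-nat is never undone for the return path.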