eugenevdm
Member Candidate
Topic Author
Posts: 208
Joined: Tue Jun 01, 2004 12:23 pm
Location: Stellenbosch, South Africa
Contact:

Transparent Proxy Causes File Upload (e.g. GMAIL) to Fail

Mon Jun 25, 2007 9:53 pm

1. When enabling a transparent proxy using a NAT rule in BETA 9, although HTTP downloads are extremely fast, HTTP uploads fail. This happens for GMail, Hotmail, and sites that can take photos.

2. Where is the "transparent proxy" setting in new proxy server?
 
sergejs
MikroTik Support
Posts: 6695
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia
Contact:

Re: Transparent Proxy Causes File Upload (e.g. GMAIL) to Fail

Tue Jun 26, 2007 9:10 am

1) I think new 3.0beta10 will work better, I have tried to download 7/9 Mb files from Gmail, both files were downloaded successfully.

2) Such option is not present in 'ip proxy' configuration.
 
eugenevdm
Member Candidate
Topic Author
Posts: 208
Joined: Tue Jun 01, 2004 12:23 pm
Location: Stellenbosch, South Africa
Contact:

Re: Transparent Proxy Causes File Upload (e.g. GMAIL) to Fail

Tue Jun 26, 2007 9:31 am

...I have tried to download 7/9 Mb files...
The problem is not downloading - the problem is uploading a file, e.g. attaching a picture or document.
 
sergejs
MikroTik Support
Posts: 6695
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia
Contact:

Re: Transparent Proxy Causes File Upload (e.g. GMAIL) to Fail

Thu Jun 28, 2007 10:30 am

I'm sorry for taking so long to reply. I have tested upload as well, it is working for me.
Could you try the same with 2.9 proxy?
 
eugenevdm
Member Candidate
Topic Author
Posts: 208
Joined: Tue Jun 01, 2004 12:23 pm
Location: Stellenbosch, South Africa
Contact:

Re: Transparent Proxy Causes File Upload (e.g. GMAIL) to Fail

Sun Jul 01, 2007 10:56 pm

Unfortunately it's going to be difficult to downgrade as this is an Internet cafe and we especially went beta because of SATA support because fast SATA drives are available. My client reports this as the error when trying to upload:

"oops... the system was unable to perform your operation
(error code 008). Please try again in a few seconds."
 
mstead
Member Candidate
Posts: 114
Joined: Sat Mar 04, 2006 2:41 am

Re: Transparent Proxy Causes File Upload (e.g. GMAIL) to Fail

Sat Jul 07, 2007 4:24 pm

Hi,

I don't mean to hijack this thread but can anyone tell me if Beta10 x86 web-proxy will work as a transparent proxy? I cannot see any option to enable it.

Regards,

Malcolm
 
sergejs
MikroTik Support
Posts: 6695
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia
Contact:

Re: Transparent Proxy Causes File Upload (e.g. GMAIL) to Fail

Sun Jul 08, 2007 1:03 pm

Add a destination NAT rule to redirect HTTP traffic from users to the proxy that is running on the router, on the appropriate port.
 
mstead
Member Candidate
Posts: 114
Joined: Sat Mar 04, 2006 2:41 am

Re: Transparent Proxy Causes File Upload (e.g. GMAIL) to Fail

Sun Jul 08, 2007 2:35 pm

Hi, thanks for the reply sergejs

I have tried the NAT rule but cannot get it to work transparently. If I manually configure the browser all is well. I am using v3 Beta10

My web-proxy (not proxy as this is an x86 system) settings are:
/ip proxy> print
enabled: yes
src-address: 0.0.0.0
port: 3128
parent-proxy: 0.0.0.0
parent-proxy-port: 0
cache-drive: system
cache-administrator: "info@blah.net"
max-cache-size: none
cache-on-disk: yes
maximal-client-connections: 600
maximal-server-connections: 600
max-fresh-time: 3d
serialize-connections: no
cache-hit-dscp: 4

My NAT rule is:

/ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=dstnat action=dst-nat to-addresses=91.142.107.50 to-ports=3128 src-address=91.142.106.1 dst-port=80 protocol=tcp

When I try to use it in transparent mode the browsing stalls completely. I would have expected to see a tick box to enable transparency. Has this been removed / lost / forgotten??

The source address is there so I don't stop all browsing for all users!!

Regards,

Malcolm
 
eugenevdm
Member Candidate
Topic Author
Posts: 208
Joined: Tue Jun 01, 2004 12:23 pm
Location: Stellenbosch, South Africa
Contact:

Re: Transparent Proxy Causes File Upload (e.g. GMAIL) to Fail

Sun Jul 08, 2007 8:46 pm

First of all I'm going to hijack the thread back to the first part and report that according to my Internet café client since I've upgraded them to BETA version 10 they are no longer having any problems with uploading! Thank you! I suppose this issue was addressed by this item in the changelog:


What's new in 3.0beta10:

*) ip proxy - fixed crash; fixed HTTP POST method handling;


Secondly I'd like to comment on mstead's question about transparent proxy. Your NAT rule looks wrong. The action according to my system is "redirect" not "dst-nat".

Finally according to sergejs and mentioned earlier in this post there is no transparent proxy option in version 3:

2) Such option is not present in 'ip proxy' configuration.
 
mstead
Member Candidate
Posts: 114
Joined: Sat Mar 04, 2006 2:41 am

Re: Transparent Proxy Causes File Upload (e.g. GMAIL) to Fail

Sun Jul 08, 2007 9:28 pm

Hi eugenevdm

From the manpage for IPtables which I assume is what routeros uses:

REDIRECT
This target is only valid in the nat table, in the PREROUTING and OUTPUT
chains, and user-defined chains which are only called from those
chains. It alters the destination IP address to send the packet to
the machine itself (locally-generated packets are mapped to the
127.0.0.1 address). It takes one option:

--to-ports port[-port]
This specifies a destination port or range of ports to use:
without this, the destination port is never altered. This is
only valid if the rule also specifies -p tcp or -p udp.

I cannot see any way of accessing the OUTPUT or PREROUTING parts of the nat table in routeros.

Secondly I am under the impression that the 'web-proxy' in the x86 version is NOT the same as 'ip-proxy' which is MikroTik's own version. I understand that caching was withdrawn from routerboard versions as it wears out the nand storage due to excessive read/writes.

So - has anyone got a transparent caching web proxy setup working on Beta10??

I must add that I have the local and public interfaces in bridge mode and have this machine on my outgoing backhaul. I enabled the 'use ip firewall' option hidden away in the bridge options to catch people out.

Regards,

Malcolm
 
eugenevdm
Member Candidate
Topic Author
Posts: 208
Joined: Tue Jun 01, 2004 12:23 pm
Location: Stellenbosch, South Africa
Contact:

Re: Transparent Proxy Causes File Upload (e.g. GMAIL) to Fail

Sun Jul 08, 2007 11:24 pm

mstead,

First of all I suggest you read the RouterOS manual instead of the Linux manual as RouterOS is actually an improvement on what they offer there. Anyway had you searched 'transparent proxy' by clicking the manual button on the home page of MikroTik web site you would have found:
http://www.mikrotik.com/testdocs/ros/2.9/ip/proxy.php

Also you need to setup destination NAT in order to utilize transparent proxying facility:

[admin@MikroTik] ip firewall nat> add chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8080


Substitute 8080 for whatever port you're using with your proxy.

Furthermore, in your IPTables reference the sentence reads "This target is only valid in the nat table, PREROUTING and OUTPUT chains"


The comma implies it's a logical AND. And yes it's possible to access both OUTPUT AND PREROUTING chains, you just click the drop down in Winbox or specify it by hand on the command line.

Sure, web-proxy and ip-proxy are different programs, one is based on Squid and another is an improved version that MikroTik wrote from scratch. But the reason for the difference is to maintain control over code base in new improved written from scratch version, not because some stupid people ran transparent proxy on Routerboards. If you are silly enough to run either version on a Routerboard then your NAND will still wear out but it is possible. Continuous NAND storage access such as proxy requests will wear any flash out.

So finally yes of course I have transparent caching web proxy setup working in BETA10, and so do a few other people.

I don't personally use bridges but to the best of my knowledge the transparent proxy works in bridge mode. It never used to long ago, and then it did, and I'm actually not so sure about the new written from scratch version, but I tested it in the previous version of Mikrotik in bridged mode and it worked. Can you simplify your setup by getting rid of the bridge? Here is the old documentation that says the transparent proxy doesn't work in bridged mode and why:
http://www.mikrotik.com/documentation/m ... proxy.html
Last edited by eugenevdm on Mon Jul 09, 2007 8:45 am, edited 1 time in total.
 
mstead
Member Candidate
Posts: 114
Joined: Sat Mar 04, 2006 2:41 am

Re: Transparent Proxy Causes File Upload (e.g. GMAIL) to Fail

Mon Jul 09, 2007 5:23 am

Ok. I have confirmed that my nat rule matches that of the manual:

/ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=dstnat action=redirect to-ports=3128 dst-port=80 protocol=tcp

However I am still getting no joy. I can manually set the browser to use the proxy so it is up and working.

I cannot really get rid of the bridge so is anyone out there using Beta10 with a bridge config and got a working transparent web proxy?? I really am starting to wonder what is wrong here.

Regards,

Malcolm
 
eugenevdm
Member Candidate
Topic Author
Posts: 208
Joined: Tue Jun 01, 2004 12:23 pm
Location: Stellenbosch, South Africa
Contact:

Re: Transparent Proxy Causes File Upload (e.g. GMAIL) to Fail

Mon Jul 09, 2007 8:58 am

Well then you should probably contact MikroTik or wait for someone who is familiar with the BETA version proxy to reply. I imagine 99% of people don't use a transparent proxy in bridged mode. Ask them if this section of the *old* 2.5 manual maybe applies to the new version:
Can I use transparent proxy feature on a MikroTik router with bridged interfaces?
No. Transparent proxy requires redirection of IP packets by firewall destination NAT. Firewall is not involved when packets are passed from one bridged interface to another. But packets have to be translated by firewall destination NAT for transparent web-proxy to work. So, web-proxy is not going to work in transparent mode between bridge interfaces.


ps. I suggest you start a new thread, the title of this thread is still:
"Transparent Proxy Causes File Upload (e.g. GMAIL) to Fail" - nothing to do with bridges in BETA version.
 
goldclick
Frequent Visitor
Posts: 51
Joined: Fri Sep 17, 2004 10:48 pm
Location: Nigeria
Contact:

Re: Transparent Proxy Causes File Upload (e.g. GMAIL) to Fail

Tue Jul 17, 2007 9:29 pm

1. Per the main thread (upload failing), I have experienced a few issues too and I strongly suggest we keep testing, provide feedback to Mikrotik Support and look out for the improvements coming in next release. The re-written Mikrotik Web-proxy has great features worth implementing...

2. Per the hijack, Yes the web-proxy can run transparently on a bridge.
If you run RouterOS 2.9 with normal Web-proxy package, you must enable 'transparent proxy' option and redirect http as below (assumes proxy is on port 8080):

/ip firewall nat add chain=dstnat action=redirect to-ports=8080 dst-port=80 protocol=tcp

I prefer not to specify interface matcher so that everything works in case of accidental swap of cables on the ethernet port. If you want to redirect specific Source addresses, then use a list:

/ip firewall nat add chain=dstnat action=redirect to-ports=8080 dst-port=80 protocol=tcp src-address-list=webcache-redirect

then add the sources you want to the list (e.g 10.10.10.0/24 or 10.10.10.10/32) :
/ip firewall address-list add list=webcache-redirect address=10.10.10.0/24

If you run web-proxy-test, there is no need to enable transparent option anywhere. You only need the NAT redirect rules above. Web-proxy-test is smart enough to do the rest.

In 3.0beta, web-proxy-test is now web-proxy, so there is no need to enable transparent proxy either. In 3.0beta, you must enable firewall for bridge before the firewall rules above can work:

/interface bridge settings set use-ip-firewall=yes

Else, your redirect rule will not work, which is probably the problem you're having.
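
The prerequisites discussed in this thread (a dstnat rule for TCP port 80 with action=redirect, to-ports equal to the proxy port, and use-ip-firewall=yes when the interfaces are bridged), checked over pasted `print` output. This is an added example, not part of any post above; the function names and the scenarios are constructed for illustration and reuse rule lines quoted in the thread.

```python
import shlex

def parse_rule(line):
    """Parse one rule line from '/ip firewall nat print' into a dict."""
    # Tokens without '=' (the leading rule number, flags) are skipped.
    return dict(t.split("=", 1) for t in shlex.split(line) if "=" in t)

def audit(proxy_port, nat_lines, bridged, use_ip_firewall):
    """Return findings; an empty list means the thread's prerequisites are met."""
    findings = []
    rules = [parse_rule(line) for line in nat_lines]
    # Rules that intercept plain HTTP in the dstnat chain.
    http = [r for r in rules
            if r.get("chain") == "dstnat"
            and r.get("protocol") == "tcp"
            and r.get("dst-port") == "80"]
    redirects = [r for r in http if r.get("action") == "redirect"]
    if not http:
        findings.append("no dstnat rule matches tcp/80")
    elif not redirects:
        findings.append("tcp/80 rule uses action=%s, thread advises action=redirect"
                        % http[0].get("action"))
    elif not any(r.get("to-ports") == str(proxy_port) for r in redirects):
        findings.append("redirect to-ports does not match proxy port %d" % proxy_port)
    # Bridged traffic only reaches the NAT rules when the bridge hands it
    # to the IP firewall (/interface bridge settings use-ip-firewall).
    if bridged and not use_ip_firewall:
        findings.append("bridge has use-ip-firewall=no, NAT rules are bypassed")
    return findings

# Rule lines as quoted in the thread; the scenarios around them are constructed.
DSTNAT_RULE = ("0 chain=dstnat action=dst-nat to-addresses=91.142.107.50 "
               "to-ports=3128 src-address=91.142.106.1 dst-port=80 protocol=tcp")
REDIRECT_3128 = "0 chain=dstnat action=redirect to-ports=3128 dst-port=80 protocol=tcp"
REDIRECT_8080 = "0 chain=dstnat action=redirect to-ports=8080 dst-port=80 protocol=tcp"

if __name__ == "__main__":
    scenarios = [
        ("dst-nat rule, bridge firewall on", [DSTNAT_RULE], True, True),
        ("redirect rule, bridge firewall off", [REDIRECT_3128], True, False),
        ("redirect to 8080, proxy on 3128", [REDIRECT_8080], False, False),
        ("redirect rule, bridge firewall on", [REDIRECT_3128], True, True),
    ]
    for name, lines, bridged, fw in scenarios:
        print(name, "->", audit(3128, lines, bridged, fw) or "ok")
```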
 
eugenevdm
Member Candidate
Topic Author
Posts: 208
Joined: Tue Jun 01, 2004 12:23 pm
Location: Stellenbosch, South Africa
Contact:

Re: Transparent Proxy Causes File Upload (e.g. GMAIL) to Fail

Tue Jul 17, 2007 10:16 pm

Good answer. Address lists are very powerful!
