soheilsh
Member Candidate
Topic Author
Posts: 100
Joined: Fri Nov 26, 2010 3:39 pm

help me socks5 to another gateway

Fri Dec 11, 2020 2:11 pm

Hi, Telegram, Twitter and many social apps are blocked in Iran.
I have a Windows server in an Iran datacenter (connected with PPTP to a VPN outside the country, Germany, England) and CCProxy for using SOCKS5 on my devices, but it uses a lot of CPU.
Now I am trying to run SOCKS5 on MikroTik, but how do I redirect SOCKS5 traffic to another gateway (PPTP)?
I tried adding a mangle prerouting rule and it did not solve the problem.
Please see the pic.
 
soheilsh
Member Candidate
Topic Author
Posts: 100
Joined: Fri Nov 26, 2010 3:39 pm

Re: help me socks5 to another gateway

Fri Dec 11, 2020 2:29 pm

help plz
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: help me socks5 to another gateway

Fri Dec 11, 2020 3:25 pm

A SOCKS proxy is a server, a service running on the router. The client connects to the router, the router then connects to the requested destination and relays traffic between the two. Your rule in prerouting could see incoming traffic from the client to the router, but that's useless; you need to work with traffic from the router to the destination, and that would be in the output chain. I'm not aware of any method to identify connections from the SOCKS server, so you may need to take all of the router's output, and optionally only exclude some things where you're sure it's not from SOCKS. For example:
/ip firewall mangle
add chain=output connection-state=new dst-address=x.x.x.x action=accept comment="target address to exclude"
add chain=output connection-state=new protocol=tcp action=mark-connection new-connection-mark=socks passthrough=yes
add chain=output connection-mark=socks action=mark-routing new-routing-mark=vpn passthrough=no
 
soheilsh
Member Candidate
Topic Author
Posts: 100
Joined: Fri Nov 26, 2010 3:39 pm

Re: help me socks5 to another gateway

Fri Dec 11, 2020 5:29 pm

Thanks for the reply.
The MikroTik SOCKS server port is 27015.
How do I configure the MikroTik server?
What does dst address mean? Which address? Telegram servers?
add chain=output connection-state=new dst-address=x.x.x.x action=accept comment="target address to exclude"
 
soheilsh
Member Candidate
Topic Author
Posts: 100
Joined: Fri Nov 26, 2010 3:39 pm

Re: help me socks5 to another gateway

Fri Dec 11, 2020 5:31 pm

The MikroTik SOCKS server on port 27015 is OK and connects to the MikroTik default gateway (Iran gateway).
I need the SOCKS server on 27015 to connect out through PPTP.
Last edited by soheilsh on Fri Dec 11, 2020 6:16 pm, edited 1 time in total.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: help me socks5 to another gateway

Fri Dec 11, 2020 6:02 pm

The port of the SOCKS server doesn't matter. Clients connect to that port, but the server creates new outgoing connections, and they look like any other connection from the router itself. You can't tell if some outgoing connection is from the SOCKS server, or if it's e.g. the router checking for updates. The good news is that the router itself usually doesn't need to connect anywhere, so you can take all connections from the router (TCP should be enough). The address you're asking about is an example of how to exclude some connections and not route them via the VPN. If you don't have any such requirement, you don't need this rule.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: help me socks5 to another gateway

Fri Dec 11, 2020 6:25 pm

First of all, you may want to hide the public IP of the device from the screenshots in your OP (at least you haven't left Winbox open to the world on the default port, good).

Second, SOCKS5 is easy to identify, so it may not be the safest one to use for the purpose. The actual destination address of the remote server can be seen in plaintext, so it is easy to find out where your clients are actually connecting. And if the actual traffic is not itself encrypted, it can also be seen in plaintext, so the DNS requests will also reveal what is going on to the authorities if the client sends them via SOCKS5.

PPTP has some encryption, but it has been considered weak for years.

Next, as @Sob has explained, the SOCKS5 server on the Mikrotik sends all the requests in its own name, and there is no way the firewall rules could find out which outgoing traffic of the Mikrotik itself is actually the traffic forwarded by the clients via SOCKS5 and which is its own one. So you can route all the output traffic of the Mikrotik to the VPN tunnel, and only provide exceptions as @Sob has suggested.

Most important, the exceptions have to be the addresses of the remote VPN servers, but for that in particular, you don't need firewall rules and dedicated routing tables - dedicated routes are enough.

An example of another exception may be the addresses of the servers from which Mikrotik downloads the RouterOS upgrades, but if you don't mind that the download also goes via the VPN, there is no need for such exception.

If you replace the SOCKS5 idea by a VPN one, the Mikrotik will treat the clients' traffic as a router, not as a proxy, so you will be able to handle all traffic from the clients one way (forwarding it to the other VPN) and other traffic the other way, using other routing table(s). But it has to be something better than PPTP if it should serve the purpose.
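
Added example (not part of the post above and not MikroTik code): a small decoder for the SOCKS5 client greeting and request as defined in RFC 1928, run over constructed sample bytes, showing that the requested destination host and port sit unencrypted in the client-to-proxy stream. The hostname, address and port in the samples are made up for illustration.

```python
import ipaddress
import struct

# Address types and commands from RFC 1928, section 4.
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
COMMANDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP ASSOCIATE"}

def parse_greeting(data: bytes) -> list:
    """Return the auth methods offered in a SOCKS5 client greeting."""
    if len(data) < 2 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 greeting")
    nmethods = data[1]
    if len(data) < 2 + nmethods:
        raise ValueError("truncated greeting")
    return list(data[2:2 + nmethods])

def parse_request(data: bytes) -> dict:
    """Decode VER CMD RSV ATYP DST.ADDR DST.PORT from a SOCKS5 request."""
    if len(data) < 4 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp, pos = data[1], data[3], 4
    if atyp == ATYP_IPV4:
        size = 4
    elif atyp == ATYP_IPV6:
        size = 16
    elif atyp == ATYP_DOMAIN:
        if len(data) < 5:
            raise ValueError("truncated request")
        size, pos = data[4], 5          # one length byte, then the name
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    if len(data) < pos + size + 2:
        raise ValueError("truncated request")
    raw = data[pos:pos + size]
    if atyp == ATYP_DOMAIN:
        host = raw.decode("ascii", "replace")
    else:
        host = str(ipaddress.ip_address(raw))
    (port,) = struct.unpack("!H", data[pos + size:pos + size + 2])
    # A domain-type request means the proxy resolves the name for the client.
    return {"command": COMMANDS.get(cmd, hex(cmd)), "host": host, "port": port,
            "resolved_by": "proxy" if atyp == ATYP_DOMAIN else "client"}

# Constructed sample bytes (not captured traffic).
GREETING = bytes([0x05, 0x01, 0x00])    # one method offered: no authentication
BY_NAME = b"\x05\x01\x00\x03\x0bexample.org" + struct.pack("!H", 443)
BY_ADDR = b"\x05\x01\x00\x01" + bytes([192, 0, 2, 10]) + struct.pack("!H", 443)

if __name__ == "__main__":
    print(parse_greeting(GREETING))
    for sample in (BY_NAME, BY_ADDR):
        print(parse_request(sample))
```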
 
soheilsh
Member Candidate
Topic Author
Posts: 100
Joined: Fri Nov 26, 2010 3:39 pm

Re: help me socks5 to another gateway

Fri Dec 11, 2020 6:33 pm

Do you have a Telegram ID?
My ID is @megasoheilsh
 
soheilsh
Member Candidate
Topic Author
Posts: 100
Joined: Fri Nov 26, 2010 3:39 pm

Re: help me socks5 to another gateway

Tue Mar 30, 2021 10:45 am

Can anyone help me?
 
lillsoft
just joined
Posts: 1
Joined: Thu Apr 01, 2021 12:10 am

Re: help me socks5 to another gateway

Thu Apr 01, 2021 9:58 pm

Do you have access to another Mikrotik device? I would run the SOCKS proxy on a different Mikrotik device and in the main Mikrotik router direct traffic from the SOCKS device to the VPN. In that case it would be easy to isolate the traffic from the SOCKS proxy. It should also be possible to run a metarouter inside the Mikrotik with the SOCKS proxy to remove the need for an additional Mikrotik, but I'm not sure the metarouter package is available on x86. More info on the metarouter is available here: https://wiki.mikrotik.com/wiki/Manual:Metarouter
 
SANBOR
just joined
Posts: 7
Joined: Fri Dec 08, 2023 7:39 am

Re: help me socks5 to another gateway

Mon Jan 22, 2024 8:52 am

I have the same problem and I want the connections that come in from socks to go out from another gateway.

There is no one to help us
