abhi281
just joined
Topic Author
Posts: 11
Joined: Tue Sep 30, 2014 1:15 pm
Location: Bangladesh

Issue with DST-NAT (RouterOS 6.47.10)

Sat Jun 12, 2021 2:22 pm

Hello,

I have designed a topology which has an external proxy server (192.168.239.152) and a MikroTik router (192.168.239.151).
The MikroTik router is connected to a LAN and provides the internet connection to the LAN PCs. The LAN PCs have IPs from the block 192.168.1.0/24.

I want traffic (HTTP, HTTPS) from the LAN PCs to go through the proxy server, so that I don't need to configure the browser manually with proxy settings. For this I have created a DST-NAT rule in the MikroTik router in the following way:

Step 1
Image

Step 2
Image

After this, traffic from the LAN PCs is going through that proxy server (Squid), but no website is working and it gives the following error:
Image


What is wrong here?

Note: Manual proxy setup in the browser is working perfectly. But I am trying to set up a transparent proxy here via MikroTik.
 
erkexzcx
Member Candidate
Posts: 263
Joined: Mon Oct 07, 2019 11:42 pm

Re: Issue with DST-NAT (RouterOS 6.47.10)

Sat Jun 12, 2021 2:44 pm

A few thoughts:
  • Isn't that supposed to work only with HTTP traffic and not with HTTPS?
  • You did not port forward 443 (HTTPS) traffic, only 80 (HTTP). Most sites use 80 to simply redirect to 443 and serve websites only on port 443.
 
anav
Forum Guru
Posts: 18961
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Issue with DST-NAT (RouterOS 6.47.10)

Sat Jun 12, 2021 3:16 pm

A network diagram will help, as I have no idea what you mean by external.
 
abhi281
just joined
Topic Author
Posts: 11
Joined: Tue Sep 30, 2014 1:15 pm
Location: Bangladesh

Re: Issue with DST-NAT (RouterOS 6.47.10)

Sat Jun 12, 2021 3:38 pm

A few thoughts:
  • Isn't that supposed to work only with HTTP traffic and not with HTTPS?
  • You did not port forward 443 (HTTPS) traffic, only 80 (HTTP). Most sites use 80 to simply redirect to 443 and serve websites only on port 443.
Same issue if I forward port 443. No matter whether it's port 80 or 443, the proxy server is giving the error.
 
abhi281
just joined
Topic Author
Posts: 11
Joined: Tue Sep 30, 2014 1:15 pm
Location: Bangladesh

Re: Issue with DST-NAT (RouterOS 6.47.10)

Sat Jun 12, 2021 3:48 pm

A network diagram will help, as I have no idea what you mean by external.
External means the proxy server is not in the same LAN as those PCs. It's another device, but I can ping it from the MikroTik router and the LAN PCs. It has a public IP. The diagram is as follows:
Image
 
anav
Forum Guru
Posts: 18961
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Issue with DST-NAT (RouterOS 6.47.10)

Sat Jun 12, 2021 4:04 pm

So the MikroTik and the proxy server are not behind the same modem?

Sounds like forward chain rules............and IP routes....

Firewall Filter
/ip firewall filter
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN protocol=tcp dst-port=80,443

IP Route
/ip route
add distance=1 gateway=ISP_Gateway
add distance=1 gateway=ISP_Gateway routing-mark=proxy-route

Route Rule
/ip route rule
add action=lookup-only-in-table src-address=192.168.1.0/24 \
dst-address=192.168.239.152 table=proxy-route


The end result is that
(1) If any LAN user attempts to reach the internet by any port other than 80 and 443, it will not happen, period.
(2) If any LAN user attempts to reach any other WAN IP than the proxy, they will not be routed.
 
abhi281
just joined
Topic Author
Posts: 11
Joined: Tue Sep 30, 2014 1:15 pm
Location: Bangladesh

Re: Issue with DST-NAT (RouterOS 6.47.10)

Sat Jun 12, 2021 4:36 pm

So the MikroTik and the proxy server are not behind the same modem?

The end result is that
(1) If any LAN user attempts to reach the internet by any port other than 80 and 443, it will not happen, period.
(2) If any LAN user attempts to reach any other WAN IP than the proxy, they will not be routed.
Yes, they are behind the same modem; you can see both are using IPs from the same IP block, which is 192.168.239.0/24.

So in the end, LAN users can't ping outside addresses? Or can't use any other websites which use ports other than 80 or 443?
 
anav
Forum Guru
Posts: 18961
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Issue with DST-NAT (RouterOS 6.47.10)

Sat Jun 12, 2021 4:47 pm

Well, I don't know how to handle that;
I am hoping those more expert than me can help.
My guess is that if it was me, I would put the proxy server behind the ROUTER but on its own IP address, vice completely separate like you have.
However, I do not know what is better. :-(
 
pe1chl
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: Issue with DST-NAT (RouterOS 6.47.10)

Sat Jun 12, 2021 5:21 pm

This issue is not caused by the MikroTik dst-nat but by the HTTP protocol.
It is simply not possible to make a proxy that way!
When you fetch an HTTP page the browser splits the URL into its parts: http://site.com/path is split into site.com and /path
The browser then does a DNS lookup for site.com, makes a connection to the returned IP on port 80, and then sends a request for /path there, unfortunately.
(so it does not send the full http://site.com/path but only the /path part)

When you forward all http traffic to a single internal proxy, there is no way for that proxy to know what you want from it because it only gets the /path and
not the full URL.

Later the HTTP protocol was modified and it sends the extracted part "site.com" in a separate header in the request:
Host: site.com

Apparently your proxy does not support using that. You may need to configure it differently (as a "transparent proxy").
However, note that this is not possible for the https protocol! That can only be handled by a proxy when you configure it in each browser, it is not possible to make such a port forward and still have it working. That is exactly the point of the https protocol.

So while it may be convenient to you to not have to configure the proxy, unfortunately it cannot be done this way.
(there are other ways to do it, but they all have special restrictions)
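What pe1chl describes above, as an added Python example that is not part of this thread: the function rebuilds the URL an intercepting proxy would need from the three request forms a client can send, plus the HTTPS case. The destination IP 203.0.113.10 and the sample requests are constructed for illustration.

```python
# Added example (not from the thread): how an intercepting (dst-nat) HTTP
# proxy recovers the URL a client wanted, why that only works when the
# request carries a Host header, and why it cannot work for HTTPS at all.

def reconstruct_url(payload: bytes, dst_ip: str, dst_port: int = 80):
    """Return (url, mode) for the first bytes of an intercepted TCP stream.

    mode is one of:
      'absolute'  browser configured to use the proxy: full URL on request line
      'host'      origin-form request plus Host header (HTTP/1.1): the only
                  form a transparent proxy can rebuild the URL from
      'ip-only'   no Host header: only the dst-nat'ed IP is known and the
                  virtual host is lost (the failure pe1chl describes)
      'tls'       TLS handshake: path and headers are encrypted, nothing to
                  rebuild unless the client is configured to trust the proxy
    """
    # A TLS record starts with content type 0x16 (handshake), version 0x03xx.
    if payload[:2] == b"\x16\x03":
        return None, "tls"
    head = payload.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    _method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if target.lower().startswith(("http://", "https://")):
        return target, "absolute"  # proxy-aware client: nothing to guess
    host = headers.get("host")
    if host:
        return f"http://{host}{target}", "host"
    port = "" if dst_port == 80 else f":{dst_port}"
    return f"http://{dst_ip}{port}{target}", "ip-only"


# Constructed sample payloads, all redirected to the same proxy by dst-nat.
MANUAL_PROXY = b"GET http://site.com/path HTTP/1.1\r\nHost: site.com\r\n\r\n"
TRANSPARENT_11 = b"GET /path HTTP/1.1\r\nHost: site.com\r\nAccept: */*\r\n\r\n"
TRANSPARENT_10 = b"GET /path HTTP/1.0\r\n\r\n"
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32

if __name__ == "__main__":
    samples = [("manual proxy", MANUAL_PROXY), ("HTTP/1.1 intercepted", TRANSPARENT_11),
               ("HTTP/1.0 intercepted", TRANSPARENT_10), ("HTTPS intercepted", TLS_CLIENT_HELLO)]
    for name, raw in samples:
        print(f"{name:22} -> {reconstruct_url(raw, '203.0.113.10')}")
```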
 
kalamaja
Member Candidate
Posts: 112
Joined: Wed May 23, 2018 3:13 pm

Re: Issue with DST-NAT (RouterOS 6.47.10)

Sat Jun 12, 2021 7:12 pm

What is the main goal you want to achieve? The reason to install Squid has vanished, as 90% of the web already runs on HTTPS, and those who still don't get downvoted in SEO/search engines. This is to build trust that clients communicate with the intended service, not a fake one. Nowadays content is cached by browsers according to the rules the server sends. By the way, do you know MikroTik contains proxy functionality?
 
abhi281
just joined
Topic Author
Posts: 11
Joined: Tue Sep 30, 2014 1:15 pm
Location: Bangladesh

Re: Issue with DST-NAT (RouterOS 6.47.10)

Sat Jun 12, 2021 11:15 pm

Ok, understood. So there's no way to achieve what I am trying to do.
So either I need to use the proxy feature of MikroTik or I am out of luck.
 
rextended
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Issue with DST-NAT (RouterOS 6.47.10)

Sun Jun 13, 2021 1:51 am

NO, you do not understand,
PROXIES ARE DEAD with 90% of traffic going to HTTPS.
Anything you try is perfectly useless and only a waste of time.
Understand now?
 
pe1chl
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: Issue with DST-NAT (RouterOS 6.47.10)

Sun Jun 13, 2021 11:35 am

Ok, understood. So there's no way to achieve what I am trying to do.
So either I need to use the proxy feature of MikroTik or I am out of luck.
No you don't understand!
You either need to configure the proxy in each computer or you are out of luck.
It does not matter if you use the proxy feature of MikroTik or any other proxy: invisible proxy for https cannot be done.
That is the intended purpose of https: To prevent network admins like you from setting up something between the user and the server without the user knowing about it.
 
abhi281
just joined
Topic Author
Posts: 11
Joined: Tue Sep 30, 2014 1:15 pm
Location: Bangladesh

Re: Issue with DST-NAT (RouterOS 6.47.10)

Sun Jun 13, 2021 2:20 pm

No you don't understand!
You either need to configure the proxy in each computer or you are out of luck.
It does not matter if you use the proxy feature of MikroTik or any other proxy: invisible proxy for https cannot be done.
That is the intended purpose of https: To prevent network admins like you from setting up something between the user and the server without the user knowing about it.
So what's the best possible way to block clients from accessing certain websites (e.g. Facebook or YouTube)
without putting much workload on the MikroTik router, of course? I am using an RB450G device at my place.
 
anav
Forum Guru
Posts: 18961
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Issue with DST-NAT (RouterOS 6.47.10)

Sun Jun 13, 2021 2:35 pm

Parenting is the solution.
You can cut off internet during certain hours but then they will use their cellphones and data to connect.
 
biomesh
Long time Member
Posts: 561
Joined: Fri Feb 10, 2012 8:25 pm

Re: Issue with DST-NAT (RouterOS 6.47.10)

Sun Jun 13, 2021 2:49 pm

DNS filtering is probably your best bet. Pi-hole or NextDNS (cloud based) will allow you to block certain websites. There are ways around it, though, if someone sets a DoH provider manually on their device. If you don't have DoH on any client, then you can use dst-nat to redirect any non-approved DNS requests to the MikroTik DNS server, which would then be forwarded to your approved DoH/DNS provider.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Issue with DST-NAT (RouterOS 6.47.10)

Sun Jun 13, 2021 3:04 pm

So the topic title "Issue with DST-NAT (RouterOS 6.47.10)" is actually "I don't know how the internet works, it must be this specific version broken and this specific feature." ?
