Zenoss
just joined
Topic Author
Posts: 7
Joined: Tue Jan 08, 2008 1:24 pm

Redirect traffic to Squid ( Linux )

Mon Jan 28, 2008 10:54 am

Greetings,

I've just installed a Squid cache server on a Linux machine. The hierarchy is like this:
   WAN LINK
         |
 -------------             ---------------------
| Mikrotik Box |          |   Cache Linux Server  |
 -------------            ----------------------
         |                   /
         |                 /
 ----------------------
| Switch ( Cheap one ) |
 ----------------------
    |           |          |       
  Client1   Client2    Client3   etc.

What I'm trying to do is this: I want all the port 80 traffic from Client1, Client2 and Client3 to be forwarded to my cache server at port 8080.
I tried with a redirect rule, but it seems it only maps ports on its own and can't redirect somewhere else.

Any idea how to do this?

Thanks
 
sergejs
MikroTik Support
Posts: 6624
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: Redirect traffic to Squid ( Linux )

Mon Jan 28, 2008 1:40 pm

You have to use action=dst-nat; also, do not forget to specify to-addresses, where you have to put the Squid address.
action=redirect is used to redirect traffic to the router itself.
 
Zenoss
just joined
Topic Author
Posts: 7
Joined: Tue Jan 08, 2008 1:24 pm

Re: Redirect traffic to Squid ( Linux )

Mon Jan 28, 2008 2:26 pm

Could you be more specific please?
Under Linux it could be done easily via set & mark, but I don't know exactly how to do this in MikroTik.
 
sergejs
MikroTik Support
Posts: 6624
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: Redirect traffic to Squid ( Linux )

Mon Jan 28, 2008 2:33 pm

ip firewall nat add action=dst-nat dst-port=80 protocol=tcp src-address="client's_used subnet" to-addresses="squid_address" to-ports=8080 chain=dstnat
http://www.mikrotik.com/testdocs/ros/2.9/ip/nat.php
 
Zenoss
just joined
Topic Author
Posts: 7
Joined: Tue Jan 08, 2008 1:24 pm

Re: Redirect traffic to Squid ( Linux )

Mon Jan 28, 2008 2:56 pm

Hello,

I tried this already a few minutes ago, but I get this error in return:
ERROR
The requested URL could not be retrieved

While trying to retrieve the URL: /firefox?client=firefox-a&rls=org.mozilla:en-US:official

The following error was encountered:

    * Invalid URL 

Some aspect of the requested URL is incorrect. Possible problems:

    * Missing or incorrect access protocol (should be `http://'' or similar)
    * Missing hostname
    * Illegal double-escape in the URL-Path
    * Illegal character in hostname; underscores are not allowed 
I'm not sure why this is showing up; it is coming from my proxy server, although when I point my browser to my proxy server it works fine.

Rules on the cache server are set to Accept ANY ANY.
 
sergejs
MikroTik Support
Posts: 6624
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: Redirect traffic to Squid ( Linux )

Mon Jan 28, 2008 3:09 pm

Please post your rules from 'ip firewall nat', when redirect to proxy is enabled.
 
Zenoss
just joined
Topic Author
Posts: 7
Joined: Tue Jan 08, 2008 1:24 pm

Re: Redirect traffic to Squid ( Linux )

Mon Jan 28, 2008 4:31 pm

Here are the rules:
 1   chain=dstnat src-address=myip protocol=tcp dst-port=80 
     action=dst-nat to-addresses=proxyip to-ports=8080 

 2   chain=srcnat src-address=someinternalip/24 action=masquerade 

 3   chain=srcnat src-address=someinternalip/24 action=masquerade 

 4   chain=srcnat action=masquerade 

Although, there's one thing I'd like to mention: I'm connecting to this internal network via VPN, because I'm not there physically. Does that change anything?
I'm probably getting beyond the MikroTik point; somewhere it says I need my proxy in transparent mode, which I think it is, but still, if it works like this just by pointing my browser to the proxy, it should work fine with redirection too.

Thanks
Sorry for the late response.
 
mrz
MikroTik Support
Posts: 6045
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Redirect traffic to Squid ( Linux )

Mon Jan 28, 2008 5:53 pm

I think that you must configure Squid to work as a transparent proxy.
http://www.deckle.co.za/squid-users-gui ... hing/Proxy
 
alessio
newbie
Posts: 36
Joined: Fri Jan 11, 2008 1:30 pm

Re: Redirect traffic to Squid ( Linux )

Mon Jan 28, 2008 7:30 pm

Hello Zenoss,
I had the same problem some days ago.
I solved it by configuring Squid as a transparent proxy server.
To do this, if you have Squid version 2.6, you have to edit the Squid configuration file (squid.conf), putting the following line:

http_port 3128 transparent
instead of

http_port 3128

Of course the command "http_port 3128" is the default squid proxy port configuration.

If you are using Webmin, you have to specify the option "transparent" on:

Servers -> Squid Proxy Server -> Ports and Networking

Regards,
Alessio
 
Zenoss
just joined
Topic Author
Posts: 7
Joined: Tue Jan 08, 2008 1:24 pm

Re: Redirect traffic to Squid ( Linux )

Tue Jan 29, 2008 6:30 pm

Hello,

Thanks for your response,
I've already added transparent to the option, but I still get the same error.
Do I probably need to set some rules or something special?

Would really appreciate your help.

Thanks
 
mrz
MikroTik Support
Posts: 6045
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Redirect traffic to Squid ( Linux )

Tue Jan 29, 2008 6:53 pm

I don't know what exactly is myip in your configuration, but basically there should be two dstnat rules if you want to redirect all requests from local subnet. For example local subnet 192.168.1.0/24 and proxy is 192.168.1.250:8080

/ip firewall nat
add chain=dstnat src-address=192.168.1.250 dst-port=80 protocol=tcp action=accept

add chain=dstnat src-address=192.168.1.0/24 dst-port=80 protocol=tcp action=dst-nat to-addresses=192.168.1.250 to-ports=8080

If it still isn't working then definitely something is wrong with your Squid configuration.
 
alessio
newbie
Posts: 36
Joined: Fri Jan 11, 2008 1:30 pm

Re: Redirect traffic to Squid ( Linux )

Tue Jan 29, 2008 8:55 pm

Hello Zenoss,
I think that the problem could be on the access lists of the proxy server.
What happens should be the following:

1. the hotspot receives your request on the wireless interface and NATs it to the proxy server address and proxy server port (to do it you should have configured the ip firewall nat rules on the MikroTik);
2. when the hotspot forwards the request to the proxy server, it is forwarded not with the original address, but with the address of the interface which communicates with the proxy as the source address (the WAN address??), and it happens even if you don't enable the webproxy feature on it;
3. then, if at the moment you have an access list on the proxy server which permits just the network configured on the hotspot interface, it might not be enough.

I hope this could help you.

Regards
Alessio
 
lukkes
Member Candidate
Posts: 166
Joined: Mon Jun 16, 2008 2:12 am
Location: Venezuela

Re: Redirect traffic to Squid ( Linux )

Sat Apr 17, 2010 4:03 am

Is there a way to redirect to an external proxy with the original client IP instead of the MT IP, in order to log the clients' web surfing?
If you found this post useful don't forget about the karma viewtopic.php?f=1&t=41148

Feed Your FAITH Then Your Doubts Will Starve To Death...!!!
 
dog
Member Candidate
Posts: 186
Joined: Wed Aug 12, 2009 3:37 pm
Location: Germany

Re: Redirect traffic to Squid ( Linux )

Sun Apr 18, 2010 5:40 pm

The only option is to use the Squid proxy as the gateway for your clients.
 
Madrox
Frequent Visitor
Posts: 80
Joined: Mon Sep 03, 2007 12:24 am

Re: Redirect traffic to Squid ( Linux )

Sun Apr 18, 2010 8:37 pm

You can install Squid with TProxy and set the Squid up as a bridge. This works great, but you have to use 2 NICs, and if the power of the Squid goes you have to unplug the Squid. The layout is router-squid-switch-clients.
The good thing is that you do not have to change anything on the network.

I'm working now with triangle routing so the Squid can stand as a standalone server.
I have yet to get this to work, but I have seen it done. It is more advanced, but the whole net does not crash if the server goes down.
 
gmidia
Member Candidate
Posts: 223
Joined: Sun Sep 02, 2007 3:28 pm

Re: Redirect traffic to Squid ( Linux )

Wed Apr 21, 2010 8:19 pm

The problem is with your configs on the Squid. I had similar issues, but after making changes in the Squid it worked well.
 
Chupaka
Forum Guru
Posts: 8394
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Redirect traffic to Squid ( Linux )

Fri Apr 23, 2010 11:32 pm

> Is there a way to redirect to an external proxy with the original client IP instead of the MT IP, in order to log the clients' web surfing?

You may add a route with gateway=squid and some routing mark, and then mark all traffic to port 80 and with src-mac-address=!squid's_one with that mark.
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
lukkes
Member Candidate
Posts: 166
Joined: Mon Jun 16, 2008 2:12 am
Location: Venezuela

Re: Redirect traffic to Squid ( Linux )

Sat Apr 24, 2010 1:11 am

> > Is there a way to redirect to an external proxy with the original client IP instead of the MT IP, in order to log the clients' web surfing?
>
> You may add a route with gateway=squid and some routing mark, and then mark all traffic to port 80 and with src-mac-address=!squid's_one with that mark.

Hmmm, I'm not so clear about it, but I will try exactly what you suggest. Thanks.
 
pablo0582
just joined
Posts: 5
Joined: Tue Aug 14, 2007 4:42 am
Location: Argentina-Mendoza

Re: Redirect traffic to Squid ( Linux )

Mon May 03, 2010 9:18 pm

> Hello,
>
> I tried this already a few minutes ago, but I get this error in return:
> ERROR
> The requested URL could not be retrieved
>
> While trying to retrieve the URL: /firefox?client=firefox-a&rls=org.mozilla:en-US:official
>
> The following error was encountered:
>
>     * Invalid URL
>
> Some aspect of the requested URL is incorrect. Possible problems:
>
>     * Missing or incorrect access protocol (should be `http://'' or similar)
>     * Missing hostname
>     * Illegal double-escape in the URL-Path
>     * Illegal character in hostname; underscores are not allowed
> I'm not sure why this is showing up; it is coming from my proxy server, although when I point my browser to my proxy server it works fine.
>
> Rules on the cache server are set to Accept ANY ANY.

Your problem is here: "While trying to retrieve the URL: /firefox?client=firefox-a&rls=org.mozilla:en-US:official"
Try only http://www.google.com without : in the URL.
 
lukkes
Member Candidate
Posts: 166
Joined: Mon Jun 16, 2008 2:12 am
Location: Venezuela

Re: Redirect traffic to Squid ( Linux )

Wed May 05, 2010 5:46 am

> > Hello,
> >
> > I tried this already a few minutes ago, but I get this error in return:
> > ERROR
> > The requested URL could not be retrieved
> >
> > While trying to retrieve the URL: /firefox?client=firefox-a&rls=org.mozilla:en-US:official
> >
> > The following error was encountered:
> >
> >     * Invalid URL
> >
> > Some aspect of the requested URL is incorrect. Possible problems:
> >
> >     * Missing or incorrect access protocol (should be `http://'' or similar)
> >     * Missing hostname
> >     * Illegal double-escape in the URL-Path
> >     * Illegal character in hostname; underscores are not allowed
> > I'm not sure why this is showing up; it is coming from my proxy server, although when I point my browser to my proxy server it works fine.
> >
> > Rules on the cache server are set to Accept ANY ANY.
>
> Your problem is here: "While trying to retrieve the URL: /firefox?client=firefox-a&rls=org.mozilla:en-US:official"
> Try only http://www.google.com without : in the URL.

What did you try? Which config?
About the problem, check that you have the transparent configuration in your squid.conf file.
 
kazanova
Member
Posts: 407
Joined: Tue Sep 06, 2005 11:52 am

Re: Redirect traffic to Squid ( Linux )

Thu Sep 23, 2010 11:05 pm

no luck?
try to redirect 80 to 8080
and use internal proxy
parent proxy(squid address )
parent port (squid port)
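Indeed, We sent down the Torah, in which there is guidance and light. By it the prophets who submitted judged for the Jews, and so did the rabbis and the scholars, by what they were entrusted with of the Book of Allah, and they were witnesses to it. So do not fear the people, but fear Me, and do not sell My verses for a small price. And whoever does not judge by what Allah has revealed, those are the disbelievers.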
 
RAHQGideon
newbie
Posts: 43
Joined: Wed Jun 30, 2010 9:18 am
Location: SA

Re: Redirect traffic to Squid ( Linux )

Sat Sep 25, 2010 1:30 pm

I am using a similar proxy setup to yours and it is working 100%. Just make sure you have the parent proxy port set up correctly; this stuffed me around initially. Here is my config. Note that this is not my gateway router with the WANs connected but the router behind it.
 1   chain=dstnat action=redirect to-ports=8080 protocol=tcp dst-port=80 

 2   chain=srcnat action=masquerade 

                 enabled: yes
             src-address: 0.0.0.0
                    port: 8080
            parent-proxy: 10.172.3.2
       parent-proxy-port: 800
     cache-administrator: ""
          max-cache-size: none
           cache-on-disk: no
  max-client-connections: 1000
  max-server-connections: 1000
          max-fresh-time: 11h6m
   serialize-connections: no
       always-from-cache: yes
          cache-hit-dscp: 4
             cache-drive: system
Hope this helps.
I wouldn’t’ be asking if I knew how it works !!!
 
lukkes
Member Candidate
Posts: 166
Joined: Mon Jun 16, 2008 2:12 am
Location: Venezuela

Re: Redirect traffic to Squid ( Linux )

Sun Sep 26, 2010 5:23 am

Using a parent proxy and setting up many clients can use all the CPU of your RouterBOARD; the best way is to use the redirect chains.
 
kazanova
Member
Posts: 407
Joined: Tue Sep 06, 2005 11:52 am

Re: Redirect traffic to Squid ( Linux )

Sun Sep 26, 2010 3:09 pm

..........
 
kazanova
Member
Posts: 407
Joined: Tue Sep 06, 2005 11:52 am

Re: Redirect traffic to Squid ( Linux )

Sun Sep 26, 2010 8:45 pm

What if I don't want to use a parent proxy,
and go direct to Squid?
 
lukkes
Member Candidate
Posts: 166
Joined: Mon Jun 16, 2008 2:12 am
Location: Venezuela

Re: Redirect traffic to Squid ( Linux )

Mon Sep 27, 2010 3:50 am

> ip firewall nat add action=dst-nat dst-port=80 protocol=tcp src-address="client's_used subnet" to-addresses="squid_address" to-ports=8080 chain=dstnat
> http://www.mikrotik.com/testdocs/ros/2.9/ip/nat.php

This is the correct way, don't waste more time. Your problem is on the Squid box: a bad Squid ACL configuration.
 
navidrasi
just joined
Posts: 9
Joined: Sun Sep 18, 2011 11:22 pm

Re: Redirect traffic to Squid ( Linux )

Sat Oct 01, 2011 12:27 pm

Hi,
I had the same problem.
I think the problem is that when you use dst-nat in MikroTik, the DST IP is changed to your Squid box IP,
therefore your Squid can't understand what web site your client is trying to open.
So I removed dst-nat and used a routing mark
and routing to send my clients' TCP 80 traffic to the Squid box,
and on the Squid box I used iptables to redirect the traffic to port 3128.
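
The "Invalid URL" error quoted earlier in the thread and the lost-destination point in the post above both come down to how a proxy derives the URL from the request line. The following Python sketch is an added example, not code from any poster or from Squid; the function names, the `www.google.com` Host value and the 203.0.113.10 address are constructed for illustration.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample requests (not captured traffic). The Host value is assumed.
TARGET = "/firefox?client=firefox-a&rls=org.mozilla:en-US:official"
INTERCEPTED = f"GET {TARGET} HTTP/1.1\r\nHost: www.google.com\r\n\r\n".encode()
CONFIGURED = b"GET http://www.google.com/firefox HTTP/1.1\r\nHost: www.google.com\r\n\r\n"
NO_HOST = b"GET /index.html HTTP/1.0\r\n\r\n"


class InvalidURL(ValueError):
    """Stands in for the proxy's 'Invalid URL' error page."""


def parse_request(raw: bytes):
    """Split a raw HTTP request head into (method, target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def effective_url(raw: bytes, intercept: bool, orig_dst: Optional[str] = None) -> str:
    """URL the proxy would fetch. intercept=False models 'http_port 3128',
    intercept=True models 'http_port 3128 transparent'. orig_dst is the
    pre-NAT destination IP, when the proxy host can still see it."""
    _method, target, headers = parse_request(raw)
    parts = urlsplit(target)
    if parts.scheme and parts.netloc:
        return target  # absolute-form: the browser was pointed at the proxy
    if not intercept:
        # origin-form on a forward-proxy port: no scheme and no hostname
        raise InvalidURL(f"Invalid URL: {target}")
    # Intercepted request: rebuild the URL. Host is client-supplied, so any
    # hostname-based ACL or log entry built from it rests on client input.
    host = headers.get("host") or orig_dst
    if not host:
        raise InvalidURL("no Host header and original destination unknown")
    return f"http://{host}{target}"


def outcome(raw: bytes, intercept: bool, orig_dst: Optional[str] = None) -> str:
    """Return the fetched URL, or the error text, as a string."""
    try:
        return effective_url(raw, intercept, orig_dst)
    except InvalidURL as exc:
        return f"ERROR {exc}"


if __name__ == "__main__":
    for raw, mode in [(CONFIGURED, False), (INTERCEPTED, False), (INTERCEPTED, True), (NO_HOST, True)]:
        print("intercept" if mode else "forward  ", "->", outcome(raw, mode))
```

When the dst-nat happens on the router, the Squid host sees only its own address as the destination, so the `orig_dst` fallback is unavailable and a request without a Host header cannot be resolved; routing the unmodified packets to the Squid box and redirecting them there keeps that information.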
 
bowzak
just joined
Posts: 1
Joined: Thu Feb 02, 2012 4:02 pm

Re: Redirect traffic to Squid ( Linux )

Thu Feb 02, 2012 4:05 pm

Not sure if this helps anyone...

I needed to setup a transparent proxy for Websense. My mikrotik is using hotspot. I used the dstnat entry, but initially I was getting Proxy Cycle errors. Once I set the parent proxy to the websense ip in IP-Web Proxy, it worked fine.
 
mdKhan17
just joined
Posts: 1
Joined: Thu Oct 06, 2011 4:23 pm

Re: Redirect traffic to Squid ( Linux )

Sat Sep 01, 2012 4:25 pm

Hi, I am a newbie here. Can anyone tell me how many clients I can manage in this Squid caching server through MikroTik?
 
Chupaka
Forum Guru
Posts: 8394
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Redirect traffic to Squid ( Linux )

Sat Sep 01, 2012 7:34 pm

thousands
 
serek
just joined
Posts: 1
Joined: Tue Nov 06, 2012 3:33 pm

Re: Redirect traffic to Squid ( Linux )

Tue Nov 06, 2012 3:41 pm

> I don't know what exactly is myip in your configuration, but basically there should be two dstnat rules if you want to redirect all requests from local subnet. For example local subnet 192.168.1.0/24 and proxy is 192.168.1.250:8080
>
> /ip firewall nat
> add chain=dstnat src-address=192.168.1.250 dst-port=80 protocol=tcp action=accept
>
> add chain=dstnat src-address=192.168.1.0/24 dst-port=80 protocol=tcp action=dst-nat to-addresses=192.168.1.250 to-ports=8080
>
> If it still isn't working then definitely something is wrong with your Squid configuration.

mrz,

Correct me if I'm wrong, but to my way of thinking one rule could cover the above two (assuming the default policy is accept):
/ip firewall nat
add chain=dstnat src-address=!192.168.1.250 in-interface=LAN_INTERFACE dst-port=80 protocol=tcp action=dst-nat to-addresses=192.168.1.250 to-ports=8080
Regards,
Sergiusz
