Hi every one,
I want to redirect the HTTP ports to my proxy server (Fedora , but NOT USING IP>Proxy or IP>Web Proxy.
I just want to redirect that ports using ip firewall feature.
Any advices, Any suggestions?

Thanks
With Best Regards
Karapet Aznavuryan

ip firewall dst nat protocol=tcp In-interface=lan dst-port=80 Action dst-nat to address= xxxx (ur fedora/linux) to ports=xxx (ports u have to use, for proxy may be 3128)

Thanks Ratkim

I have tested, But it does not work at all.
some body help, Please.

Greetings!

If you tried the example above as-is, it has some challenges. If the web server is 192.168.0.2, then this should do:

/ip firewall nat add chain=dstnat action=dst-nat protocol=tcp dst-port=80 to-addresses=192.168.0.2
You will lose the ability to use a web-based controller on the parent device tho.

So, Look at My configuration,
I have Mikrotik 2.9.50 ROS and Squid running on Fedora 8
Everything is ok.
My Squid listens on port 61119, when I redirect the HTTP ports via Ip>Proxy or IP>Web Proxy to the Squid's 61119 port, everything works fine,
But when I do dst-nat to my squid's 61119 port, sometimes I get "the requested url could not be retrieved" message or did not get any reply.
Why? where did I make a mistake?

With Best Regards
Karapet Aznavuryan

My bad!
/ip firewall nat add chain=dstnat action=dst-nat protocol=tcp dst-port=80 to-addresses=192.168.0.2 in-interface=ether1

This way only ether1 (internet) will use this nat. Your local users will still go through the proxy.

EDIT: You also may want to do a
/ip firewall nat print
and insure your squid proxy port 80 dstnat rule is not above this dstnat rule. I believe you can use the place-before=0 variable to put this rule first. The first rule that applies is used, and, as the docs say, all others are ignored.

My bad!
/ip firewall nat add chain=dstnat action=dst-nat protocol=tcp dst-port=80 to-addresses=192.168.0.2 in-interface=ether1

This way only ether1 (internet) will use this nat. Your local users will still go through the proxy.

EDIT: You also may want to do a
/ip firewall nat print
and insure your squid proxy port 80 dstnat rule is not above this dstnat rule. I believe you can use the place-before=0 variable to put this rule first. The first rule that applies is used, and, as the docs say, all others are ignored.

I have tried every methods, but there is no use.
My Squid will handle requests only on port 61119, if I put the dst-nat rule to all of its ports, my HTTP requests will go to Squid's 80 port.
I don't want that, I just want to redirect HTTP Requests.

OK, can you post a copy of your ip firewall nat?

EDIT: The MT box is the router, and the fedora box is the web server, right?

well, if your users and squid server are in one subnet, you should use srcnat along with dstnat. but you will loose the ability to check user's IP on squid server. Web Proxy returns this ability back =)

well, if your users and squid server are in one subnet, you should use srcnat along with dstnat. but you will loose the ability to check user's IP on squid server. Web Proxy returns this ability back =)

Thanks Chupaka.
My users are not in th same subnet with Squid,
When I put the proxy server setting to my Squid
Every thing is ok,
But I want to redirect the HTTP requests to Squid,
Please tell Me what to do,
dst-nat does not help,

please describe your network topology

I have 2 ROS 2.9.51 PIII
1 For NAS Server, and the other is for NAT Server to Internet
Look at the picture, this is the topology.
My Squid Is in the same network with NAS (192.168.250.0/24 network)
My Clients (PPTP and PPPOE) get IP addresses from 172.16.0.0/12 network.
I just want to redirect the HTTP port from network 172.16.0.0/12 to 192.168.250.50 port 63333( Ssuid listens on this port)
When I set the Proxy server settings in I-explorer or Mozilla IP=SquidIP and Port=Squidport everything is ok,
But I want to do transparent redirect NOT USING IP>Proxy or IP>Web Proxy Features
With Best Regard
Karapet Aznavuryan

are your clients, NAS and squid in different physical segments (different broadcast domains) or only different IP segments?

They are in different IP Segments,
Thanks

so you need they be on different RouterOS interfaces (VLANs, for example)

Thanks Chupaka,
I have already done using 2 different ROS.
Thanks Very Much;

set your dst-nat rules as the posts above reccomend...
then,

try this in your squid.conf:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Or if it's a newer version of squid, this:

http_port <ip of server>:<port your proxy listens on> transparent

[quote="Chupaka"]well, if your users and squid server are in one subnet, you should use srcnat along with dstnat. but you will loose the ability to check user's IP on squid server. Web Proxy returns this ability back =)[/quote]

Chupaka, I've setup the internal proxy in 3.10. It now allows me to use the parent proxy settings and this works like a charm. Except that now the squid box shows all hits originating from the mikrotik router and not the user's ip address.

The squid is set in transparent mode and if I manually point a browser to the squid box, it shows the individual ip address in the logs but not if I use the miktotik's web proxy.

Any ideas for me please?

My rules;
1 ;;; Accept squid proxy server
chain=dstnat action=accept src-address=192.168.50.3 in-interface=bridge dst-port=80 protocol=tcp

2 ;;; Redirect via internal proxy
chain=dstnat action=redirect to-ports=8080 in-interface=bridge dst-port=80 protocol=tcp

of course you do not need transparent mode on squid

ok so what you are saying is that I need to enable authentication on the squid server?

will any requests on port 80 which are redirected to the mikrotik internal web proxy be pushed through to the squid box?

the squid box is going to ask for authentication, so surely I need to setup some rule where it handles this two way communication?

no, you need no authentication (ROS do not support it yet). ROS proxy should send client's IP in parent proxy request, so try to sniff request's packets, and if there is client's IP, see what you can do with squid. else - write to support =)

thanks Chupaka.

Hi Hilton,

So, did you call tech support? Is there any resolution for this redirect to squid server problem?

Thanks,

apr

It will work if you set the squid server to be transparent, but not if you need it to authenticate via LDAP.

It will work if you set the squid server to be transparent, but not if you need it to authenticate via LDAP.

Thank you Hilton. But I tried some of the examples above and it doesn't work here. As I read through this thread again , I think I have a different network as yours. I have something like:
Here is what I want to do. Just like the Subject of this thread. But I think I misunderstood some posts.

I need to pass http port 80 directly to squid proxy server without going through the Proxy of the rn532a. If I set my browser settings to use the squid proxy everything is fine... But when I redirect port 80 to the squid port 3128 it does not work. I get something like "the requested url could not be retrieved".

@Chupaka and karo84

What do you mean by this ? http://forum.mikrotik.com/viewtopic.php ... 78#p111478

Thank you,

aprmicro