Belyivulk
Member Candidate
Topic Author
Posts: 286
Joined: Mon Mar 06, 2006 10:53 pm
Location: Whangarei, New Zealand

Setting up SQUID on 2.9.51

Thu May 15, 2008 5:04 am

Hi Guys,

We are wanting to set up Squid as a transparent proxy on our network. I have Squid 2.6 running, and if I set my browser to look at it as a proxy, it works.

I have searched the forums, and tried the dst-nat rules to forward traffic from our MT router to the Squid box, but when I enable this rule, all HTTP traffic stops dead, unless I set my browser to look at the proxy address. I disable the rule, and it works fine.

What am I doing wrong, guys?
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Setting up SQUID on 2.9.51

Thu May 15, 2008 4:05 pm

In 2.9, set up a proxy on RouterOS and set up a parent proxy. For more information see this link:
http://www.mikrotik.com/testdocs/ros/2. ... bproxy.php
 
Belyivulk
Member Candidate
Topic Author
Posts: 286
Joined: Mon Mar 06, 2006 10:53 pm
Location: Whangarei, New Zealand

Re: Setting up SQUID on 2.9.51

Fri May 16, 2008 12:15 am

Hi Janisk,

I've tried that as well, and I CANNOT make it work. If I could, I wouldn't have posted on the board for help.
 
hilton
Long time Member
Posts: 634
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: Setting up SQUID on 2.9.51

Fri May 16, 2008 11:30 am

Whoa, take a chill pill dude.

janisk was just trying to help you.

Post your config and people will take a look at it.
 
Belyivulk
Member Candidate
Topic Author
Posts: 286
Joined: Mon Mar 06, 2006 10:53 pm
Location: Whangarei, New Zealand

Re: Setting up SQUID on 2.9.51

Fri May 16, 2008 11:35 am

Lol, sorry, I'm not angry! Just had a bad day (3 RB333's turned up DOA) AND I can't make this work.

I have Squid with the transparent option working, as stated. The whole config might be a bit much to post, but we have the eth interface (internal) in a bridge with VLANs, and the PPPoE interface out over another eth interface.

The NAT rule I've created is:

add chain=dstnat in-interface=OfficeLan-Bridge protocol=tcp dst-port=80 action=dst-nat to-addresses=10.10.10.104 to-ports=3128 comment="" disabled=no

When I enable this rule, the internet stops completely; if I enable it on the internal interface the internet works, but the proxy doesn't.
 
mrz
MikroTik Support
Posts: 7054
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Setting up SQUID on 2.9.51

Fri May 16, 2008 6:02 pm

Add this rule above your rule:

/ip firewall nat
add chain=dstnat action=accept src-address=10.10.10.104 protocol=tcp dst-port=80
 
Belyivulk
Member Candidate
Topic Author
Posts: 286
Joined: Mon Mar 06, 2006 10:53 pm
Location: Whangarei, New Zealand

Re: Setting up SQUID on 2.9.51

Sat May 17, 2008 12:46 am

Hey,

That worked a charm, thanks heaps!
 
Belyivulk
Member Candidate
Topic Author
Posts: 286
Joined: Mon Mar 06, 2006 10:53 pm
Location: Whangarei, New Zealand

Re: Setting up SQUID on 2.9.51

Sat May 17, 2008 5:29 am

Ok, I take that back. It seems to be working for me here (at home), though I am bridged in to the LAN in question by VLANs (bridged with the internal ethernet interface), but the clients that connect to the ETH are dropped as soon as I enable that rule. Ideas?
 
dawam
Trainer
Posts: 134
Joined: Wed May 31, 2006 1:40 pm
Location: Malaysia

Re: Setting up SQUID on 2.9.51

Sat May 17, 2008 6:33 am

[quote="mrz"]
add this rule above your rule:

/ip firewall nat
add chain=dstnat action=accept src-address=10.10.10.104 protocol=tcp dst-port=80
[/quote]

expand the src-address
 
Belyivulk
Member Candidate
Topic Author
Posts: 286
Joined: Mon Mar 06, 2006 10:53 pm
Location: Whangarei, New Zealand

Re: Setting up SQUID on 2.9.51

Sat May 17, 2008 6:34 am

Can you please be more specific? The src address shown there is that of our Squid box.
 
dawam
Trainer
Posts: 134
Joined: Wed May 31, 2006 1:40 pm
Location: Malaysia

Re: Setting up SQUID on 2.9.51

Sat May 17, 2008 7:02 am

Try to masquerade your proxy IP too.
 
Belyivulk
Member Candidate
Topic Author
Posts: 286
Joined: Mon Mar 06, 2006 10:53 pm
Location: Whangarei, New Zealand

Re: Setting up SQUID on 2.9.51

Sat May 17, 2008 7:10 am

Hey, could you provide a working example?
 
dawam
Trainer
Posts: 134
Joined: Wed May 31, 2006 1:40 pm
Location: Malaysia

Re: Setting up SQUID on 2.9.51

Sat May 17, 2008 11:25 am

This is my working setup, ROS V2.9.51:

/ip firewall nat

add chain=dstnat action=dst-nat to-addresses=10.1.1.2 to-ports=8080 \
src-address=10.0.8.0/22 dst-port=80 protocol=tcp comment="redirect to \
proxy for pppoe network" disabled=yes

add chain=srcnat action=masquerade src-address=10.1.1.2 comment="MasQ \
for local" disabled=no
 
Belyivulk
Member Candidate
Topic Author
Posts: 286
Joined: Mon Mar 06, 2006 10:53 pm
Location: Whangarei, New Zealand

Re: Setting up SQUID on 2.9.51

Sat May 17, 2008 11:48 am

Does this mark all connections as having come from the router though?
 
hilton
Long time Member
Posts: 634
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: Setting up SQUID on 2.9.51

Sat May 17, 2008 12:01 pm

[quote="dawam"]
add chain=dstnat action=dst-nat to-addresses=10.1.1.2 to-ports=8080 \
src-address=10.0.8.0/22 dst-port=80 protocol=tcp comment="redirect to \
proxy for pppoe network" disabled=yes

add chain=srcnat action=masquerade src-address=10.1.1.2 comment="MasQ \
for local" disabled=no[/quote]

Ah, so the direct rule must be BEFORE the masquerade rule?

Also I'm sure that disabled=yes should be disabled=no?

And then where does your previously mentioned rule go?
[quote="dawam"]
add chain=dstnat action=accept src-address=10.10.10.104 protocol=tcp dst-port=80
[/quote]
 
Belyivulk
Member Candidate
Topic Author
Posts: 286
Joined: Mon Mar 06, 2006 10:53 pm
Location: Whangarei, New Zealand

Re: Setting up SQUID on 2.9.51

Sat May 17, 2008 12:54 pm

What I'm not understanding is why the rule I have now works for me at home (over the VLANs) but not for any machine connected to the eth interface. That seems mighty strange.
 
Belyivulk
Member Candidate
Topic Author
Posts: 286
Joined: Mon Mar 06, 2006 10:53 pm
Location: Whangarei, New Zealand

Re: Setting up SQUID on 2.9.51

Sat May 17, 2008 1:05 pm

Sorry guys, none of that works. As soon as I enable

"chain=dstnat in-interface=OfficeLan-Bridge protocol=tcp dst-port=80 action=dst-nat to-addresses=10.10.10.104 to-ports=3128 comment="" disabled=no"

port 80 traffic connected to the LAN stops. But it works perfectly fine at home, through the proxy and all. Completely bizarre!
 
hilton
Long time Member
Posts: 634
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: Setting up SQUID on 2.9.51

Sat May 17, 2008 4:21 pm

And you have the same version on both routers?
 
jwcn
Forum Guru
Posts: 1495
Joined: Sun Aug 27, 2006 6:49 am
Location: Maryland, USA

Re: Setting up SQUID on 2.9.51

Sat May 17, 2008 7:18 pm

You need to post all your NAT/firewall rules and in what order they are in.
 
dawam
Trainer
Posts: 134
Joined: Wed May 31, 2006 1:40 pm
Location: Malaysia

Re: Setting up SQUID on 2.9.51

Sun May 18, 2008 12:57 am


/ip firewall nat

add chain=dstnat action=dst-nat to-addresses=10.1.1.2 to-ports=8080 \
src-address=10.0.8.0/22 dst-port=80 protocol=tcp comment="redirect to \
proxy for pppoe network" disabled=no

add chain=srcnat action=masquerade src-address=10.1.1.2 comment="MasQ \
for local" disabled=no

I have corrected what hilton commented, just in case someone would like to use this config, which is not rocket science.

If you are into RouterOS, you could have easily figured that out. The above is a working setup for my network, ROS 2.9.51 with Squid proxy, before my upgrade to RB1000 ROS v3.9; replace whatever IP you have.

Not sure about the masquerade position; if not after then before, maybe I could double check later.

The purpose is to share a configuration that works for me at least. And yes, it is a municipal network hotspot and PPPoE running on VLAN.
 
Belyivulk
Member Candidate
Topic Author
Posts: 286
Joined: Mon Mar 06, 2006 10:53 pm
Location: Whangarei, New Zealand

Re: Setting up SQUID on 2.9.51

Sun May 18, 2008 3:18 am

This is the configuration I have, and in order:

0 chain=srcnat out-interface=pppoe-out1 action=masquerade

1 chain=dstnat src-address=10.10.10.104 protocol=tcp dst-port=80 action=accept

2 chain=dstnat in-interface=OfficeLan-Bridge protocol=tcp dst-port=80 action=dst-nat to-addresses=10.10.10.104 to-ports=3128

With this configuration enabled, port 80 traffic stops working in the office as mentioned, but works OK over the VLAN via the proxy.

The configuration mentioned by dawam doesn't work for me; in fact port 80 traffic stops working altogether with the masq rule, and specifying the src address in rule #2 allows port 80 to work, but not via the proxy.
 
hilton
Long time Member
Posts: 634
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: Setting up SQUID on 2.9.51

Sun May 18, 2008 11:26 am

Belyivulk, what versions are you running?
 
Belyivulk
Member Candidate
Topic Author
Posts: 286
Joined: Mon Mar 06, 2006 10:53 pm
Location: Whangarei, New Zealand

Re: Setting up SQUID on 2.9.51

Sun May 18, 2008 11:30 am

hilton:

.43 on the router with the rules, .51 on all the routers between myself and work. I haven't thought to upgrade the work router.
 
Belyivulk
Member Candidate
Topic Author
Posts: 286
Joined: Mon Mar 06, 2006 10:53 pm
Location: Whangarei, New Zealand

Re: Setting up SQUID on 2.9.51

Sun May 18, 2008 11:47 am

I have upgraded to .51, but still the same results.
 
hilton
Long time Member
Posts: 634
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: Setting up SQUID on 2.9.51

Sun May 18, 2008 12:00 pm

Your proxy server is not configured to require authentication is it?
 
Belyivulk
Member Candidate
Topic Author
Posts: 286
Joined: Mon Mar 06, 2006 10:53 pm
Location: Whangarei, New Zealand

Re: Setting up SQUID on 2.9.51

Sun May 18, 2008 12:24 pm

Nope. What I'm failing to understand is why it works for me perfectly at home, but not on the LAN. Even if I change the dst-nat rule to ether1 it still doesn't work. Can you see any fault with my rules?
 
hilton
Long time Member
Posts: 634
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: Setting up SQUID on 2.9.51

Sun May 18, 2008 5:56 pm

Not sure why it works at home though, but I'm going to duplicate your scenario at my office where I have a Smoothwall Squid box and let's see what happens.

Hang seven..............
 
Belyivulk
Member Candidate
Topic Author
Posts: 286
Joined: Mon Mar 06, 2006 10:53 pm
Location: Whangarei, New Zealand

Re: Setting up SQUID on 2.9.51

Mon May 19, 2008 12:51 am

No worries. I also tried removing the ether from the bridge, and running the net rules on ether1 (as I am back at work) with the same result, so now I am seriously stumped!
 
hilton
Long time Member
Posts: 634
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: Setting up SQUID on 2.9.51

Mon May 19, 2008 6:06 pm

Ok these are my rules for /ip firewall nat print;

0 ;;; NAT for adsl
chain=srcnat action=masquerade src-address=192.168.50.0/24 out-interface=adsl_pppoe

1 ;;; Accept proxy server
chain=dstnat action=accept src-address=192.168.50.3 in-interface=bridge dst-port=80 protocol=tcp

2 ;;; Redirect to network guardian
chain=dstnat action=dst-nat to-addresses=192.168.50.3 to-ports=800 src-address=192.168.50.0/24 in-interface=bridge dst-port=80 protocol=tcp


My router is 192.168.50.2 and my squid box is 192.168.50.3 (listening on port 800)

Having followed some advice I 'think' I have set this up correctly but unfortunately I cannot get clients to browse. If you set the proxy and port directly in your browser, it works but not with the redirect from the router.

Belyivulk, not sure if this is similar to your setup?

Anyone have any obvious pointers for us please?
 
Belyivulk
Member Candidate
Topic Author
Posts: 286
Joined: Mon Mar 06, 2006 10:53 pm
Location: Whangarei, New Zealand

Re: Setting up SQUID on 2.9.51

Tue May 20, 2008 1:08 am

It is practically identical to my setup :) Now I feel not so hopeless!
 
hilton
Long time Member
Posts: 634
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: Setting up SQUID on 2.9.51

Tue May 20, 2008 8:21 am

Ok so we have a rule to forward all requests from users on port 80 to the squid box and we have a rule to allow requests from squid on port 80 to access the internet. This seems ok.

When I try and browse, I see plenty of traffic on the redirect rule (watching the counters) but I see nothing in the live squid logs. And I mean nothing. (tail -f /var/log/squid type of thing). As soon as you point your browser to the squid directly there's plenty of action.

So does this mean the router is really not forwarding requests or perhaps something is blocking this in the middle?

Just thinking out aloud here. We need to apply our little grey cells to this problem. Do we need to do any packet mangling perhaps?
 
Belyivulk
Member Candidate
Topic Author
Posts: 286
Joined: Mon Mar 06, 2006 10:53 pm
Location: Whangarei, New Zealand

Re: Setting up SQUID on 2.9.51

Tue May 20, 2008 8:42 am

Well, in my situation, I see exactly the same, except, when I add my VLAN to home, and the ether into a bridge, the rules magically start working. I can surf and I see activity in the Squid logs. However at work, it's exactly what you are seeing, unless I point the browser at the proxy, in which case it starts working.

Tbh, I'm not at all sure what else is required. It seems others have managed to get this going (no one?)
 
Belyivulk
Member Candidate
Topic Author
Posts: 286
Joined: Mon Mar 06, 2006 10:53 pm
Location: Whangarei, New Zealand

Re: Setting up SQUID on 2.9.51

Sat May 31, 2008 2:02 am

I presume no one worked out how to make this situation work?
 
Zaymran Ansar
newbie
Posts: 28
Joined: Sat Dec 01, 2007 10:53 am

Re: Setting up SQUID on 2.9.51

Sat May 31, 2008 5:17 am

[quote="Belyivulk"]
I presume no one worked out how to make this situation work?
[/quote]

Sir,
I'm posting the simple settings of my network. Maybe it's not what you need, but if someone needs to provide internet to a LAN with Squid 2.6 transparent proxy enabled, my settings are:

Squid box/gateway (192.168.1.1/29) connected to the MT external network adapter, address=192.168.1.2/29
LAN connected to another adapter (10.0.0.1/21)
DHCP server (10.0.0.0/21)
Enable routing: dst=0.0.0.0 gateway=192.168.1.1
Then you just have to add src-nat with masquerading (ip/firewall/nat chain=srcnat action=masquerade)

That's all you need to use both Squid and MikroTik, with routing.
 
Belyivulk
Member Candidate
Topic Author
Posts: 286
Joined: Mon Mar 06, 2006 10:53 pm
Location: Whangarei, New Zealand

Re: Setting up SQUID on 2.9.51

Sun Jun 01, 2008 10:20 am

For further interest, I got it working.

By moving the Squid box off of our internal LAN as per Zaymran's example, and onto our external network, and using the earlier NAT rules, replacing the Squid box's internal IP address with the now external address, it works, and flawlessly.

Hope that helps someone!
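
An added example (not from any poster in this thread): a small Python model of the dstnat chain posted above, showing why the accept rule must sit above the redirect, and one explanation consistent with the fix reported here, namely that a proxy on the clients' own subnet answers them directly so the router never reverses the dst-nat. The /24 prefix, the client 10.10.10.50, the web server 203.0.113.10, the relocated proxy address 192.0.2.2, the use of src-address in place of in-interface, and all function names are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

LAN = ipaddress.ip_network("10.10.10.0/24")  # assumed prefix; the thread gives only host addresses
PROXY = "10.10.10.104"                       # Squid box address from the thread
CLIENT = "10.10.10.50"                       # constructed office client
SERVER = "203.0.113.10"                      # constructed web server (documentation range)

@dataclass
class Rule:
    action: str                              # "accept" or "dst-nat"
    src: str                                 # src-address match (stands in for in-interface)
    to: Optional[Tuple[str, int]] = None     # to-addresses / to-ports for dst-nat

def dstnat(rules, src, dst, port=80):
    """Return the (address, port) a new TCP connection is sent to; first match wins."""
    for r in rules:
        if port == 80 and ipaddress.ip_address(src) in ipaddress.ip_network(r.src):
            return r.to if r.action == "dst-nat" else (dst, port)
    return (dst, port)

def outcome(rules, src, dst=SERVER, lan=LAN):
    """Classify what happens to a port-80 connection opened by src."""
    to_addr, to_port = dstnat(rules, src, dst)
    if (to_addr, to_port) == (dst, 80):
        return "direct"
    if to_addr == src:
        return "loop"  # the proxy's own fetch is redirected back to itself
    # The proxy replies to the packet's source address. When proxy and client
    # share a subnet the reply is delivered on-link and skips the router, so its
    # source stays proxy:3128 instead of being rewritten to server:80, and the
    # client rejects a reply for a connection it never opened.
    on_link = ipaddress.ip_address(to_addr) in lan and ipaddress.ip_address(src) in lan
    return "reply-bypasses-router" if on_link else "proxied"

REDIRECT = Rule("dst-nat", str(LAN), (PROXY, 3128))
ACCEPT_PROXY = Rule("accept", PROXY + "/32")
THREAD_RULES = [ACCEPT_PROXY, REDIRECT]      # order from the print output posted above

def report():
    ext_proxy = "192.0.2.2"                  # constructed address for the relocated Squid box
    moved = [Rule("accept", ext_proxy + "/32"),
             Rule("dst-nat", str(LAN), (ext_proxy, 3128))]
    return {
        "proxy fetch, no accept rule": outcome([REDIRECT], PROXY),
        "proxy fetch, accept rule first": outcome(THREAD_RULES, PROXY),
        "proxy fetch, accept rule last": outcome([REDIRECT, ACCEPT_PROXY], PROXY),
        "office client, proxy on LAN": outcome(THREAD_RULES, CLIENT),
        "office client, proxy moved off LAN": outcome(moved, CLIENT),
    }

if __name__ == "__main__":
    for case, result in report().items():
        print(f"{case}: {result}")
```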
 
Belyivulk
Member Candidate
Topic Author
Posts: 286
Joined: Mon Mar 06, 2006 10:53 pm
Location: Whangarei, New Zealand

Re: Setting up SQUID on 2.9.51

Sun Jun 01, 2008 12:53 pm

Ok, so now the problem I'm having (I know, I know, I want my cake AND to eat it as well):

All outgoing HTTP requests are going through the Squid box, and so of course show the IP address of the Squid box, not the customer, for our QoS.

Is there any way to get around this?
 
hilton
Long time Member
Posts: 634
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: Setting up SQUID on 2.9.51

Mon Jun 02, 2008 10:06 am

I think you need to make use of the internal proxy for this. Even if it's not actually caching, you need to redirect requests via the proxy.

One thing I'm not sure about is where exactly is your squid box? If your setup is like this;

internet cloud ==> dsl modem ==> mikrotik ==> lan

then where are you placing the squid box?
 
Belyivulk
Member Candidate
Topic Author
Posts: 286
Joined: Mon Mar 06, 2006 10:53 pm
Location: Whangarei, New Zealand

Re: Setting up SQUID on 2.9.51

Mon Jun 02, 2008 11:48 am

At the moment it's

Client=> Internet Cloud => Squid Box => Edge Router => Internet

Maybe if I use the web proxy package on the MT router, and then use the Squid box as an external server, this will work?
 
hilton
Long time Member
Posts: 634
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: Setting up SQUID on 2.9.51

Mon Jun 02, 2008 11:59 am

[quote="Belyivulk"]
Maybe if i use web proxy package on MT router, and then use the Squid box as an external server, this will work?[/quote]

I'm not 100% sure but I seem to recall someone saying this before. I'll scratch for that post.

Edit - ok look here for Chupaka's post;

http://forum.mikrotik.com/viewtopic.php ... ilit=squid
 
Zaymran Ansar
newbie
Posts: 28
Joined: Sat Dec 01, 2007 10:53 am

Re: Setting up SQUID on 2.9.51

Mon Jun 02, 2008 2:10 pm

[quote="Belyivulk"]
At the moment its

Client=> Internet Cloud => Squid Box => Edge Router => Internet

Maybe if i use web proxy package on MT router, and then use the Squid box as an external server, this will work?
[/quote]

The physical setup should be like this:

Internet => squid proxy/gateway=> mikrotik => Lan(client)

Then you can manage your clients with all the MikroTik options by connecting to your MT box from the internet or the LAN.
 
hilton
Long time Member
Posts: 634
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: Setting up SQUID on 2.9.51

Tue Jun 03, 2008 11:50 am

Well blow my socks off. I upgraded to 3.10 and tried using the parent proxy setting in the internal web proxy and it works!

Didn't with 3.9.

Unfortunately I still can't get it to redirect properly to the squid box without using the internal proxy.

Stay tuned.
