Hi

I've setup a squid based proxy and MikroTik router with the following configuration

Squid proxy ip: 10.10.10.1
Wan MikroTik ip: 80.x.x.x
Lan MikroTik ip: 192.168.1.1

I want to make transparent proxy (so the clients doesn't need to put anything on the browser config to use the proxy). I've used the following NAT:

/ip firewall nat
chain=dstnat protocol=tcp dst-port=80 action=dst-nat to-addresses=10.10.10.1 to-ports=8080

With this configuration i get an error message from squid proxy stating "INVALID REQUEST"

What am i doing wrong?? Any ideas?

I think you will have to configure your squid accordingly too

I thought that is was sufficient to redirect the packets. It seems not. Does anyone have a clue..?
The setup is like the following
[img=http://img166.imageshack.us/img166/7009/sqjp6.th.jpg]

you need to configure squid to work in transparent-proxy mode

or you can us parent proxy feature that is available under /ip proxy and do no caching on router.

Yes janisk... i did that but then MikroTik didn't recognize DSCP from squid
What DSCP should i use?

I did patch Linux kernel, I pached squid with needed patch.
I set Squid to work as transparet proxy, I tasted squid putting proxy IP and port in Internet Explorer and it worked perfectly with squid connected in switch with my clients, but after I connected in the second interface of Mikrotik it does not work, I need help for this problem, how to config rules in Mikrotik, do I need to add any queue for squid IP address, any redirect http rule or mangle rule?
If any can help me thanks very much I am waiting a long time for this to work but could not make it work?

I'm running this for a Chistian school here in town

I run the squid/dansgaurdian on the same physical port as the schools lan- but a different network

I set up the webproxy on the MT box:
port:8080
parent proxy: 10.1.2.2 (ip of squid box)
Parent Proxy Port: 8080 (that is for dansguardian you might use 3128 for squid)

In the firewall I setup to redirect port 80 to port 8080
/ip firewall nat chain=dstnat action=redirect to-ports=8080 src-address=10.1.1.0/24 dst-port=80 protocol=tcp
masquerade both the squid /30 net and the schools /24 as normal.

Rick

this may be work for you

http://wiki.mikrotik.com/wiki/External_ ... ct_ROS_2.9

I tried this but it does not work for me I tried to redirect http traffic to squid IP but again not working,

try out this with policy routing setup you linux external server with transparent proxy with NAT and mark 80 traffic and redirect to the linux gateway
/ip firewall mangle add chain=prerouting protocol=tcp dst-port=80 action=mark-routing new-routing-mark=HTTP
passthrough=yes comment="" disabled=no


/ip route add gateway=x.x.x.x/x routing-mark=HTTP comment="HTTP Traffic" disabled=no
replace x.x.x.x/x with your linux gateway ip

I tried this but does not worked.

send me your msn addresses latter on we will do a remote session

I tried this but does not worked.

Let me clear something.
My Mikrotik has 5 LAN Ports:
WAN, ether1....ether4
ether1-ether3 are Bridge, and I have configured Mikrotik as web proxy. But I want to use my Squid box, it is configured as needed but it does not work. Do I need to set any queue for squid IP, and squid box has only one Lan configured. I want to use it as transparent proxy. I dont have public IP. But maybe we can use teamviewer to get connected to my pc than to Mikrotik.

Any help?

Ok, first, what I see from your config is, Squid Proxy and the MT are connected to a switch, which in turn is connected to your uplink. What you should ensure first is:

1. You have a working squid. For this, try connecting a PC to the same "uplink switch", and use IP 10.10.10.2 or some other in the same subnet as your Squid. Now:
. a) Use your PC first without any manual Proxy Config. That ensures that your 10.10.10.0/24 block is routable to the internet. Make sure your Natting rules are working.
. b) Now, manually put a Proxy Config in your browser on that PC, and see if it works. If it does, check your squid config for the ACL and HTTP_ACCESS settings. This is an important step and should work before moving forward.

2. Now that we've got a working squid, next step would be to check MT and squid is able to talk to each other. For this:
. a) Assign 10.10.10.3 to your MT's WAN interface (same as the 80.x.x.x you put on the diagram). See if your MT is able to ping squid.
. b) Change Squid config to allow transparent proxying.
. c) Change Squid config for the appropriate ACLs and HTTP_ACCESS. A most likely problem could be to have allowed 192.168.1.0/24 subnet in Squid, but using SRCNAT as packets move out of MT. Then, your Squid will never see the 192.168.1.0/24 IP block.
. d) Then, use a simple dst-nat as follows:
/ip fir nat add action=dst-nat chain=dstnat comment="HTTP routed through Proxy01" disabled=no dst-port=80 protocol=tcp src-address=192.168.1.0/24 to-addresses=10.10.10.1 to-ports=3128

The 3128 port# on the 2d assumes you're using Squid's default port configuration.

The #1 section mentioned above is mentioned as it looks like there is no device doing Nat for your Squid box. That is why these steps are there to ensure you've got that working without problems.

Thanks very much for your answer.

My mikrotik has 3 interfaces:
WAN
LAN(ether1,ether2,ether3 are bridget)
SQUID

I am not using any switch, and squid box has only one LAN card.

What if Squid has only one interface how to make it work, do I need to create any queue in Mikrotik for squid IP address and any NAT or mangle rule to allow traffic through Mikrotik for squid box?

What IP to put in Squid box?
If I put any e.g. 10.0.0.100/24 will it work without PPPoE setup on squid box?

I have configured my squid box and tasted it, it is working I tried by putting IP and port on internet explorer and it works, in this case my pc and squid were connected by switch. I changed access list in squid to allow 192.168.0.0/24 and 192.168.1.0/24 and 10.0.0.0/24.
than I configured squid to work in transparent mode.

acl our_networks src 192.168.1.0/24 192.168.0.0/24 10.0.0.0/24
http_access allow our_networks

http_port 3128 transparent
always_direct allow all

I have put masquerade rule for 10.0.0.0/24 and 192.168.1.0/24 on Mikrotik but with PPPoE(10.0.0.0/24) I can access internet but from squid box not.

Do I need to make any queue for suid in order to set limit for it e.g. 512/512 for its IP or it will have unlimited speed? I tried to create a queue for squid IP 192.168.1.1/32.

But after I moved squid to my environment it does not worked. When I tried to ping 192.168.1.1 from my clients I can not, from Mikrotik I can ping 192.168.1.1. I have put routes on Mikrotik: routes add gatteway 192.168.1.1 int=squid .

I will try to see if it works based on your suggestions.

I have tried this configuration but does not worked? Any other suggestions>

Let us say you've got three interface, as you say you have, on the MT with the following IPs assigned to them:

1_ether1 => a.b.c.d (Real IP)
2_ether2 => 192.168.100.1/24 (Private IP)
3_ether3 => 10.100.100.1/29 (Private IP for Squid)

Put 10.100.100.2/29 IP on squid box and connect to 3_ether3
Put 192.168.100.2/24 IP on your PC

Check if you can ping between Squid Box and PC.

Now put TWO masquerade rules:
1. for 192.168.100.0/24
2. for 10.100.100.0/29

Configure DNS Server on you MT and use same values for Default GW and DNS IP in both your PC and the Squid Box (/etc/resolv.conf)

Check if Internet is working for your PC
Check if Internet is working for Squid Box (ssh into the box, and do a simple traceroute)

Configure Squid Box with (consult squid docx for proper syntax):
acl locallan src 192.168.0.0/24
acl locallan src 10.100.100.0/29
http_access locallan allow

Put manual proxy on your PC and test if browsing is working.

Now, put the following dst-nat on your MT in
/ip firewall nat add chain=dstnat src-address=192.168.100.0/24 dst-address=!10.100.100.0/29 protocol=6 dst-port=80 action=dst-nat to-addresses=10.100.100.2 to-ports=3128

Remove manual proxy from your PC and test if browsing is working now.

These steps should work, AFAIK. Please let me know how it went.

First of all I check my Squid box for configuration and I added default route to squid and now I can ping from my pc to squid. I can ping from squid to Mikrotik, My network, and Internet.
I added this two subnets to squid configuration file:

acl our_networks src 10.0.0.0/24
acl our_networks src 10.100.100.0/29
http_access allow our_networks

http_port 3128 transparent
always_direct allow all

Without any redirect rule on Mikrotik it is working when I put IP and port of squid in internet explorer it works but if I remove it is not working.
After I tried to redirect HTTP traffic to my proxy but does not work.

I tried this one:
/ip fir nat add action=dst-nat chain=dstnat comment="HTTP routed through Proxy01" disabled=no dst-port=80 protocol=tcp src-address=192.168.1.0/24 to-addresses=10.10.10.1 to-ports=3128

Than this one:
/ip firewall nat add chain=dstnat src-address=192.168.100.0/24 dst-address=!10.100.100.0/29 protocol=6 dst-port=80 action=dst-nat to-addresses=10.100.100.2 to-ports=3128

But it does not work.

Give this info:

1. What is your Local LAN Network
2. What is your Squid IP
3. What are the IP in the 3 interfaces of Mikrotik.

My Mikrotik has 5 interfaces:
WAN = 192.168.0.2/24
LAN(bride: ether1,ether2,ether3) = 10.0.0.1/24
Squid(ether4)=10.100.100.1/29

From Mikrotik I can ping Squid

My Squid has one interface:
eth0=10.100.100.2/29

Configuration of squid.conf:
acl our_networks src 10.0.0.0/24
acl our_networks src 10.100.100.0/29
acl our_networks src 192.168.0.0/24
http_access allow our_networks

From Squid I can ping my network 10.0.0.0/24, Internet.
I did traceroute it worked.

Because I am using PPPoE I checked today that I had to put proxy for Dial-up, and when I put proxy I dont have internet, I get this error:
Internet Explorer cannot display the webpage
Most likely causes:
You are not connected to the Internet.
The website is encountering problems.
There might be a typing error in the address.

Also when I did redirect HTTP traffic to squid IP I dont have internet.

Any help?

This is working good for me:

Mikrotik config (Sample)
/ ip firewall address-list
add list=transp-proxy address=10.0.0.0/24 comment="Transparent proxy users" \
disabled=no
add list=squid-always-direct address= 69.17.117.207/32 comment="speedtest.net \
always direct!" disabled=no
/ ip firewall mangle
add chain=prerouting protocol=tcp dst-port=80 src-address-list=transp-proxy \
dst-address-list=!squid-always-direct action=mark-routing \
new-routing-mark=transparent-proxy passthrough=yes comment="mark \
port 80 for transparent proxy" disabled=no
/ ip route
add dst-address=0.0.0.0/0 gateway=10.100.100.2 check-gateway=ping distance=1 \
scope=255 target-scope=10 routing-mark=transparent-proxy comment="Route \
for redirecting to transparent proxy" disabled=no

Squid box (Don't forget)
`which iptables` -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

i would suggest to use dst-nat rule, that will redirect dirrectly to proxy port instead of doing it on proxy, because then you can add some simple info page on your squid box, or some fancy web interface for squid

What to do, if Squid box is crash? In my sample we are go directly automated It's more important for me and really Transparent.

Can any help me please what to do exactly on ubuntu is problem on ubuntu or on Mikrotik router that is not working?

I have this on Ubuntu server

root@10.100.100.2's password:
Last login: Fri Jan 23 19:51:48 2009 from 10.0.0.10
Linux proxy 2.6.26.3-custom-zph #1 SMP Wed Dec 10 11:20:09 CET 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
root@proxy:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


Do I need to add any other command here and if yes what to add exactly?

try out this:
iptables -t nat -nvL

I want to use Squid like Mikrotik webproxy. I tried with redirect rule but it does not works.
Than I tried by putting rules like you suggested and it worked but the speed is very slow.
I tried it but users does not have high speed even they use cache content.
I would like to use squid as web proxy in mikrotik (for cache content I want e.g. 1 Mbps speed for all of my users, for other content not in squid I want the speed that they have).

try out this with policy routing setup you linux external server with transparent proxy with NAT and mark 80 traffic and redirect to the linux gateway
/ip firewall mangle add chain=prerouting protocol=tcp dst-port=80 action=mark-routing new-routing-mark=HTTP
passthrough=yes comment="" disabled=no


/ip route add gateway=x.x.x.x/x routing-mark=HTTP comment="HTTP Traffic" disabled=no
replace x.x.x.x/x with your linux gateway ip

I've tried routing-mark solution, but it took some time to loading request.
The faster way to use/redirect to external proxy is = redirect to internal proxy and configure its parent proxy setting to the external proxy address.

I don't know why mikrotik cannot redirecting 80/http/web (dst-nat NAT rule) request to external proxy address. Maybe admin can explain to us this problem.

http://forum.mikrotik.com/viewtopic.php?f=13&t=45114

That thread contains a working solution for an external proxy via NAT and descriptions for making it work with the proxy on a dedicated networks as well as allusions to how to make it work on the LAN.

Does that help?