
How to redirect to external proxy

Posted: Tue Dec 09, 2008 2:26 pm
by GuJack20
Hi

I've set up a squid-based proxy and a MikroTik router with the following configuration

Squid proxy ip: 10.10.10.1
Wan MikroTik ip: 80.x.x.x
Lan MikroTik ip: 192.168.1.1

I want to make a transparent proxy (so the clients don't need to put anything in the browser config to use the proxy). I've used the following NAT:

/ip firewall nat
chain=dstnat protocol=tcp dst-port=80 action=dst-nat to-addresses=10.10.10.1 to-ports=8080

With this configuration I get an error message from the squid proxy stating "INVALID REQUEST".

What am I doing wrong? Any ideas?

Re: How to redirect to external proxy

Posted: Tue Dec 09, 2008 2:31 pm
by normis
I think you will have to configure your squid accordingly too

Re: How to redirect to external proxy

Posted: Wed Dec 10, 2008 12:07 am
by GuJack20
I thought that it was sufficient to redirect the packets. It seems not. Does anyone have a clue?
The setup is like the following
[img=http://img166.imageshack.us/img166/7009/sqjp6.th.jpg]

Re: How to redirect to external proxy

Posted: Wed Dec 10, 2008 2:14 am
by Chupaka
you need to configure squid to work in transparent-proxy mode

Re: How to redirect to external proxy

Posted: Wed Dec 10, 2008 12:19 pm
by janisk
or you can use the parent proxy feature that is available under /ip proxy and do no caching on the router.

Re: How to redirect to external proxy

Posted: Wed Dec 10, 2008 1:09 pm
by GuJack20
Yes janisk... I did that but then MikroTik didn't recognize DSCP from squid :(
What DSCP should i use?

Re: How to redirect to external proxy

Posted: Wed Dec 24, 2008 2:25 pm
by beny30
I did patch the Linux kernel, I patched squid with the needed patch.
I set Squid to work as a transparent proxy. I tested squid by putting the proxy IP and port in Internet Explorer and it worked perfectly with squid connected to a switch with my clients, but after I connected it to the second interface of the MikroTik it does not work. I need help for this problem: how to configure rules in MikroTik, do I need to add any queue for the squid IP address, any redirect http rule or mangle rule?
If anyone can help me, thanks very much. I have been waiting a long time for this to work but could not make it work.

Re: How to redirect to external proxy

Posted: Thu Dec 25, 2008 12:16 am
by sjwrick
I'm running this for a Christian school here in town

I run squid/dansguardian on the same physical port as the school's LAN, but on a different network

I set up the webproxy on the MT box:
port:8080
parent proxy: 10.1.2.2 (ip of squid box)
Parent Proxy Port: 8080 (that is for dansguardian you might use 3128 for squid)

In the firewall I setup to redirect port 80 to port 8080
/ip firewall nat chain=dstnat action=redirect to-ports=8080 src-address=10.1.1.0/24 dst-port=80 protocol=tcp
masquerade both the squid /30 net and the school's /24 as normal.

Rick

Re: How to redirect to external proxy

Posted: Thu Dec 25, 2008 9:41 am
by pokeman

Re: How to redirect to external proxy

Posted: Thu Dec 25, 2008 6:25 pm
by beny30
I tried this but it does not work for me :( I tried to redirect http traffic to the squid IP but again it is not working.

Re: How to redirect to external proxy

Posted: Thu Dec 25, 2008 7:42 pm
by pokeman
Try this with policy routing: set up your Linux external server as a transparent proxy with NAT, then mark port 80 traffic and redirect it to the Linux gateway.
/ip firewall mangle add chain=prerouting protocol=tcp dst-port=80 action=mark-routing new-routing-mark=HTTP passthrough=yes comment="" disabled=no


/ip route add gateway=x.x.x.x/x routing-mark=HTTP comment="HTTP Traffic" disabled=no
Replace x.x.x.x/x with your Linux gateway IP.

Re: How to redirect to external proxy

Posted: Thu Dec 25, 2008 8:32 pm
by beny30
I tried this but it did not work.

Re: How to redirect to external proxy

Posted: Fri Dec 26, 2008 11:13 am
by pokeman
Send me your MSN address; later on we will do a remote session.

I tried this but it did not work.

Re: How to redirect to external proxy

Posted: Fri Dec 26, 2008 6:28 pm
by beny30
Let me clarify something.
My MikroTik has 5 LAN ports:
WAN, ether1....ether4
ether1-ether3 are bridged, and I have configured the MikroTik as a web proxy. But I want to use my Squid box; it is configured as needed but it does not work. Do I need to set any queue for the squid IP? The squid box has only one LAN configured. I want to use it as a transparent proxy. I don't have a public IP. But maybe we can use TeamViewer to get connected to my PC and then to the MikroTik.

Re: How to redirect to external proxy

Posted: Wed Dec 31, 2008 7:45 pm
by beny30
Any help?

Re: How to redirect to external proxy

Posted: Thu Jan 01, 2009 10:55 pm
by cartes
Ok, first, what I see from your config is, Squid Proxy and the MT are connected to a switch, which in turn is connected to your uplink. What you should ensure first is:

1. You have a working squid. For this, try connecting a PC to the same "uplink switch", and use IP 10.10.10.2 or some other address in the same subnet as your Squid. Now:
a) Use your PC first without any manual proxy config. That ensures that your 10.10.10.0/24 block is routable to the internet. Make sure your NAT rules are working.
b) Now, manually put a proxy config in your browser on that PC, and see if it works. If it does, check your squid config for the ACL and HTTP_ACCESS settings. This is an important step and should work before moving forward.

2. Now that we've got a working squid, the next step would be to check that MT and squid are able to talk to each other. For this:
a) Assign 10.10.10.3 to your MT's WAN interface (the same one as the 80.x.x.x you put on the diagram). See if your MT is able to ping squid.
b) Change the Squid config to allow transparent proxying.
c) Change the Squid config for the appropriate ACLs and HTTP_ACCESS. The most likely problem could be to have allowed the 192.168.1.0/24 subnet in Squid, but using SRCNAT as packets move out of the MT. Then your Squid will never see the 192.168.1.0/24 IP block.
d) Then, use a simple dst-nat as follows:
/ip fir nat add action=dst-nat chain=dstnat comment="HTTP routed through Proxy01" disabled=no dst-port=80 protocol=tcp src-address=192.168.1.0/24 to-addresses=10.10.10.1 to-ports=3128

The 3128 port number in 2d assumes you're using Squid's default port configuration.

Section 1 above is mentioned because it looks like there is no device doing NAT for your Squid box. That is why these steps are there, to ensure you've got that working without problems.

Re: How to redirect to external proxy

Posted: Mon Jan 05, 2009 12:28 pm
by beny30
Thanks very much for your answer.

My mikrotik has 3 interfaces:
WAN
LAN (ether1, ether2, ether3 are bridged)
SQUID

I am not using any switch, and squid box has only one LAN card.

What if Squid has only one interface how to make it work, do I need to create any queue in Mikrotik for squid IP address and any NAT or mangle rule to allow traffic through Mikrotik for squid box?

What IP to put in Squid box?
If I put any e.g. 10.0.0.100/24 will it work without PPPoE setup on squid box?

I have configured my squid box and tested it, it is working. I tried by putting the IP and port in Internet Explorer and it works; in this case my PC and squid were connected by a switch. I changed the access list in squid to allow 192.168.0.0/24 and 192.168.1.0/24 and 10.0.0.0/24.
Then I configured squid to work in transparent mode.

acl our_networks src 192.168.1.0/24 192.168.0.0/24 10.0.0.0/24
http_access allow our_networks

http_port 3128 transparent
always_direct allow all

I have put masquerade rule for 10.0.0.0/24 and 192.168.1.0/24 on Mikrotik but with PPPoE(10.0.0.0/24) I can access internet but from squid box not.

Do I need to make any queue for squid in order to set a limit for it, e.g. 512/512 for its IP, or will it have unlimited speed? I tried to create a queue for the squid IP 192.168.1.1/32.

But after I moved squid to my environment it did not work. When I tried to ping 192.168.1.1 from my clients I could not; from the MikroTik I can ping 192.168.1.1. I have put routes on the MikroTik: routes add gateway 192.168.1.1 int=squid.

I will try to see if it works based on your suggestions.

Re: How to redirect to external proxy

Posted: Wed Jan 07, 2009 3:09 pm
by beny30
I have tried this configuration but it did not work. Any other suggestions?

Re: How to redirect to external proxy

Posted: Wed Jan 07, 2009 4:08 pm
by cartes
Let us say you've got three interfaces, as you say you have, on the MT with the following IPs assigned to them:

1_ether1 => a.b.c.d (Real IP)
2_ether2 => 192.168.100.1/24 (Private IP)
3_ether3 => 10.100.100.1/29 (Private IP for Squid)

Put 10.100.100.2/29 IP on squid box and connect to 3_ether3
Put 192.168.100.2/24 IP on your PC

Check if you can ping between Squid Box and PC.

Now put TWO masquerade rules:
1. for 192.168.100.0/24
2. for 10.100.100.0/29

Configure the DNS server on your MT and use the same values for default GW and DNS IP in both your PC and the Squid box (/etc/resolv.conf)

Check if Internet is working for your PC
Check if Internet is working for Squid Box (ssh into the box, and do a simple traceroute)

Configure the Squid box with (consult the squid docs for proper syntax):
acl locallan src 192.168.100.0/24
acl locallan src 10.100.100.0/29
http_access allow locallan

Put manual proxy on your PC and test if browsing is working.

Now, put the following dst-nat on your MT in
/ip firewall nat add chain=dstnat src-address=192.168.100.0/24 dst-address=!10.100.100.0/29 protocol=6 dst-port=80 action=dst-nat to-addresses=10.100.100.2 to-ports=3128

Remove manual proxy from your PC and test if browsing is working now.

These steps should work, AFAIK. Please let me know how it went.

Re: How to redirect to external proxy

Posted: Sun Jan 11, 2009 12:36 am
by beny30
First of all I check my Squid box for configuration and I added default route to squid and now I can ping from my pc to squid. I can ping from squid to Mikrotik, My network, and Internet.
I added these two subnets to the squid configuration file:

acl our_networks src 10.0.0.0/24
acl our_networks src 10.100.100.0/29
http_access allow our_networks

http_port 3128 transparent
always_direct allow all

Without any redirect rule on the MikroTik it is working when I put the IP and port of squid in Internet Explorer, but if I remove it, it is not working.
After that I tried to redirect HTTP traffic to my proxy but it does not work.

I tried this one:
/ip fir nat add action=dst-nat chain=dstnat comment="HTTP routed through Proxy01" disabled=no dst-port=80 protocol=tcp src-address=192.168.1.0/24 to-addresses=10.10.10.1 to-ports=3128

Then this one:
/ip firewall nat add chain=dstnat src-address=192.168.100.0/24 dst-address=!10.100.100.0/29 protocol=6 dst-port=80 action=dst-nat to-addresses=10.100.100.2 to-ports=3128

But it does not work.

Re: How to redirect to external proxy

Posted: Sun Jan 11, 2009 5:11 am
by cartes
Give this info:

1. What is your Local LAN Network
2. What is your Squid IP
3. What are the IP in the 3 interfaces of Mikrotik.

Re: How to redirect to external proxy

Posted: Sun Jan 11, 2009 11:45 am
by beny30
My Mikrotik has 5 interfaces:
WAN = 192.168.0.2/24
LAN (bridge: ether1, ether2, ether3) = 10.0.0.1/24
Squid(ether4)=10.100.100.1/29

From Mikrotik I can ping Squid

My Squid has one interface:
eth0=10.100.100.2/29

Configuration of squid.conf:
acl our_networks src 10.0.0.0/24
acl our_networks src 10.100.100.0/29
acl our_networks src 192.168.0.0/24
http_access allow our_networks

From Squid I can ping my network 10.0.0.0/24 and the Internet.
I did a traceroute and it worked.

Because I am using PPPoE I found today that I had to put the proxy for the dial-up connection, and when I put the proxy I don't have internet. I get this error:
Internet Explorer cannot display the webpage
Most likely causes:
You are not connected to the Internet.
The website is encountering problems.
There might be a typing error in the address.

Also when I redirect HTTP traffic to the squid IP I don't have internet.
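A small consistency checker, added here and not taken from any post in the thread, that applies cartes's checklist to the configuration posted above: it parses a RouterOS dst-nat rule and the squid.conf ACLs and reports where they disagree (the rule's src-address against the real client LAN, the networks reachable through http_access allow, to-ports against the transparent http_port, and the dst-address exclusion of the proxy network). The LAN, proxy address and rule are constructed from the values in the posts; the function names are this example's own.

```python
import ipaddress
import re

# Constructed inputs; the addresses are the ones the posts above state.
LAN = "10.0.0.0/24"          # client LAN behind the bridged ether1-3
PROXY_IP = "10.100.100.2"    # Squid box on ether4, 10.100.100.0/29
SQUID_CONF = """\
acl our_networks src 10.0.0.0/24
acl our_networks src 10.100.100.0/29
acl our_networks src 192.168.0.0/24
http_access allow our_networks
http_port 3128 transparent
"""
RULE = ("/ip firewall nat add chain=dstnat src-address=192.168.100.0/24 "
        "dst-address=!10.100.100.0/29 protocol=6 dst-port=80 "
        "action=dst-nat to-addresses=10.100.100.2 to-ports=3128")

def parse_rule(rule):
    """key=value parameters of a RouterOS 'add' line ('!' negation kept)."""
    return dict(re.findall(r"(\S+?)=(\S+)", rule))

def parse_squid(conf):
    """Networks allowed by 'http_access allow' and the transparent http_port."""
    acls, allowed, port = {}, [], None
    for parts in (line.split() for line in conf.splitlines()):
        if parts[:1] == ["acl"] and parts[2:3] == ["src"]:
            acls.setdefault(parts[1], []).extend(parts[3:])
        elif parts[:2] == ["http_access", "allow"]:
            for name in parts[2:]:
                allowed += acls.get(name, [])
        elif parts[:1] == ["http_port"] and "transparent" in parts:
            port = parts[1]
    return [ipaddress.ip_network(n) for n in allowed], port

def check(rule, conf, lan, proxy_ip):
    """List the mismatches between the dst-nat rule, the LAN and squid.conf."""
    r, (allowed, port) = parse_rule(rule), parse_squid(conf)
    lan_net, problems = ipaddress.ip_network(lan), []
    src = ipaddress.ip_network(r.get("src-address", "0.0.0.0/0"))
    if not lan_net.subnet_of(src):          # rule never fires for real clients
        problems.append(f"src-address {src} does not match LAN clients in {lan}")
    if not any(lan_net.subnet_of(a) for a in allowed):   # Squid would deny them
        problems.append(f"squid http_access does not allow {lan}")
    if r.get("to-ports") != port:           # must hit the 'transparent' listener
        problems.append(f"to-ports {r.get('to-ports')} != transparent port {port}")
    excl = r.get("dst-address", "")         # keep direct-to-proxy traffic intact
    if not (excl.startswith("!") and
            ipaddress.ip_address(proxy_ip) in ipaddress.ip_network(excl[1:])):
        problems.append("dst-address does not exclude the proxy network")
    return problems
```

Run against the posted values, `check(RULE, SQUID_CONF, LAN, PROXY_IP)` reports only that the rule's src-address 192.168.100.0/24 never matches clients in 10.0.0.0/24; the same call with the corrected src-address returns an empty list.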

Re: How to redirect to external proxy

Posted: Thu Jan 22, 2009 4:41 pm
by beny30
Any help?

Re: How to redirect to external proxy

Posted: Fri Jan 23, 2009 12:41 pm
by ken2005
This is working well for me:

Mikrotik config (Sample)
/ ip firewall address-list
add list=transp-proxy address=10.0.0.0/24 comment="Transparent proxy users" \
disabled=no
add list=squid-always-direct address=69.17.117.207/32 comment="speedtest.net \
always direct!" disabled=no
/ ip firewall mangle
add chain=prerouting protocol=tcp dst-port=80 src-address-list=transp-proxy \
dst-address-list=!squid-always-direct action=mark-routing \
new-routing-mark=transparent-proxy passthrough=yes comment="mark \
port 80 for transparent proxy" disabled=no
/ ip route
add dst-address=0.0.0.0/0 gateway=10.100.100.2 check-gateway=ping distance=1 \
scope=255 target-scope=10 routing-mark=transparent-proxy comment="Route \
for redirecting to transparent proxy" disabled=no

Squid box (Don't forget)
`which iptables` -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

Re: How to redirect to external proxy

Posted: Fri Jan 23, 2009 3:04 pm
by janisk
I would suggest using a dst-nat rule that redirects directly to the proxy port instead of doing it on the proxy, because then you can add some simple info page on your squid box, or some fancy web interface for squid :)

Re: How to redirect to external proxy

Posted: Fri Jan 23, 2009 3:18 pm
by ken2005
What to do if the Squid box crashes? In my sample we go direct automatically ;) It's more important for me and really transparent.

Re: How to redirect to external proxy

Posted: Fri Jan 23, 2009 9:01 pm
by beny30
Can anyone help me please, what to do exactly on Ubuntu? Is the problem on Ubuntu or on the MikroTik router that it is not working?

I have this on Ubuntu server

root@10.100.100.2's password:
Last login: Fri Jan 23 19:51:48 2009 from 10.0.0.10
Linux proxy 2.6.26.3-custom-zph #1 SMP Wed Dec 10 11:20:09 CET 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
root@proxy:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


Do I need to add any other command here and if yes what to add exactly?

Re: How to redirect to external proxy

Posted: Sat Jan 24, 2009 9:41 am
by ken2005
try out this:
iptables -t nat -nvL

Re: How to redirect to external proxy

Posted: Sun Jan 25, 2009 11:10 pm
by beny30
I want to use Squid like the MikroTik web proxy. I tried with a redirect rule but it does not work.
Then I tried by putting rules like you suggested and it worked, but the speed is very slow.
I tried it but users do not have high speed even when they use cached content.
I would like to use squid as the web proxy in MikroTik (for cached content I want e.g. 1 Mbps speed for all of my users, for other content not in squid I want the speed that they have).

Re: How to redirect to external proxy

Posted: Wed Sep 22, 2010 4:04 am
by yumarsana
Try this with policy routing: set up your Linux external server as a transparent proxy with NAT, then mark port 80 traffic and redirect it to the Linux gateway.
/ip firewall mangle add chain=prerouting protocol=tcp dst-port=80 action=mark-routing new-routing-mark=HTTP passthrough=yes comment="" disabled=no


/ip route add gateway=x.x.x.x/x routing-mark=HTTP comment="HTTP Traffic" disabled=no
Replace x.x.x.x/x with your Linux gateway IP.
I've tried the routing-mark solution, but it took some time to load requests.
The faster way to use/redirect to an external proxy is to redirect to the internal proxy and configure its parent proxy setting to the external proxy address.

I don't know why MikroTik cannot redirect 80/http/web requests (dst-nat NAT rule) to an external proxy address. Maybe an admin can explain this problem to us.

Re: How to redirect to external proxy

Posted: Wed Sep 22, 2010 4:19 am
by fewi
http://forum.mikrotik.com/viewtopic.php?f=13&t=45114

That thread contains a working solution for an external proxy via NAT and descriptions for making it work with the proxy on a dedicated network, as well as allusions to how to make it work on the LAN.

Does that help?