sophal
newbie
Topic Author
Posts: 34
Joined: Thu Aug 07, 2008 6:09 am
Location: Cambodia

web proxy debug???

Fri Feb 06, 2009 10:24 am

hi all,

I'm configuring as follows:
http://wiki.mikrotik.com/wiki/Queue_wit ... _Web-Proxy

MikroTik, I saw the debug below:
/log print

feb/05 09:57:09 web-proxy,debug
feb/05 09:57:09 web-proxy,account 10.150.5.5 GET http://insider.msg.yahoo.com/client_ad. ... 3809925703 action=allow cache=MISS
Regards
Lor Sophal
lor.sophal@gmail.com
 
normis
MikroTik Support
Posts: 24418
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: web proxy debug???

Fri Feb 06, 2009 10:26 am

do you have a question?
No answer to your question? How to write posts
 
sophal
newbie
Topic Author
Posts: 34
Joined: Thu Aug 07, 2008 6:09 am
Location: Cambodia

Re: web proxy debug???

Fri Feb 06, 2009 10:34 am

thanks normis,

I can't open the web site but I can ping.
What error?
Regards
Lor Sophal
lor.sophal@gmail.com
 
sophal
newbie
Topic Author
Posts: 34
Joined: Thu Aug 07, 2008 6:09 am
Location: Cambodia

Re: web proxy debug???

Fri Feb 06, 2009 10:42 am

I'm using MikroTik v3.20

My configuration:
/ip proxy
set always-from-cache=yes cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=yes enabled=yes max-cache-size=none max-client-connections=600 max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 parent-proxy-port=0 port=3128 serialize-connections=yes src-address=0.0.0.0

/ip firewall nat
add action=masquerade chain=srcnat comment="Mikrotik2 to Mikrotik1" disabled=no src-address=10.150.5.5
add action=masquerade chain=srcnat comment="" disabled=no src-address=10.150.15.1
add action=redirect chain=dstnat comment="" disabled=no dst-port=80 protocol=tcp to-ports=3128

/ip firewall mangle
add action=change-mss chain=forward comment="This rule is needed to surf some sites which require lower MTU - Microsoft!!!" disabled=no new-mss=1440 protocol=tcp tcp-flags=syn
add action=mark-packet chain=prerouting comment="" disabled=no new-packet-mark=test-up passthrough=no
add action=mark-connection chain=forward comment="" disabled=no new-connection-mark=test-conn passthrough=yes
add action=mark-packet chain=output comment="" disabled=no new-packet-mark=test-down passthrough=no
Regards
Lor Sophal
lor.sophal@gmail.com
 
chapex
Member Candidate
Posts: 137
Joined: Wed May 30, 2007 1:23 am

Re: web proxy debug???

Fri Feb 06, 2009 6:08 pm

Did you try to disable the web proxy and surf the same webpage again?

regards
Ubnet datacenter: bandwith transport
 
sophal
newbie
Topic Author
Posts: 34
Joined: Thu Aug 07, 2008 6:09 am
Location: Cambodia

Re: web proxy debug???

Sat Feb 07, 2009 8:57 am

thanks chapex,

When I disable the web proxy, I can open the webpage.
Regards
Lor Sophal
lor.sophal@gmail.com
 
mudasir
Member Candidate
Posts: 278
Joined: Tue Apr 29, 2008 3:38 am
Location: Karachi, Pakistan

Re: web proxy debug???

Sun Feb 08, 2009 1:16 pm

Hi,

Let me add something to it.

Since I upgraded to 3.20 I am unable to use the Web-Proxy feature. There is some sort of bug in it, that's for sure.
Everything was working fine till 3.17, then suddenly 3.18 started the problem, then came 3.19 with almost the same problem, then 3.20 where the problem is at its peak.

Please check the proxy feature in 3.20, because it's not working for me since the time I upgraded.
Regards
Mudasir Mirza
http://www.diglinux.com
 
msundman
Frequent Visitor
Posts: 76
Joined: Thu Jan 15, 2009 2:44 pm
Location: Stockholm, Sweden

Re: web proxy debug???

Mon Feb 09, 2009 1:56 pm

So what happens?

"It's not working" is not much of a problem description.

Do you get any entries in the log?
Is it completely "dead" or does it work sometimes?
If you sniff the outside interface, can you see the proxy trying to connect to the destination HTTP server?

Are you both running in transparent mode? If you configure your browser to use the proxy as a normal HTTP proxy, does it work then?

I'm very curious as I'm just about to put a MikroTik proxy into production running 3.20 or the upcoming 3.21 version that has a fix for HTTPS through a parent proxy. So of course I want to make sure it's completely stable. All my tests with 3.20 have worked flawlessly at least. But I've only been able to test it using a parent-proxy and as a normal non-transparent proxy though.

/Mathias
 
mudasir
Member Candidate
Posts: 278
Joined: Tue Apr 29, 2008 3:38 am
Location: Karachi, Pakistan

Re: web proxy debug???

Tue Feb 10, 2009 10:51 pm

Hi,

Dear, I have been using this feature for some time now, but this is the first time I am facing issues.

I have sent a support file to support; let's see what they tell me.
Regards
Mudasir Mirza
http://www.diglinux.com
 
msundman
Frequent Visitor
Posts: 76
Joined: Thu Jan 15, 2009 2:44 pm
Location: Stockholm, Sweden

Re: web proxy debug???

Wed Feb 11, 2009 9:28 am

mudasir wrote:
> Hi,
> Dear i have been using this feature for sometime now, but this is the first time i am facing issues.

Dear? So you think that statement answers any of my questions above? How do you expect anyone to be able to help finding the problem if you can't provide any details and answer the questions we have?

I didn't ask all those questions to try telling you you have done anything wrong if that's what you thought, I asked them because knowing the answers would help pinpointing the problem and make it easier to reproduce the problem.

I've tried to reproduce the problem but cannot. I've tried 3.13, 3.17, 3.18, 3.20, 3.21(beta) and they all work perfectly for me. They work both in transparent mode (redirecting 80 -> 8080) for HTTP, in normal proxy mode and with and without a parent proxy. I haven't been able to test fully without a parent proxy though as the network I'm testing on does not allow direct outbound connects, but I can see correct requests are sent out my external interface.

While testing I found a bug though that causes the web-proxy to use the wrong src-address when processing requests that come from a client on the internal interface and the dest server is on the external interface. It then incorrectly picks the internal IP address as src-address when sending out the request to the dest server. So you might wanna test explicitly setting src-address to the IP address you want it to use.

This problem seemed to exist also in 3.13 and 3.17 as well as the newer ones so it shouldn't be your problem, unless something else changed at the same time causing you to get punished by this bug just at this time.
 
mknnoc
Trainer
Posts: 227
Joined: Thu Feb 28, 2008 6:40 am
Location: cambodia

Re: web proxy debug???

Wed Feb 11, 2009 12:34 pm

Try to put dstnat before srcnat. Just put dstnat in the first row.
 
msundman
Frequent Visitor
Posts: 76
Joined: Thu Jan 15, 2009 2:44 pm
Location: Stockholm, Sweden

Re: web proxy debug???

Wed Feb 11, 2009 2:55 pm

mknnoc wrote:
> Try to put dstnat before srcnat. Just put dstnat in the first row.

Hmm, does that really matter?

Isn't RouterOS using normal iptables/netfilter from the Linux kernel to do packet filtering and NATing? If so, it shouldn't matter as srcnat and dstnat rules go into two different iptables chains, so I can't see why it should make any difference if you add a src- or dst- nat rule before the other or the reverse.

But it never hurts trying though - I could be wrong :)
 
mudasir
Member Candidate
Posts: 278
Joined: Tue Apr 29, 2008 3:38 am
Location: Karachi, Pakistan

Re: web proxy debug???

Thu Feb 12, 2009 12:29 am

Hi,

Firewall rules are read from top to bottom, same as in Linux; it does not matter which chain a rule belongs to.
If the rule at the top matches the query it will not go on to check any other rule. So it's very important to make your DST-NAT rule above all.
Regards
Mudasir Mirza
http://www.diglinux.com
 
msundman
Frequent Visitor
Posts: 76
Joined: Thu Jan 15, 2009 2:44 pm
Location: Stockholm, Sweden

Re: web proxy debug???

Thu Feb 12, 2009 2:06 am

mudasir wrote:
> Hi,
>
> Firewall rules are read from top to bottom, same in linux, it does not matter to which chain it belongs.
> If the rule at top matches the query it will not go to any other rule to check. So its very important to make your DST-NAT Rule above all.

Wrong! (On Linux with iptables at least)

Each chain is traversed independently from top to bottom. DNAT is done in the prerouting chain, which is processed before any routing decision is made, while SNAT is done in the postrouting chain. So the order you add rules in is only significant for a specific chain. Whether you add the SNAT rules first and then the DNAT rules, or you first add all DNAT rules and then the SNAT rules, really shouldn't matter.

The DNAT rules will always be processed first anyway as they are processed by the prerouting chain.

Ref: http://www.faqs.org/docs/iptables/trave ... ables.html
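
The traversal order described in the post above, as an added example that is not part of the original thread and is not RouterOS or netfilter code: a simplified model that walks the NAT rules from the posted configuration in the Linux netfilter order (dstnat, routing decision, srcnat). The router, WAN and server addresses are constructed sample values, the `dst-nat` branch is included only so within-chain ordering can be exercised, and mangle rules and connection tracking are left out.

```python
# Simplified model of Linux netfilter NAT traversal (added example).
# ROUTER_IP, WAN_IP and the server address below are constructed samples.
ROUTER_IP, WAN_IP = "192.0.2.1", "203.0.113.2"

# NAT rules from the posted configuration, in the order they were entered.
SRCNAT_FIRST = [
    {"chain": "srcnat", "match": {"src": "10.150.5.5"}, "action": "masquerade"},
    {"chain": "srcnat", "match": {"src": "10.150.15.1"}, "action": "masquerade"},
    {"chain": "dstnat", "match": {"proto": "tcp", "dport": 80},
     "action": "redirect", "to_port": 3128},
]
# The suggested reordering: the dstnat rule moved to the first row.
DSTNAT_FIRST = [SRCNAT_FIRST[2], SRCNAT_FIRST[0], SRCNAT_FIRST[1]]


def first_match(rules, chain, pkt):
    """Walk only the named chain's rules, top to bottom; first match wins."""
    for rule in rules:
        if rule["chain"] == chain and all(
            pkt.get(key) == value for key, value in rule["match"].items()
        ):
            return rule
    return None


def traverse(pkt, rules):
    """Return (path, packet) after dstnat -> routing decision -> srcnat."""
    pkt = dict(pkt)
    hit = first_match(rules, "dstnat", pkt)        # prerouting hook
    if hit and hit["action"] == "redirect":
        pkt["dst"], pkt["dport"] = ROUTER_IP, hit["to_port"]
    elif hit and hit["action"] == "dst-nat":
        pkt["dst"], pkt["dport"] = hit["to_addr"], hit["to_port"]
    if pkt["dst"] == ROUTER_IP:                    # routing decision
        return "input", pkt                        # local proxy, srcnat not reached
    hit = first_match(rules, "srcnat", pkt)        # postrouting hook
    if hit and hit["action"] == "masquerade":
        pkt["src"] = WAN_IP
    return "forward", pkt


HTTP = {"src": "10.150.5.5", "dst": "198.51.100.7", "proto": "tcp", "dport": 80}
PING = {"src": "10.150.5.5", "dst": "198.51.100.7", "proto": "icmp"}

if __name__ == "__main__":
    for name, pkt in (("http", HTTP), ("ping", PING)):
        print(name, traverse(pkt, SRCNAT_FIRST), traverse(pkt, DSTNAT_FIRST))
```

In this model both rule orderings give identical results: the port-80 packet is redirected to the local proxy on 3128 and never reaches srcnat, while the ICMP packet is forwarded and masqueraded. Swapping two rules inside the same chain does change the outcome.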
 
mknnoc
Trainer
Posts: 227
Joined: Thu Feb 28, 2008 6:40 am
Location: cambodia

Re: web proxy debug???

Thu Feb 12, 2009 3:39 am

Why don't you test it out and report the result?
 
proggams2
Member Candidate
Posts: 140
Joined: Wed Mar 14, 2007 10:15 pm

Re: web proxy debug???

Thu Feb 12, 2009 1:20 pm

The problem also happens to me.
When I restart my MikroTik and connect to the internet, no page loads. There is ping.
But when I go to Winbox, go to IP Proxy, go to settings and just press OK, then browsing and the internet simply work.
We need to fix this issue.

Can we downgrade a single package, such as downgrading the HTTP proxy to 3.17? What's the name of the package?
 
mudasir
Member Candidate
Posts: 278
Joined: Tue Apr 29, 2008 3:38 am
Location: Karachi, Pakistan

Re: web proxy debug???

Fri Feb 13, 2009 12:44 am

Hi,

msundman is right, I just messed it up. MikroTik is making my Linux skills weak. By the way, he is right: in Linux, iptables works on chains

1. PREROUTING
2. INPUT
3. FORWARD
4. OUTPUT
5. POSTROUTING

Rules are read in chains following the order of the chains above.

However it is not the same in MikroTik: rules are read from top to bottom, and I have personally experienced it.
Regards
Mudasir Mirza
http://www.diglinux.com
 
msundman
Frequent Visitor
Posts: 76
Joined: Thu Jan 15, 2009 2:44 pm
Location: Stockholm, Sweden

Re: web proxy debug???

Mon Feb 16, 2009 2:19 pm

As this got very off-topic, I started a new thread about how NAT chains are traversed on ROS:

http://forum.mikrotik.com/viewtopic.php?f=2&t=29723
