Community discussions

 
YUJOBIKA
Member Candidate
Member Candidate
Topic Author
Posts: 122
Joined: Sat Sep 15, 2007 5:55 pm

(ASK) Mikrotik Bridge as Internal Proxy (Un-Solved Mystery)

Thu Apr 09, 2009 10:12 am

Hi all,

I need your help to solve my problem. My boss asked me to build proxy server very soon. I am using Mikrotik proxy and do not want to use Squid because I don't know any Linux script.

Please see my attached picture.
PROX.gif
My question is:

Is it possible for MIKROTIK AS BRIDGE + INTERNAL PROXY to cache all clients' HTTP request ?
And I want my "Mikrotik Router" do bandwidth shapping, while my "Mikrotik Bridge" ONLY do web caching.


Config in this device are:
/interface bridge add name=bridge1 protocol=none disabled=no
/interface bridge port add interface=ether-to-client bridge=bridge1 disabled=no
/interface bridge port add interface=ether-to-router bridge=bridge1 disabled=no

/interface bridge settings
set use-ip-firewall=yes
use-ip-firewall-for-pppoe=no
use-ip-firewall-for-vlan=no

/ip firewall nat
add action=redirect chain=dstnat comment=Proxy disabled=no dst-port=80 in-interface=bridge1 protocol=tcp to-ports=3128

/ip proxy
set always-from-cache=yes cache-administrator=webmaster cache-hit-dscp=20
cache-on-disk=yes enabled=yes max-cache-size=200000000KiB
max-client-connections=5000 max-fresh-time=3d max-server-connections=5000
parent-proxy=0.0.0.0 parent-proxy-port=0 port=3128
serialize-connections=yes src-address=0.0.0.0

/ip dns
set allow-remote-requests=no cache-max-ttl=1w cache-size=2048KiB
max-udp-packet-size=512 primary-dns=0.0.0.0 secondary-dns=0.0.0.0


HTTP down (cannot browsing) when I am using that topology and configs :(
If I disabled DST-NAT to 3128, HTTP is up and normal.
Please show me where is my mistake ?

Thanks in advanced.

Regards,
YUJOBIKA
You do not have the required permissions to view the files attached to this post.
Last edited by YUJOBIKA on Mon May 04, 2009 11:56 pm, edited 2 times in total.
 
YUJOBIKA
Member Candidate
Member Candidate
Topic Author
Posts: 122
Joined: Sat Sep 15, 2007 5:55 pm

Re: (ASK URGENT) Mikrotik Bridge as Internal Proxy

Thu Apr 09, 2009 5:25 pm

No one can help me ? :(
Please.....
 
YUJOBIKA
Member Candidate
Member Candidate
Topic Author
Posts: 122
Joined: Sat Sep 15, 2007 5:55 pm

Re: (ASK URGENT) Mikrotik Bridge as Internal Proxy

Fri Apr 10, 2009 8:15 am

36 users view this post, and no one can help me ?
I wonder...does Mikrotik support proxy in bridging ?
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8319
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: (ASK URGENT) Mikrotik Bridge as Internal Proxy

Fri Apr 10, 2009 3:04 pm

is your bridge allowed to access the Internet on your router?
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
YUJOBIKA
Member Candidate
Member Candidate
Topic Author
Posts: 122
Joined: Sat Sep 15, 2007 5:55 pm

Re: (ASK URGENT) Mikrotik Bridge as Internal Proxy

Sat Apr 11, 2009 11:06 am

Yes, from my bridge I can ping and traceroute to internet.
 
YUJOBIKA
Member Candidate
Member Candidate
Topic Author
Posts: 122
Joined: Sat Sep 15, 2007 5:55 pm

Re: (ASK URGENT) Mikrotik Bridge as Internal Proxy

Sun Apr 19, 2009 8:17 pm

I still need someone who can help me :(
Please...
 
pokeman
Member Candidate
Member Candidate
Posts: 136
Joined: Fri Jun 05, 2009 10:52 pm

Re: (ASK URGENT) Mikrotik Bridge as Internal Proxy

Tue Apr 21, 2009 12:01 pm

Intresting
i am not test in MT . i used Linux+squid instead of MT and its work for me. The problem was same as you facing in MT. Add the ip addresses and gateway on bridge interface. the ip range must be your client using. e.g 192.168.1.254/24 gw 192.168.1.1 .
 
YUJOBIKA
Member Candidate
Member Candidate
Topic Author
Posts: 122
Joined: Sat Sep 15, 2007 5:55 pm

Re: (ASK URGENT) Mikrotik Bridge as Internal Proxy

Tue Apr 21, 2009 9:46 pm

Intresting
i am not test in MT . i used Linux+squid instead of MT and its work for me. The problem was same as you facing in MT. Add the ip addresses and gateway on bridge interface. the ip range must be your client using. e.g 192.168.1.254/24 gw 192.168.1.1 .
Thanks for reply, pokeman :)

If I add the ip addresses and gateway on bridge interface (in Mikrotik Bridge), so all traffic shapping will be done in Mikrotik Bridge, right ? And I won't like this.

I want all traffic shapping done in Mikrotik Router. And Mikrotik Bridge only do caching.

Please advice.
 
User avatar
Aug
Member
Member
Posts: 313
Joined: Thu Jun 07, 2007 2:10 am

Re: (ASK URGENT) Mikrotik Bridge as Internal Proxy

Tue Apr 21, 2009 10:06 pm

In your dst-nat rule, try using "in-bridge-port" (ethernet facing router).

The bridge will only shape traffic traffic if you have it configured to.

If it were me, I might put my dst-nat rule on the router pointing to the proxy bridge.....well actually, I'd run proxy on the router....unless it doesn't have the horsepower and disk space.
Aug
 
YUJOBIKA
Member Candidate
Member Candidate
Topic Author
Posts: 122
Joined: Sat Sep 15, 2007 5:55 pm

Re: (ASK URGENT) Mikrotik Bridge as Internal Proxy

Wed Apr 22, 2009 8:56 pm

In your dst-nat rule, try using "in-bridge-port" (ethernet facing router).

The bridge will only shape traffic traffic if you have it configured to.

If it were me, I might put my dst-nat rule on the router pointing to the proxy bridge.....well actually, I'd run proxy on the router....unless it doesn't have the horsepower and disk space.
Hi Aug,

Thanks for your advice.
But if I put my dst-nat rule on the router pointing to the proxy bridge, all of my clients will using default route. Seems your advice could not work for multiple gateway.
 
User avatar
Aug
Member
Member
Posts: 313
Joined: Thu Jun 07, 2007 2:10 am

Re: (ASK URGENT) Mikrotik Bridge as Internal Proxy

Thu Apr 23, 2009 1:03 am

My bad..looked at the picture backwards. Thought it was clients--router--bridge--wan
Aug
 
spire2z
Long time Member
Long time Member
Posts: 517
Joined: Mon Feb 14, 2005 2:48 am

Re: (ASK URGENT) Mikrotik Bridge as Internal Proxy

Thu Apr 23, 2009 1:48 am

I think because your gateway is behind the bridge you will have difficulty doing it transparently except by redirecting it back using a firewall rule on the gateway router. That seems a bit inefficiant since it's sat before the router from the clients perspective. For it to be transparant you will need to run the proxy rule on the gateway redirecting port 80 to the port and IP of the proxy. It will work but slighty odd setup I think. Could you run web proxy on the router? Maybe beef up the hardware a bit.
 
YUJOBIKA
Member Candidate
Member Candidate
Topic Author
Posts: 122
Joined: Sat Sep 15, 2007 5:55 pm

Re: (ASK URGENT) Mikrotik Bridge as Internal Proxy

Thu Apr 23, 2009 9:20 am

I think because your gateway is behind the bridge you will have difficulty doing it transparently except by redirecting it back using a firewall rule on the gateway router. That seems a bit inefficiant since it's sat before the router from the clients perspective. For it to be transparant you will need to run the proxy rule on the gateway redirecting port 80 to the port and IP of the proxy. It will work but slighty odd setup I think. Could you run web proxy on the router? Maybe beef up the hardware a bit.
Hi spire2z,

Thanks for your reply.

I put my "mikrotik bridge + web proxy" before "mikrotik router" because my topology is multiple gateway. If I only use "mikrotik router + web proxy", without "mikrotik bridge" in the middle, seems impossible since mikrotik proxy does not support multiple gateway.

If I run the proxy rule on the gateway redirecting port 80 to the port and IP of the proxy....I tried too and all of my clients will always use WAN1 (my default gateway). So this way, also multiple gateway does not work. :(
 
YUJOBIKA
Member Candidate
Member Candidate
Topic Author
Posts: 122
Joined: Sat Sep 15, 2007 5:55 pm

Re: (ASK URGENT) Mikrotik Bridge as Internal Proxy

Mon Apr 27, 2009 10:06 pm

Hi,

Please help me :(
where is my mistake ? I still need to solve this problem.

Regards
 
YUJOBIKA
Member Candidate
Member Candidate
Topic Author
Posts: 122
Joined: Sat Sep 15, 2007 5:55 pm

Re: (ASK URGENT) Mikrotik Bridge as Internal Proxy

Mon May 04, 2009 10:15 pm

still waiting answer from all of you :(
 
User avatar
Aug
Member
Member
Posts: 313
Joined: Thu Jun 07, 2007 2:10 am

Re: (ASK URGENT) Mikrotik Bridge as Internal Proxy

Mon May 04, 2009 10:43 pm

Suggestion.
Replace the switch with an RB450 or similar.
From there you can redirect the packets to the proxy-bridge.
Aug
 
YUJOBIKA
Member Candidate
Member Candidate
Topic Author
Posts: 122
Joined: Sat Sep 15, 2007 5:55 pm

Re: (ASK URGENT) Mikrotik Bridge as Internal Proxy

Mon May 04, 2009 11:53 pm

Suggestion.
Replace the switch with an RB450 or similar.
From there you can redirect the packets to the proxy-bridge.
Thanks Aug,

But I could not replace switch with RB or PC with ROS because actually those are 2 X 48 port switch (un-manageable switch).

I believe, "Mikrotik as bridge" can cache HTTP, because Mikrotik's document said so. But I don't know how to configure it :(
 
User avatar
Muhammad
Member Candidate
Member Candidate
Posts: 141
Joined: Wed Aug 20, 2008 9:15 pm
Location: Pakistan

Re: (ASK) Mikrotik Bridge as Internal Proxy (Un-Solved Mystery)

Tue May 05, 2009 1:56 am

Hi,
Brother my english is not good but i can give you a idia, i think is working 100%
first: don't use bridge-router as a bridge mod, you need to use brige-router as a gatway but with live IP concept (IP Passthrough) and through all clint to man router with original ip but not just port 80
like that http://wiki.mikrotik.com/wiki/Live-IP-C ... riginal_ID
&
just chang, bypass all ip traffic but not port 80
1.jpg
2.jpg
!Dst Port 80 Protocol tcp
You do not have the required permissions to view the files attached to this post.
any thoughts ???
think about Karma
 
YUJOBIKA
Member Candidate
Member Candidate
Topic Author
Posts: 122
Joined: Sat Sep 15, 2007 5:55 pm

Re: (ASK) Mikrotik Bridge as Internal Proxy (Un-Solved Mystery)

Wed May 06, 2009 6:42 am

Thanks Muhammad :)
I will try your idea and will let you know the result.
 
YUJOBIKA
Member Candidate
Member Candidate
Topic Author
Posts: 122
Joined: Sat Sep 15, 2007 5:55 pm

Re: (ASK) Mikrotik Bridge as Internal Proxy (Un-Solved Mystery)

Wed May 06, 2009 9:22 pm

Hi Muhammad,

I have tried your idea, I already "mark route" the traffic, but the traffic always go through "default gateway" of my bridge. :( So my router could not shapping my client's IP, because the router see my Proxy's IP :(

Please help me.

Thanks in advance.
 
User avatar
Muhammad
Member Candidate
Member Candidate
Posts: 141
Joined: Wed Aug 20, 2008 9:15 pm
Location: Pakistan

Re: (ASK) Mikrotik Bridge as Internal Proxy (Un-Solved Mystery)

Thu May 07, 2009 12:33 am

Hi Muhammad,

I have tried your idea, I already "mark route" the traffic, but the traffic always go through "default gateway" of my bridge. :( So my router could not shapping my client's IP, because the router see my Proxy's IP :(

Please help me.

Thanks in advance.
Hi,
ok explain you how can you do it!
First I lay your Network Again hare
Transparent Router.jpg
Now Your Router is a Transparent-Router/ Transparent Firewall
Next you need to do Web-Proxy Turned ON
Now you have 2 ways to do this
1st) you can change Mangle-Rules in Clint-Proxy-Router (Protocol TCP Dst-Port !80)
2nd) Do not change any thing in Mangle-Rules in Clint-Proxy-Router but add some rules in Gateway-Router Firewall NAT
Like:
/ip firewall nat add chain=dstnat dst-address=0.0.0.0 src-address=192.168.1.0/24 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.200.2 to-ports=80
/ip firewall nat add chain=dstnat dst-address=0.0.0.0 src-address=172.16.1.0/24 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.200.2 to-ports=80
/ip firewall nat add chain=dstnat dst-address=0.0.0.0 src-address=10.0.1.0/24 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.200.2 to-ports=80

just turned on web-proxy on port 80 at your clint-router
You do not have the required permissions to view the files attached to this post.
any thoughts ???
think about Karma
 
YUJOBIKA
Member Candidate
Member Candidate
Topic Author
Posts: 122
Joined: Sat Sep 15, 2007 5:55 pm

Re: (ASK) Mikrotik Bridge as Internal Proxy (Un-Solved Mystery)

Thu May 07, 2009 1:40 pm

WOW !!! Thanks Muhammad :)

Great tutorial ! I will try again tonight.
100000x thanks Muhammad.
 
YUJOBIKA
Member Candidate
Member Candidate
Topic Author
Posts: 122
Joined: Sat Sep 15, 2007 5:55 pm

Re: (ASK) Mikrotik Bridge as Internal Proxy (Un-Solved Mystery)

Fri May 08, 2009 7:30 am

Dear Muhammad,

You said I have to choose only 1 way.

First way: you can change Mangle-Rules in Clint-Proxy-Router (Protocol TCP Dst-Port !80)
OR
Second way: Do not change any thing in Mangle-Rules in Clint-Proxy-Router but add some rules in Gateway-Router Firewall NAT

For First way, it does not work.
For Second way, IT WORK !!! :D

But I prefer First way, because Second way seems have looping traffic.

In the First way, my problem is HTTP could not redirect to proxy. How to redirect it ? Because you said I must not use NAT.

Thanks brother.
 
User avatar
janisk
MikroTik Support
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: (ASK) Mikrotik Bridge as Internal Proxy (Un-Solved Mystery)

Fri May 08, 2009 8:52 am

for 2nd way you have to set up correct NAT rule, so traffic is not looped, set, for example, src-address that can be directed to proxy using your NAT rule.
 
YUJOBIKA
Member Candidate
Member Candidate
Topic Author
Posts: 122
Joined: Sat Sep 15, 2007 5:55 pm

Re: (ASK) Mikrotik Bridge as Internal Proxy (Un-Solved Mystery)

Fri May 08, 2009 11:50 am

for 2nd way you have to set up correct NAT rule, so traffic is not looped, set, for example, src-address that can be directed to proxy using your NAT rule.
You mean set NAT in "Gateway Router" or in "Client Proxy Router" ?

Thanks
 
User avatar
janisk
MikroTik Support
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: (ASK) Mikrotik Bridge as Internal Proxy (Un-Solved Mystery)

Fri May 08, 2009 4:02 pm

client proxy

if you want transparently (without configuration on client PC) to forward requests to proxy you set up simple rule in firewall nat
/ip firewall nat add chain=dstnat in-interface=<your local lan> protocol=tcp dst-port=80 action=redirect to-ports=<your proxy port here>
and better use routing
 
amjad
just joined
Posts: 1
Joined: Fri Jan 08, 2016 11:37 am
Location: iraq
Contact:

Re: (ASK) Mikrotik Bridge as Internal Proxy (Un-Solved Mystery)

Wed Oct 05, 2016 2:55 pm

hi i tried do this in my network bu dont work .any one can help me?

Who is online

Users browsing this forum: MSN [Bot] and 116 guests