
 
reinerotto
Member
Topic Author
Posts: 437
Joined: Thu Dec 04, 2008 2:35 am

Hotspot+cache-proxy+parent-proxy on 3.30 ? HOWTO ?

Thu Oct 01, 2009 5:48 pm

Hi,

can somebody advise how to set up hotspot+cache-proxy+upstream-proxy in 3.30?
Somehow I got it to work on 3.23, but on 3.30 I have no idea, because hotspot+proxy-conf somehow changed.

It looks like web-proxy is running automatically when hotspot is enabled; however, I do not see any caching in the statistics.
 
reinerotto
Member
Topic Author
Posts: 437
Joined: Thu Dec 04, 2008 2:35 am

Re: Hotspot+cache-proxy+parent-proxy on 3.30 ? HOWTO ?

Fri Oct 02, 2009 11:02 pm

On top of that: No option to specify a transparent proxy.
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: Hotspot+cache-proxy+parent-proxy on 3.30 ? HOWTO ?

Sat Oct 03, 2009 12:02 am

Alrighty then. This is a setup for Hotspot+Transparent Proxy. I do not use the parent proxy feature. Also, this is for a transparent proxy setup for both a Hotspot and a non-Hotspot VLAN.

RB1000 running 3.30, two ethernet interfaces used - inside and outside. Inside is a trunk to a Cisco switch with Hotspot VLAN 902 on it, the native VLAN on the trunk is used for wired connections that do not go through a Hotspot:
[admin@MikroTik] > /interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
 #     NAME                                        TYPE             MTU   L2MTU
 0  R  outside                                     ether            1500  1600
 1  R  inside                                      ether            1500  1600
 2  X  ether3                                      ether            1500  1600
 3  X  ether4                                      ether            1500  1600
 4  R  Hotspot                                     vlan             1500  1596
 
[admin@MikroTik] > /interface vlan print
Flags: X - disabled, R - running, S - slave
 #    NAME                  MTU   ARP        VLAN-ID INTERFACE
 0 R  Hotspot               1500  enabled    902     inside
Standard scenario with publics on the outside interface, and private IPs on the inside:
[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   ;;; Admin IP
     1.1.1.1/24         1.1.1.0         1.1.1.254       outside
 1   ;;; NAT IP
     1.1.1.2/24         1.1.1.0         1.1.1.254       outside
 2   10.1.0.1/24        10.1.0.0        10.1.0.255      inside
 3   10.2.0.1/23        10.2.0.0        10.2.1.255      Hotspot

Standard DHCP setup for the Hotspot only, the network on the inside interface is static:
[admin@MikroTik] > /ip pool print
 # NAME                                         RANGES
 0 DHCP-Pool-Hotspot                            10.2.0.2-10.2.1.254
 
[admin@MikroTik] > /ip dhcp-server print detail
Flags: X - disabled, I - invalid
 0   name="DHCP-Hotspot" interface=Hotspot lease-time=3h
     address-pool=DHCP-Pool-Hotspot bootp-support=static authoritative=yes
	 
[admin@MikroTik] > /ip dhcp-server network print detail
 0 address=10.2.0.0/23 gateway=10.2.0.1 dns-server=10.1.0.1
   domain="example.com"
Standard DNS setup:
[admin@MikroTik] > /ip dns print
            primary-dns: 1.1.1.3
          secondary-dns: 1.1.1.4
  allow-remote-requests: yes
    max-udp-packet-size: 512
             cache-size: 2048KiB
          cache-max-ttl: 1w
             cache-used: 67KiB
Enable the web proxy:
[admin@MikroTik] > /ip proxy print
                 enabled: yes
             src-address: 0.0.0.0
                    port: 8080
            parent-proxy: 0.0.0.0
       parent-proxy-port: 0
     cache-administrator: "webmaster"
          max-cache-size: unlimited
           cache-on-disk: no
  max-client-connections: 600
  max-server-connections: 600
          max-fresh-time: 3d
   serialize-connections: no
       always-from-cache: no
          cache-hit-dscp: 4
             cache-drive: system
Make sure the clients are permitted to access the proxy through the firewall - rule number 4 permits traffic to port 8080 on the local host. Yes, it's only a very basic firewall:
[admin@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough

 1   ;;; allow established incoming traffic
     chain=input action=accept connection-state=established

 2   ;;; allow related incoming traffic
     chain=input action=accept connection-state=related

 3   ;;; allow service UDP ports from LAN
     chain=input action=accept protocol=udp src-address-list=""
     in-interface=!outside dst-port=53,67

 4   ;;; allow service TCP ports from LAN
     chain=input action=accept protocol=tcp in-interface=!outside
     dst-port=53,67,8080

 5   ;;; allow rate-limited ICMP
     chain=input action=accept protocol=icmp limit=50,50

 6   ;;; allow everything from admin networks
     chain=input action=accept src-address-list=Administrative_Networks

 7   ;;; drop everything else
     chain=input action=drop

 8   ;;; forward established traffic
     chain=forward action=accept connection-state=established

 9   ;;; forward related traffic
     chain=forward action=accept connection-state=related

10   ;;; drop worms TCP
     chain=forward action=drop protocol=tcp dst-port=135-139,445,1434,4444

11   ;;; drop worms UDP
     chain=forward action=drop protocol=udp dst-port=135-139,445,1434,4444

12   ;;; forward traffic from customer interfaces to wan
     chain=forward action=accept out-interface=outside

13   ;;; drop everything else
     chain=forward action=drop
The NAT rules - standard src-nat and the redirect to port 8080 for traffic destined to port 80:
[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough

 1   chain=srcnat action=src-nat to-addresses=1.1.1.2
     src-address-list=Local_NAT_Networks out-interface=outside

 2   chain=dstnat action=redirect to-ports=8080 protocol=tcp
     in-interface=Hotspot dst-port=80


Standard Hotspot setup:
[admin@MikroTik] > /ip hotspot profile print
Flags: * - default
 0 * name="default" hotspot-address=0.0.0.0 dns-name="" html-directory=hotspot
     rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 login-by=https
     ssl-certificate=none split-user-domain=no use-radius=no

 1   name="Hotspot" hotspot-address=0.0.0.0 dns-name="hotspot.example.com"
     html-directory=MyHotspot rate-limit="" http-proxy=0.0.0.0:0
     smtp-server=0.0.0.0 login-by=https,http-pap ssl-certificate=wildcard
     split-user-domain=no use-radius=yes radius-accounting=yes
     radius-interim-update=received nas-port-type=wireless-802.11
     radius-default-domain="" radius-location-id=""
     radius-location-name="Hotspot" radius-mac-format=XX:XX:XX:XX:XX:XX

[admin@MikroTik] > /ip hotspot print detail
Flags: X - disabled, I - invalid, S - HTTPS
 0 S name="Hotspot" interface=Hotspot profile=Hotspot idle-timeout=30m
     keepalive-timeout=5m ip-of-dns-name=10.1.0.1 proxy-status="running"
A test user and a test user profile - the test user profile has transparent-proxy set to 'yes', and I believe you do not need NAT rules redirecting if this is enabled and you don't need to proxy non-Hotspot users:
[admin@MikroTik] > /ip hotspot user profile print
Flags: * - default
 0 * name="default" idle-timeout=none keepalive-timeout=2m
     status-autorefresh=1m shared-users=unlimited rate-limit="64k/64k"
     transparent-proxy=no

 1   name="Hotspot" idle-timeout=none keepalive-timeout=15m
     status-autorefresh=1m shared-users=unlimited rate-limit="256k/512k"
     transparent-proxy=yes

[admin@MikroTik] > /ip hotspot user print
Flags: X - disabled, D - dynamic
 #   SERVER           NAME         ADDRESS         PROFILE         UPTIME
 0                    test                         Hotspot         33m10s
Proof that the proxy is actively caching:
[admin@MikroTik] > /ip proxy cache-contents print
URI                                   FILE-SIZE     LAST-MODIFIED LAST-ACCESSED
http://www.google.com/favicon.ico     1KiB          oct/02/2009   oct/02/2009
http://l.yimg.com/a/i/pulse/09q4/c... 5KiB          oct/02/2009   oct/02/2009
http://update.macromates.com/versi... 0KiB          oct/02/2009   oct/02/2009
http://l.yimg.com/a/i/mntl/per/09q... 7KiB          oct/02/2009   oct/02/2009
http://www.apple.com/                 4KiB          oct/02/2009   oct/02/2009
[admin@MikroTik] >
For the proxy-parent feature it should be sufficient to specify the parent-proxy IP and possibly the src-address under "/ip proxy", and to make sure that the traffic for those connections is permitted in the firewall rules. The set posted here should work as there's no filtering in the output chain, and related/established traffic is permitted in the input chain.
Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.
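
An added example (not from fewi's post or from MikroTik): a Python check that parses `/ip firewall filter print` output in the layout shown above and reports what happens to a new TCP connection to proxy port 8080 arriving on a given interface, which is what the `in-interface=!outside` match in rule 4 controls. The sample input is constructed from rules 1, 4, 6 and 7 of the listing and the function names are hypothetical; matchers that cannot be evaluated offline (address lists, rate limits) are reported as conditional rather than decided, and jump or passthrough actions are not modelled.

```python
import re

# Constructed sample: rules 1, 4, 6 and 7 of the input chain listed above, in
# the layout "/ip firewall filter print" produces (blank lines dropped).
FILTER_PRINT = """\
Flags: X - disabled, I - invalid, D - dynamic
 1   ;;; allow established incoming traffic
     chain=input action=accept connection-state=established
 4   ;;; allow service TCP ports from LAN
     chain=input action=accept protocol=tcp in-interface=!outside
     dst-port=53,67,8080
 6   ;;; allow everything from admin networks
     chain=input action=accept src-address-list=Administrative_Networks
 7   ;;; drop everything else
     chain=input action=drop
"""

RULE_START = re.compile(r"^\s*(\d+)\s+(?:([XID])\s+)?(.*)$")
KEY_VALUE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_rules(text):
    """Parse print output into [{'n', 'disabled', 'match': {key: value}}]."""
    rules, cur = [], None
    for line in text.splitlines():
        m = RULE_START.match(line)
        if m:
            cur = {"n": int(m.group(1)), "disabled": m.group(2) == "X", "match": {}}
            rules.append(cur)
            line = m.group(3)
        if cur is None or line.lstrip().startswith(";;;"):
            continue  # header line or rule comment
        for key, value in KEY_VALUE.findall(line):
            cur["match"][key] = value.strip('"')
    return rules


def port_in(spec, port):
    """True if port is in a port list such as '135-139,445'."""
    ranges = (part.partition("-") for part in spec.split(","))
    return any(int(lo) <= port <= int(hi or lo) for lo, _, hi in ranges)


def field_matches(key, value, pkt):
    """True/False when decidable from pkt, None when it needs data we lack."""
    negate, value = value.startswith("!"), value.lstrip("!")
    if key in ("protocol", "in-interface", "connection-state"):
        return (pkt[key] == value) != negate
    if key == "dst-port":
        return port_in(value, pkt["dst-port"]) != negate
    return None  # address lists, rate limits: not decidable offline


def proxy_exposure(text, iface, port=8080):
    """(action, rule number, conditional rules) for a new TCP connection to
    the router's proxy port arriving on iface; the first matching rule wins."""
    pkt = {"chain": "input", "protocol": "tcp", "in-interface": iface,
           "dst-port": port, "connection-state": "new"}
    conditional = []
    for rule in parse_rules(text):
        m = rule["match"]
        if rule["disabled"] or m.get("chain") != "input":
            continue
        results = [field_matches(k, v, pkt) for k, v in m.items()
                   if k not in ("chain", "action")]
        if False in results:
            continue
        if None in results:  # may match, depending on e.g. the source address
            conditional.append((rule["n"], m["action"]))
            continue
        return m["action"], rule["n"], conditional
    return "accept", None, conditional  # built-in chains accept by default


if __name__ == "__main__":
    weak = FILTER_PRINT.replace(" in-interface=!outside", "")  # rule 4 unscoped
    for label, text in (("as posted", FILTER_PRINT), ("rule 4 unscoped", weak)):
        print(label, {i: proxy_exposure(text, i) for i in ("Hotspot", "outside")})
```

With rule 4 as posted, a connection from `outside` falls through to the final drop unless its source is in `Administrative_Networks`; with the interface match removed, the same connection is accepted at rule 4 and the proxy is reachable from the WAN.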
 
reinerotto
Member
Topic Author
Posts: 437
Joined: Thu Dec 04, 2008 2:35 am

Re: Hotspot+cache-proxy+parent-proxy on 3.30 ? HOWTO ?

Sun Oct 04, 2009 8:16 pm

Thanx for your detailed description. And I thought it might be a bit easier :-)
Will take some time until I understand how this works :-)
 
dunga
Member Candidate
Posts: 254
Joined: Fri Jan 23, 2009 9:51 am
Location: Nigeria

Re: Hotspot+cache-proxy+parent-proxy on 3.30 ? HOWTO ?

Sun Oct 04, 2009 9:29 pm

Alrighty then. This is a setup for Hotspot+Transparent Proxy. I do not use the parent proxy feature. Also, this is for a transparent proxy setup for both a Hotspot and a non-Hotspot VLAN.

Can this setup work for an MT box with 2 network cards, Ether1 (WAN), ether2 - Hotspot, and ether3 - LAN without hotspot?

I need a detailed setup for such, just like you posted. Sorry, I am not too familiar with console commands; can you help with a Winbox picture of the setup or the one below?

RB1000 running 3.30, two ethernet interfaces used - inside and outside. Inside is a trunk to a Cisco switch with Hotspot VLAN 902 on it, the native VLAN on the trunk is used for wired connections that do not go through a Hotspot:
[admin@MikroTik] > /interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
 #     NAME                                        TYPE             MTU   L2MTU
 0  R  outside                                     ether            1500  1600
 1  R  inside                                      ether            1500  1600
 2  X  ether3                                      ether            1500  1600
 3  X  ether4                                      ether            1500  1600
 4  R  Hotspot                                     vlan             1500  1596
 
[admin@MikroTik] > /interface vlan print
Flags: X - disabled, R - running, S - slave
 #    NAME                  MTU   ARP        VLAN-ID INTERFACE
 0 R  Hotspot               1500  enabled    902     inside
Standard scenario with publics on the outside interface, and private IPs on the inside:
[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   ;;; Admin IP
     1.1.1.1/24         1.1.1.0         1.1.1.254       outside
 1   ;;; NAT IP
     1.1.1.2/24         1.1.1.0         1.1.1.254       outside
 2   10.1.0.1/24        10.1.0.0        10.1.0.255      inside
 3   10.2.0.1/23        10.2.0.0        10.2.1.255      Hotspot

Standard DHCP setup for the Hotspot only, the network on the inside interface is static:
[admin@MikroTik] > /ip pool print
 # NAME                                         RANGES
 0 DHCP-Pool-Hotspot                            10.2.0.2-10.2.1.254
 
[admin@MikroTik] > /ip dhcp-server print detail
Flags: X - disabled, I - invalid
 0   name="DHCP-Hotspot" interface=Hotspot lease-time=3h
     address-pool=DHCP-Pool-Hotspot bootp-support=static authoritative=yes
	 
[admin@MikroTik] > /ip dhcp-server network print detail
 0 address=10.2.0.0/23 gateway=10.2.0.1 dns-server=10.1.0.1
   domain="example.com"
Standard DNS setup:
[admin@MikroTik] > /ip dns print
            primary-dns: 1.1.1.3
          secondary-dns: 1.1.1.4
  allow-remote-requests: yes
    max-udp-packet-size: 512
             cache-size: 2048KiB
          cache-max-ttl: 1w
             cache-used: 67KiB
Enable the web proxy:
[admin@MikroTik] > /ip proxy print
                 enabled: yes
             src-address: 0.0.0.0
                    port: 8080
            parent-proxy: 0.0.0.0
       parent-proxy-port: 0
     cache-administrator: "webmaster"
          max-cache-size: unlimited
           cache-on-disk: no
  max-client-connections: 600
  max-server-connections: 600
          max-fresh-time: 3d
   serialize-connections: no
       always-from-cache: no
          cache-hit-dscp: 4
             cache-drive: system
Make sure the clients are permitted to access the proxy through the firewall - rule number 4 permits traffic to port 8080 on the local host. Yes, it's only a very basic firewall:
[admin@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough

 1   ;;; allow established incoming traffic
     chain=input action=accept connection-state=established

 2   ;;; allow related incoming traffic
     chain=input action=accept connection-state=related

 3   ;;; allow service UDP ports from LAN
     chain=input action=accept protocol=udp src-address-list=""
     in-interface=!outside dst-port=53,67

 4   ;;; allow service TCP ports from LAN
     chain=input action=accept protocol=tcp in-interface=!outside
     dst-port=53,67,8080

 5   ;;; allow rate-limited ICMP
     chain=input action=accept protocol=icmp limit=50,50

 6   ;;; allow everything from admin networks
     chain=input action=accept src-address-list=Administrative_Networks

 7   ;;; drop everything else
     chain=input action=drop

 8   ;;; forward established traffic
     chain=forward action=accept connection-state=established

 9   ;;; forward related traffic
     chain=forward action=accept connection-state=related

10   ;;; drop worms TCP
     chain=forward action=drop protocol=tcp dst-port=135-139,445,1434,4444

11   ;;; drop worms UDP
     chain=forward action=drop protocol=udp dst-port=135-139,445,1434,4444

12   ;;; forward traffic from customer interfaces to wan
     chain=forward action=accept out-interface=outside

13   ;;; drop everything else
     chain=forward action=drop
The NAT rules - standard src-nat and the redirect to port 8080 for traffic destined to port 80:
[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough

 1   chain=srcnat action=src-nat to-addresses=1.1.1.2
     src-address-list=Local_NAT_Networks out-interface=outside

 2   chain=dstnat action=redirect to-ports=8080 protocol=tcp
     in-interface=Hotspot dst-port=80


Standard Hotspot setup:
[admin@MikroTik] > /ip hotspot profile print
Flags: * - default
 0 * name="default" hotspot-address=0.0.0.0 dns-name="" html-directory=hotspot
     rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 login-by=https
     ssl-certificate=none split-user-domain=no use-radius=no

 1   name="Hotspot" hotspot-address=0.0.0.0 dns-name="hotspot.example.com"
     html-directory=MyHotspot rate-limit="" http-proxy=0.0.0.0:0
     smtp-server=0.0.0.0 login-by=https,http-pap ssl-certificate=wildcard
     split-user-domain=no use-radius=yes radius-accounting=yes
     radius-interim-update=received nas-port-type=wireless-802.11
     radius-default-domain="" radius-location-id=""
     radius-location-name="Hotspot" radius-mac-format=XX:XX:XX:XX:XX:XX

[admin@MikroTik] > /ip hotspot print detail
Flags: X - disabled, I - invalid, S - HTTPS
 0 S name="Hotspot" interface=Hotspot profile=Hotspot idle-timeout=30m
     keepalive-timeout=5m ip-of-dns-name=10.1.0.1 proxy-status="running"
A test user and a test user profile - the test user profile has transparent-proxy set to 'yes', and I believe you do not need NAT rules redirecting if this is enabled and you don't need to proxy non-Hotspot users:
[admin@MikroTik] > /ip hotspot user profile print
Flags: * - default
 0 * name="default" idle-timeout=none keepalive-timeout=2m
     status-autorefresh=1m shared-users=unlimited rate-limit="64k/64k"
     transparent-proxy=no

 1   name="Hotspot" idle-timeout=none keepalive-timeout=15m
     status-autorefresh=1m shared-users=unlimited rate-limit="256k/512k"
     transparent-proxy=yes

[admin@MikroTik] > /ip hotspot user print
Flags: X - disabled, D - dynamic
 #   SERVER           NAME         ADDRESS         PROFILE         UPTIME
 0                    test                         Hotspot         33m10s
Proof that the proxy is actively caching:
[admin@MikroTik] > /ip proxy cache-contents print
URI                                   FILE-SIZE     LAST-MODIFIED LAST-ACCESSED
http://www.google.com/favicon.ico     1KiB          oct/02/2009   oct/02/2009
http://l.yimg.com/a/i/pulse/09q4/c... 5KiB          oct/02/2009   oct/02/2009
http://update.macromates.com/versi... 0KiB          oct/02/2009   oct/02/2009
http://l.yimg.com/a/i/mntl/per/09q... 7KiB          oct/02/2009   oct/02/2009
http://www.apple.com/                 4KiB          oct/02/2009   oct/02/2009
[admin@MikroTik] >
For the proxy-parent feature it should be sufficient to specify the parent-proxy IP and possibly the src-address under "/ip proxy", and to make sure that the traffic for those connections is permitted in the firewall rules. The set posted here should work as there's no filtering in the output chain, and related/established traffic is permitted in the input chain.

This is exactly what I want to achieve: hotspot and transparent proxy in one MT box. Please can you include traffic shaping in it, mostly for p2p limiting.

Thanks
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: Hotspot+cache-proxy+parent-proxy on 3.30 ? HOWTO ?

Sun Oct 04, 2009 9:36 pm

I have not looked at traffic shaping at all - it's enough for me to limit the bandwidth of each user via the Hotspot. It doesn't matter to me what traffic they run within their channel.
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: Hotspot+cache-proxy+parent-proxy on 3.30 ? HOWTO ?

Sun Oct 04, 2009 10:07 pm

Thinking about it a little bit, I am not sure you can do shaping at all. The Hotspot creates a dynamic simple queue for each user. I am not sure how additional queues would interact with that.
 
dunga
Member Candidate
Posts: 254
Joined: Fri Jan 23, 2009 9:51 am
Location: Nigeria

Re: Hotspot+cache-proxy+parent-proxy on 3.30 ? HOWTO ?

Mon Oct 05, 2009 12:20 pm

Hello fewi,
I don't seem to understand your setup, as it is not working for me.
Alrighty then. This is a setup for Hotspot+Transparent Proxy. I do not use the parent proxy feature. Also, this is for a transparent proxy setup for both a Hotspot and a non-Hotspot VLAN.
Look at my setup: I have ether1 as my WAN = 198.78.236.2/29, while ether2 is my LAN (hotspot) = 192.168.200.1/24 running DHCP, while yours is a VLAN.

RB1000 running 3.30, two ethernet interfaces used - inside and outside. Inside is a trunk to a Cisco switch with Hotspot VLAN 902 on it, the native VLAN on the trunk is used for wired connections that do not go through a Hotspot:
I am running MT 3.22 on a computer.



[admin@MikroTik] > /ip dns print
            primary-dns: 1.1.1.3
          secondary-dns: 1.1.1.4
  allow-remote-requests: yes
    max-udp-packet-size: 512
             cache-size: 2048KiB
          cache-max-ttl: 1w
             cache-used: 67KiB
Enable the web proxy:
[admin@MikroTik] > /ip proxy print
                 enabled: yes
             src-address: 0.0.0.0
                    port: 8080
            parent-proxy: 0.0.0.0
       parent-proxy-port: 0
     cache-administrator: "webmaster"
          max-cache-size: unlimited
           cache-on-disk: no
  max-client-connections: 600
  max-server-connections: 600
          max-fresh-time: 3d
   serialize-connections: no
       always-from-cache: no
          cache-hit-dscp: 4
             cache-drive: system
Make sure the clients are permitted to access the proxy through the firewall - rule number 4 permits traffic to port 8080 on the local host. Yes, it's only a very basic firewall:
[admin@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough

 1   ;;; allow established incoming traffic
     chain=input action=accept connection-state=established

 2   ;;; allow related incoming traffic
     chain=input action=accept connection-state=related

 3   ;;; allow service UDP ports from LAN
     chain=input action=accept protocol=udp src-address-list=""
     in-interface=!outside dst-port=53,67

 4   ;;; allow service TCP ports from LAN
     chain=input action=accept protocol=tcp in-interface=!outside
     dst-port=53,67,8080

 5   ;;; allow rate-limited ICMP
     chain=input action=accept protocol=icmp limit=50,50

 6   ;;; allow everything from admin networks
     chain=input action=accept src-address-list=Administrative_Networks

 7   ;;; drop everything else
     chain=input action=drop

 8   ;;; forward established traffic
     chain=forward action=accept connection-state=established

 9   ;;; forward related traffic
     chain=forward action=accept connection-state=related

10   ;;; drop worms TCP
     chain=forward action=drop protocol=tcp dst-port=135-139,445,1434,4444

11   ;;; drop worms UDP
     chain=forward action=drop protocol=udp dst-port=135-139,445,1434,4444

12   ;;; forward traffic from customer interfaces to wan
     chain=forward action=accept out-interface=outside

13   ;;; drop everything else
     chain=forward action=drop
The NAT rules - standard src-nat and the redirect to port 8080 for traffic destined to port 80:

I don't understand the firewall script above, as I don't understand them at all.
[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough

 1   chain=srcnat action=src-nat to-addresses=1.1.1.2
     src-address-list=Local_NAT_Networks out-interface=outside

 2   chain=dstnat action=redirect to-ports=8080 protocol=tcp
     in-interface=Hotspot dst-port=80


Standard Hotspot setup:
[admin@MikroTik] > /ip hotspot profile print
Flags: * - default
 0 * name="default" hotspot-address=0.0.0.0 dns-name="" html-directory=hotspot
     rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 login-by=https
     ssl-certificate=none split-user-domain=no use-radius=no


A test user and a test user profile - the test user profile has transparent-proxy set to 'yes', and I believe you do not need NAT rules redirecting if this is enabled and you don't need to proxy non-Hotspot users:

[admin@MikroTik] > /ip hotspot user profile print
Flags: * - default
 0 * name="default" idle-timeout=none keepalive-timeout=2m
     status-autorefresh=1m shared-users=unlimited rate-limit="64k/64k"
     transparent-proxy=no

 1   name="Hotspot" idle-timeout=none keepalive-timeout=15m
     status-autorefresh=1m shared-users=unlimited rate-limit="256k/512k"
     transparent-proxy=yes

[admin@MikroTik] > /ip hotspot user print
Flags: X - disabled, D - dynamic
 #   SERVER           NAME         ADDRESS         PROFILE         UPTIME
 0                    test                         Hotspot         33m10s
Proof that the proxy is actively caching:
[admin@MikroTik] > /ip proxy cache-contents print
URI                                   FILE-SIZE     LAST-MODIFIED LAST-ACCESSED
http://www.google.com/favicon.ico     1KiB          oct/02/2009   oct/02/2009
http://l.yimg.com/a/i/pulse/09q4/c... 5KiB          oct/02/2009   oct/02/2009
http://update.macromates.com/versi... 0KiB          oct/02/2009   oct/02/2009
http://l.yimg.com/a/i/mntl/per/09q... 7KiB          oct/02/2009   oct/02/2009
http://www.apple.com/                 4KiB          oct/02/2009   oct/02/2009
[admin@MikroTik] >
For the proxy-parent feature it should be sufficient to specify the parent-proxy IP and possibly the src-address under "/ip proxy", and to make sure that the traffic for those connections is permitted in the firewall rules. The set posted here should work as there's no filtering in the output chain, and related/established traffic is permitted in the input chain.
Thanks
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: Hotspot+cache-proxy+parent-proxy on 3.30 ? HOWTO ?

Mon Oct 05, 2009 5:56 pm

It's going to be hard to change that without specific information on what isn't working (you're not getting DHCP? you're not getting a login page? the proxy isn't logging any hits?), troubleshooting steps already taken by you and the relevant configuration from your devices.
