I'm struggling to get both my transparent proxy and traffic splitting (using prerouting mangle marking of connections, packets & routing) working at the same time.
I'm using the same type of mangling as used in this wiki: http://wiki.mikrotik.com/wiki/How_to_ap ... as_traffic
I want to give the PPTP clients & other clients on the LAN (192.168.1.0/24) access to the Internet.
The ADSL router dials a PPPoE connection for international Internet access, and my PC with RouterOS dials a second PPPoE connection for RSA (local) Internet access.
The Wireless AP/router is connected to a WUG (146.232.0.0/16 & 10.20.0.0/16), from where the PPTP clients connect.
Here's a diagram of my network layout. I've tried specifying the in-interface for the prerouting mangle entries that mark the connections/packets/routing, but that doesn't work once the port 80 packets are redirected to the transparent proxy. The other issue with specifying the in-interface is that I have to specify the PPTP client's interface, which ROS loses as soon as the client disconnects.
The main reason I want to do mangling is to keep my routing table clean; otherwise I have to add 600+ RSA IP blocks. Here's a wiki page where they've gone and added 600+ routes: http://wiki.mikrotik.com/wiki/Routing_l ... l_accounts
Mangling also allows me to use different queues for packets destined for different locations...
Quick overview of configuration in WinBox: My config:
# jan/17/2010 17:17:29 by RouterOS 4.5
# Single LAN NIC. The ADSL router (192.168.1.100, see /ip route) and the LAN
# clients are reached through ether1; the PPPoE client below also dials over it.
/interface ethernet
set 0 arp=enabled auto-negotiation=yes cable-settings=default comment="" disable-running-check=yes disabled=no full-duplex=yes mac-address=08:00:27:02:35:49 mtu=1500 name=ether1 speed=100Mbps
# Static PPTP server binding for the inbound VPN clients; the server itself is
# enabled under "/interface pptp-server server" further down.
/interface pptp-server
add comment="" disabled=no name=pptp-server user=admin
# pptp_pool is handed out by the pptp-encryption profile; dhcp_pool chains to
# dhcp_pool2 (next-pool) for LAN leases.
/ip pool
add name=pptp_pool ranges=192.168.3.2-192.168.3.20
add name=dhcp_pool2 ranges=192.168.1.192-192.168.1.254
add name=dhcp_pool next-pool=dhcp_pool2 ranges=192.168.1.50-192.168.1.99
/ip dhcp-server
add address-pool=dhcp_pool authoritative=after-2sec-delay bootp-support=static disabled=no interface=ether1 lease-time=3d name=dhcp-server
# pptp-encryption: router side 192.168.3.1, clients from pptp_pool.
# NOTE(review): this profile has use-encryption=default, whereas
# default-encryption sets use-encryption=yes; the secret below uses
# pptp-encryption, so confirm that inbound PPTP sessions are actually
# required to encrypt.
/ppp profile
set default change-tcp-mss=yes comment="" name=default only-one=default use-compression=default use-encryption=default use-vj-compression=default
add change-tcp-mss=yes comment="PPTP VPN" local-address=192.168.3.1 name=pptp-encryption only-one=default remote-address=pptp_pool use-compression=default use-encryption=default use-vj-compression=default
set default-encryption change-tcp-mss=yes comment="" name=default-encryption only-one=default use-compression=default use-encryption=yes use-vj-compression=default
# Second (RSA/local) uplink dialed by this box. add-default-route=no, so it is
# only used through routing-mark RSA-routing (see /ip route). Credentials are
# redacted in this paste.
# NOTE(review): allow= includes pap (cleartext authentication); drop it if the
# provider accepts chap/mschap.
/interface pppoe-client
add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 comment="" dial-on-demand=no disabled=no interface=ether1 max-mru=1492 max-mtu=1492 mrru=disabled name=pppoe-openweb30gb password=xxx profile=default service-name="" use-peer-dns=no user=xxx
# Outbound PPTP tunnel to the SCN side (10.20.30.1); used as the gateway for
# 146.232.0.0/16 under routing-mark local-routing in /ip route.
/interface pptp-client
add add-default-route=no allow=pap,chap,mschap1,mschap2 comment="" connect-to=10.20.30.1 dial-on-demand=no disabled=no max-mru=1492 max-mtu=1492 mrru=disabled name=pptp-client-scn-vpn password=xxx profile=default-encryption user=xxx
# Inbound PPTP server: mschap1/mschap2 only, default profile forces encryption.
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption enabled=yes keepalive-timeout=30 max-mru=1492 max-mtu=1492 mrru=disabled
# LAN address on ether1.
# NOTE: the trailing backslash on the next line is a RouterOS export
# line-continuation; as pasted it would join the following
# "/ip firewall address-list" line onto this command - check the original export.
/ip address
add address=192.168.1.23/24 broadcast=192.168.1.255 comment="" disabled=no interface=ether1 network=192.168.1.0\
/ip firewall address-list
# LAN = the whole 192.168.0.0/16, wider than the 192.168.1.0/24 LAN so that the
# PPTP pool (192.168.3.2-192.168.3.20) is matched as well.
add address=192.168.0.0/16 comment="" disabled=no list=LAN
# Local = private ranges plus the WUG prefix 146.232.0.0/16.
add address=10.0.0.0/8 comment="" disabled=no list=Local
add address=172.16.0.0/12 comment="" disabled=no list=Local
add address=146.232.0.0/16 comment="" disabled=no list=Local
add address=192.168.0.0/16 comment="" disabled=no list=Local
# The next four entries duplicate the four above. They add nothing to matching
# (RouterOS may reject the duplicates on import) - drop one copy.
add address=10.0.0.0/8 comment="" disabled=no list=Local
add address=172.16.0.0/12 comment="" disabled=no list=Local
add address=146.232.0.0/16 comment="" disabled=no list=Local
add address=192.168.0.0/16 comment="" disabled=no list=Local
# RSA prefixes (the full list is truncated in this paste).
add address=41.0.0.0/11 comment="" disabled=no list="RSA address list"
#... more RSA addresses
add address=216.5.192.0/21 comment="" disabled=no list="RSA address list"
add address=216.236.176.0/20 comment="" disabled=no list="RSA address list"
# SUN/SCN: WUG prefixes. Not referenced by any mangle, NAT or route in this
# export.
add address=10.20.0.0/16 comment="" disabled=no list=SUN/SCN
add address=146.232.0.0/16 comment="" disabled=no list=SUN/SCN
# Order: connection marks first (All -> Local / RSA), then per-class packet
# marks, then routing marks. Every rule is in prerouting.
# NOTE(review): prerouting does not see connections the router originates
# itself (the web proxy's upstream fetches for redirected clients are the likely
# case here) - confirm those still leave via the intended uplink, since they
# carry no routing mark and fall to the unmarked default route.
/ip firewall mangle
add action=mark-connection chain=prerouting comment="Mark all connections" disabled=no new-connection-mark=All-connection passthrough=yes src-address-list=LAN
# These two replace All-connection, so a connection ends up with exactly one of
# All / Local / RSA.
add action=mark-connection chain=prerouting comment="Mark local connections" connection-mark=All-connection disabled=no dst-address-list=Local new-connection-mark=Local-connection passthrough=yes
add action=mark-connection chain=prerouting comment="Mark RSA connections" connection-mark=All-connection disabled=no dst-address-list="RSA address list" new-connection-mark=RSA-connection passthrough=yes
# Anything still marked All-connection at this point (neither Local nor RSA) is
# treated as international.
add action=mark-packet chain=prerouting comment="Mark international packets" connection-mark=All-connection disabled=no new-packet-mark=international-packet passthrough=yes
add action=mark-routing chain=prerouting comment="Mark international routing" disabled=no new-routing-mark=international-routing packet-mark=international-packet passthrough=yes src-address-list=LAN
add action=mark-packet chain=prerouting comment="Mark local packets" connection-mark=Local-connection disabled=no new-packet-mark=local-packet passthrough=yes
# NOTE(review): this writes routing-mark "main", but the two routes in /ip route
# are keyed on routing-mark=local-routing, so they are never selected and local
# traffic follows the main table (default via 192.168.1.100). Either set
# new-routing-mark=local-routing here or drop those routes. passthrough=no
# stops mangle processing for these packets.
add action=mark-routing chain=prerouting comment="Mark local routing" disabled=no new-routing-mark=main packet-mark=local-packet passthrough=no src-address-list=LAN
add action=mark-packet chain=prerouting comment="Mark RSA packets" connection-mark=RSA-connection disabled=no new-packet-mark=RSA-packet passthrough=yes
add action=mark-routing chain=prerouting comment="Mark RSA routing" disabled=no new-routing-mark=RSA-routing packet-mark=RSA-packet passthrough=yes src-address-list=LAN
/ip firewall nat
# Transparent proxy: TCP/80 from Local sources to non-Local destinations is
# redirected to the local proxy on 8080. Only src-address-list=Local is
# redirected; port 80 traffic from any other source is not forced through the
# proxy. The client's packet keeps its prerouting marks, but the proxy's own
# upstream fetch is a separate connection originated by the router.
add action=redirect chain=dstnat comment="Redirect to Web Proxy" disabled=no dst-address-list=!Local dst-port=80 protocol=tcp src-address-list=Local to-ports=8080
# Source NAT per uplink: ether1 (toward the ADSL router), the PPPoE uplink, and
# the SCN PPTP tunnel.
add action=masquerade chain=srcnat comment="NAT LAN/ADSL" disabled=no out-interface=ether1
add action=masquerade chain=srcnat comment="NAT OpenWeb 30GB" disabled=no out-interface=pppoe-openweb30gb
add action=masquerade chain=srcnat comment="NAT SCN VPN" disabled=no out-interface=pptp-client-scn-vpn
# Caching web proxy on port 8080, bound to all addresses (src-address=0.0.0.0).
# NOTE(review): /ip proxy access below has no src-address restriction and this
# export shows no /ip firewall filter section; if none exists, confirm the proxy
# is not reachable from the uplink interfaces (open-proxy risk).
/ip proxy
set always-from-cache=no cache-administrator="Admin" cache-hit-dscp=4 cache-on-disk=yes enabled=yes max-cache-size=379000KiB max-client-connections=600 max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 serialize-connections=no src-address=0.0.0.0
/ip proxy access
# Deny destination ports 23-25 (telnet / SMTP relaying) for any method.
add action=deny comment="block telnet & spam e-mail relaying" disabled=no dst-port=23-25
# Restricts the CONNECT method to 443 and 563 only; non-CONNECT requests to
# other ports are not affected by this rule.
add action=deny comment="allow CONNECT only to SSL ports 443 [https] and 563 [snews]" disabled=no dst-port=!443,563 method=CONNECT
# Direct-access list for private and WUG ranges.
# NOTE(review): parent-proxy is 0.0.0.0 above, so these entries appear to have
# no effect as configured - confirm.
/ip proxy direct
add action=allow comment="" disabled=no dst-address=10.0.0.0/8
add action=allow comment="" disabled=no dst-address=146.232.0.0/16
add action=allow comment="" disabled=no dst-address=172.16.0.0/12
# Per-mark routing tables. international-routing and the unmarked default both
# go to the ADSL router at 192.168.1.100; RSA-routing uses the PPPoE uplink.
/ip route
add check-gateway=ping comment=ADSL disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.100 routing-mark=international-routing scope=30 target-scope=10
# NOTE(review): routing-mark=local-routing is never set by the mangle rules
# above (the "Mark local routing" rule writes "main"), so these two routes are
# unused as exported. Either change that rule to new-routing-mark=local-routing
# or remove these.
add comment=Local disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.100 routing-mark=local-routing scope=30 target-scope=10
add check-gateway=ping comment="SUN (SCN VPN)" disabled=no distance=1 dst-address=146.232.0.0/16 gateway=pptp-client-scn-vpn routing-mark=local-routing scope=30 target-scope=10
add comment="RSA Only" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-openweb30gb routing-mark=RSA-routing scope=30 target-scope=10
# Main-table catch-all for anything without a routing mark, which includes the
# router's own connections (no output-chain mangle rules are present).
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.100 scope=30 target-scope=10
# Single PPTP account using the pptp-encryption profile (see /ppp profile). No
# caller-id restriction and no per-user limits.
/ppp secret
add caller-id="" comment="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=pada profile=pptp-encryption routes="" service=pptp
Ideas/assistance would be appreciated.