I have just setup Squid as a transparent proxy. I need to figure out how to configure my network to send all clients to it.

My mikrotik is being used as our core router for our ISP.

We accept our internet connection on eth2 and our network is on eth4. All of our servers and clients are on public ips and we have a /21 subnet. Ethernet 1 and 3 are reserved for expansion.

So we need all customers on our network to be redirected to our squid server which is located at 190.3.160.15 and is listening on port 8080. Our customer addresses start at 190.3.161.1 and end at 190.3.167.254.

We are running an RB1000 on 4.5

Any help would be appreciated. I just love Mikrotik!

I'd rather route all http traffic to squid and use TProxy feature (so users' addresses not change to squid's address for websites)

something like

/route add gateway=190.3.160.15 routing-mark=to-squid
/ip firewall mangle add chain=prerouting src-address=client_address_pool src-mac-address=!squid_MAC protocol=tcp dst-port=80 action=mark-routing new-routing-mark=to-squid
/ip firewall mangle add chain=prerouting dst-address=client_address_pool src-mac-address=!squid_MAC protocol=tcp src-port=80 action=mark-routing new-routing-mark=to-squid

How do I exclude the SQUID ip address from there?

sorry, mistyped. I edited my post, 'src-address=!squid_ip' should also work for the first rule

Do I need to change any of this statement or enter it as it is?

This makes no sense...do I add the mac address or not? Where does it to forward the traffic to the listening port of 8080.....I feel those statements are incomplete or inaccurate.

use TProxy feature

http://wiki.squid-cache.org/Features/Tproxy4

thanks
do you use it like that?

no, unfortunately I didn't see such setup, only read about it. we don't use proxy at all

I dont think you are understanding me....I have squid installed and it is operating....I need to know the proper statement in the mikrotik to route to it. I also dont know whether I need to add the MAC address instead of the ip of the squid server, etc. Also, this doesnt mention anything about sending calls to 8080, which is the port that my squid box is listening on....


TGF

Any help from the MT gods?

well, you can simply setup transparent proxy on RouterOS, and set Parent Proxy of your WebProxy to Squid's address. but in that case all your users will have address of Squid for any website

Well that would defeat the need for a transparent proxy.

I am wanting to transparently route all http traffic to port 8080 on the Squid machine...... I dont want any user intervention.

The rules Chupaka gave you would route all traffic marked as traffic to be proxied (i.e. all traffic destined to port 80, but not traffic that carries the Squid proxies MAC address as source or destination so that routing loops are prevented) towards the Squid box. The T-Proxy feature on the Squid box would intercept that traffic automatically (you do _not_ need to redirect to port 8080, it would simply inspect all traffic and automagically find it) and proxy it transparently.

Well that would defeat the need for a transparent proxy.

I am wanting to transparently route all http traffic to port 8080 on the Squid machine...... I dont want any user intervention.

no user intervention at all. read the manual about parent proxy and transparent mode: http://www.mikrotik.com/testdocs/ros/3.0/pnp/proxy.php

So I am going to have to enable ip chains, add a 2nd ethernet device on the machine, and put the machine between our client devices?

Umm..... Or do I just have to enable parent proxy and create a rule to point the traffic to the Squid machine?

Do I have to enable bridging?

whats the reason for no proxy setup are your lines fast enuff or what as i have problems with my type setup


5 adsl lines 1mb/4mb lines
and a proxy always pic up problems

and cant seem to get a work around on it


as a proxy will help me a lot as i dont have speed to work with

sorry, mistyped. I edited my post, 'src-address=!squid_ip' should also work for the first rule

what did you mean by this. And you say that there is an adjustment to be done on the squid server. It is currently operational with parent proxy and when i manually input the proxy address on the proxy. Another way is i have have been able to redirect traffic using the hotspot profile by inputting the http-proxy
as below (yyy.yyy.yyy.yyy:8080)
name="hsprof1" hotspot-address=10.0.0.2 dns-name="" html-directory=hotspot rate-limit=""
http-proxy=yyy.yyy.yyy.yyy:8080 smtp-server=0.0.0.0 login-by=mac,cookie,http-chap,https mac-auth-password=""
http-cookie-lifetime=3d ssl-certificate=none split-user-domain=no use-radius=yes radius-accounting=yes
radius-interim-update=5m nas-port-type=wireless-802.11 radius-default-domain="" radius-location-id=""
radius-location-name="" radius-mac-format=XX:XX:XX:XX:XX:XX

parent proxy ~= redirection = most of websites will see proxy's ip, not client's ip

squid should work in TProxy mode: http://wiki.squid-cache.org/Features/Tproxy4

Has anyone looked at SafeSquid ?
They have expressed an interest in building a VM for RouterOS...

try this eg

Flags: X - disabled, I - invalid, D - dynamic
0 ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough

1 ;;; masquerade hotspot network
chain=srcnat action=masquerade src-address=10.0.0.0/24

2 ;;; masquerade lan
chain=srcnat action=masquerade src-address=192.168.0.0/24

3 ;;; redirect http to proxy
chain=dstnat action=dst-nat to-addresses="Squid IP" to-ports=8080
protocol=tcp src-address=10.0.0.0/24 dst-port=80

this should also work but the ip of the proxy is seen

[admin@Backbone Router] /ip hotspot profile> pr
Flags: * - default
0 * name="default" hotspot-address=0.0.0.0 dns-name="" html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0
login-by=mac,cookie,http-chap,https mac-auth-password="" http-cookie-lifetime=3d ssl-certificate=none split-user-domain=no use-radius=no

1 name="hsprof1" hotspot-address=10.0.0.2 dns-name="" html-directory=hotspot rate-limit="" http-proxy="squid proxy ip":8080 smtp-server=0.0.0.0
login-by=mac,cookie,http-chap,https mac-auth-password="" http-cookie-lifetime=3d ssl-certificate=none split-user-domain=no use-radius=yes
radius-accounting=yes radius-interim-update=5m nas-port-type=wireless-802.11 radius-default-domain="" radius-location-id="" radius-location-name=""
radius-mac-format=XX:XX:XX:XX:XX:XX

Guru's which of the two better performance? i have not put in included the parent-proxy which is also possible. Which gives a better performance all factors constant but Mikrotik router configs

Hi.
A query.
I have this design.
3 interfaces in mikrotik

1-wan
2-lan (192.168.99.0/24)
3-proxy (10.0.0.0/24----10.0.0.2(squid))

How do I send all traffic to port 80 to the squid ??
The squid I have it set to "intercept" mode (transparent). I would like to know the configuration of Mikrotik.

I want to do this without having to activate the webproxy the Mikrotik.

This is a translation of google.

Thank you all.

why not just ?

Nop.
I have these two ports listening Squid configuration.
http_port 10.0.0.2:3128
http_port 10.0.0.2:8080 intercept

With your rule in the mikrotik, if
"To-ports = 8080"
when I try to visit a page from the web browser returns me
"The connection was reset".

If,
"To-ports = 3128"
the web browser returns me
"The requested URL Could not be retrieved" (a page of squid)
"The following Error was Encountered while trying to retrieve the url"
"Invalid url"

any other ideas??
Thanks!!

What happens if you set squid's port 8080 in browser's proxy settings with and without that NAT rule?

if I put in the web browser 10.0.0.2:8080
He tells me "the connection was reset"

if i put in the browser 10.0.0.2:3128 work perfect..................... (sadly)