I'm using mikrotik as pppoe server and squid as cache server.
mikrotik is redirecting traffic to port 80 to port 8080 of squid(using dst-nat)
everything works fine except one:
when I check squid access log, all requests come from mikrotik ip not users own ip!
I've also used mangle and policy route to route traffic to port 80 to squid but the access log on squid shows mikrotik ip as src ip!
dst-nat means change dst-address.Isn't it?
any solution?

nobody concerns?
anybody help

Mark routing on outgoing packets to port 80 to your squid proxy. Then use iptables to redirect traffic on the linux box to port 8080. Make sure it's setup for transparent redirect.


Where 192.168.1.2 is the squid server... On your linux box

Mark routing on outgoing packets to port 80 to your squid proxy. Then use iptables to redirect traffic on the linux box to port 8080. Make sure it's setup for transparent redirect.


Where 192.168.1.2 is the squid server...

Code: Select all

/ip firewall mangle
add action=mark-routing chain=prerouting comment="" disabled=no dst-port=80 in-interface=LAN new-routing-mark=main passthrough=no protocol=tcp src-address=192.168.1.2
add action=mark-routing chain=prerouting comment="" disabled=no dst-port=80 in-interface=LAN new-routing-mark=squid-redirect passthrough=yes protocol=tcp src-address=192.168.1.0/24

/ip route
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.2 routing-mark=squid-redirect scope=30 target-scope=10

On your linux box

Code: Select all

iptables -t nat -A PREROUTING -s 192.168.1.0/24 -d ! 192.168.1.0/24 -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

thanks netrat
is this solution to my problem? after this config my squid log will show clients ip addresses not mikrotik ip. right?
I'll test it...
P.S
when I mangle web traffic that comes to LAN and route it to squid, evrythings works fine. access log shows clients ip addresses.
BUT the problem arises when clients connect to mikrotik using pppoe or pptp. squid access log shows mikrotik ip address as src address and I cannot analyze a specific user ip log...

when clients connect to mikrotik using pppoe or pptp. squid access log shows mikrotik ip address as src address

it means that you do src-nat of pppoe clients, and nothing else. disable src-nat for redirected traffic - and all will be fine

when clients connect to mikrotik using pppoe or pptp. squid access log shows mikrotik ip address as src address

it means that you do src-nat of pppoe clients, and nothing else. disable src-nat for redirected traffic - and all will be fine

thanks Chupaka
so why this will not happen for LAN clients?
and by the way, mangle is before src-nat.this means port 80 traffic should be mangled and send to squid before it will be processed by other rules...

Mangle cannot stop packet from processing it by NAT until you make it explicitly. for example, set 'routing-mark=!squid-redirect' in src-nat rule