/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-port=80 in-interface=ether3 protocol=tcp to-addresses=172.19.65.10 to-ports=3128
/ip route add gateway=squid_ip routing-mark=tproxied
/ip fi man add chain=prerouting protocol=tcp port=80 src-mac-address=!squid_mac action=mark-routing new-routing-mark=tproxied
${IPTABLES} -t mangle -N FUN
${IPTABLES} -t mangle -A FUN -j MARK --set-mark 1
${IPTABLES} -t mangle -A FUN -j ACCEPT
${IPTABLES} -t mangle -A PREROUTING -p tcp -m socket -j FUN
${IPTABLES} -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
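The rule set above only works if four separate places agree on the same firewall mark and routing table: the MARK target, the TPROXY target's --tproxy-mark, the ip rule's fwmark, and the table that holds the "local ... dev lo" route. If any one of them drifts (a mark typed as 2 in the ip rule, a route left in the main table), TPROXY silently delivers nothing, which looks exactly like the "0 hit" symptom discussed later in the thread. The following script is an added example, not code from the original thread or from Squid's own documentation: it emits the same Linux-side TPROXY setup from a few variables and includes a checker, tproxy_check, that reads either the generated text or the live iptables-save / ip rule / ip route output and verifies that all the marks and tables line up. The chain name DIVERT, the environment variables and the function names are this example's own choices; the defaults (mark 1, table 100, port 3129) are the values used in the thread.

```shell
#!/bin/sh
# Added example, not code from the original thread: the Linux-side TPROXY
# interception for Squid as a run-once script, parameterised on the firewall
# mark, the policy-routing table and Squid's tproxy port, plus a checker that
# verifies the TPROXY mark, the MARK target, the ip rule fwmark and the local
# route all agree. Without APPLY=1 the rules are only printed, not applied.
set -eu

MARK=${MARK:-1}                  # fwmark shared by MARK, TPROXY and the ip rule
TABLE=${TABLE:-100}              # table that delivers marked packets to lo
TPROXY_PORT=${TPROXY_PORT:-3129} # Squid's "http_port ... tproxy" listener
IPTABLES=${IPTABLES:-iptables}
CHAIN=${CHAIN:-DIVERT}           # chain for packets already owned by a local socket

# Emit the rules, one command per line, in the order they must be applied.
# Appending the same -A rules twice duplicates them, so apply this once.
tproxy_rules() {
    cat <<EOF
$IPTABLES -t mangle -N $CHAIN
$IPTABLES -t mangle -A $CHAIN -j MARK --set-mark $MARK
$IPTABLES -t mangle -A $CHAIN -j ACCEPT
$IPTABLES -t mangle -A PREROUTING -p tcp -m socket -j $CHAIN
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark $MARK/$MARK --on-port $TPROXY_PORT
ip rule add fwmark $MARK lookup $TABLE
ip route replace local 0.0.0.0/0 dev lo table $TABLE
EOF
}

# Normalise a mark written as 1, 0x1, 0x1/0x1 or 0x1/0xffffffff to decimal,
# so values typed by hand compare equal to what iptables-save and ip rule print.
to_dec() { printf '%d\n' "$(( ${1%%/*} ))"; }

# Read rule text on stdin, either the output of tproxy_rules or the live state:
#   { iptables-save -t mangle; ip rule; ip route show table "$TABLE"; } | tproxy_check
# Return 0 only if the first TPROXY target, the first MARK target, the fwmark
# rule and the local lo route all refer to the same mark and table.
tproxy_check() {
    input=$(cat)
    tmark=$(printf '%s\n' "$input" | sed -n 's/.*--tproxy-mark \([x0-9a-fA-F/]*\).*/\1/p' | head -n 1)
    smark=$(printf '%s\n' "$input" | sed -n 's/.*--set-x\{0,1\}mark \([x0-9a-fA-F/]*\).*/\1/p' | head -n 1)
    fwmark=$(printf '%s\n' "$input" | sed -n 's/.*fwmark \([x0-9a-fA-F/]*\) lookup.*/\1/p' | head -n 1)
    table=$(printf '%s\n' "$input" | sed -n 's/.*fwmark [x0-9a-fA-F/]* lookup \([0-9a-z]*\).*/\1/p' | head -n 1)
    route=$(printf '%s\n' "$input" | grep -E 'local (default|0\.0\.0\.0/0) dev lo' | head -n 1)

    if [ -z "$tmark" ] || [ -z "$smark" ] || [ -z "$fwmark" ] || [ -z "$table" ]; then
        echo "tproxy_check: TPROXY target, MARK target or fwmark rule not found" >&2
        return 1
    fi
    if [ "$(to_dec "$tmark")" != "$(to_dec "$fwmark")" ]; then
        echo "tproxy_check: --tproxy-mark $tmark does not match ip rule fwmark $fwmark" >&2
        return 1
    fi
    if [ "$(to_dec "$smark")" != "$(to_dec "$tmark")" ]; then
        echo "tproxy_check: MARK --set-mark $smark differs from --tproxy-mark $tmark" >&2
        return 1
    fi
    if [ -z "$route" ]; then
        echo "tproxy_check: no 'local default dev lo' route for marked packets" >&2
        return 1
    fi
    # "ip route show table N" omits the table name; only compare when present.
    rtable=$(printf '%s\n' "$route" | sed -n 's/.*table \([0-9a-z]*\).*/\1/p')
    if [ -n "$rtable" ] && [ "$rtable" != "$table" ]; then
        echo "tproxy_check: local route is in table $rtable but ip rule looks up $table" >&2
        return 1
    fi
    echo "tproxy_check: mark $(to_dec "$tmark") -> table $table -> lo: consistent"
}

if [ "${APPLY:-0}" = 1 ]; then
    # Apply as root, then verify against what the kernel actually holds.
    tproxy_rules | while IFS= read -r cmd; do $cmd; done
    { iptables-save -t mangle; ip rule; ip route show table "$TABLE"; } | tproxy_check
else
    tproxy_rules
fi
```

The checker reads the first TPROXY and MARK rules it sees, so on a host with other mangle MARK rules feed it only the relevant chain (for example `iptables-save -t mangle | grep -E 'DIVERT|TPROXY'` together with the ip rule and ip route output). It does not replace the MikroTik-side check; a routing-mark on the router that never matches (the "0 hit" case) shows up as counters that stay at zero in `/ip firewall mangle print stats`, not as anything visible on the Squid box.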
Thank you very much sir. I got it working with the rules below:

/ip fi nat add chain=dstnat protocol=tcp port=80 action=dst-nat to-addresses=squid-address to-ports=3128

make sure you're not masquerading that traffic

> what is the difference between redirect dst nat and static route with mark routing for transparent cacher?

difference is that when you're doing NAT, it changes dst. ip address; when routed, packet passes unchanged
> Thank you very much sir. I got it working with the rules below:
>
> /ip fi nat add chain=dstnat protocol=tcp port=80 action=dst-nat to-addresses=squid-address to-ports=3128
>
> make sure you're not masquerading that traffic
>
> /ip route add gateway=squid_ip routing-mark=tproxied
> /ip fi man add chain=prerouting protocol=tcp port=80 src-mac-address=!squid_mac action=mark-routing new-routing-mark=tproxied

I got these working before I changed the clients from static IP to pppoe, and it stopped working. If I disable the src-mac-address matcher it can redirect the packets, but they arrive at the proxy server as erroneous TCP packets, so the clients can't browse. And with src-mac-address=!squid_mac it redirects nothing (0 hits).

May I know why we use "src-mac-address=!squid_mac"? Can we use an IP address instead?
> try to accept packets with src-mac-address=squid_mac and then mark routing w/o src-mac-address matcher

Ok, it succeeded. Thanks a lot.

> on what part of path do you see those retransmissions? are they absent w/o tproxy?

On paths from clients to origin servers and vice versa. They appear either with or w/o tproxy (no iptables rules to intercept port 80).

> They appear either with or w/o tproxy

then seems like the reason is somewhere else

>> They appear either with or w/o tproxy
>
> then seems like the reason is somewhere else

I'm suspecting the routing / mark-routing process on Mikrotik caused this problem, since the clients are pppoe clients and Mikrotik acts as pppoe server and gateway for the clients. AFAIK, pppoe connections have an MTU issue, right?

> Maybe I should move to tproxy with bridging mode?

you may try

> The proxy can't intercept the http traffic from clients' IPs with ebtables rules.

then it was something wrong with your setup

> Was it because the pppoe connections don't have ARP while the bridge is in Layer 2 mode?

no, pppoe was behind the router, squid machine didn't know about that

> Or because I didn't set the bridge ip within the same subnet as the clients' subnet?

I don't know how to setup ebtables for tproxy, RTFM

> Or maybe because of a bridging STP priority problem?

STP just disables and enables interfaces, it's not about tproxy, I think