kazanova
Member
Topic Author
Posts: 407
Joined: Tue Sep 06, 2005 11:52 am

pcc web proxy????

Thu Sep 02, 2010 5:59 pm

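Has anyone tried to use webproxy or squid cache with PCC???
Indeed, We sent down the Torah, in which was guidance and light. The prophets who submitted judged by it for the Jews, as did the rabbis and the scholars, by that with which they were entrusted of the Scripture of Allah, and they were witnesses to it. So do not fear the people but fear Me, and do not exchange My verses for a small price. And whoever does not judge by what Allah has revealed, it is those who are the disbelievers.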
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: pcc web proxy????

Thu Sep 02, 2010 6:24 pm

For the built in proxy, you have to apply PCC to the 'output' chain. For squid proceed as normal as long as the traffic flows through the router.
 
kazanova
Member
Topic Author
Posts: 407
Joined: Tue Sep 06, 2005 11:52 am

Re: pcc web proxy????

Fri Sep 03, 2010 7:55 am

That's my configuration for PCC + squid.
Pages don't work unless I set the IP and port of my squid.

[admin@MikroTik] /ip address> exp
# jan/02/2002 00:52:15 by RouterOS 3.28
# software id = TN2Q-922K
#
/ip address
add address=192.168.1.249/24 broadcast=192.168.1.255 comment="" disabled=no interface=wlan2 network=192.168.1.0
add address=10.10.10.1/24 broadcast=10.10.10.255 comment="" disabled=no interface=Local network=10.10.10.0
add address=192.168.2.249/24 broadcast=192.168.2.255 comment="" disabled=no interface=wlan1 network=192.168.2.0
add address=172.18.1.1/24 broadcast=172.18.1.255 comment="" disabled=no interface=Local network=172.18.1.0
[admin@MikroTik] /ip address> /ip route exp
# jan/02/2002 00:52:41 by RouterOS 3.28
# software id = TN2Q-922K
#
/ip route
add check-gateway=ping comment="" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.2.2 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.2 routing-mark=to_wlan2 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_wlan1 scope=30 target-scope=10
[admin@MikroTik] /ip address> .. firewall exp
# jan/02/2002 00:52:55 by RouterOS 3.28
# software id = TN2Q-922K
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=forward comment="" disabled=yes
/ip firewall mangle
add action=mark-connection chain=input comment="" disabled=no in-interface=wlan2 new-connection-mark=wlan1_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=wlan1 new-connection-mark=wlan2_conn passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=wlan1_conn disabled=no new-routing-mark=to_wlan1 passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=wlan2_conn disabled=no new-routing-mark=to_wlan2 passthrough=yes
add action=accept chain=prerouting comment="" disabled=no dst-address=192.168.2.0/24 in-interface=Local
add action=accept chain=prerouting comment="" disabled=no dst-address=192.168.1.0/24 in-interface=Local
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=Local new-connection-mark=wlan1_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=Local new-connection-mark=wlan2_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting comment="" connection-mark=wlan1_conn disabled=no in-interface=Local new-routing-mark=to_wlan1 passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=wlan2_conn disabled=no in-interface=Local new-routing-mark=to_wlan2 passthrough=yes
/ip firewall nat
add action=dst-nat chain=dstnat comment="" disabled=yes dst-port=80 protocol=tcp src-address=172.18.1.5 to-addresses=172.18.1.2 to-ports=3128
add action=masquerade chain=srcnat comment="" disabled=no out-interface=wlan2
add action=masquerade chain=srcnat comment="" disabled=no out-interface=wlan1
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
[admin@MikroTik] /ip address>
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: pcc web proxy????

Fri Sep 03, 2010 8:08 am

Did you read my comment at all?
 
kazanova
Member
Topic Author
Posts: 407
Joined: Tue Sep 06, 2005 11:52 am

Re: pcc web proxy????

Fri Sep 03, 2010 1:10 pm

Huuuuuh, yes I did.

Did you read my configuration at all????

I added these two rules and tried it with the built-in proxy; the same thing happens.
/ip firewall mangle
add chain=output connection-mark=no-mark action=mark-connection new-connection-mark=Internet1_conn passthrough=yes per-connection-classifier=both-addresses:2/0
add chain=output connection-mark=no-mark action=mark-connection new-connection-mark=Internet2_conn passthrough=yes per-connection-classifier=both-addresses:2/1
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: pcc web proxy????

Fri Sep 03, 2010 4:05 pm

I did. It doesn't contain anything regarding PCC in the output chain.

Those lines you tried to add need tweaking. If you added them at the bottom of the output chain you need to repeat the lines that set routing marks based on connection marks. If you added them before those route mark lines you need to add 'connection-mark=no-mark' so you don't overwrite the connection marks set in the input chain for connections originated from the WAN.
You could further improve things by running PCC load balancing on the proxy output specifically by adding a bridge interface without any ports attached and setting a /32 IP on it, and configuring the built in proxy to use that IP address as the source. You can then tell proxy traffic from other traffic in the output chain by merit of source address.

That's for the built in proxy.

For the external squid box I don't understand why you are only redirecting traffic from one source IP address there, and what your network layout is. Does the squid box sit on the same subnet as the users? What is your topology? Again, as long as traffic gets to the squid box right and flows through the router to the WAN your PCC scheme will apply to its traffic.
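
A sketch of the built-in proxy setup described in the post above, as an added example that is not part of the original thread. The bridge name `proxy-src` and the address 10.255.255.1 are hypothetical; the connection marks, routing marks and the PCC classifier are the ones from the export posted earlier, whose existing `to_wlan1`/`to_wlan2` routes and masquerade rules are assumed to stay in place.

```routeros
# Added example, not from the thread. Hypothetical names: proxy-src, 10.255.255.1.
# Marks (wlan1_conn, wlan2_conn, to_wlan1, to_wlan2) are taken from the posted export.

# 1. A bridge with no ports gives the router an always-up address
#    that only the built-in proxy uses as its source.
/interface bridge
add name=proxy-src
/ip address
add address=10.255.255.1/32 interface=proxy-src
/ip proxy
set enabled=yes port=8080 src-address=10.255.255.1

# 2. PCC in the output chain, limited to proxy-originated connections.
#    connection-mark=no-mark keeps these rules from overwriting marks that
#    the input chain already set on connections originated from the WAN.
/ip firewall mangle
add chain=output action=mark-connection connection-mark=no-mark \
    src-address=10.255.255.1 dst-address-type=!local \
    new-connection-mark=wlan1_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/0
add chain=output action=mark-connection connection-mark=no-mark \
    src-address=10.255.255.1 dst-address-type=!local \
    new-connection-mark=wlan2_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/1

# 3. The routing-mark rules must be evaluated after the PCC rules above.
#    The posted export already has these two lines in the output chain;
#    if the PCC rules were appended below them, repeat them here.
add chain=output action=mark-routing connection-mark=wlan1_conn \
    new-routing-mark=to_wlan1 passthrough=yes
add chain=output action=mark-routing connection-mark=wlan2_conn \
    new-routing-mark=to_wlan2 passthrough=yes
```

Because the proxy's outbound connections leave with the hypothetical 10.255.255.1 source, the existing masquerade rules on the WAN interfaces are what translate them to a routable address.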
 
kazanova
Member
Topic Author
Posts: 407
Joined: Tue Sep 06, 2005 11:52 am

Re: pcc web proxy????

Fri Sep 03, 2010 11:21 pm

If you added them at the bottom of the output chain you need to repeat the lines that set routing marks based on connection marks.
add action=mark-connection chain=input comment="" disabled=no in-interface=wlan2 new-connection-mark=wlan1_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=wlan1 new-connection-mark=wlan2_conn passthrough=yes

These two lines I should repeat??? If yes, where should I, before .... after which rule???
If you added them before those route mark lines you need to add 'connection-mark=no-mark' so you don't overwrite the connection marks set in the input chain for connections originated from the WAN.
add action=mark-connection chain=input comment="" disabled=no in-interface=wlan1 new-connection-mark=wan1_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=wlan2 new-connection-mark=wan1_conn passthrough=yes


like this???
You could further improve things by running PCC load balancing on the proxy output specifically by adding a bridge interface without any ports attached and setting a /32 IP on it, and configuring the built in proxy to use that IP address as the source. You can then tell proxy traffic from other traffic in the output chain by merit of source address.
Can you explain more......
/ip firewall nat
add action=redirect chain=dstnat comment="" disabled=no dst-port=80 protocol=tcp src-address=192.168.10.10 to-ports=8080


/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=yes enabled=yes max-cache-size=unlimited max-client-connections=600 max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 serialize-connections=no src-address=192.168.1.1


/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes comment="" disabled=yes forward-delay=15s max-message-age=20s mtu=1500 name=bridge1 priority=0x8000 protocol-mode=none transmit-hold-count=6

I use src-address=192.168.10.10 only for testing; that is my IP address.
For the external squid box I don't understand why you are only redirecting traffic from one source IP address there
Just testing on my IP address.
Does the squid box sit on the same subnet as the users?
add address=172.18.1.1/24 broadcast=172.18.1.255 comment="" disabled=no interface=Local network=172.18.1.0
Do you mean that line? If that is what you mean, no, this IP is only for squid. My range:
add address=10.10.10.1/24 broadcast=10.10.10.255 comment="" disabled=no interface=Local network=10.10.10.0
What is your topology?
What do you mean?
as long as traffic gets to the squid box right and flows through the router to the WAN your PCC scheme will apply to its traffic.
Can you explain more?
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: pcc web proxy????

Sat Sep 04, 2010 12:23 am

That post confused me even more.

a) are you trying to use an external proxy (a dedicated computer running squid) with an IP address of 172.18.1.2, or the built in proxy? Your original post shows a dstnat rule for all traffic from 172.18.1.5 on port tcp/80 traffic to 172.18.1.2 on tcp/3128. This is problematic because the client is on the same subnet as the proxy, which makes things more difficult (and doesn't appear to be what you want to eventually deploy, and since they are different, you'd have to reconfigure things after testing with that configuration).
However, your most recent post shows you redirecting all tcp/80 traffic from 192.168.10.10 (a host on a network that doesn't appear at all in your original post) to the built in proxy.

Configuration for external vs internal are different. Which one are you using?

b) Please make a drawing of your network including all networks (WAN and LAN) together with their IP addressing and purpose, and the ports on the router that they connect to, and the relevant hosts (at least the squid proxy).
 
kazanova
Member
Topic Author
Posts: 407
Joined: Tue Sep 06, 2005 11:52 am

Re: pcc web proxy????

Sat Sep 04, 2010 12:55 am

Sorry to confuse you, but I tried with the built-in proxy and with external (squid).

I have two different networks.

For external (squid):
/ip firewall nat
add action=dst-nat chain=dstnat comment="" disabled=yes dst-port=80 protocol=tcp src-address=172.18.1.5 to-addresses=172.18.1.2 to-ports=3128

squid ip 172.8.1.2 port 3128
172.18.1.5 my ip
add address=10.10.10.1/24 broadcast=10.10.10.255 comment="" disabled=no interface=Local network=10.10.10.0
my client address i use DHCP (i can use 172.18.1.0/24 since i add in mikrotik same like 10.10.10.0/24) :S right :S
add address=192.168.2.249/24 broadcast=192.168.2.255 comment="" disabled=no interface=wlan1 network=192.168.2.0
add address=192.168.1.249/24 broadcast=192.168.1.255 comment="" disabled=no interface=wlan2 network=192.168.1.0

These two networks are upstream; I use PCC to load balance these two networks.
/ip firewall nat
add action=dst-nat chain=dstnat comment="" disabled=yes dst-port=80 protocol=tcp src-address=172.18.1.5 to-addresses=172.18.1.2 to-ports=3128
172.18.1.5 is my IP address.
Do you need any more configuration for the external proxy?

I notice that when I disable these two rules the proxy (squid) works fine.
I know I can't disable them :d all PCC depends on them.
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=Local new-connection-mark=wlan1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=Local new-connection-mark=wlan2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1
 
kazanova
Member
Topic Author
Posts: 407
Joined: Tue Sep 06, 2005 11:52 am

Re: pcc web proxy????

Sat Sep 04, 2010 1:13 pm

:s what ?????
 
kazanova
Member
Topic Author
Posts: 407
Joined: Tue Sep 06, 2005 11:52 am

Re: pcc web proxy????

Sat Sep 04, 2010 1:39 pm

fewi, thanks for trying to help.

You said that PCC and web proxy (built-in) will work ... right???

Can you post a configuration for it???

Two upstreams and local and web proxy on.
 
kazanova
Member
Topic Author
Posts: 407
Joined: Tue Sep 06, 2005 11:52 am

Re: pcc web proxy????

Sun Sep 05, 2010 10:53 pm

Nice, no one has tried to use PCC and proxy :shock:
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: pcc web proxy????

Sun Sep 05, 2010 10:54 pm

It's Labor Day weekend. I'll post something next week.
 
gtpro
newbie
Posts: 36
Joined: Thu Jun 03, 2010 9:05 pm

Re: pcc web proxy????

Mon Sep 06, 2010 5:01 am

Hi, follow this http://forum.mikrotik.com/viewtopic.php?f=2&t=42208 and adjust it to your needs. It works here in my setup; the only thing I notice is that it won't use the full speed of my ADSL lines. I have 3 ADSL lines of 3500 Kbps each and the max throughput I get is 7.5 Mbps; I should be getting more than 10 Mbps. I have around 50 users and the max throughput I get is 7.5 Mbps, I don't know why.
 
kazanova
Member
Topic Author
Posts: 407
Joined: Tue Sep 06, 2005 11:52 am

Re: pcc web proxy????

Mon Sep 06, 2010 9:02 pm

Maybe two lines just do the job (working).
 
kazanova
Member
Topic Author
Posts: 407
Joined: Tue Sep 06, 2005 11:52 am

Re: pcc web proxy????

Tue Sep 07, 2010 12:33 am

That's what everyone is looking for :D
Any improvement will be welcome.

/ip dns
set allow-remote-requests=yes primary-dns=x.x.x.x secondary-dns=0.0.0.0
/ip route
add dst-address=0.0.0.0/0 gateway=pppoe-out1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=pppoe-out2 distance=2 check-gateway=ping
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat out-interface=pppoe-out2
/ip proxy
set cache-on-disk=yes enabled=yes max-cache-size=200000KiB port=8080
/ip firewall nat
/ip firewall address-list
add address=(ppoe range) list=local

add address=(my local range) list=local

/ip firewall mangle
add action=accept chain=prerouting dst-address-list=local in-interface=Local comment="local traffic"
add action=accept chain=output dst-address-list=local
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=pppoe-out1 new-connection-mark=con-from-isp1 passthrough=yes comment="traffic from isp1"
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=pppoe-out2 new-connection-mark=con-from-isp2 passthrough=yes comment="traffic from isp2"
/ip firewall mangle
add action=mark-connection chain=output comment=dns dst-address=x.x.x.x dst-port=53 new-connection-mark=dns passthrough=yes protocol=tcp comment="traffic control citra.net.id"
add action=mark-connection chain=output dst-address=x.x.x.x dst-port=53 new-connection-mark=dns passthrough=yes protocol=udp
add action=mark-routing chain=output connection-mark=dns new-routing-mark=route-to-isp1 passthrough=no
/ip firewall mangle
add action=jump chain=prerouting comment="jump to the client-lb" connection-mark=no-mark in-interface=Local jump-target=client-lb
add action=jump chain=output comment="jump to the lb-proxy" connection-mark=no-mark out-interface=!Local jump-target=lb-proxy
/ip firewall mangle
add action=mark-connection chain=client-lb dst-address-type=local new-connection-mark=to-isp1 passthrough=yes per-connection-classifier=both-addresses:3/0 comment="initial client loadbalancing "
add action=mark-connection chain=client-lb dst-address-type=local new-connection-mark=to-isp1 passthrough=yes per-connection-classifier=both-addresses:3/1
add action=mark-connection chain=client-lb dst-address-type=local new-connection-mark=to-isp2 passthrough=yes per-connection-classifier=both-addresses:3/2
add action=return chain=client-lb comment="end of loadbalancing"
/ip firewall mangle
add action=mark-connection chain=lb-proxy-address dst-address-type=local new-connection-mark=con-from-isp1 passthrough=yes per-connection-classifier=both-addresses:3/0 comment="initial load balancing proxy "
add action=mark-connection chain=lb-proxy-address dst-address-type=local new-connection-mark=con-from-isp1 passthrough=yes per-connection-classifier=both-addresses:3/1
add action=mark-connection chain=lb-proxy-address dst-address-type=local new-connection-mark=con-from-isp2 passthrough=yes per-connection-classifier=both-addresses:3/2
add action=return chain=lb-proxy comment="end of loadbalancing"
/ip firewall mangle
add action=jump chain=prerouting comment="route marking client" connection-mark=no-mark in-interface=Local jump-target=route-client
add action=mark-routing chain=route-client connection-mark=to-isp1 new-routing-mark=route-to-isp1 passthrough=no
add action=mark-routing chain=route-client connection-mark=to-isp2 new-routing-mark=route-to-isp2 passthrough=no
add action=mark-routing chain=route-client connection-mark=con-from-isp1 new-routing-mark=route-to-isp1 passthrough=no
add action=mark-routing chain=route-client connection-mark=con-from-isp2 new-routing-mark=route-to-isp2 passthrough=no
add action=return chain=route-client disabled=no
/ip firewall mangle
add action=mark-routing chain=output comment="proxy route marking" connection-mark=con-from-isp1 new-routing-mark=route-to-isp1 out-interface=Local passthrough=no
add action=mark-routing chain=output connection-mark=con-from-isp2 new-routing-mark=route-to-isp2 out-interface=Local passthrough=no
/ip route
add check-gateway=ping dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=to-isp1 distance=1
add check-gateway=ping dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-mark=to-isp1 distance=2
add check-gateway=ping dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-mark=to-isp2 distance=1
add check-gateway=ping dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=to-isp2 distance=2