# Commands run on the router to produce the transcripts that follow:
# a firewall export, a detailed route listing, a web-proxy export and a
# hotspot export (each appears below in that order).
/ip firewall export
/ip route print detail
/ip proxy export
/ip hotspot export
# First transcript: complete firewall export (RouterOS 4.15, header below).
/ip firewall export
# dec/15/2010 17:56:25 by RouterOS 4.15
# software id = W5EY-LHT9
#
# Connection tracking is enabled. Most TCP state timeouts are cut to 5s,
# established and generic entries expire after 10m, UDP streams after 3m.
# NOTE(review): tcp-syncookie=no leaves SYN cookies off; the thread does not
# say whether that is deliberate for this box -- worth confirming.
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=5s tcp-close-timeout=5s \
tcp-close-wait-timeout=5s tcp-established-timeout=10m \
tcp-fin-wait-timeout=5s tcp-last-ack-timeout=5s tcp-syn-received-timeout=\
5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=5s \
udp-stream-timeout=3m udp-timeout=5s
/ip firewall filter
# NOTE(review): this export contains forward-chain rules only; there are no
# input-chain rules, so services the router itself listens on (for example the
# web proxy on port 8080 configured under /ip proxy) are not restricted by the
# firewall filter and depend entirely on their own access lists.
# Disabled placeholder chain kept for hotspot-specific rules.
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
# action=return on ICMP in the built-in forward chain; its practical effect
# here is not established by the export -- presumably intended to stop
# further forward-chain processing for pings (verify).
add action=return chain=forward comment="Ping Replay Rule" disabled=no \
protocol=icmp
# Rules are evaluated top to bottom: the two game ports (tcp/843, tcp/9339)
# are accepted before the P2P drop below can match them.
add action=accept chain=forward comment="Yoville Game" disabled=no dst-port=\
843 protocol=tcp
add action=accept chain=forward comment="" disabled=no dst-port=9339 \
protocol=tcp
add action=drop chain=forward comment="Block P2P Traffic" disabled=no p2p=\
all-p2p
# Disabled: would collect LAN sources sending NetBIOS name service (udp/137)
# to unicast addresses into the "ARP Users" list with no expiry.
# NOTE(review): src-address is 10.10.10.0/24 here while the NAT rules use
# 10.10.10.0/23 for the same LAN -- confirm the prefix before enabling.
add action=add-src-to-address-list address-list="ARP Users" \
address-list-timeout=0s chain=forward comment=\
"Add to Net Cut Address list" disabled=yes dst-address-type=unicast \
dst-port=137 protocol=udp src-address=10.10.10.0/24
/ip firewall mangle
# Marks every ICMP packet seen in prerouting as "Ping" and keeps processing.
add action=mark-packet chain=prerouting comment="Ping Rule" disabled=no \
new-packet-mark=Ping passthrough=yes protocol=icmp
# Marks router-originated packets leaving LAN with DSCP 4 as "Cache_Packets";
# DSCP 4 is the value the proxy sets on cache hits (cache-hit-dscp=4 under
# /ip proxy), so this tags proxy cache hits delivered to LAN clients.
add action=mark-packet chain=output comment="Cache Packets Rule" disabled=no \
dscp=4 new-packet-mark=Cache_Packets out-interface=LAN passthrough=no
/ip firewall nat
# Placed ahead of the redirect: HTTP to hosts in the "Arabseed" list is accepted
# as-is in dstnat, so those destinations bypass the transparent proxy (the
# per-site workaround the thread describes).
add action=accept chain=dstnat comment="Arab seed" disabled=no \
dst-address-list=Arabseed dst-port=80 protocol=tcp
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
# Source NAT keyed on the LAN prefix. Traffic originating from the router
# itself (e.g. the proxy) does not carry a 10.10.10.0/23 source and so is not
# masqueraded by this rule -- the issue raised later in the thread.
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
disabled=no src-address=10.10.10.0/23
# NOTE(review): this redirect has no in-interface or src-address match, so any
# tcp/80 traffic hitting dstnat is sent to the proxy on 8080. The later variant
# in this thread scopes the same rule with in-interface and src-address;
# consider doing the same here.
add action=redirect chain=dstnat comment="Transparent Web Proxy Forward" \
disabled=no dst-port=80 protocol=tcp to-ports=8080
# NOTE(review): publishes RDP (tcp/3389) on 10.0.0.1 to the inside host
# 10.10.10.240 with no src-address restriction, so every peer able to reach
# 10.0.0.1 can reach that RDP service; restrict src-address (or add a matching
# forward-chain filter) if only known clients should connect.
add action=dst-nat chain=dstnat comment="Samir RDP" disabled=no dst-address=\
10.0.0.1 dst-port=3389 protocol=tcp to-addresses=10.10.10.240
# NOTE(review): the masquerade rule above already matches every
# 10.10.10.0/23 source in srcnat, so this netmap rule appears to be shadowed
# and never reached; its purpose beyond the comment "VPN Rule" is not shown.
add action=netmap chain=srcnat comment="VPN Rule" disabled=no src-address=\
10.10.10.0/23 to-addresses=10.0.0.1
# Connection-tracking helpers (ALGs) for protocols that open secondary
# connections. ftp, tftp, irc and sip are left enabled; h323 and pptp are off.
# Helpers for protocols that are not actually in use widen what conntrack
# accepts as related traffic -- the usual hardening step is to disable the
# unused ones (which of these are needed is not stated in the thread).
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=yes
set sip disabled=no ports=5060,5061
set pptp disabled=yes
[Admin@MikroTik Maadi Server] > /ip route print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 A S dst-address=0.0.0.0/0 gateway=10.0.0.138
gateway-status=10.0.0.138 reachable WAN distance=1 scope=255
target-scope=10
1 ADC dst-address=10.0.0.0/24 pref-src=10.0.0.1 gateway=WAN
gateway-status=WAN reachable distance=0 scope=10
2 ADC dst-address=10.10.10.0/23 pref-src=10.10.10.250 gateway=LAN
gateway-status=LAN reachable distance=0 scope=10
[Admin@MikroTik Maadi Server] > /ip proxy export
# dec/15/2010 17:56:26 by RouterOS 4.15
# software id = W5EY-LHT9
#
/ip proxy
# Web proxy enabled on port 8080 and bound to all addresses (src-address=0.0.0.0).
# NOTE(review): the firewall export above has no input-chain rules, so the only
# thing stopping non-LAN clients from using this proxy is the
# "Deny access from WAN to Web Proxy" entry in /ip proxy access below; a
# firewall input rule for tcp/8080 would be the more robust control.
# NOTE(review): parent-proxy=95.211.133.181:80 forwards all proxied client
# traffic to a third-party host over plain HTTP; that host can observe (and in
# principle rewrite) every proxied request, so confirm it is trusted and intended.
# always-from-cache=yes: the thread suggests trying "no" first when pages misbehave.
# cache-administrator is empty (used in proxy error pages); cache is on disk,
# size unlimited.
set always-from-cache=yes cache-administrator="" cache-hit-dscp=4 \
cache-on-disk=yes enabled=yes max-cache-size=unlimited \
max-client-connections=600 max-fresh-time=1w max-server-connections=5000 \
parent-proxy=95.211.133.181 parent-proxy-port=80 port=8080 \
serialize-connections=no src-address=0.0.0.0
/ip proxy access
# The proxy only handles HTTP, so a deny on ports 23-25 here does nothing
# useful (as pointed out later in the thread); port filtering belongs in the
# firewall filter.
add action=deny comment="block telnet & spam e-mail relaying" disabled=no \
dst-port=23-25
# Only control keeping the proxy from being usable outside the LAN; the
# firewall export above has no input-chain rule for port 8080.
add action=deny comment="Deny access from WAN to Web Proxy " disabled=no \
src-address=!10.10.10.0/23
# Ad blocking: matching requests are answered with a redirect to an image
# hosted on a third-party site (imageshack), i.e. external content is
# substituted into users' pages. The bare wildcard patterns near the end
# (ads.*.com, ad.*.com, ads.*.net, ad.*.net) are broad; the thread suspects
# them of breaking the site under discussion.
add action=deny comment="Block All Banners" disabled=no dst-host=\
*yieldmanager* redirect-to=img31.imageshack.us/img31/4692/88153829.jpg
add action=deny comment="" disabled=no dst-host=*googlesyndication.com* \
redirect-to=img31.imageshack.us/img31/4692/88153829.jpg
add action=deny comment="" disabled=no dst-host=*doubleclick.net* \
redirect-to=img31.imageshack.us/img31/4692/88153829.jpg
add action=deny comment="" disabled=no dst-host=*megaclick.com* redirect-to=\
img31.imageshack.us/img31/4692/88153829.jpg
add action=deny comment="" disabled=no dst-host=*loading321.com* redirect-to=\
img31.imageshack.us/img31/4692/88153829.jpg
add action=deny comment="" disabled=no dst-host=*fe.brandreachsys.com* \
redirect-to=img31.imageshack.us/img31/4692/88153829.jpg
add action=deny comment="" disabled=no dst-host=*.advertising.com* \
redirect-to=img31.imageshack.us/img31/4692/88153829.jpg
add action=deny comment="" disabled=no dst-host=*at.atwola.com* redirect-to=\
img31.imageshack.us/img31/4692/88153829.jpg
add action=deny comment="" disabled=no dst-host=\
*adserving.cpxinteractive.com* redirect-to=\
img31.imageshack.us/img31/4692/88153829.jpg
add action=deny comment="" disabled=no dst-host=*server.cpmstar.com* \
redirect-to=img31.imageshack.us/img31/4692/88153829.jpg
add action=deny comment="" disabled=no dst-host=*adserver.adtech.de* \
redirect-to=img31.imageshack.us/img31/4692/88153829.jpg
add action=deny comment="" disabled=no dst-host=*www.linkonlineworld.com* \
redirect-to=img31.imageshack.us/img31/4692/88153829.jpg
add action=deny comment="" disabled=no dst-host=*clk.atdmt.com* redirect-to=\
img31.imageshack.us/img31/4692/88153829.jpg
add action=deny comment="" disabled=no dst-host=ads.*.com* redirect-to=\
img31.imageshack.us/img31/4692/88153829.jpg
add action=deny comment="" disabled=no dst-host=ad.*.com* redirect-to=\
img31.imageshack.us/img31/4692/88153829.jpg
add action=deny comment="" disabled=no dst-host=ads.*.net* redirect-to=\
img31.imageshack.us/img31/4692/88153829.jpg
add action=deny comment="" disabled=no dst-host=ad.*.net* redirect-to=\
img31.imageshack.us/img31/4692/88153829.jpg
/ip proxy cache
# Objects that are never stored in the disk cache, matched by URL path suffix.
# Archives, .wav and .iso are excluded; the .mp3/.pdf/.flv entries are disabled
# (those types are still cached).
add action=deny comment="" disabled=no path=*.zip
add action=deny comment="" disabled=no path=*.rar
add action=deny comment="" disabled=yes path=*.mp3
add action=deny comment="" disabled=yes path=*.pdf
add action=deny comment="" disabled=no path=*.wav
add action=deny comment="" disabled=yes path=*.flv
add action=deny comment="" disabled=no path=*.iso
/ip proxy direct
# Requests matching these entries are fetched directly by the proxy rather
# than through the parent proxy configured above: the local LAN prefix plus a
# handful of named hosts (presumably chosen to avoid the upstream proxy for
# them -- the thread does not say why).
add action=allow comment="" disabled=no dst-address=10.10.10.0/23
add action=allow comment="" disabled=no dst-host=*student.guc.edu.eg*
add action=allow comment="" disabled=no dst-host=www.google.com
add action=allow comment="" disabled=no dst-host=*www.yahoo.com*
add action=allow comment="" disabled=no dst-host=www.msn.com
[Admin@MikroTik Maadi Server] > /ip hotspot export
# dec/15/2010 17:56:29 by RouterOS 4.15
# software id = W5EY-LHT9
#
/ip hotspot profile
# Built-in default profile: login by cookie or HTTP-CHAP, no RADIUS.
set default dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot \
http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=cookie,http-chap \
name=default rate-limit="" smtp-server=0.0.0.0 split-user-domain=no \
use-radius=no
# Profile used by the hotspot below: login page served at 10.10.10.250 under
# the name www.wi-fi-internet.com, HTTP-CHAP only (no cookie login), local
# user database (use-radius=no).
# NOTE(review): login-by=http-chap means the login exchange happens over plain
# HTTP (challenge-hashed password, but no TLS); whether an HTTPS login is
# wanted for this deployment is not discussed in the thread.
add dns-name=www.wi-fi-internet.com hotspot-address=10.10.10.250 \
html-directory=hotspot http-proxy=0.0.0.0:0 login-by=http-chap name=\
Hotspot_Profile rate-limit="" smtp-server=0.0.0.0 split-user-domain=no \
use-radius=no
/ip hotspot
# Hotspot server on the LAN interface: addresses from Hotspot_Pool, one
# address per client MAC, idle clients logged out after 5m, no keepalive.
add address-pool=Hotspot_Pool addresses-per-mac=1 disabled=no idle-timeout=5m \
interface=LAN keepalive-timeout=none name=hotspot1 profile=\
Hotspot_Profile
/ip hotspot user profile
# Default user profile: one concurrent login per user, per-user rate limit
# string as given, status page refreshes every 10m.
# transparent-proxy=yes sends hotspot users' HTTP through the web proxy
# configured under /ip proxy -- the thread suggests disabling this (and the
# NAT redirect) when isolating proxy-related page failures.
set default advertise=no idle-timeout=none keepalive-timeout=1m name=default \
open-status-page=http-login rate-limit=\
"128K/416K 2M/4M 128K/416K \t120/120" shared-users=1 status-autorefresh=\
10m transparent-proxy=yes
/ip hotspot service-port
# FTP helper for hotspot clients on port 21.
set ftp disabled=no ports=21
/ip hotspot walled-garden
# Hosts reachable by hotspot clients before they log in.
add action=allow comment="" disabled=no dst-host=www.tvquran.com
add action=allow comment="" disabled=no dst-host=www.islamway.com
add action=allow comment="" disabled=no dst-host=www.way2allah.com
add action=allow comment="" disabled=no dst-host=www.mazameer.com
add action=allow comment="" disabled=no dst-host=www.alheweny.org
add action=allow comment="" disabled=no dst-host=www.quranflash.com
add action=allow comment="" disabled=no dst-host=www.dorar.net
# The two individual archive.org mirror entries are disabled; the wildcard
# *.us.archive.org entry at the end covers them (and every other mirror host).
add action=allow comment="" disabled=yes dst-host=ia331410.us.archive.org
add action=allow comment="" disabled=no dst-host=www.archive.org
add action=allow comment="" disabled=yes dst-host=ia331411.us.archive.org
add action=allow comment="" disabled=no dst-host=*.us.archive.org
[Admin@MikroTik Maadi Server] >
# The two /ip proxy access rules quoted back from the export above: the
# reply argues both belong in the firewall filter rather than in the proxy
# (the proxy only sees HTTP, so the 23-25 port match never applies).
add action=deny comment="block telnet & spam e-mail relaying" disabled=no \
dst-port=23-25
add action=deny comment="Deny access from WAN to Web Proxy " disabled=no \
src-address=!10.10.10.0/23
Add this rule:
/ip firewall nat
(snip)
# Existing rule quoted from the export: masquerade keyed on the LAN prefix.
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
disabled=no src-address=10.10.10.0/23
/ip firewall nat
# Suggested replacement: masquerade keyed on the WAN interface instead, so
# connections the proxy itself opens (source 127.0.0.1, not in the LAN prefix)
# are masqueraded as well. Change ether1 if it is not the WAN interface.
add chain=srcnat action=masquerade out-interface=ether1
For this error I had fixed it, but nothing changed; it is the same.
This may be the problem. Add this rule:
/ip firewall nat
(snip)
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
disabled=no src-address=10.10.10.0/23
If ether1 is not your WAN interface, then change that.
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1
Then remove the masquerade with the src-address.
It will masquerade your localnet, but when you go through the proxy, it is not masquerading the proxy server (127.0.0.1). At least that is what I have discovered.
I discovered that when I disable the proxy entirely, the site works normally (I discovered this after I tried working with the proxy but disabling all rules and the cache, which also does not work). Please, Feklar, try to open these links with the proxy enabled in MikroTik; you will find that it won't work, as I did.
Well, you have two things in your proxy rules that won't do anything there; they are better placed in the firewall filter:
The proxy only works for HTTP, not telnet or SMTP, so having those rules there is meaningless. Also, I believe it will take fewer resources to block proxy requests from addresses you don't want in the firewall filter than in the proxy itself.
add action=deny comment="block telnet & spam e-mail relaying" disabled=no \
dst-port=23-25
add action=deny comment="Deny access from WAN to Web Proxy " disabled=no \
src-address=!10.10.10.0/23
As for why you cannot access that website, I didn't see anything in your firewall to prevent it, so I'm guessing it's tied to the proxy itself. Try setting always-from-cache=yes to no, and test. If that doesn't work, disable the transparent proxy rule, and disable it in the hotspot profile and sign back in and see what happens. If it works then, re-enable the proxy and disable all of the deny rules, try again, if it works, enable the rules one by one until you run across the one causing your problem.
/ip proxy
# Proxy settings quoted back from the export above (port 8080 on all
# addresses, upstream parent proxy 95.211.133.181:80). The reply suggests
# switching always-from-cache to "no" as the first thing to try.
set always-from-cache=yes cache-administrator="" cache-hit-dscp=4 \
cache-on-disk=yes enabled=yes max-cache-size=unlimited \
max-client-connections=600 max-fresh-time=1w max-server-connections=5000 \
parent-proxy=95.211.133.181 parent-proxy-port=80 port=8080 \
serialize-connections=no src-address=0.0.0.0
The PHP code has challenges also. There are <html> and <head> tags in the document body:
<meta http-equiv='refresh' content='0; url=http://forum.arabseed.com/showthread.php?p=857400'>
Does this mean that the MikroTik proxy does not support this kind of page?
There are challenges with the web pages also. This is the only code returned by http://www.arabseed.com/refresh-21886
The PHP code has challenges also. There are <html> and <head> tags in the document body:
<meta http-equiv='refresh' content='0; url=http://forum.arabseed.com/showthread.php?p=857400'>
Not only MikroTik. Most proxy servers face similar issues with such pages.
Does this mean that the MikroTik proxy does not support this kind of page?
<!-- The only content returned by the refresh URL discussed in the thread:
     an empty document whose head carries a meta refresh that immediately
     redirects to the forum thread. -->
<html>
<head>
<meta http-equiv='refresh' content='0; url=http://forum.arabseed.com/showthread.php?p=857400'>
</head>
</html>
For a solution, I did find one (by putting the site's IP addresses before the proxy rule in the NAT section and accepting them), but it is not logical to do this for every site that does not work.
I agree with you; no doubt MikroTik is a very high-performance server.
How many sites don't work besides the one you listed in your original post? How about http://www.yahoo.com? Or http://www.google.com? Do they work? They are both dynamic pages.
/ip proxy direct
# Suggested test: fetch the forum host directly instead of via the parent
# proxy, to rule the upstream proxy out as the cause of the failure.
add action=allow dst-host=forum.arabseed.com
<!-- Minimal static page suggested in the thread, to be saved as test.php on
     the forum's server; if it loads through the proxy, the failure lies in
     showthread.php rather than in the proxy path. -->
<html><body>Test Page</body></html>
It didn't work.
Try this:
And you are certain you are not blocking anything on that page with the proxy, by either domain name or file type? I noticed a Flash Player app running on that page.
/ip proxy direct add action=allow dst-host=forum.arabseed.com
And for this I think I must be admin for this site to do this, and I am not admin in it.
You might try a simple PHP page on that same server. Save it as "test.php" on the forum.arabseed.com website.
<html><body>Test Page</body></html>
http://forum.arabseed.com/test.php
If it says "Test Page", then it must be something on your showthread.php page causing the fail.
I tried to open the site with the default proxy settings without any other rule; it didn't work. I wonder that Feklar says it is working for him via MikroTik, but I am sure he tested it via MikroTik without using the MikroTik web proxy. Just enable the check box for web-proxy and see what happens: it is not working, not just on my MikroTik but on any MikroTik using the web-proxy server.
Then unblock everything in your proxy: domain names, file types, and all. Then try it. If it works, start adding blocks back until it doesn't. It downloads a LOT of different pages, probably some you have blocked by wildcard domain names. I would suspect the "ad.*.com" and "ads.*.com" blocks. That site is almost nothing but ads. Watch the download bar at the bottom of your browser as the page loads.
# NOTE(review): the trailing ">" on the next line looks like a pasted CLI
# prompt character rather than part of the menu path ("/ip firewall nat").
/ip firewall nat>
# Transparent-proxy redirect scoped to the hotspot interface and the client
# subnet, with one destination (173.236.99.211) excluded so that host is
# reached directly instead of through the proxy listening on port 3130.
add action=redirect chain=dstnat comment="transparent proxy - hotspot net" disabled=\
no dst-address=!173.236.99.211 dst-port=80 in-interface=hotspot protocol=tcp \
src-address=192.168.3.0/24 to-ports=3130
/ip firewall nat
# Source NAT keyed on the WAN interface rather than on the LAN prefix, so that
# connections opened by the router's own proxy are masqueraded too (the
# earlier src-address form did not cover them). Adjust out-interface if
# ether1 is not the WAN port.
add chain=srcnat action=masquerade out-interface=ether1
/ip firewall address-list
# Destinations that must not go through the transparent proxy; referenced by
# the redirect rule's dst-address-list=!non-proxy match. Add further hosts
# here rather than editing the NAT rule.
add address=173.236.99.214 comment="" disabled=no list=non-proxy
add address=173.236.99.211 comment="" disabled=no list=non-proxy
/ip firewall nat
# Final form of the transparent-proxy redirect: scoped to the hotspot
# interface and client subnet, with the bypass driven by the "non-proxy"
# address list instead of a single hard-coded destination.
add action=redirect chain=dstnat comment="transparent proxy - hotspot net" disabled=no dst-address-list=!non-proxy dst-port=80 in-interface=hotspot protocol=tcp src-address=192.168.3.0/24 to-ports=3130
I have found the solution........