oktar3380
just joined
Topic Author
Posts: 1
Joined: Wed Aug 24, 2022 2:02 pm

Squid Proxy

Wed Aug 24, 2022 2:05 pm

Hello

I have a Squid proxy at a different location and I want to redirect traffic from a specified interface on the MikroTik to the proxy.

Example..

eth4 on Mikrotik is 192.168.0.250
squid proxy server is x.x.x.x:port

Anyone please?
 
mkx
Forum Guru
Posts: 11593
Joined: Thu Mar 03, 2016 10:23 pm

Re: Squid Proxy

Wed Aug 24, 2022 3:28 pm

Probably you can get away with using DST NAT (in conjunction with SRC NAT probably already in place). Something like this:
/ip firewall nat
add action=dst-nat chain=dstnat in-interface=ether4 protocol=tcp dst-port=80 to-addresses=x.x.x.x
...
# together with generic:
add action=masquerade chain=srcnat out-interface-list=WAN

You can fine-tune the selection criteria for which connections have to be redirected to the squid proxy (e.g. include src-address or dst-address or ...).

Mind that you cannot redirect HTTPS requests (dst-port=443), because clients expect a proper SSL handshake with the target server to happen, which a random intermediate server (e.g. squid proxy) can't perform (that would be a "man in the middle attack"; one of the basic reasons for using SSL is expressly to prevent MITM attacks). HTTPS can be directed via a proxy only if the client (e.g. web browser) is fully aware of the fact that it's using a proxy and it expects to handshake a connection with one. It is possible to redirect HTTP requests since those don't cause any client-server verification. But it only works reliably with HTTP/1.1 (I guess all modern browsers always try to use it); with HTTP/1.0, sending the Host header was not mandatory (but required when using a proxy server), and such a redirect would often produce undesirable results.
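
Added example, not part of the posts above and not Squid's own code: after DST NAT the proxy sees its own address as the destination, so the only place it can recover the intended origin server is the request itself. The sketch below classifies the first bytes of a redirected connection accordingly; the function name, verdict strings and sample streams are constructed for illustration.

```python
from typing import Optional, Tuple

def classify_redirected(first_bytes: bytes) -> Tuple[str, Optional[str]]:
    """Return (verdict, origin) for the first bytes of a dst-nat'ed TCP stream."""
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    # The proxy cannot answer this handshake as the target server.
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return ("tls-not-redirectable", None)

    head = first_bytes.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return ("not-http", None)
    method, target, _version = parts

    # A client configured to use a proxy names the origin in the request line.
    if method == "CONNECT":
        return ("proxy-aware-connect", target)
    if target.lower().startswith("http://"):
        return ("proxy-aware", target[len("http://"):].split("/", 1)[0])

    # Intercepted client: origin-form target, so only the Host header helps.
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), value.strip())
    host = headers.get("host")
    if host:
        return ("intercepted-ok", host)
    return ("intercepted-no-host", None)  # e.g. HTTP/1.0 without Host

# Constructed sample streams, one per case discussed in the thread.
SAMPLES = {
    "http11": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "http10": b"GET /index.html HTTP/1.0\r\n\r\n",
    "tls": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03",
    "configured": b"GET http://example.com/a HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "connect": b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify_redirected(data))
```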
