huntah
Member Candidate
Topic Author
Posts: 238
Joined: Tue Sep 09, 2008 3:24 pm

CHR - Access Internet via external Proxy

Fri May 18, 2018 4:34 pm

Hi,

I have a Dude Server installed on a CHR (Hyper-V) which is working. ROS 6.42.2.
There is only one ether interface name=ether1.
IP, default GW and DNS are configured and I can ping and traceroute everything as I should.
But the Main Firewall is blocking internet access directly and I have to use a Proxy server (ProxyIP:8080).
If I enable IP-WebProxy and specify ParentProxy it is not enough.
I have tried with dst-nat but nothing happens.
There are no other IP firewall rules.

Can someone tell me how to write a rule so that download.mikrotik.com and license.mikrotik.com are accessible via my external proxy from the CHR?
 
CZFan
Forum Veteran
Posts: 968
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa

Re: CHR - Access Internet via external Proxy

Fri May 18, 2018 8:38 pm

You can try something like below:
ip firewall nat add in-interface=eth1 src-address=!<IP of Proxy> protocol=tcp action=dst-nat to-addresses=<IP of Proxy> to-ports=8080
MTCNA, MTCTCE, MTCRE & MTCINE
 
huntah
Member Candidate
Topic Author
Posts: 238
Joined: Tue Sep 09, 2008 3:24 pm

Re: CHR - Access Internet via external Proxy

Mon May 21, 2018 4:52 pm

Hi CZFan,

First, sorry for the late reply. I think you have just pasted the same answer which I already tried and found on the forum. And it is missing a chain.
But it does not work (it does not count the packets).

So here is the complete ip firewall export:
/ip firewall address-list
add address=download.mikrotik.com list=Mikrotik
/ip firewall nat
add action=dst-nat chain=dstnat in-interface=ether1 protocol=tcp src-address=!10.140.10.240 to-addresses=10.140.10.240 to-ports=8080

The counters are not increasing.
 
CZFan
Forum Veteran
Posts: 968
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa

Re: CHR - Access Internet via external Proxy

Mon May 21, 2018 7:04 pm

Maybe the reason is that it is secure traffic. Have you tried with TLS-Host? Something like this (have not tested it and not sure if the TLS host is specified correctly):
add action=dst-nat chain=dstnat dst-port=443 protocol=tcp src-address=127.0.0.1 tls-host=mikrotik.com to-addresses=<Ext Proxy IP> to-ports=8080
MTCNA, MTCTCE, MTCRE & MTCINE
