gsmphoenix
just joined
Topic Author
Posts: 5
Joined: Wed Apr 15, 2020 12:32 am

Transparent Proxy

Sun Jan 17, 2021 3:27 pm

Hi All,
I have a bit of a question regarding transparent proxy. I have set up the server on my RouterBoard, but the only time it works is when I manually configure a PC or laptop to point to the proxy server. The only time the server blocks any of the websites is if the connected device has been configured manually.
[admin@MikroTik] > ip proxy print
enabled: yes
src-address: 192.168.1.1
port: 8080
anonymous: no
parent-proxy: 0.0.0.0
parent-proxy-port: 0
cache-administrator: Phoenix.Server
max-cache-size: unlimited
max-cache-object-size: 2048KiB
cache-on-disk: yes
max-client-connections: 600
max-server-connections: 600
max-fresh-time: 3d
serialize-connections: no
always-from-cache: no
cache-hit-dscp: 4
cache-path: web-proxy
[admin@MikroTik] > ip proxy connections print
Flags: S - server, C - client
# SRC-ADDRESS DST-ADDRESS LAST-PROTOCOL STATE TX-BYTES RX-BYTES
0 C 192.168.1.12 idle 4611 213
1 S 77.234.45.63 HTTP/1.1 idle 379 181
2 S 185.60.219.13 HTTP/1.1 idle 680 198
3 C 192.168.1.26 idle 83 194
4 S 77.234.45.64 192.168.1.39 rx-header 379 0
5 C 192.168.1.26 idle 83 184
6 C 192.168.1.13 idle 166 464
7 S 172.217.170.3 HTTP/1.1 idle 1182 332
8 C 192.168.1.27 104.94.95.243 HTTP/1.1 rx-body 3666 2567
9 C 192.168.1.39 77.234.45.64 HTTP/1.1 waiting 32501 1530
10 S 172.217.170.46 HTTP/1.1 idle 257 83
11 S 84.53.156.184 HTTP/1.1 idle 286 4635
12 S 104.94.95.243 192.168.1.27 rx-body 2442 3647
13 C 192.168.1.21 idle 83 185
14 S 216.58.223.142 HTTP/1.1 idle 258 83
[admin@MikroTik] >


[admin@MikroTik] > ip proxy access print
Flags: X - disabled
# DST-PORT DST-HOST PATH METHOD ACTION HITS
0 :porn deny 17
1 :sex deny 0
2 :xxx deny 0
3 .pornhub.com deny 0
4 :Sex deny 0
5 .facebook.com deny 1
6 youtube.com deny 0
[admin@MikroTik] >
 
joegoldman
Forum Veteran
Posts: 766
Joined: Mon May 27, 2013 2:05 am

Re: Transparent Proxy

Tue Jan 19, 2021 5:37 am

Web proxy cannot blacklist domain names for SSL/HTTPS transparently, which most modern sites use now no matter what. Non-transparent proxy gets around this by inspecting the CONNECT request sent to proxy-aware clients, but then can only filter based on domain (not subdir/querystring, e.g. 'facebook.com' can be blocked but can't block _just_ 'facebook.com/someuser').

There are other methods such as IPS (that is not supported on MikroTik; it's a different kind of product entirely).

On MikroTik, you may be able to do some L7 matching to block some things.
Or, what I do in BYOD networks is block 80,443 and only allow the proxy server access to websites, so they are forced to go via it. In a corporate network, push out the details via PAC/WPAD and/or GPO for corp devices.
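As an added example (not joegoldman's or MikroTik's own configuration), here is one way to express the approach above in RouterOS CLI: redirect plain HTTP from the LAN to the proxy shown in the first post (192.168.1.1:8080) so the access list applies without any client configuration, and reject direct 80/443 from LAN clients so proxy-aware clients must use the explicit proxy for HTTPS. The LAN interface name `bridge` and the LAN range 192.168.1.0/24 are assumptions.

```routeros
# Added example, not from the thread. Assumes LAN interface "bridge" and
# LAN subnet 192.168.1.0/24; the proxy listens on 192.168.1.1:8080 as in the post.

# 1. Transparent redirect of plain HTTP only. Without this dstnat rule the
#    proxy only ever sees clients that were pointed at it manually.
#    dst-address-type=!local keeps requests to the router's own web
#    services (e.g. WebFig) from being looped back into the proxy.
/ip firewall nat add chain=dstnat in-interface=bridge protocol=tcp dst-port=80 \
    dst-address-type=!local action=redirect to-ports=8080 \
    comment="transparent web proxy (HTTP only)"

# 2. HTTPS cannot be transparently inspected by the web proxy, so force
#    proxy-aware clients to use the explicit proxy: reject direct 80/443
#    from the LAN in the forward chain. Redirected HTTP and explicit proxy
#    connections terminate on the router (input chain) and are unaffected,
#    as is traffic the router's proxy itself originates (output chain).
/ip firewall filter add chain=forward in-interface=bridge src-address=192.168.1.0/24 \
    protocol=tcp dst-port=80,443 action=reject reject-with=tcp-reset \
    comment="force clients through proxy"

# 3. Keep the proxy from being reachable from outside the LAN, so it cannot
#    be used as an open proxy from the WAN side.
/ip firewall filter add chain=input in-interface=!bridge protocol=tcp dst-port=8080 \
    action=drop comment="no proxy access from outside"

# Verify: HITS in the access list and the dstnat rule counters should now
# increase for clients that were never configured to use the proxy.
/ip proxy access print
/ip firewall nat print stats
```

Rule order matters in RouterOS, so place the input-chain drop after any rules that permit established connections and LAN management access.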
