mikrotik connect to proxy and share internet to another bridge

mohamadreza0101 · Thu Feb 16, 2023 5:54 pm

Hello
I have little experience in Mikrotik.
I have a scenario, I don't know if it can be implemented or not?
I have a Mikrotik rb951G with version 7.7 and I get the router's Internet from a TP-Link modem. I need to connect the router to a proxy and put it on a virtual wlan interface so that everyone after connecting To be able to access the Internet through proxy.
current situation:

/interface bridge
add name=Bridge-ether4-wlan1
/interface pppoe-client
add add-default-route=yes \
    disabled=no interface=ether5 name=IR-TCT password=123456 user=\
    qwerty12
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=HomeNetWork \
    supplicant-identity="" wpa-pre-shared-key=123456789qA \
    wpa2-pre-shared-key=123456789qA
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge name=\
    HomeMikrotikNet security-profile=HomeNetWork ssid=HomeMikrotikNet \
    wps-mode=disabled
/ip pool
add name=dhcp_pool0 ranges=\
    192.168.1.1-192.168.1.10,192.168.1.12-192.168.1.254
add name=dhcp-pool-150 ranges=192.168.1.150-192.168.1.200
/ip dhcp-server
add address-pool=dhcp-pool-150 disabled=no interface=Bridge-ether4-wlan1 \
    lease-time=10h10m name=dhcp1
/interface bridge port
add bridge=Bridge-ether4-wlan1 interface=ether4
add bridge=Bridge-ether4-wlan1 interface=HomeMikrotikNet
/ip address
add address=192.168.1.11/24 interface=Bridge-ether4-wlan1 network=192.168.1.0
/ip arp
add address=192.168.1.5 interface=Bridge-ether4-wlan1 mac-address=\
    B8:A3:86:6B:94:27
/ip dhcp-server lease
add address=192.168.1.5 client-id=1:b8:a3:86:6b:94:27 mac-address=\
    B8:A3:86:6B:94:27 server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,4.2.2.4,1.1.1.1,185.51.200.2 \
    gateway=192.168.1.11
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,4.2.2.4,1.1.1.1
/ip dns static
add address=192.168.1.11 name=MikrotikRouter.Local
/ip firewall address-list
add address=192.168.1.0/24 list=LocalAddress
/ip firewall filter
add action=drop chain=input comment="Block DNS Attack" dst-port=53 \
    in-interface=IR-TCT protocol=udp src-address-list=!LocalAddress
add action=drop chain=input comment="Add BolockList" in-interface=IR-TCT \
    src-address-list=blacklist
add action=add-src-to-address-list address-list=blacklist \
    address-list-timeout=1d chain=input dst-port=1233,10999,64999,6499 \
    in-interface=IR-TCT protocol=tcp
add action=add-src-to-address-list address-list=Temporary_1234 \
    address-list-timeout=10s chain=input comment="Port Knocking Security" \
    dst-port=1234 in-interface=IR-TCT protocol=tcp
add action=add-src-to-address-list address-list=Temporary_11000 \
    address-list-timeout=10s chain=input dst-port=11000 in-interface=IR-TCT \
    protocol=tcp src-address-list=Temporary_1234
add action=add-src-to-address-list address-list=Temporary_65000 \
    address-list-timeout=10s chain=input dst-port=65000 in-interface=IR-TCT \
    protocol=tcp src-address-list=Temporary_11000
add action=add-src-to-address-list address-list=Secured address-list-timeout=\
    15m chain=input dst-port=6500 in-interface=IR-TCT protocol=udp \
    src-address-list=Temporary_65000
add action=accept chain=input in-interface=IR-TCT src-address-list=Secured
add action=accept chain=input comment="Accept Established" connection-state=\
    established
add action=drop chain=input comment="Drop any to any input"
/ip firewall nat
add action=src-nat chain=srcnat comment="if use static ip address from isp" \
    dst-address-list=!192.168.1.0/24 out-interface=IR-TCT src-address=\
    192.168.1.0/24 to-addresses=10.92.116.47
add action=dst-nat chain=dstnat comment=CCTV dst-address=10.92.116.47 \
    in-interface=IR-TCT port=1401 protocol=tcp src-address-list=Secured \
    to-addresses=192.168.1.108 to-ports=80
add action=dst-nat chain=dstnat comment="RDP mohamadreza PC" dst-address=\
    10.92.116.47 in-interface=IR-TCT port=3389 protocol=tcp src-address-list=\
    Secured to-addresses=192.168.1.9 to-ports=3389
add action=masquerade chain=srcnat comment=\
    "if use daynamic ip address from isp" disabled=yes out-interface=IR-TCT \
    src-address=192.168.1.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Tehran

anav · Thu Feb 16, 2023 6:12 pm

I dont have any experience with fancy words like proxy.
If the router provides a vlan/subnet attached to a virtual WLAN, anything coming on that interface can be pushed to the internet as required.
Not sure how bridge comes into the conversation either?

mohamadreza0101 · Thu Feb 16, 2023 6:26 pm

I dont have any experience with fancy words like proxy.
If the router provides a vlan/subnet attached to a virtual WLAN, anything coming on that interface can be pushed to the internet as required.
Not sure how bridge comes into the conversation either?

If possible, give me more guidance or send me a source.
Thank you

Sob · Thu Feb 16, 2023 7:38 pm

Short answer: NO

Long answer: Maybe. It would work with transparent proxy and requests that could be intercepted this way, e.g. HTTP (but not HTTPS). So in practice it's NO again. Other way would be to make clients aware of proxy. Manual config would be impractical, but there may be some chance with WPAD (https://en.wikipedia.org/wiki/Web_Proxy ... y_Protocol). It's ancient thing, but supposedly it still works even with current browser. I can't say. But RouterOS won't help you with it.

optio · Thu Feb 16, 2023 9:32 pm

Never tried, but see: https://danstechjourney.com/posts/socks ... interface/

There is a docker container for tun2socks (https://hub.docker.com/r/xjasonlyu/tun2socks) but ROS on your Mikrotik device architecture (MIPS) doesn't support containers.
You can try with OpenWrt (https://openwrt.org/toh/mikrotik/rb951g_2hnd) on your device and setup there https://github.com/shangjiyu/openwrt-ex ... -tun2socks or setup tun2socks and forwarding on some local machine and then setup routing for virtual wlan on Mikrotik device to go over that machine.

anav · Thu Feb 16, 2023 9:45 pm

Clearly sob I dont understand the request.
Attaching a vlan to a virtual WLAN and only allowing the vlan internet access is dirt easy.
Why should I care if its a video camera, proxy, or any other device on the vlan ?????

optio · Thu Feb 16, 2023 9:53 pm

Clearly sob I dont understand the request.
Attaching a vlan to a virtual WLAN and only allowing the vlan internet access is dirt easy.
Why should I care if its a video camera, proxy, or any other device on the vlan ?????

I think he wants that all traffic from virtual wlan goes through proxy connection. Tor maybe? - it is a bad idea

mohamadreza0101 · Thu Feb 16, 2023 10:09 pm

Thanks everyone for the advice

mikrotik connect to proxy and share internet to another bridge

mikrotik connect to proxy and share internet to another bridge

Re: mikrotik connect to proxy and share internet to another bridge

Re: mikrotik connect to proxy and share internet to another bridge

Re: mikrotik connect to proxy and share internet to another bridge

Re: mikrotik connect to proxy and share internet to another bridge

Re: mikrotik connect to proxy and share internet to another bridge

Re: mikrotik connect to proxy and share internet to another bridge

Re: mikrotik connect to proxy and share internet to another bridge

Who is online