Community discussions

kaltersia
Frequent Visitor
Topic Author
Posts: 64
Joined: Tue Apr 30, 2013 12:22 am

[SOLVED] Error negotiating SSL connection on FD "SQUID SSL_BUMP"

Tue Apr 07, 2015 4:20 pm

I need to redirect a specified website to WAN 2.

All traffic to WAN 1, and http://www.example.com to WAN 2.

Can this be done? I have tried different things, but without success. :(

Thanks for any help.
Regards
Kaltersia
Last edited by kaltersia on Sun Apr 19, 2015 3:58 am, edited 1 time in total.
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Redirect www.example.com to WAN 2

Tue Apr 07, 2015 4:56 pm

If example.com is a simple website with only one or two IP addresses, or all from a single range of IP addresses, then just create a static route to that/those IP addresses using wan2.

e.g. http://www.example.com --> 192.0.2.12, 192.0.2.14, and 192.0.2.15
/ip route add dst=192.0.2.0/24 gateway=x.x.x.x
(x.x.x.x = wan2's default gateway)

If you're using PCC or load balancing with routing / connection marks, then you'll need to add this route once for each routing mark that you use, as well as once with no routing mark.
If you don't know what routing marks are, then you're not using them, so ignore that. ;)
When given a spoon,
you should not cling to your fork.
The soup will get cold.
kaltersia
Frequent Visitor
Topic Author
Posts: 64
Joined: Tue Apr 30, 2013 12:22 am

Re: Redirect www.example.com to WAN 2

Tue Apr 07, 2015 5:02 pm

Actually it is www.dropbox.com.
I use Squid proxy cache in my small network.
I need to redirect dropbox.com directly to wan2 because I can't bump dropbox.com.
It's a bit complicated... anyway, can you show the steps to redirect a range of IPs that belong to Dropbox?

I have collected some Dropbox IP ranges.

Regards
Kaltersia
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Redirect www.example.com to WAN 2

Tue Apr 07, 2015 5:26 pm

You keep saying "redirect" - and I keep interpreting this to mean "send traffic to this site via wan2 where the usual route would be wan1".

Of course, redirect in the firewall/NAT sense means to transparently hijack the traffic and redirect it to self or some other server. If this is what you mean, then let me know....

As for the first method, static routes are by far the most efficient way to do it.
If you have a list of addresses, then just route the various blocks.

According to Hurricane Electric's fantastic BGP toolkit site
http://bgp.he.net/AS19679#_prefixes

Dropbox has these IP ranges:
45.58.64.0/20
45.58.76.0/23
108.160.160.0/20
199.47.216.0/22

If you create these 4 static routes with gateway=wan2's gateway IP then you'll be golden. All of the other /24 prefixes shown are just subnets of these 4 main blocks of address space. Those subnet advertisements are most likely there for routing policy reasons - they don't affect you so just use the full blocks.
kaltersia
Frequent Visitor
Topic Author
Posts: 64
Joined: Tue Apr 30, 2013 12:22 am

Re: Redirect www.example.com to WAN 2

Tue Apr 07, 2015 5:38 pm

Send traffic or redirect, it's the same for me, as long as Dropbox goes to wan1 without first going to my proxy server..

I use mark routing to send ports 80 and 443 to the Squid proxy.

I have tried with those IP ranges
45.58.64.0/20
45.58.76.0/23
108.160.160.0/20
199.47.216.0/22

and these IP ranges (a list of 23 further /16 and /22 prefixes, omitted here)

still no luck ...
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Redirect www.example.com to WAN 2

Tue Apr 07, 2015 5:51 pm

So normally, your MikroTik redirects traffic to a Squid proxy, and you want Dropbox NOT to be redirected to the Squid proxy.

Ok - make an IP address-list, e.g. noproxy.
Add all prefixes to this list which you want to be exempt from the Squid proxy.
Then on your NAT rule that redirects to Squid, add "dst-address-list=!noproxy" to the existing rule.
(In WinBox, edit the rule, choose Advanced, Dst. Address List, and make sure the little box has a ! in it.)

Finally, get rid of any static routes you've added for this project - the standard routing policy should be fine.
kaltersia
Frequent Visitor
Topic Author
Posts: 64
Joined: Tue Apr 30, 2013 12:22 am

Re: Redirect www.example.com to WAN 2

Wed Apr 08, 2015 7:08 pm

Solved, thanks to ZeroByte.
IP ranges used:
/ip firewall address-list
add list=noproxy address=178.249.136.0/21 comment=Dropbox
/ip firewall address-list
add list=noproxy address=54.230.94.0/24 comment=soundcloud
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Redirect www.example.com to WAN 2

Wed Apr 08, 2015 7:15 pm

Glad you got it working!
kaltersia
Frequent Visitor
Topic Author
Posts: 64
Joined: Tue Apr 30, 2013 12:22 am

Re: Redirect www.example.com to WAN 2

Sun Apr 19, 2015 3:36 am

For anyone else who has this error in Squid:
It is easy to catch the IPs that cause the SSL bump error in Squid using sarg, then just find the IP range for that IP and add it to MikroTik using the rule above...

Squid error: "2015/04/19 02:20:24| clientNegotiateSSL: Error negotiating SSL connection on FD 19: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request (1/-1)"
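The last step of the procedure in this thread (destination IP from sarg, find its covering prefix, emit the address-list entry) as an added Python example; this is not code from the thread or from MikroTik. The prefixes are the ones quoted in the thread; the destination IPs are constructed samples, and the /20 "too broad" limit is an assumption, since every prefix on the noproxy list is traffic that bypasses the bump and goes uninspected.

```python
import ipaddress

# Prefixes quoted in the thread (Dropbox per bgp.he.net, plus the two the
# original poster finally used). Labels become the RouterOS comment.
KNOWN_PREFIXES = {
    "45.58.64.0/20": "Dropbox",
    "45.58.76.0/23": "Dropbox",
    "108.160.160.0/20": "Dropbox",
    "199.47.216.0/22": "Dropbox",
    "178.249.136.0/21": "Dropbox",
    "54.230.94.0/24": "soundcloud",
}

# Constructed sample of destination IPs a sarg report might attribute to the
# failing CONNECTs (not real report output). One duplicate, one unknown.
SAMPLE_DEST_IPS = ["108.160.172.1", "45.58.77.9", "108.160.172.1", "203.0.113.7"]

# Assumption: a prefix shorter than /20 exempts far more than one service
# from the proxy (the thread's /16 list covers whole AWS ranges), so flag it.
BROAD_PREFIX_LEN = 20


def covering_prefixes(ips, prefixes=KNOWN_PREFIXES):
    """Map each IP to the most specific known prefix containing it.
    Returns ({prefix: label}, [ips with no known prefix]); duplicates collapse."""
    nets = [(ipaddress.ip_network(p), label) for p, label in prefixes.items()]
    matched, unmatched = {}, []
    for raw in ips:
        ip = ipaddress.ip_address(raw)
        hits = [(n, label) for n, label in nets if ip in n]
        if not hits:
            unmatched.append(raw)  # needs a manual whois/bgp.he.net lookup
            continue
        net, label = max(hits, key=lambda h: h[0].prefixlen)  # /23 beats /20
        matched[str(net)] = label
    return matched, unmatched


def routeros_commands(matched, list_name="noproxy"):
    """Render address-list lines in the syntax used in the thread."""
    lines = ["/ip firewall address-list"]
    for prefix, label in sorted(matched.items(),
                                key=lambda kv: ipaddress.ip_network(kv[0])):
        lines.append(f"add list={list_name} address={prefix} comment={label}")
    return lines


def too_broad(matched, limit=BROAD_PREFIX_LEN):
    """Prefixes that would exempt more than the limit allows from inspection."""
    return [p for p in matched if ipaddress.ip_network(p).prefixlen < limit]


if __name__ == "__main__":
    found, unknown = covering_prefixes(SAMPLE_DEST_IPS)
    print("\n".join(routeros_commands(found)))
    print("unmatched:", unknown, "too broad:", too_broad(found))
```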