Mikrotik Squid Proxy Server

Evo1ve

Well-Known Member
Joined
Aug 20, 2011
Messages
149
Reaction score
31
Location
Under Your Heatsink
Ok so I'm running Proxmox on my small HP server and the caching works perfectly under Ubuntu Server with Windows clients.
I decided to make my proxy server transparent but can't seem to get it up and running?

My layout

Mikrotik RB
ether 1 -> WAN/Internet
ether 2 -> WiFi link
ether 3-5 -> LAN (192.168.1.0/24)

Ubuntu Server connected to Ether 5 on Mikrotik RB (192.168.1.9)

I did add DSTNAT to 192.168.1.9:8118 but Squid can't seem to resolve the address in Firefox?
With Mikrotik's own Proxy Server this method works without a doubt.

Should the Squid Server be on a different subnet and interface on the Mikrotik(Not Bridged)?
Also I did make sure to change the Squid server to transparent.


I know this is a simple setup but I can't get it to work :D
Any help would be great!
 
Like you say it should just require a simple dstnat from 80 to in your case 8118

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=80 protocol=tcp src-address=192.168.1.0/24 to-addresses=192.168.1.9 to-ports=8118
 
Just doing a dstnat for TCP80 is opening a whole different can of worms. You don't want to change the destination IP's of the packets, you want to redirect or route them to your Squid proxy.

Easiest solution is to enable the webproxy on the Mikrotik, and set your Squid box as the parent proxy. Then add a redirect NAT rule for web traffic *not* coming from the Squid proxy.

Alternatively, use Policy Based Routing/Mangle rules to reroute all web traffic to the Squid box, but not for traffic coming *from* the Squid IP.
 
Well I think his original setup would work, he just needs to add a rule before the DSTNAT rule to exclude traffic coming from the server running the proxy, so it does not hit the DSTNAT rule intended for the rest of the PCs.

You want the whole internal network to get forced to the proxy, but the proxy you want to bypass that rule. In mikrotik speak, you need to do that on a rule before the DSTNAT rule.
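The rule ordering this post describes, written out as an added RouterOS fragment (it is not from the thread or from any of the posters; it reuses the thread's LAN 192.168.1.0/24, Squid at 192.168.1.9 and Squid port 8118, and assumes no other dstnat rules are present). The accept rule must be listed above the dst-nat rule, otherwise Squid's own outbound port-80 connections are redirected back to Squid:

```routeros
# Added example, not from the thread. Addresses and port taken from the posts above.
/ip firewall nat

# 1) Exclusion first: Squid's own web traffic (src 192.168.1.9) is accepted
#    here and never reaches the dst-nat rule below, which breaks the loop.
add chain=dstnat protocol=tcp dst-port=80 src-address=192.168.1.9 \
    action=accept comment="Squid box: bypass transparent redirect"

# 2) Everything else on the LAN gets redirected to Squid on 8118.
add chain=dstnat protocol=tcp dst-port=80 src-address=192.168.1.0/24 \
    action=dst-nat to-addresses=192.168.1.9 to-ports=8118 \
    comment="LAN: redirect web traffic to Squid"

# Check the order (rule 0 must be the accept rule) and watch the counters:
# the accept rule's packet count should grow when Squid fetches pages.
/ip firewall nat print stats
```

Whether the Squid box then needs intercept mode and its own local NAT rule, as the later replies discuss, is a separate question; this fragment only covers the Mikrotik side described in this post.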
 
DSTNAT is not the answer, even if you add an accept/exclude rule for the Squid IP. Try it. If a client tries to open any web page, he'll always end up at the Squid's web page.
 
DSTNAT is not the answer, even if you add an accept/exclude rule for the Squid IP. Try it. If a client tries to open any web page, he'll always end up at the Squid's web page.
You don't really know what you are talking about, do you?

I used Google to find a random howto, searching for "mikrotik squid proxy" only.
Link: http://aacable.wordpress.com/tag/howto-add-squid-proxy-server-with-mikrotik/

Oh what do you know, action=dst-nat chain=dstnat.

The difference is, in the above howto, the layer2 interfaces for the squid proxy and the lan are separated on the Mikrotik, so you don't need the exclude rule like when they are on the same layer2 interface.

@Evo1ve, are you not perhaps missing the fact that you also need an iptables rule on your squid proxy server? eg. from the guide:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.9:8118
 
Sigh.

@OP, please try Tinuva's suggestion and link.

Please try mine once you start getting issues with sites not loading correctly, and when you want to be able to use the logs on your Squid box.

Actually, don't use either of our methods. I'll PM you the contact details for MikrotikSA, you can ask them what the best solution is.
 
Sorry to hash up an old post but can you guys assist me perhaps?

I also am forwarding with a DST NAT rule to my Ubuntu squid3 box proxy. Trying to keep it short.

The thing is I understand the problem and understand the solution yet I don't know how to put that in iptables.

Setting a PC's internet settings to use the proxy box directly works.

http_port 3128 (works directly but not when taking direct off - get Invalid URL)
http_port 3128 intercept (Error: No forward proxy ports configured+ Forwarding loop error)

Now I understand one can't have the box looping back on itself. Somehow I need to build an iptables ruleset to make this work but I'm buggered if I know how.

Please could someone help.
 
I added this to my .conf file and it seems to be working now.

http_port 3128 accel vhost allow-direct (Can work)
http_port 3128 intercept (The difference is I used a mangle rule instead of a DSTNAT rule in Mikrotik.)

Getting lots of TCP_MISS at the moment with only a few HITS.
 