Hi all,

I'm trying to configure a transparent web proxy, and am not sure if I'm doing everything correctly, so if some of you can take a gander and tell me if I'm doing this right or wrong, that would be great. I'm not a network tech, so please reply in layman terms. ^^

OK, here goes:

//ip firewall filter
chain=input action=drop src-address=0.0.0.0/0 in-interface=LOCAL dst-port=8080 protocol=tcp

QUESTION: I was supposed to secure the proxy so it won't be used as a relay, right? And to my understanding, this is where I do it. Am I doing it right? I'm kinda confused as to whether I should put 'LOCAL' or 'PUBLIC' in the in-interface...

//ip firewall nat
chain=dstnat action=redirect to-ports=8080 in-interface=LOCAL dst-port=80 protocol=tcp

QUESTION: Does those two lines (filter and NAT) have to be the first ones in the filter and NAT section? I mean, they are doing those rules from the top one first, no?

//ip proxy access> pr
Flags: X - disabled
# DST-PORT DST-HOST PATH METHOD ACTION HITS
0 ;;; block telnet & spam e-mail relaying
23-25 deny 0
1 X ;;; Test blocking website
http://www.yahoo.com deny 0

QUESTION: The mikrotik proxy help page said that "It is strongly recommended to deny all IP addresses except those behind the router as the proxy still may be used to access your internal-use-only (intranet) web servers." So should I put something like "src-address=0.0.0.0 action=deny" line in there?

//ip proxy> pr
enabled: yes
src-address: 0.0.0.0
port: 8080
parent-proxy: 0.0.0.0
parent-proxy-port: 0
cache-drive: system
cache-administrator: "myadmin"
max-cache-size: 100000KiB
cache-on-disk: yes
max-client-connections: 600
max-server-connections: 600
max-fresh-time: 2w
serialize-connections: no
always-from-cache: no
cache-hit-dscp: 4

OK, that's what 'print' gave me. So lesse, filter, check. NAT, check. Access list, check. Anything else I'm missing?

Any inputs, anything at all, on this issue will be greatly and deeply appreaciated.

Anyone? Help, please?

//ip firewall filter
chain=input action=drop src-address=0.0.0.0/0 in-interface=LOCAL dst-port=8080 protocol=tcp

change LOCAL to PUBLIC

and give it try

So the way I'm doing it now (using LOCAL) does actually opens up the proxy for public? ack...

Will try it. Thanks.

Uh, changed LOCAL to PUBLIC, didn't see anything different... I'm keeping it at PUBLIC at the moment, hope I'm doing it right. Do correct me if I'm wrong...

Anyway, I have some more questions, hope you guys can lend me a hand one more time...

1. Well, I see a ton of 0kb files in the cache, mainly avatar images from forums, buttons from websites, stuff like that... I have no problem using my bandwidth for these items, but they are just taking up cache space... Is there any way to set the MINIMUM size limit for files to be cached? Say, anything less than 1kb should not be cached. I thought I saw something like that in 2.9, but it's gone in 3.9... Any ideas?

2. If I printed "/ip proxy cache-content", I get a list of EVERYTHING in the cache. What command should I type to display only things that are, oh, say, more than 10kb, or more than 3 days old?

3. What does "serialize connection" means?

4. And if I set "Always from cache" to "yes", does that mean that the router will always read from the cache and never load new sites? That would be odd, now wouldn't it? Oh well...

Thanks a bunch you guys.

uhh... Anyone can help? Please?

[quote="thermant"]
1. Well, I see a ton of 0kb files in the cache, mainly avatar images from forums, buttons from websites, stuff like that... I have no problem using my bandwidth for these items, but they are just taking up cache space... Is there any way to set the MINIMUM size limit for files to be cached? Say, anything less than 1kb should not be cached.
[/quote]

You're missing the point of caching. It's all these little, seldom changing files that you WANT to cache.

[quote]
2. If I printed "/ip proxy cache-content", I get a list of EVERYTHING in the cache. What command should I type to display only things that are, oh, say, more than 10kb, or more than 3 days old?
[/quote]

try this;
/ip proxy cache-contents print value-list where file-size
and/or
/ip proxy cache-contents print value-list where last-accessed

[quote]
3. What does "serialize connection" means?
[/quote]

from the manual;

serialize-connections (yes | no; default: no) - Do not make multiple connections to server for multiple client connections, if possible (i.e. server supports persistent HTTP connections). Clients will be served on FIFO principle; next client is processed when response transfer to the previous one is completed. If a client is idle for too long (max 5 seconds by default), it will give up waiting and open another connection to the server.

[quote]
4. And if I set "Always from cache" to "yes", does that mean that the router will always read from the cache and never load new sites? That would be odd, now wouldn't it? Oh well...
[/quote]

again, from the manual;

always-from-cache (yes | no; default: no) - ignore client refresh requests if the content is
considered fresh

thermant your //ip firewall filter in-interface always will be public, cause if you want to secure your proxy from out side access you must have to put your in-interface=public because you don't want anyone access to your proxy from out side(WEB).

Dear Hilton can you please explain what is Max fresh time does? Cause I can't have cache objects older than 7 days, like if I download any file which is 15 MB then first time I have my simple queue bandwidth limite after that if I download it again then I get my full lan speed from cache, it's all ok by the time being but after 7 or 8 days if I download the same file again then I get my simple queue bandwidth again but not from my cache as lan bandwidth. Please explain what is wrong here!

Thanks a lot

Dear Hilton can you please explain what is Max fresh time does? Cause I can't have cache objects older than 7 days, like if I download any file which is 15 MB then first time I have my simple queue bandwidth limite after that if I download it again then I get my full lan speed from cache, it's all ok by the time being but after 7 or 8 days if I download the same file again then I get my simple queue bandwidth again but not from my cache as lan bandwidth. Please explain what is wrong here!

I don't think anything is wrong. The time limit for any file is set by the originating server so it will time out eventually and you don't have any control over that. What you can do is force it to time out quicker but that's not what you want to do.

Perhaps you should look at hosting a simple sharepoint server to serve up large files that don't change that often?