Dear Mikrotik Wizards

I hope that someone can help me - I'm so frustrated I'm ready to roar! I've asked many people I know who use RouterOS, but nobody seems to be able to solve this little problem. I've been trying for almost two months with no success, so it must be something really simple.

I have a RB750G with default setup (port 1 WAN, DHCP - ports 2-5 switched internal, 192.168.88.0/24) and I am trying to re-route all internal http traffic (port 80) to my squid proxy which is sitting on a separate box also on the internal network. There are so many examples of this working for people and I've tried each one, but with no luck! I've also tried another RB750G and another squid proxy, but same symptoms persist.

The problem is that the router is not routing the outgoing requests to the squid proxy succesfully. If I manually set the browser to use it, the proxy works fine. If I turn off the proxy and listen on the port with netcat ($netcat -l 3128), I get no incoming traffic to the server. If I click on the Connections tab under Firewall in winbox, I can see the ougoing "syn" on port 80, but thereafter no handshake follows (no ack).

I therefore come to the conclusion that the router is not forwarding the request correctly.

My router: 192.168.88.1
My proxy: 192.168.88.228 (port 3128)

My config:

/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s \
tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s

/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established disabled=no in-interface=\
ether1-gateway
add action=accept chain=input comment="default configuration" connection-state=related disabled=no in-interface=\
ether1-gateway
add action=drop chain=forward comment=";;; drop insecure mail port 25" disabled=no dst-address=0.0.0.0/0 dst-port=25 \
out-interface=ether1-gateway protocol=tcp src-address=192.168.88.0/24
add action=drop chain=input comment="default configuration" disabled=no in-interface=ether1-gateway

/ip firewall nat
add action=accept chain=dstnat comment=";;; accept proxy through firewall" disabled=no dst-port=80 protocol=tcp src-address=\
192.168.88.228
add action=dst-nat chain=dstnat comment=";;; but re-route everyone else through proxy" disabled=no dst-port=80 protocol=tcp \
src-address=192.168.88.0/24 to-addresses=192.168.88.228 to-ports=3128
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=ether1-gateway

/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no

If anyone could please help me, I would be truly grateful. I have work which urgently needs this to function, and whilst I know this is not anyone else's problem, I've exhausted all my options of support over here. Please help!

Thanks for a fantastic product - this is the only problem I've had with RouterOS. Everything else about it is simply fantastic.

Yours,
Gareth

http://wiki.mikrotik.com/wiki/Hairpin_NAT
You will be unable to log access on the proxy as all access will appear to come from the router. The only way to work around that is to not put the Squid proxy on the same network as the clients that are to be proxied. This would be trivial to do on the RB750G by taking one port out of the switch group and building a second LAN dedicated to the Squid box. Still, if you want the Squid box to stay on the internal network and can live with access logs being useless hairpin NAT will make this work.

Dear fewi

Thank-you so much for your quick and informative reply. I really appreciate that you explained to me WHY the problem exists, as well as what I can do about it. I tried your suggestion of creating a separate LAN on port 5 of the RB750G and it seems to be working... access via proxy is slightly slower than direct access, but proxied pages are faster. (I'm not sure if I should be able to notice the difference on my little home network - is my setup very clumsy?)

Anyway, in the same spirit of sharing by which you have really helped me (I can't thank you enough!), I've copied the important parts of my config from "/export file=config" below. So, for all new readers, this is what I've done to create a separate logical LAN on a separate physical port. Here is my setup, to make it easy for newcomers and Google spiders to find:

Routerboard 750G
Port 1: WAN, dhcp-client
Port 2: local master for 192.168.88.1/24 network - this is my client network
Port 3: switching Port2
Port 4: switching Port3
Port 5: local master for 192.168.222.0/24 network - this is my server network

I am using the .88.1/24 network for all clients, and I have a dumb switch in the next room connected to Port2 which then connects to 5 other computers . I also have another client in the server room connected to Port3, incidentally.

I am using the .222.1/24 network for all servers. Currently, I only have one physical server, but if I needed more, I would probably extend the new second LAN onto Port4 in order to capitalise on the RB750G's gigabit speeds. (but for even more, I'd put in another switch)

I am using an ubuntu linux server for squid (and subversion, apache, webmin, samba and ssh), and it's address is 192.168.222.222 - looks confusing, but at least I can remember it! As per good policy with servers, I've hardwired this in the server, and then reserved the IP in the RB750G's DHCP server so it doesn't get issued to another machine by some chance.

Diagramatically, my RB750G is wired as follows:

Port 1 -> ADSL router - internet
Port 2 -> dumb switch -> various client machines
Port 3 -> lone client in the server room
Port 4 (unused)
Port 5 -> server

I have chopped out the salient points from my config dump (at the end of this post). To other advanced and more experienced users, if I've made any obvious errors, or done something typically n00bish, please let me know. If anyone can streamline this further, please also say so.

Finally, I want to thank fewi and the community once more. Without your help, there would be no help for guys like me wanting to start out. If you were here, I'd get you a drink for sure, but for now it'll have to be an *e-beer* from South Africa!

######################################################
# Set up the 5th port on the RB750G as a separate LAN
######################################################
/interface ethernet
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=no full-duplex=yes l2mtu=1524 \
master-port=none mtu=1500 name=ether5-server-master speed=1Gbps

/ip neighbor discovery
set ether5-server-master discover=yes

/queue interface
set ether5-server-master queue=ethernet-default

/tool mac-server
add disabled=no interface=ether5-server-master

######################################################
# create a server IP pool and issue DHCP on this port
######################################################

/ip dhcp-server
add address-pool=server-dhcp authoritative=after-2sec-delay bootp-support=\
static disabled=no interface=ether5-server-master lease-time=3d name=\
server

/ip pool
add name=server-dhcp ranges=192.168.222.22-192.168.222.222

######################################################
# now create the networking rules for our new LAN
######################################################

/ip address
add address=192.168.222.1/24 broadcast=192.168.222.255 comment=\
";;; default server configuration" disabled=no interface=\
ether5-server-master network=192.168.222.0

/ip dhcp-server network
add address=192.168.222.0/24 comment=";;; default server configuration" \
dns-server=192.168.88.1 gateway=192.168.222.1

######################################################
# now create NAT rules to redirect port 80 to proxy
######################################################

/ip firewall nat
add action=accept chain=srcnat comment=";;; allow direct access to proxy" \
disabled=no dst-address=192.168.222.222 dst-port=80 protocol=tcp
add action=accept chain=dstnat comment=";;; accept proxy through firewall" \
disabled=no dst-port=80 protocol=tcp src-address=192.168.222.222
add action=dst-nat chain=dstnat comment=\
";;; but re-route everyone else through proxy" disabled=no dst-port=80 \
protocol=tcp src-address=192.168.88.0/24 to-addresses=192.168.222.222 \
to-ports=3128

######################################################
# our new lan needs to be routable so we can see it
######################################################

/ip route
add comment="" disabled=no distance=1 dst-address=192.168.222.1/32 gateway=\
192.168.222.1 scope=30 target-scope=10

Glad you got it working.

This comes up so much, maybe write a wiki page yourself with that information - it is easier to find there than in the forums.

Thanks for the encouragement. I think I would like to write the wiki, to help the community. As you say, if it comes up a lot, then a simple tutorial may help.

I have one final question, about the route which I added using the following command:

/ip route
add comment="" disabled=no distance=1 dst-address=192.168.222.1/32 gateway=\
192.168.222.1 scope=30 target-scope=10

If I use winbox, I see the route in BLUE writing, and it says "unreachable" next to it (see attached screengrab). Have I done something wrong? It works, in the sense that my proxy is now working, but it concerns me that it's blue and unreachable.

Thanks!

Gareth

You cannot have a route to an IP address through itself. Your destination is 192.168.222.1/32 (/32 is CIDR notation for "just this one single IP address"), and you're trying to reach it through that IP address itself. That is redundant. A destination of 192.168.222.0/24 (that entire network) through 192.168.222.1 (the IP the router has on the interface that entire network is behind) makes sense, but you don't have to enter such a route: it will automatically be created the moment you put an IP address on an interface as what is called a 'directly connected' route.

In your screenshot look at the fourth entry: 192.168.222.0/24 is reachable through ether5-server-master with a preferred source of 192.168.222.1. The route has the properties DAC: dynamic (automatically created when the IP address was added to the interface), active (the interface is up, so the route is valid) and connected (the route doesn't point to a network behind a transit network, but to a network the router has an IP address on).

So you can remove that blue static route you created and things will still work, that blue static route isn't used at all as it is right now.

Glamplitude can you plz past the squid configuration you do use
i try what you said but with no luck
squid only work if i set my internal proxy enable

Hi

I use generic settings for squid - i.e. out of the box. (So there is no need to paste my config. It is default.)

If you are using squid version later than 2.6, remember to pass the "transparent" option as part of the "http_port" configuration. The relevant line in my config (line 1115 for me) says:

http_port 3128 transparent

I am familiar with using the config file, but the company I'm working for requires all the products to be configurable via webmin. If you are new to unix administration, I recommend webmin (www.webmin.com) - it is a very easy way to learn unix.

Also, (this is really easy in webmin) remember to edit your ACL's and add a line which says

http_access allow localnet

You must add this line BEFORE the line which says

http_access deny all

because, like RouterOS, squid reads the allow/deny rules in the order they appear (you want to allow before you deny all).

Good luck!

already webmin install and run

http_access allow localnet

can i edit this through webmin am not so familiar with linux if yes where

1) Click on servers. (If you do not see squid listed, first click on "un-used modules", click on squid, then click install)
2) Click Squid Proxy Server
3) Click on Ports and Networking (first icon)
4) The first option, "proxy addresses and ports", this is my config:
If this doesn't solve it for you, I think you're going to have to ask for help over at the squid forum - we're getting quite far away from RouterOS in this thread. (http://www.squid-cache.org is a good place to start)

Glamplitude
you don't use loadbalace like PCC

In his scenario the Squid box is behind a routed interface. Because of that all you need to do exempt the traffic that is going to be redirected to Squid from having the PCC ruleset applied to it (accept traffic with the same parameters you are going to use to NAT to the Squid box as the first step in the prerouting mangle set). Traffic makes it to the proxy without being torn apart by PCC, the proxy takes the traffic and requests the websites, that traffic now matches for PCC and is load shared.

Because of that all you need to do exempt the traffic that is going to be redirected to Squid from having the PCC ruleset applied to it

add action=dst-nat chain=dstnat comment="" disabled=no dst-port=80 protocol=tcp src-address=10.10.10.0/24 (client) to-addresses=172.18.1.2 to-ports=3128

easy
i cant exempt becuse it to port 80 and if i do what you ask i kill pcc 80%

Read my post more carefully. Only exempt traffic with the same source address, interface, protocol, port, etc. Exempt exactly the traffic going to the LAN to Squid. He traffic from Squid to the web still goes through PCC.

so my connection loset when it go out form squid to client (tha waht you mean)

add action=accept chain=input comment="" disabled=no dst-address=10.10.10.0 (my client) dst-port=80 in-interface=Local protocol=tcp src-address=172.18.1.2 src-port=3128

Take the NAT rule, change the chain to prerouting like I said, change the action to accept, put it into firewall mangle, move it to the very top. I don't know how to be more clear than that.

Again, the goal is to ensure that traffic that is going to be redirected to Squid later (and only that traffic) is exempt from PCC.

hi all...

i need to configure my barracuda web filter as external cache engine for mikrotik router... it supports the WCCP protocol for that option...

But Mikrotik doesn't supports WCCP but it is possible to use external cache engines like squid..

If someone have any experience please give me some tips..

thanks advanced

I checked out the product page for the Barracuda webfilter. That's one pimped-out proxy. I can't say I'd buy one... With linux, squid, srg, clam, and some time to learn how they work, you can achieve all of this without spending a thing - and you can build it on old hardware! If you're in a hurry to set it up and your company wants 3rd-party support, I guess there's some motivation, but I can't say I'd spend the money for someone to put together something I can make for free. (I feel the same about Apple computers, but that's another story! If you want to do it yourself, remember that much fail is required before any win can take place. Be patient.

That said, though - you've got this thing now and you want to use it. It seems to be built on linux and with standard modules. You need to find out if it has an option to be a transparent proxy - in squid this is passed as a runtime parameter. NB if you want to use proxy authorisation (proxy_auth), though, this can not be done transparently (obviously).

In all events, though: you need to create one logical network for your clients and a second logical network for your proxy (and other) server(s). In my example, with the RB750G, my logical networks are also physically distinct. Then, as discussed above, get your MikroTik router to forward all port 80 traffic to your Barracuda. I can't imagine a product as specialised as this doesn't have the capability - this is a standard function and application for a proxy.

Oh yes, make sure that you aren't NAT-ting between your various internal networks. NAT must ONLY be applied to your upstream (WAN) connection. Otherwise you won't get useful data on your proxy usage graphs; all requests will appear to originate at the router...

All the best!

Dear Fewi,

I seem to have the same problem here and have been long searching for a solution to no avail and would really appreciate it if you could assist me here. My setup is as follows:

Wan>>16port Dlink switch>>Clearos>>mikrotik>>netequalizer>>24 port Dlink switch


I have added a squid with its input from the Wan directly and then I have put the squid directly to the mikrotik.

I did the following configurations:


Wan:

Wan -> mikrotik 172.16.10.1/24
Wan -> squid 172.16.11.1/24


Mikrotik


Ether1
172.16.10.2/24


Ether2 (Hotspot)
10.5.50.1/24


Ether3 to squid
192.168.50.2


Squid


Ether1 from Wan
172.16.11.2


Ether2 from mikrotik
192.168.50.1:3128


The squid is configured transparently.


Now I have tried several CLI commands I have seen online and still yet I am yet to find one that will eventually push the http traffic to the squid.

The last set of CLI commands i used that i thought will get me up and running is as follows:

/ip firewall nat
add action=accept chain=srcnat disabled=no dst-port=80 protocol=tcp

/ip firewall mangle
add action=mark-routing chain=prerouting disabled=no dst-port=80 new-routing-mark=http passthrough=yes protocol=tcp

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=(192.168.50.1) routing-mark=http scope=30 target-scope=10

add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=(172.16.10.1) scope=30 target-scope=10

/ip firewall nat
add chain=dstnat action=dst-nat protocol=tcp dst-port=80 src-address=10.5.50.0/24 to-addresses=192.168.50.1 to-ports=3128
add chain=dstnat action=dst-nat protocol=tcp dst-port=80 src-address=192.168.50.0/24 to-addresses=192.168.50.1 to-ports=3128


I am not sure what exactly it is i am doing wrong!

I would appreciate any help that I can get to make this happen.


Thanks in advance.