andrescamino
Member Candidate
Topic Author
Posts: 198
Joined: Wed Aug 19, 2009 7:07 pm
Location: Guayaquil-Ecuador

Redirecting web traffic to mikrotik proxy

Mon Jul 19, 2010 8:24 pm

Hello to all,

I would like to redirect all the traffic incoming to the router to another Mikrotik PC for web proxy. Both have internet connection, the RB1000 and the Mikrotik PC, and this is the config I am using

on RB1000:
ip firewall nat add chain=dstnat protocol=tcp dst-port=80 action=dst-nat to-addresses=10.10.10.2 to-ports=80
on Mikrotik PC:
ip firewall nat add chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8080
but as a client, when I try to use the browser, I can't surf the web. What is missing? Do I have to redirect everything back to the RB1000, or what should be done?

Thanks in advance for your responses
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Redirecting web traffic to mikrotik proxy

Mon Jul 19, 2010 9:09 pm

I think that you also need to src-nat/masquerade the traffic on the RB1000.

The traffic flow is as follows:
Client with 10.10.10.100 sends an HTTP request to 1.1.1.1 on the Internet. 10.10.10.1 (the RB1000) receives it and dst-nat's the traffic to 10.10.10.2, but the source IP is still 10.10.10.100. 10.10.10.2 receives the request and proxies as it should, but sends the proxied data straight back to 10.10.10.100 because that was the source IP of the request. 10.10.10.100 doesn't know what the hell 10.10.10.2 wants from it since it never talked to it in the first place, and discards the unexpected packets. If you src-nat the traffic to 10.10.10.1 on the RB1000, 10.10.10.2 will send the proxied request back there, the RB1000 will undo the dst-nat and src-nat and send the proxied data back to the client. Of course you lose accounting on the proxy that way because it sees the same source for all requests. Squid with T-Proxy can do true transparent proxying which could work around this, but the built-in proxy does not have that functionality.

Do some packet sniffing on all involved systems to confirm that - if you sniff on the client, I think you'll see traffic back from the PC proxy as expected, but with the wrong source IP.
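The traffic flow described in the post above, modelled as an added example that is not part of the original thread: a small simulation of the RB1000's dst-nat with and without src-nat, showing which reply tuple the client receives. The addresses are the ones used in the post; the client port 40000 and all class and function names are assumptions made for the illustration.

```python
# Constructed model of the flow: client .100, RB1000 .1, proxy .2, web server 1.1.1.1.
# Packets are (src_ip, src_port, dst_ip, dst_port) tuples.
CLIENT, ROUTER, PROXY, SERVER = "10.10.10.100", "10.10.10.1", "10.10.10.2", "1.1.1.1"

class Router:
    """Minimal NAT box: dst-nat port 80 to the proxy, optionally src-nat as well."""
    def __init__(self, src_nat):
        self.src_nat = src_nat
        self.conntrack = {}  # reply tuple seen by router -> tuple the client expects

    def forward(self, pkt):
        src, sport, dst, dport = pkt
        new_src = ROUTER if self.src_nat else src
        out = (new_src, sport, PROXY, 80)
        # Remember how to undo both translations when the reply comes back.
        self.conntrack[(PROXY, 80, new_src, sport)] = (dst, dport, src, sport)
        return out

    def reverse(self, pkt):
        return self.conntrack.get(pkt)

def proxy_reply(pkt):
    """The proxy answers whatever source address it saw."""
    src, sport, dst, dport = pkt
    return (dst, dport, src, sport)

def client_accepts(sent, reply):
    """A TCP stack only accepts a reply whose tuple mirrors the one it sent."""
    src, sport, dst, dport = sent
    return reply == (dst, dport, src, sport)

def simulate(src_nat):
    router = Router(src_nat)
    syn = (CLIENT, 40000, SERVER, 80)
    at_proxy = router.forward(syn)
    reply = proxy_reply(at_proxy)
    # Same subnet: the reply only crosses the router if it is addressed to it.
    via_router = reply[2] == ROUTER
    if via_router:
        reply = router.reverse(reply)
    return {"proxy_saw_src": at_proxy[0], "via_router": via_router,
            "client_got": reply, "accepted": client_accepts(syn, reply)}

if __name__ == "__main__":
    for mode in (False, True):
        print("src-nat" if mode else "dst-nat only", simulate(mode))
```

With src-nat enabled the proxy sees 10.10.10.1 as the source of every request, which is the loss of per-client accounting mentioned in the post.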
 
Chupaka
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Redirecting web traffic to mikrotik proxy

Wed Jul 21, 2010 4:47 pm

I'd rather route from RB to x86, and do NAT only at x86 (proxy machine?)
 
andrescamino
Member Candidate
Topic Author
Posts: 198
Joined: Wed Aug 19, 2009 7:07 pm
Location: Guayaquil-Ecuador

Re: Redirecting web traffic to mikrotik proxy

Thu Jul 22, 2010 7:41 pm

Hello Fewi...

Thanks for your updates....I will try it and let you know.

Chupaka..

That's what I've been doing...redirecting from RB to x86 but...and in x86 I am doing a web proxy with the rules of dst nat....but I can't browse..well..I haven't tried it by applying a masquerade rule in the RB after redirecting the http traffic to the x86 as Fewi says but I'll try it and let you know how it works
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Redirecting web traffic to mikrotik proxy

Thu Jul 22, 2010 7:49 pm

I think he's talking about proper routing rather than forwarding on the same network. Your issue is due to the fact that both routers are on the same subnet as the clients.

You could create a new /30 network between the proxy router and the proper router, and on the proxy router install a static (or dynamic) route back to the client network through the proper router. At that point the client would send web traffic to the proper router, the proper router would forward it to the proxy router on a different subnet, the proxy router would proxy the request, send it back to the proper router, which sends it back to the client. At that point your setup as is just works.

My solution means you don't change your infrastructure, but things are kind of ugly. His solution means a change to your infrastructure (though it's mainly just logical), but is far more elegant.
 
Chupaka
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Redirecting web traffic to mikrotik proxy

Thu Jul 22, 2010 11:10 pm

My solution does not change the infrastructure. You just add one more default route with some mark and gateway=your_proxy_ip_address, and then set routing-mark=that_new_mark for all traffic with in-interface=local and dst-port=80
 
andrescamino
Member Candidate
Topic Author
Posts: 198
Joined: Wed Aug 19, 2009 7:07 pm
Location: Guayaquil-Ecuador

Re: Redirecting web traffic to mikrotik proxy

Wed Dec 15, 2010 9:50 pm

Ok..

This is the topology of my network...what I want is to redirect all the http traffic to the proxy server...my proxy is not natting, I tried with the two configs but it didn't work as I expected, the proxy gave me an error of looping...I've also tried with HAIRPIN NAT but I know it's not for the same purposes...just gave it a shot

This is what I've tried so far on the Router with no luck:
/ip firewall nat add chain=srcnat src-address=10.10.10.2 action=masquerade out-interface=wlan1
/ip firewall nat add chain=dstnat src-address=10.10.10.0/24 protocol=tcp dst-port=80 action=dst-nat to-addresses=10.10.10.2 to-ports=80
/ip firewall nat add chain=srcnat src-address=10.10.10.0/24 action=masquerade out-interface=wlan1
On the Proxy I just enabled the web-proxy with port 8080, and created a dst-nat rule to make it transparent

I've also tried other configurations, and I know this didn't work because the proxy is not redirecting anything back...any idea of how can I solve this?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Redirecting web traffic to mikrotik proxy

Wed Dec 15, 2010 10:07 pm

You need to exempt the proxy from being proxied itself before redirecting everyone else to the proxy.
/ip firewall nat add chain=dstnat src-address=10.10.10.2 protocol=tcp dst-port=80 action=accept
/ip firewall nat add chain=dstnat src-address=10.10.10.0/24 protocol=tcp dst-port=80 action=dst-nat to-addresses=10.10.10.2 to-ports=80
otherwise what you have should work. Though I would remove this:
/ip firewall nat add chain=srcnat src-address=10.10.10.0/24 action=masquerade out-interface=wlan1
as the specific srcnat for 10.10.10.2 you have is sufficient - and you should only NAT when you have to.
 
andrescamino
Member Candidate
Topic Author
Posts: 198
Joined: Wed Aug 19, 2009 7:07 pm
Location: Guayaquil-Ecuador

Re: Redirecting web traffic to mikrotik proxy

Wed Dec 15, 2010 10:33 pm

Hi Fewi,

I tried with your config, but I can't see traffic from the Proxy to the Router, it's like the Router sends the http traffic to the Proxy, and the proxy does nothing...

I can see that because when I open the connection I can see this
source destination tcp state
10.10.10.3:6434 10.10.10.2:80 closed

it doesn't establish the handshake...what else could be left maybe on the proxy side?
I just have webproxy enabled on port 8080
with a nat rule
/ip firewall nat add chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8080 
 
fewi
Forum Guru
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Redirecting web traffic to mikrotik proxy

Wed Dec 15, 2010 10:41 pm

My bad, didn't spot that.

Don't do any NAT on the proxy at all. And change
/ip firewall nat add chain=dstnat src-address=10.10.10.0/24 protocol=tcp dst-port=80 action=dst-nat to-addresses=10.10.10.2 to-ports=80
to
/ip firewall nat add chain=dstnat src-address=10.10.10.0/24 protocol=tcp dst-port=80 action=dst-nat to-addresses=10.10.10.2 to-ports=8080
on the gateway router to push the traffic directly to the right port on the proxy.
If that still doesn't work I am out of ideas.
 
andrescamino
Member Candidate
Topic Author
Posts: 198
Joined: Wed Aug 19, 2009 7:07 pm
Location: Guayaquil-Ecuador

Re: Redirecting web traffic to mikrotik proxy

Wed Dec 15, 2010 11:01 pm

The same thing happened....

On the proxy connections I can see that the source ip address 10.10.10.3:65519 is making a connection with 10.10.10.2:8080 but the tcp state is listed as closed...

On the other hand on the router the connection is 10.10.10.3 with 74.125.159.99:80 and the tcp state is SYN SENT...

I have been trying to solve this for a while but still no luck...

Thanks fewi for your time, if you come out with any other idea please let me know
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Redirecting web traffic to mikrotik proxy

Wed Dec 15, 2010 11:34 pm

That seems to indicate that the proxying process is working fine, and that the proxy router actually tries to fetch something for a client.

Double check the proxy router: does it have a reasonable default gateway? Is the Internet router set up to NAT everything out correctly to the Internet (are other clients behind it working OK)? Can you ping 8.8.8.8 from the proxy router?
 
andrescamino
Member Candidate
Topic Author
Posts: 198
Joined: Wed Aug 19, 2009 7:07 pm
Location: Guayaquil-Ecuador

Re: Redirecting web traffic to mikrotik proxy

Wed Dec 15, 2010 11:39 pm

Well actually yes...the proxy can ping anything outside, it can ping 8.8.8.8 or also can ping www.google.com

I don't understand why the proxy sets the tcp connections as closed...When I check on the router...the proxy never asks anything on the port 80 to the router...it's like the connection dies on the proxy, and the proxy doesn't even bother asking the http to the main router...
