Hi I would like to use Mikrotik with an external Squid transparent proxy.
I would however like to know, how do you setup the forwarding rules on Mikrotik so that the IP of the user is passed to the squid. If you do a normal dstnat rule the Mikrotik passes its own IP to squid.

Im sure you can do it by using routing marks but im not at all sure how to go about.



Thanks

If the router is used as a proxy with a parent proxy set the packets MUST have the source IP address of the router, that's how chained proxies work.

If you're destination NATing to the Squid proxy directly and the router source NATs the packets to itself then it's doing so because you specifically told it to do so in the source NAT rule set. Reconfigure your ruleset so that it stops doing that. If you need help with that please post a network diagram with IP addresses and device names, and the output of /ip address print detail", "/ip route print detail", "/interface print", "/ip firewall export".

Hi Thanks for the reply

Here is the IP addresses detail:
0 address=10.100.0.1/24 network=10.100.0.0 broadcast=10.100.0.255 interface=ether1 actual-interface=ether1

1 address=172.16.0.2/29 network=172.16.0.0 broadcast=172.16.0.7 interface=ether2 actual-interface=ether2

IP Route detail

0 A S dst-address=0.0.0.0/0 gateway=172.16.0.1 gateway-status=172.16.0.1 reachable ether2 distance=1 scope=30 target-scope=10

1 ADC dst-address=10.100.0.0/24 pref-src=10.100.0.1 gateway=ether1 gateway-status=ether1 reachable distance=0 scope=200

2 ADC dst-address=172.16.0.0/29 pref-src=172.16.0.2 gateway=ether2 gateway-status=ether2 reachable distance=0 scope=10

Firewall Export:

add action=dst-nat chain=dstnat comment="" disabled=no dst-port=!443 protocol=tcp src-address=10.100.0.0/24 to-addresses=172.16.0.1 to-ports=8080
add action=masquerade chain=srcnat comment="" disabled=no src-address=10.100.0.0/24

Your only option is to remove the masquerade rule and do all source NAT on the Squid box, or to introduce another NAT router behind the squid box. If all traffic goes through the squid box anyway why are you destination NATing at all?

Has anyone got this working correctly? I have a squid server that works fine when i manually put the proxy settings into Internet exploder. When i use the dst-nat rule I only get invalid request from the squid box.
Getting error "The requested URL could not be retrieved"
The following error was encountered:
Invalid Request

I want to send all port 80 traffic from 172.16.0.2 to 172.16.1.1 port 3128, which appears to be working, however this error message is telling me that it is NOT working... but this message is of course coming from the squid server. any insight would be greatly appreciated.