Hi Everyone
I have a working internet connection from my mikrotik and its connected to a switch that uses a proxy. Here is my setup:
Mikrotik: 192.168.1.254/24 (gateway on bridge)
Mikrotik Dhcp - 192.168.1.100-192.168.1.200 (on bridge to clients)
0.0.0.0/0 - 10.5.56.223/29 (connected on ether 1 and goes to the switch 10.5.56.193 reachable)
I have a static route 10.0.241.1 to gateway 10.5.56.193 (ether 1 reachable)
I do not have access to the switch 10.5.56.193 that supplies the internet and it belongs to another company.
On my client pc's I only add 10.0.241.1:3128 (no password or login required on the proxy) in internet explorer proxy settings and the internet works like a charm! But...here is my dillema, I would like the internet to work on my clients without adding the proxy settings into firefox, IE, the antivirus, etc. The reason being that half of them use laptops that they take home and on bussines trips.
My question is, how to I route all internet traffic to 10.0.241.1:3128 so that all my clients have normal internet? (and will this affect local traffic to the servers and printers?)

I am still a noob, so please go easy on me. Any help would be apprectiated.
Thanks
T

so no-one knows how to do this?

It is not so easy as you may think.
There are some possibilities with a DNS name WPAD but it is a can of worms.
You may google for it...

I got it partially working with a NAT rule to forward all traffic to the proxy, and on my connections on the mikrotik I saw it was going out...had trouble comming back in tho...also I think I might have forwarded everything including local data to the proxy... Please someone help me. I know this mikrotik can do this

Try using a NAT - dst-nat - action masquerade that conveys all traffic with destination ports 80,443 to the proxy on 10.5.56.193 on port 3128.

For your clients use gateway 192.168.1.254

The redirect is not enough. You must reconfigure proxy to transparent mode.

The redirect is not enough. You must reconfigure proxy to transparent mode.

yes, that is why this won't work.
there are methods to automatically configure a proxy on the client (WPAD, DHCP option) but in practice
they don't work that well and you cannot do it with only a MikroTik (because you need a webserver).
so what might seem easy in fact is quite difficult...

The redirect is not enough. You must reconfigure proxy to transparent mode.

As I mentioned busla, the company does not have access to reconfigure the proxy...the company that sponsors it also will not, because they use the exact same setup at all their sites.

Try using a NAT - dst-nat - action masquerade that conveys all traffic with destination ports 80,443 to the proxy on 10.5.56.193 on port 3128.

For your clients use gateway 192.168.1.254

Thanks msatter, this seems to work in a way, but on my browser I now get the message "invalid url" and "the requested url could not be retrieved"...still no internet without proxy settings
I can only add the NAT rule as dst-nat, tcp protocol ports 80,443 then action the dst-nat address 10.0.241.1 to ports 3128. The 10.5.56.193 is only the swich, not the proxy.

I cannot add masquerade to this rule, and my default masquerade is already in place above it.
What am I missing? Thanks for the help so far, I really appreciate it.

You cannot use a port-3128 proxy as a transparent proxy where you forward all traffic and expect it to be proxied.
When you are forced to use this proxy you need to configure it on all your clients.
When you cannot do that, this is where the story ends. No internet via this connection.

Try using a NAT - dst-nat - action masquerade that conveys all traffic with destination ports 80,443 to the proxy on 10.5.56.193 on port 3128.

For your clients use gateway 192.168.1.254

Thanks msatter, this seems to work in a way, but on my browser I now get the message "invalid url" and "the requested url could not be retrieved"...still no internet without proxy settings
I can only add the NAT rule as dst-nat, tcp protocol ports 80,443 then action the dst-nat address 10.0.241.1 to ports 3128. The 10.5.56.193 is only the swich, not the proxy.

I cannot add masquerade to this rule, and my default masquerade is already in place above it.
What am I missing? Thanks for the help so far, I really appreciate it.

I can't test things over here and have to do it in my mind so I am not always correct on the stuff.

Now you can try to change the 3128 port into 1080. If that is not working, connect with the working proxy settings in the browser and look on a second computer in your Mikrobox under IP - Firewall tab connections on which the port the browser is getting out to the internet when having received the answer on 3128.

You then put the shown port instead of 3128 or 1080 in your line and hope all is now going smoothly without the proxy settings on the browser on the client. It is a work around and when the owner of the proxy changes the settings you have to repeat the above bit.

Have fun!

You cannot use a port-3128 proxy as a transparent proxy where you forward all traffic and expect it to be proxied.
When you are forced to use this proxy you need to configure it on all your clients.
When you cannot do that, this is where the story ends. No internet via this connection.

Actually a similar setting works at a different client, the only difference is that proxy is on the same network, in the same range. All internet requests on the mikrotik were redirected to the port 3128 and it worked perfectly. The difference with this site is that the proxy is not on the same network or range and uses a different dns than its gateway.
It does work though. The pc sends all internet traffic to 10.0.241.1:3128, than that whole packet gets sent to the gateway 10.5.56.1 and it gets masquaraded and sent back...so all im trying to do is dirrectly redirect the local internet request from 192.168.0.0/24 to 10.0.241.1:3128 on the mikrotik. Its worked before. This time just a little bit more complicated

Why do jump over the Mikrotik by using the 10.0.241.1 gateway for the clients?

Why do jump over the Mikrotik by using the 10.0.241.1 gateway for the clients?

that means i have to set the mikrotiks ip address as 10.0.241.1....I think that might just create a loop and break the internet. but i catch your drift and it would have been a great idea

When you have the to use the WPAD then it would be complicated and you have to a lot of stuff and even serve your own WPAD.

So what is quick-and-dirty way to have it working and use the Proxy only for traffic that has to go to the Internet. You have your 192.168.1.100-192.168.1.200 for your clients and that is going to the Mikrotik. You have to make a NATto the proxy with at least the following ports TCP 3128,80,443 and I don't know if UDP 53 DNS needed or that the Proxy will handle that.

Now you can keep the local traffic local and internet traffic will go from the browser directly to 10.5.56.193 or the information available from the WPAD. The browsers have to use the automatic proxy settings so if present it will be used by the browser and not then default settings of the computer will be used.

You have to understand that "setting a proxy host:port in the browser" is NOT the same as "directing the normal browser traffic to host:port"!
The protocol between a browser and a proxy is DIFFERENT from the normal protocol direct to the destination.
So when the proxy is configured for use as an explicit proxy (which is normally the case when it listens on port 3128) you will never get
a working solution by just directing the browser traffic there. It may work in another installation but then the proxy in that installation is
probably listening on port 80 and has been configured as a "transparent proxy", i.e. using the same protocol as from browser to webserver.

With WPAD you can arrange that Windows clients will set a proxy server when they are on your network, but it needs a webserver because
the browser will fetch a file from a webserver that contains the details of the proxy configuration. (a PAC file)
This webserver must exist within the network in front of the proxy.

That the WPAD can't be served by the Mikrotik puzzles me. WPAD file could be even dynamic generated every time when there is a request by a client.

It could be severed at by extending the webif with this data in a url: http: //webfig/wpad and http: //webfig/proxy.pac. When the Webinterface is disabled and the WPAD activated it would only serve those two files.

I am not describing what could be done, but only what you can do with the MikroTik router that you have in front
of you, and the software that it is currently running.
Sure, you could file an enhancement request that makes this possible.

(in fact it is not completely accurate: when you have a MikroTik that supports MetaROUTER, you could use
it to run a small Linux system that works as a webserver. However a separate Raspberry Pi appears to be
an easier and more reliable solution)