mkorban
just joined
Topic Author
Posts: 4
Joined: Tue May 30, 2006 1:25 pm

Transparent proxy

Thu Jan 25, 2007 12:36 pm

Hi all, I have a serious problem:
MikroTik RouterBoard with RouterOS v3.0beta5.
[admin@Office.GW] /ip proxy> export
# jan/25/2007 14:22:16 by RouterOS 3.0beta5
# software id = UK5C-3TT
#
/ip proxy 
set cache-administrator="webmaster" cache-drive=CompactFlash \
    cache-hit-tos=0x10 cache-on-disk=yes enabled=yes max-cache-size=111000KiB \
    max-fresh-time=3d maximal-client-connections=1000 \
    maximal-server-connections=1000 parent-proxy=0.0.0.0:0 port=3128 \
    serialize-connections=no src-address=0.0.0.0 
/ip proxy access 
add action=allow comment="" disabled=no dst-address=!10.0.4.0/24 \
    src-address=10.0.4.0/24 
/ip proxy cache 
add action=allow comment="" disabled=no 
/ip firewall nat 
add action=masquerade chain=srcnat comment="Full Direct Access" disabled=no \
    dst-address-list=!LAN src-address-list=LAN 
add action=redirect chain=dstnat comment="IP-Proxy" disabled=no \
    dst-address-list=!LAN dst-port=80 in-interface=LAN-eth4 \
    protocol=tcp src-address-list=LAN to-ports=3128 
Problem: web traffic to *:80 is not redirected to the proxy.
Please help me set up a transparent proxy.
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Thu Jan 25, 2007 12:39 pm

maybe this -> dst-address-list=!LAN

has something to do with that?
 
mkorban
just joined
Topic Author
Posts: 4
Joined: Tue May 30, 2006 1:25 pm

Thu Jan 25, 2007 12:45 pm

add address=10.0.4.0/24 comment="" disabled=no list=LAN 
add address=10.0.5.0/24 comment="" disabled=no list=LAN 
add address=10.0.1.0/24 comment="" disabled=no list=LAN 
add address=10.0.3.0/24 comment="" disabled=no list=LAN 
add address=192.168.0.0/24 comment="" disabled=no list=LAN 
add address=192.168.1.0/24 comment="" disabled=no list=LAN 

These are the segments of our local area network.
dst-nat rules without *-address-list - no effect :-(
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Thu Jan 25, 2007 1:00 pm

add action=redirect chain=dstnat comment="IP-Proxy" disabled=no \
    dst-address-list=!LAN dst-port=80 in-interface=LAN-eth4 \
    protocol=tcp src-address-list=LAN to-ports=3128

from this, try to remove in-interface

might help :roll:

at least i hope so


EDIT:

this should be close to true :)
http://www.mikrotik.com/testdocs/ros/2.9/ip/proxy.php
 
mkorban
just joined
Topic Author
Posts: 4
Joined: Tue May 30, 2006 1:25 pm

Thu Jan 25, 2007 1:40 pm

Yes, it worked...
But not well.
Situation 1: Client opens https://issa.samara.mts.ru (browser has no proxy setting; the transparent proxy is used). Site does not open!
Situation 2: Client opens https://issa.samara.mts.ru (browser proxy setting is 10.0.4.254:3128 (MT)). Site opens normally.
/ip firewall nat 
add action=dst-nat chain=dstnat comment="Torrent MKORBAN" disabled=no \
    dst-address=81.22.60.43 dst-port=63812 protocol=tcp \
    to-addresses=10.0.4.211 to-ports=63812 
add action=masquerade chain=srcnat comment="Full Direct Access" disabled=no \
    dst-address-list=!LAN src-address-list=LAN 
add action=redirect chain=dstnat comment="IP-Proxy" disabled=no \
    dst-address=!10.0.4.0/24 dst-port=80,443,8080,8443 protocol=tcp \
    src-address=10.0.4.0/24 to-ports=3128 
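Added example (Python, not from the thread or from MikroTik): a small matcher that applies RouterOS address and port matching semantics (a leading '!' negates a matcher) to the redirect rule in its first and final forms above, using the LAN address list posted earlier. It shows which client segments each version actually catches, and flags the 443/8443 redirects as the cause of situation 1: the client opens those connections with a TLS handshake, which the HTTP web proxy on port 3128 cannot serve, whereas an explicitly configured browser (situation 2) speaks HTTP CONNECT to the proxy. The in-interface matcher and port ranges are not modelled; the destination 203.0.113.10 is a constructed documentation address.

```python
import ipaddress

# Constructed data transcribed from the thread: the LAN address list, the
# redirect rule in its first form (address lists, in-interface dropped as
# suggested) and in its final form.
ADDRESS_LISTS = {"LAN": [ipaddress.ip_network(n) for n in (
    "10.0.4.0/24", "10.0.5.0/24", "10.0.1.0/24",
    "10.0.3.0/24", "192.168.0.0/24", "192.168.1.0/24")]}
FIRST_RULES = [{"action": "redirect", "dst-address-list": "!LAN", "dst-port": "80",
                "protocol": "tcp", "src-address-list": "LAN", "to-ports": 3128}]
FINAL_RULES = [{"action": "redirect", "dst-address": "!10.0.4.0/24",
                "dst-port": "80,443,8080,8443", "protocol": "tcp",
                "src-address": "10.0.4.0/24", "to-ports": 3128}]
# Ports where the client opens with a TLS ClientHello, not an HTTP request.
TLS_PORTS = {443, 8443}

def _match(value, ip, lists=None):
    """RouterOS address matcher: a prefix, or an address-list name when
    `lists` is given; a leading '!' negates the result."""
    negate = value.startswith("!")
    name = value.lstrip("!")
    nets = lists[name] if lists is not None else [ipaddress.ip_network(name)]
    return any(ip in n for n in nets) != negate

def rule_matches(rule, src, dst, dport, proto="tcp"):
    """True if every matcher present in the rule accepts the flow. Simplified:
    only comma-separated port lists, and no in-interface matcher."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    checks = []
    if "protocol" in rule:
        checks.append(rule["protocol"] == proto)
    if "dst-port" in rule:
        checks.append(str(dport) in rule["dst-port"].split(","))
    for key, ip in (("src-address", src), ("dst-address", dst)):
        if key in rule:
            checks.append(_match(rule[key], ip))
        if key + "-list" in rule:
            checks.append(_match(rule[key + "-list"], ip, ADDRESS_LISTS))
    return all(checks)

def classify(rules, src, dst, dport):
    """'redirect' when a redirect rule catches the flow, 'redirect-broken' when
    it does so on a TLS port (the web proxy on to-ports expects plain HTTP, so
    the handshake fails), otherwise 'direct'."""
    for rule in rules:
        if rule["action"] == "redirect" and rule_matches(rule, src, dst, dport):
            return "redirect-broken" if dport in TLS_PORTS else "redirect"
    return "direct"
```

Note that the final rule only redirects clients in 10.0.4.0/24, so the other LAN segments from the address list now bypass the proxy entirely.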
 
Solusan
newbie
Posts: 37
Joined: Wed Jan 24, 2007 1:47 pm

Tue Jan 30, 2007 12:55 pm

Hi,

Talking about this topic, I have a question:

I have this configuration in my MikroTik system.

Add one rule to chain=forward,
'ip firewall filter add action=jump jump-target=hotspot chain=forward',
set for 'guest' user profile,
'ip hotspot user profile set profile_name incoming-filter=1 outgoing-filter=1', that will redirect current profile traffic to chain=1.

Add rule to chain 1 to drop traffic with specific dst-address,
'ip firewall filter add chain=1 dst-address=172.0.0.0/8 action=drop'.
And I applied this rule to the user 'guest'.

I did that so that the user 'guest' couldn't access 172.0.0.0/8, but as you can see I obtain a drop.
But now I would need the user to be redirected to the hotspot home page or to any error page where the user can be alerted that the range cannot be accessed.
How could I do it?

I feel that it's the dst-nat of the NAT table which can solve this.

I have tried it without success.

Many thanks for your help and understanding.
