winet
Member Candidate
Topic Author
Posts: 273
Joined: Fri Mar 16, 2007 4:49 pm
Location: Indonesia

transparent proxy over 2 gateway

Wed Jun 25, 2008 8:27 pm

I have 2 internet gateways. I also successfully made a transparent proxy running on NAT, but the proxy is also using the main gateway to connect to the internet. I tried to mangle (and mark the route of) every connection destined to port 80 so that it can use the second route, but it failed. I can only choose "having transparent proxy over the main gateway" or "having every connection dst to port 80 marked to second route without any transparent proxy". Is there any idea why I can't have them both?

Thanks
 
emmanuel
newbie
Posts: 37
Joined: Thu Jan 05, 2006 8:23 pm
Location: nigeria

Re: transparent proxy over 2 gateway

Mon Jun 30, 2008 3:12 pm

Please, when you get the solution, please let me know.

Thanks
 
patagonia
newbie
Posts: 27
Joined: Mon Jul 24, 2006 8:22 pm
Location: Rawson - Chubut

Re: transparent proxy over 2 gateway

Tue Aug 05, 2008 8:08 pm

Hi, if I understand well, you need to mark all packets from the MikroTik to the WAN. You can mangle in the output chain with destination port 80 with a route mark, and later in ip route add destination 0.0.0.0/0 mark-route=proxy-out gateway=x.y.z.f (IP of the router of gateway 2).

I hope I helped you.

Regards.
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: transparent proxy over 2 gateway

Tue Aug 05, 2008 8:22 pm

Check
/ip firewall nat
and see if there is a srcnat or dstnat redirect from port 80 to port 8080. You will probably need to use your routing-mark there to avoid the redirect for the second interface route.

I would try:
/ip firewall nat set X routing-mark=proxy-out
where X is the line number of the redirect from 80 to 8080. That is using patagonia's example routing-mark above. That way only the proxy-bound routings will be redirected to the proxy port (8080). The second interface will stay on port 80.

To see the routing-mark assignments on CLI, you must use
/ip firewall nat print detail

ADD: ...and these are routing-marks, not packet-markers. I am awake for this post! Here is part of a previous post:

Here is a simple routing-mark example. Wlan2 goes out ether2, and all else goes out ether1:
/ip firewall mangle add chain=prerouting action=mark-routing new-routing-mark=ether2out in-interface=wlan2
These must be in this order:
/ip firewall nat add chain=srcnat action=masquerade routing-mark=ether2out out-interface=ether2
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1

In this case, you would use routing-mark=!ether2out in the nat redirect.

If you are using
/ip proxy
then you may be able to mask off subnets using
/ip proxy access
or
/ip proxy direct
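
The suggestions in this thread combined into one configuration, as an added example that is not from any of the posters. It assumes RouterOS v3-v6 style syntax, ether1 as the main gateway, ether2 as the second gateway, ether3 as the LAN and the proxy on port 8080; x.y.z.f is the thread's own placeholder for the address of the gateway 2 router.

```routeros
# Added example. Interface names and port 8080 are assumptions;
# x.y.z.f is the thread's placeholder for the gateway 2 router address.

# 1. Local web proxy listening on 8080.
/ip proxy set enabled=yes port=8080

# 2. Transparent redirect: only HTTP arriving from the LAN is sent to the proxy.
/ip firewall nat add chain=dstnat in-interface=ether3 protocol=tcp dst-port=80 \
    action=redirect to-ports=8080 comment="LAN HTTP to local proxy"

# 3. The proxy's own requests originate on the router, so they traverse the
#    output chain, not prerouting. Mark them there.
/ip firewall mangle add chain=output protocol=tcp dst-port=80 \
    action=mark-routing new-routing-mark=proxy-out

# 4. Default route for marked traffic via the second gateway.
/ip route add dst-address=0.0.0.0/0 gateway=x.y.z.f routing-mark=proxy-out

# 5. The source address of router-originated packets is chosen before the
#    mangle rule re-routes them, so masquerade on ether2 to rewrite it.
#    The ether2 rule comes first, as in the ordering note above.
/ip firewall nat add chain=srcnat out-interface=ether2 action=masquerade
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

# 6. Keep the proxy port closed on both WAN sides so it is not an open proxy.
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=8080 action=drop
/ip firewall filter add chain=input in-interface=ether2 protocol=tcp dst-port=8080 action=drop

# Verify the rules and the marked route.
/ip firewall nat print detail
/ip route print detail
```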