Hi guys

I have setup my webproxy to use my ISP's proxy as a parent


Heres my setup:

Mr RB433 is running ROS v3.10 and:
is a pppoe client to the ISP on eth1 (international)
is a pppoe client to the ISP on eth2 (local)
has a pppoe server on Bridge1 ( wlan + eth3)

The RB routes all traffic through the respective ISP according to local or international traffic by packet marking using mangle.....

So why doesnt the proxy work? Have I bypassed it because of the mangle rules?

EDIT: I am running webproxy on mikrotik and not an external web proxy

thanks

I don't know what is not working because you didn't mention it, but i can see that you have set the proxy port to 80, which is the http port, so i guess that can be your problem. You have to set it up on a different port then redirect http traffic from port 80 to the proxy port.

Ok

heres my firewall rule

add action=redirect chain=dstnat comment="" disabled=no dst-port=80 \
protocol=tcp to-ports=8080

Here is my web proxy settings



But I still get an error when I try and surf the web...


So what am I missing??

i do not have much experience with ros3, but did you try not to add your ISP's proxy(leave it blank). Try different ways of configuring the proxy.

is 'ERROR: Not found' shown after some time (timeout) or instantly? what do you see in Connection Tracking?

When I open up a webpage a connection is made in ip>firewall>connections to this ip:198.54.202.4:80 but the error message still appears instead of the desired web page

The error message appears instantly so it is definetly not a timeout....

The webproxy stats shows this:
...So the firewall rule is obviously working as the traffic gets redirected to webproxy but thats about it

I tried leaving ISP address blank but no success...

What else can I try?

thanks

is the firewall rule on the top, it can interfere with some other rule! Even though i think this is a proxy problem, because the traffic reaches the proxy

Firewall rule at the top also didnt help

Should I upgrade to 3.11 from 3.10?? or downgrade to 2.9?

When I open up a webpage a connection is made in ip>firewall>connections to this ip:198.54.202.4:80

what source address does this connection have?

James, I think the problem may lie with SAIX and not your router.

I tried using an number of other transparent proxies and this one worked particularly well;
193.227.13.43:80

I then tried dsl-cache.saix.net:8080 and I get a "Forbidden, You were denied access because: Access denied by access control policy."

My next thought was heck, stuff the SAIX proxy just use this other one but then I wondered whether local websites will be accessed via the international proxy and subsequently defeats using a local only DSL account.

However, running torch on the adsl_local interface shows my PC hitting local sites so clearly I don't yet understand the IP flow. I would have expected ALL web traffic to be proxied by this international server and of course use my expensive international DSL bandwidth but not. Interesting hey?

Well anyway, try this other proxy and give some feedback.

BTW, this is on 2.9.51 but I can try on 3.11 if you need me to.

-headstrong-, please post your config so we can see if everything is set good. Export config on telnet under windows, or new terminal on winbox.

Do this:
ip route export
ip firewall nat export
ip firewall filter export
ip proxy export

and then post results here so we can name the problem.

Hi

Hilton, I tried using that proxy but no success

Heres is ip route export:

add comment=B disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out2 \
routing-mark=B
add comment=A disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 \
routing-mark=A
add disabled=no distance=1 dst-address=17.255.248.0/23 gateway=165.146.180.1 \
routing-mark=A scope=30 target-scope=10
add comment="" disabled=no distance=1 dst-address=32.106.152.0/24 gateway=\
165.146.180.1 routing-mark=A scope=30 target-scope=10
add disabled=no distance=1 dst-address=32.106.153.0/24 gateway=165.146.180.1 \
routing-mark=A scope=30 target-scope=10
add disabled=no distance=1 dst-address=32.107.9.0/24 gateway=165.146.180.1 \
routing-mark=A scope=30 target-scope=10
add disabled=no distance=1 dst-address=32.238.152.0/24 gateway=165.146.180.1 \
routing-mark=A scope=30 target-scope=10
add disabled=no distance=1 dst-address=32.238.153.0/24 gateway=165.146.180.1 \
routing-mark=A scope=30 target-scope=10
add disabled=no distance=1 dst-address=32.239.182.0/24 gateway=165.146.180.1 \
routing-mark=A scope=30 target-scope=10
add disabled=no distance=1 dst-address=41.0.0.0/16 gateway=165.146.180.1 \
routing-mark=A scope=30 target-scope=10
add disabled=no distance=1 dst-address=41.0.248.0/24 gateway=165.146.180.1 \
routing-mark=A scope=30 target-scope=10
add disabled=no distance=1 dst-address=41.1.0.0/18 gateway=165.146.180.1 \
...
...
...
...
There other 1300 odd routes I left out as it is just routing international traffic through international adsl account and local traffic through local only adsl account..

ip firewall nat export:

add action=masquerade chain=srcnat comment="" disabled=no
add action=redirect chain=dstnat comment="Proxy from hilton" disabled=no \
dst-port=80 protocol=tcp to-ports=808

I have no filter rules

ip proxy export:
set always-from-cache=no cache-administrator="" cache-drive=system \
cache-hit-dscp=4 cache-on-disk=no enabled=yes max-cache-size=unlimited \
max-client-connections=600 max-fresh-time=3d max-server-connections=600 \
parent-proxy=193.227.13.43 parent-proxy-port=80 port=8080 \
serialize-connections=no src-address=0.0.0.0


I am using ROS 3.10 so I would preffere to upgrade to 3.11 as opposed to downgrade to 2.9.....If u culd try it out with 3.11 and it works then I would appreciate that and i'll upgrade.....

but first have a look at my above settings coz maybee if have done sumthing stupid

thanks

OK guys it is working now

I disabled my mangle rules and routes except for 1 route which sent all traffic 0.0.0.0/24 through gateway interface pppoe-out1......no routing marks

Then cache.saix.co.za:8080 worked perfectly

EDIT: The problem is that I cannot assign a routing mark to the traffic, without a routing mark it works fine but with a routing mark it fails.....I was originally assigning all my clients an IP address 10.0.0.0/24 and used mangle to mark all traffic that originates from these IP's with the Route "A"....Then I routed all traffic with the Route mark "A" with destination 0.0.0.0/24 through the gateway interface pppoe-out1 (international).

I needed to remove the mangle rule with market traffic with the route "A" and then the webproxy worked

So the big question now is : How do I mark routes and use a webproxy????

Thanks for the help guys




Thanks guys for the help

so long for me , i can't help you on this because i don't know much. I'm glad you found the problem yourself and someone with help you to succeed to the next point

James I think your issue is related to SAIX and not the web proxy. Remember that dsl-cache.saix.net is really intended to help with international bandwidth. So what SAIX does is block access to this proxy to all local only IP gateways (if this makes sense). To get around this, you need to add a new rule to the routing table to make 196.43.9.21 use the international dsl gateway. It then works but you lose the ability to browse local sites with local only bandwidth.

Let's put it this way, that's how I see it and how I've tested it.

It seems you can't have your cake and eat it.

Hilton, Thankx for the info....helped me understand things better

I however added a few tweaks to my firewall rule that lets me use a local account aswell as international heres how

I created an address list called "sa" and I added all +-1300 local ip addresses ( http://alm.za.net/ip/localroutes4.txt )..I pasted all the ip addresses into an excel spread sheet and used find +replace function to edit the cells to something like this "add address=xxx.xxx.xxx.xxx/xx comment="" disabled=no list=sa"
I then pasted these rules into the terminal, only 150 at a time......
So now we have an address list with all the south african ip's

I then editted the firewall rule which redirected http traffic to the 8080 webproxy port... Under "advanced" > "Dst Address List" I added the "sa" address list and ticked the box so that it excludes all the ip's from South Africa...So only international traffic goes through the proxy and local traffic gets routed over a local only adsl account:) ..pretty cool hey??

thanks Hilton for explaining how the proxy works otherwise I wuldnt have thought to exclude SA ip's...
and to the other guys coz those troubleshooting tips helped alot
It now works perfectly

James this is very good. However I have a further tweak you may want to consider.

Your set-up currently doesn't allow for caching of local sites so in a way this is a bit of a problem, given the cr@p bandwidth we have in this country. It would be good to able to use the web proxy for ALL browsing. No?

If you add a rule like this;

/ip proxy direct add dst-address=196.36.0.0/16

it tells the proxy to resolve the address by connecting to the requested server directly, subsequently using local only bandwidth. This address is for http://www.absa.co.za as a test.

The downside is that you have to add all the local IP ranges (again) but the upside is that now ALL web traffic is proxied/cached eventually.

Ahh great idea...So instead of excluding SA ip's I should rather tell proxy to connect directly....nice idea

I can only try this 2night when every1 is offline but I will let u knw

thanks

Works like a bomb, configured this on two routers today.

In the direct section in the web proxy you can sort by 'Hits' which is somewhat meaningless but gives you the most popular IP ranges.

I just set it up now...works well

How big does your cache get? I only have about 10 pc's on the network so I am running the proxy on a RB433...Do you think I should setup an old PC with an +-80gig HDD coz of the cache?

The one site is running x86 so cache size is not a problem. The other router is at my house running a 532 board so there isn't really an issue there either.

I would suggest a RB433AH, then you can purchase a microSD card for the cache. 8Gb will do well.

Perhaps I should write a wiki entry for this?

Great minds think alike....I have already started a wiki entry for routing local + international traffic through separate adsl accounts:http://wiki.mikrotik.com/wiki/Routing_l ... l_accounts

I was planning on adding the howto for the webproxy.....Or I could leave it out and you make a separate entry?

I say create a separate entry because technically you can also make this work with unshaped accounts. With your permission I'd like to edit your wiki article with a bit of an intro as to why we do this type of thing. It may not make sense to USA guys who don't have the issues we do.

Ok kwl you make a separate entry for the web proxy.....I haven't nearly finished my entry as it is very incomplete and missing a proper introduction, conclusion etc....I am also going to add a section on unshaped accounts for gaming ip's ( SAIX game servers for example....but you can definetly edit the final product

Well here is my wiki so far: http://wiki.mikrotik.com/wiki/Routing_l ... _.27.27.27

It is my first wiki ever so constructive critisism would be appreciated. Oh and I haven't finished it yet hence they unshaped section is still blank