
transparent web proxy not working

Posted: Fri Aug 05, 2005 11:04 am
by robot714
Hi,

Can someone help me out? Here is my config; please spot my errors.

interface enable ether1,ether2
ip dhcp-client set enabled=yes interface=ether1
ip address add address=10.20.0.1/24 interface=ether2
(by the way, what does /24 mean?)
ip dns set allow-remote-request=yes
ip firewall src-nat add out-interface=ether1 action=masquerade
ip firewall rule input add /
connection-state=invalid action=drop
connection-state=established
connection-state=related
protocol=udp
protocol=icmp
src-address=10.20.0.0/24
action=drop log=yes
ip pool add name=private ranges=10.20.0.2-10.20.0.254
ip dhcp-server network add gateway=10.20.0.1 address=10.20.0.0/24 dns-server=10.20.0.1
ip dhcp-server add name=home interface=ether2 lease-time=3h address-pool=private
ip dhcp-server enable home
ip web-proxy set enable=yes port=8080 max-cache-size=unlimited
ip web proxy set transparent-proxy=yes
ip firewall dst-nat add in-interface=ether1 protocal=tcp dst:!:80 action=redirect to-dst-port=8080

Please help me out, everything in the monitor area is still ZERO.

Posted: Sat Aug 06, 2005 5:10 am
by robot714
added

ip webproxy access
add src-address=10.20.0.0/24 action=allow disable=no
add action=deny disable=no

but it still does not work :cry: Can anyone PLEASE HELP?

regards
Robot

Posted: Sat Aug 06, 2005 10:44 am
by robot714
I have reformatted the whole thing and followed the documents exactly.

/interface enable ether1,ether2
/ip dhcp-client set enabled=yes interface=ether1
/ip address add address=192.168.0.1/24 interface=ether2
/ip firewall rule input add connection-state=invalid action=drop
/ip firewall rule input add connection-state=established
/ip firewall rule input add connection-state=related
/ip firewall rule input add protocol=udp
/ip firewall rule input add protocol=icmp
/ip firewall rule input add src-address=192.168.0.0/24
/ip firewall rule input add action=drop log=yes
/ip pool add name=private ranges=192.168.0.2-192.168.0.254
/ip dhcp-server network add gateway=192.168.0.1 address=192.168.0.0/24 dns-server=192.168.0.1
/ip dhcp-server add name=home interface=ether2 lease-time=3h address-pool=private
/ip dhcp-server enable home
/ip web-proxy set enable=yes port=8080 max-cache-size=unlimited
/ip web proxy set transparent-proxy=yes
/ip firewall dst-nat add in-interface=ether1 protocal=tcp dst-address:!:80 action=redirect to-dst-port=8080

*****
ip firewall dst-nat add in-interface=ether1 protocal=tcp dst-address:!192.168.0.1/24:80 action=redirect to-dst-port=8080 (this gives me an error: destination error) Why? Anyone, please explain it to me.
*****
web-proxy works alright !! BUT not the transparent :cry: can anyone HELP me out here, pleaseeeeeeeeeeeeeeeeeeeeee !

regards
Robot :cry:

Posted: Sat Aug 06, 2005 11:30 am
by yancho
/ip firewall dst-nat add in-interface=ether1 change to ether2 protocal=tcp dst-address:!:80 action=redirect to-dst-port=8080

the same in : ip firewall dst-nat add in-interface=ether2 protocal=tcp dst-address:!192.168.0.1/24:80 action=redirect to-dst-port=8080

Posted: Mon Aug 08, 2005 9:53 am
by robot714
yancho,

I have reformatted the OS and followed the same set of instructions with your suggestions, but now the clients MUST set their proxy before they can connect to the web. It is getting worse; can you please point out my errors?

regards

/interface enable ether1,ether2
/ip dhcp-client set enabled=yes interface=ether1
/ip address add address=192.168.0.1/24 interface=ether2
/ip firewall src-nat add out-interface=ether1 action=masquerade
/ip firewall rule input add connection-state=invalid action=drop
/ip firewall rule input add connection-state=established
/ip firewall rule input add connection-state=related
/ip firewall rule input add protocol=udp
/ip firewall rule input add protocol=icmp
/ip firewall rule input add src-address=192.168.0.0/24
/ip firewall rule input add action=drop log=yes
/ip pool add name=private ranges=192.168.0.2-192.168.0.254
/ip dhcp-server network add gateway=192.168.0.1 address=192.168.0.0/24 dns-server=192.168.0.1
/ip dhcp-server add name=home interface=ether2 lease-time=3h address-pool=private
/ip dhcp-server enable home
/ip web-proxy set enable=yes port=8080 max-cache-size=unlimited
/ip web proxy set transparent-proxy=yes
/ip firewall dst-nat add in-interface=ether2 protocal=tcp dst-address:!:80 action=redirect to-dst-port=8080
/ip dns set allow-remote-request=yes

*****
ip firewall dst-nat add in-interface=ether2 protocal=tcp dst-address:!192.168.0.1/24:80 action=redirect to-dst-port=8080 (this still gives me an error: destination error) Why? Anyone, please explain it to me.
*****

Posted: Mon Aug 08, 2005 11:40 am
by Eugene
ip firewall dst-nat add in-interface=ether2 protocal=tcp dst-address=!192.168.0.1/24:80 action=redirect to-dst-port=8080

Posted: Mon Aug 08, 2005 12:40 pm
by robot714
Eugene,

ip firewall dst-nat add in-interface=ether2 protocal=tcp dst-address=!192.168.0.1/24:80 action=redirect to-dst-port=8080

ERROR: destination bad :cry:

regards

Posted: Mon Aug 08, 2005 12:43 pm
by robot714
with

ip firewall dst-nat add in-interface=ether2 protocal=tcp dst-address=!:80 action=redirect to-dst-port=8080

the transparent web proxy still won't work

but with

ip firewall dst-nat add in-interface=ether2 protocal=tcp action=redirect to-dst-port=8080

it works.

but I would like it to work with the dst-address=!192.168.0.1/24:80

PLEASE HELP ME OUT :cry:

regards

Posted: Mon Aug 08, 2005 12:46 pm
by Eugene
Ups, obviously, the mask should be /32 for a single host:
ip firewall dst-nat add in-interface=ether2 protocal=tcp dst-address=!192.168.0.1/32:80 action=redirect to-dst-port=8080

Posted: Mon Aug 08, 2005 1:29 pm
by robot714
"Ups, obviously, the mask should be /32 for a single host:"
Eugene,

I'm new, so please let me know:

/32 for a single host: by that, do you mean a single server or a single broadband line?

/24 for multiple hosts, and is there anything other than /32 and /24?

regards
Robot714

Posted: Mon Aug 08, 2005 1:32 pm
by Eugene

Posted: Mon Aug 08, 2005 2:45 pm
by maroon
on dst-nat remove the ! and it will work !!!

Posted: Mon Aug 08, 2005 2:48 pm
by Eugene
Nope, it should be there to allow accessing the router via Winbox.

Posted: Tue Aug 09, 2005 11:56 am
by robot714
Eugene,

With the /24 changed to /32, the command "ip firewall dst-nat add in-interface=ether2 protocal=tcp dst-address:192.168.0.1/32!:80 action=redirect to-dst-port=8080" is entered without error, but the problem is that the client stations are not getting any gateway and dns-server IP address. Is there any solution for that? :cry: PLEASE HELP

regards

/interface enable ether1,ether2
/ip dhcp-client set enabled=yes interface=ether1
/ip address add address=192.168.0.1/32 interface=ether2
/ip firewall src-nat add out-interface=ether1 action=masquerade
/ip firewall rule input add connection-state=invalid action=drop
/ip firewall rule input add connection-state=established
/ip firewall rule input add connection-state=related
/ip firewall rule input add protocol=udp
/ip firewall rule input add protocol=icmp
/ip firewall rule input add src-address=192.168.0.0/32
/ip firewall rule input add action=drop log=yes
/ip pool add name=private ranges=192.168.0.2-192.168.0.254
/ip dhcp-server network add gateway=192.168.0.1 address=192.168.0.0/32 dns-server=192.168.0.1
/ip dhcp-server add name=home interface=ether2 lease-time=3h address-pool=private
/ip dhcp-server enable home
/ip web-proxy set enable=yes port=8080 max-cache-size=unlimited
/ip web proxy set transparent-proxy=yes
/ip firewall dst-nat add in-interface=ether2 protocal=tcp dst-address=!192.168.0.1/32:80 action=redirect to-dst-port=8080
/ip dns set allow-remote-request=yes

Posted: Tue Aug 09, 2005 2:40 pm
by Eugene
You should have changed the mask only in one place (firewall nat), the other two addresses should have /24 mask:
/ip address add address=192.168.0.1/24 interface=ether2 
/ip dhcp-server network add gateway=192.168.0.1 address=192.168.0.0/24 dns-server=192.168.0.1

Posted: Tue Aug 09, 2005 6:26 pm
by robot714
Eugene,

What about "/ip firewall rule input add src-address=192.168.0.0/32 "

Thanks & Regards

Posted: Tue Aug 09, 2005 7:56 pm
by Eugene
Also should be /24
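
Added example, not part of the original thread: a Python sketch of the prefix lengths discussed above, showing why the router address and DHCP network keep /24 while the NAT exclusion uses /32. It assumes the dst-nat rule redirects TCP port 80 arriving on ether2 unless the destination is the excluded address; the function names and the sample server address 203.0.113.10 are constructed for illustration.

```python
import ipaddress

# Router's LAN address as configured in the thread: host .1 inside 192.168.0.0/24.
ROUTER = ipaddress.ip_interface("192.168.0.1/24")

def hosts_in_prefix(prefix_len):
    """How many addresses a mask of this length covers (/32 -> 1, /24 -> 256)."""
    return ipaddress.ip_network(f"0.0.0.0/{prefix_len}").num_addresses

def is_clean_network(spec):
    """True if spec names a network with no host bits set below the mask."""
    try:
        ipaddress.ip_network(spec, strict=True)
        return True
    except ValueError:
        return False

def redirected(dst_ip, dst_port, in_interface, excluded="192.168.0.1/32"):
    """Model (assumed semantics) of the thread's rule:
    dst-nat in-interface=ether2 protocol=tcp dst-address=!<excluded>:80 -> 8080."""
    if in_interface != "ether2" or dst_port != 80:
        return False
    return ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(excluded)

def network_covers_pool(network, first, last):
    """A DHCP network must contain the address pool it hands out."""
    net = ipaddress.ip_network(network)
    return all(ipaddress.ip_address(a) in net for a in (first, last))

if __name__ == "__main__":
    print(ROUTER.ip, "lives in", ROUTER.network)
    for p in (24, 30, 32):
        print(f"/{p} covers {hosts_in_prefix(p)} address(es)")
    print("192.168.0.1/24 clean network?", is_clean_network("192.168.0.1/24"))
    # 203.0.113.10 is a constructed sample web server address.
    for dst, port in (("203.0.113.10", 80), ("192.168.0.1", 80), ("203.0.113.10", 443)):
        verdict = "-> proxy" if redirected(dst, port, "ether2") else "-> untouched"
        print(dst, port, verdict)
    pool = ("192.168.0.2", "192.168.0.254")
    print("pool fits /24:", network_covers_pool("192.168.0.0/24", *pool))
    print("pool fits /32:", network_covers_pool("192.168.0.0/32", *pool))
```

With the DHCP network set to 192.168.0.0/32, the pool 192.168.0.2-192.168.0.254 falls outside the network, which matches the symptom of clients receiving no gateway or DNS server.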

Posted: Thu Aug 11, 2005 8:17 am
by robot714
:D

Posted: Thu Aug 11, 2005 8:17 am
by robot714
Eugene,

Thanks for everything, it works great now. Can you please let me know if there are any documents I can find on MikroTik for a more detailed setup guide or training materials?

Regards :D

Posted: Thu Aug 11, 2005 9:34 am
by sergejs

Posted: Tue Aug 16, 2005 12:29 pm
by robot714
Kipel,

Can find much information here, like firewall rules, cache rules, etc.

regards

Posted: Tue Aug 16, 2005 12:53 pm
by normis
We do not have any more documentation than in those links. Ask in the forum if you want to know something that is not there.