I'm trying to setup a Squid transparent proxy with my Mikrotik, so i don't have to configure my clients to use a proxy.
This however isn't working as expected and i sort of lost it, any help ?
(When i setup the proxy settings in the client's browser, it works as expected)
MT: 192.168.1.1
Squid: 192.168.1.2
Client: 192.168.1.3
Client gateway: 192.168.1.1
Ciient dns: 8.8.8.8
MT NAT:
chain=dstnat action=dst-nat to-addresses=192.168.1.2 to-ports=3128 protocol=tcp src-address=192.168.1.3 dst-port=80
Squid version: 3.1.19
Squid config:
http_port 3128 transparent
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 192.168.1.0/24
http_access allow manager localhost
http_access allow localnet
http_access allow localhost
Re: Squid transparent proxy
You also have to perform a srcnat for all traffic leaving the client so that its traffic goes through the proxy server. i.e.
Your Dstnat should not be required, DSTNAT are for allowing unsolicited communications inbound, ie Webhosting, as the proxy server would have requested the page first the reply will be solicited and not on port 80 thus that NAT currently does nothing.
Let me know if this does not work or works
Code: Select all
chain=srcnat action=dstnat to-addresses=192.168.1.2 to-ports=3128 src-address=192.168.1.3 dst-port=80 protocol=tcp Out-interface=eth1(Gateway)
Let me know if this does not work or works
-
-
sirEgghead
just joined
- Posts: 19
- Joined:
Re: Squid transparent proxy
CTrain,
You can't have a dstnat action on the srcnat chain.
supfors,
I found the best way to make the setup work is to enable the web proxy in your RouterOS and set the "parent proxy" to your squid server's address and port. After that I disabled the caching on the Mikrotik.
If you decide to do this, you'll need to change your dstnat rule's action to "redirect" and set the port to the port that you used in your RouterOS's webproxy.
sirEgghead
You can't have a dstnat action on the srcnat chain.
supfors,
I found the best way to make the setup work is to enable the web proxy in your RouterOS and set the "parent proxy" to your squid server's address and port. After that I disabled the caching on the Mikrotik.
If you decide to do this, you'll need to change your dstnat rule's action to "redirect" and set the port to the port that you used in your RouterOS's webproxy.
sirEgghead
Re: Squid transparent proxy
I use an external squid transparent proxy for my clients. We recently switched to a RouterOS firewall and I discovered a great way to route traffic to my proxy without having to configure each client's proxy settings.
I dug around on the internet and found this lovely guide that describes pretty close to what i'm looking for.
The way we handled it in the past was to redirect port 80 traffic from the firewall to the ip and port number of our squid proxy. MikroTik offers ways I can do this while still preserving the source ip address. Before i setup my new config anyone who didn't have their client proxy setup was listed as the filewall's ip address in squid's logs.
Here's my setup
Firewall/Mikrotik 192.168.1.1
Squid Proxy 192.168.1.2 (Proxy port 8080)
Clients 192.168.100-192.168.1.199
I already have the mangle and masquerading setup for my main firewall so I'm only going to list the settings that affect and redirect http traffic to my proxy server.
First I setup an address list of the client ip addresses i wanted to be redirected to my proxy server. In my case its my dhcp pool addresses
Then i setup mangle to tag web traffic for rerouting later
Next i setup a custom route for the marked packets
What we're doing now is routing all traffic from clients 192.168.1.100-192.168.1.199 on port 80 to the proxy server.
The last piece of the puzzle is to setup the proxy server (squid) to redirect all traffic on port 80 to the proxy port (8080). This is easily done with iptables.
That should do it. Now you are forwarding all port 80 traffic to the squid proxy. Most importantly is you are preserving the source ip address. This way if you want to use squid reporting you can track your users usage by ip address.
Most of the information i used to get this solution was borrowed from this website. I changed up the syntax a little to fit my needs. My next project is to figure out how to exclude streaming services (netflix) from being forwarded to the proxy server. I've already toyed with using ip blocks. The biggest problem i've run into there is adding all netflix's ip ranges to an address list. I keep finding new ones.
For those interested: Here's my modified mangle rule for not forwarding netflix traffic to the proxy, but forwarding everything else.
My address list for netflix
I dug around on the internet and found this lovely guide that describes pretty close to what i'm looking for.
The way we handled it in the past was to redirect port 80 traffic from the firewall to the ip and port number of our squid proxy. MikroTik offers ways I can do this while still preserving the source ip address. Before i setup my new config anyone who didn't have their client proxy setup was listed as the filewall's ip address in squid's logs.
Here's my setup
Firewall/Mikrotik 192.168.1.1
Squid Proxy 192.168.1.2 (Proxy port 8080)
Clients 192.168.100-192.168.1.199
I already have the mangle and masquerading setup for my main firewall so I'm only going to list the settings that affect and redirect http traffic to my proxy server.
First I setup an address list of the client ip addresses i wanted to be redirected to my proxy server. In my case its my dhcp pool addresses
Code: Select all
/ip firewall address-list
add address=192.168.1.100-192.168.1.199 list=Proxy_ClientsCode: Select all
/ip firewall mangle
chain=prerouting action=mark-routing new-routing-mark=to_proxy passthrough=yes protocol=tcp src-address-list=Proxy_Clients dst-port=80Code: Select all
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.2 routing-mark=to_proxy scope=30 target-scope=10The last piece of the puzzle is to setup the proxy server (squid) to redirect all traffic on port 80 to the proxy port (8080). This is easily done with iptables.
Code: Select all
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.1.2:8080That should do it. Now you are forwarding all port 80 traffic to the squid proxy. Most importantly is you are preserving the source ip address. This way if you want to use squid reporting you can track your users usage by ip address.
Most of the information i used to get this solution was borrowed from this website. I changed up the syntax a little to fit my needs. My next project is to figure out how to exclude streaming services (netflix) from being forwarded to the proxy server. I've already toyed with using ip blocks. The biggest problem i've run into there is adding all netflix's ip ranges to an address list. I keep finding new ones.
For those interested: Here's my modified mangle rule for not forwarding netflix traffic to the proxy, but forwarding everything else.
Code: Select all
/ip firewall mangle
chain=prerouting action=mark-routing new-routing-mark=to_proxy passthrough=yes protocol=tcp src-address-list=Proxy_Clients dst-address-list=!Netflix dst-port=80Code: Select all
/ip firewall address-list
add address=69.164.0.0/18 list=Netflix
add address=208.111.128.0/18 list=Netflix
add address=68.142.64.0/18 list=Netflix
add address=108.175.32.0/20 list=NetflixRe: Squid transparent proxy
I found a better way to handle netflix traffic. The address list is fine, but after more digging i found a way to dynamically generate the list. This guide shows a queueing system for prioritizing or throttling video sites. I took his example and made it fit into my proxy forwarding solution.
I'm still using my route forward
Remember my external squid proxy ip address is 192.168.1.2 and my firewall address is 192.168.1.1
What I've changed is the way I generate my address-list. Instead of adding entire ip blocks I added 2 mangle rules in *front* of my proxy forwarding one. Here's what they look like (I've listed them in the order required. The proxy routing mark mangle rule must be the last.)
In the guide the guy didn't set a timeout for the address list. That means that the list will eventually grow to include every ip address netflix uses. In theory this sounds good, but you have to remember its going to happen 1 ip address at a time, NOT one subnet block at a time. I thought 1d was plenty of time.
I'm still using my mangle rule to add a route tag to traffic with the specified mark. I added a dst-address-list negative to exclude my newly created Netflix address list that is being generated. (This mangle rule must be last.)
I also have a layer7 protocol. I'm not great with regexp but the one i'm using works better than all the other examples i've found out there
I'm sure the regex statement could be tightened up a little. I ran a few packet sniffers and tried to see exactly what the router was looking at when it ran regex statement against the packets. This was the best i could do. At least i'm not excluding all of llnwd.net from the proxy. I only wanted netflix's content they host. 
What this does is create a dynamic entry in the Netflix address list every time someone tries to access netflix.com, nflxvideo.net, or one of the many content servers they have netflix-####.vo.llnwd.net. Since the address list "Netflix" is excluded from proxy tagging my firewall doesn't try to forward netflix traffic to my external squid proxy server. There is another netflix domain i didn't include in this. nflximg.com Netflix doesn't seem to mind if i cache the images associated with the videos so i left it out. I'd rather have that traffic proxied and save a little bandwidth. If you wanted to include it all that's needed is to add another mangle rule. Simply copy the first mangle rule and modify the content value to nflximg.com (don't forget the order is important). So far its working fairly well. The router load doesn't seem to spike even with 6 different devices running traffic at the same time. I think since i'm marking connections for the router part that helps a lot.
I'm still using my route forward
Code: Select all
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.2 routing-mark=to_proxy scope=30 target-scope=10What I've changed is the way I generate my address-list. Instead of adding entire ip blocks I added 2 mangle rules in *front* of my proxy forwarding one. Here's what they look like (I've listed them in the order required. The proxy routing mark mangle rule must be the last.)
Code: Select all
/ip firewall mangle
chain=prerouting action=add-dst-to-address-list protocol=tcp address-list=Netflix address-list-timeout=1d dst-port=80 content=nflxvideo.net
chain=prerouting action=add-dst-to-address-list protocol=tcp address-list=Netflix address-list-timeout=1d dst-port=80 content=netflix.com
chain=prerouting action=add-dst-to-address-list protocol=tcp address-list=Netflix address-list-timeout=1d layer7-protocol="Netflix llnwd" dst-port=80I'm still using my mangle rule to add a route tag to traffic with the specified mark. I added a dst-address-list negative to exclude my newly created Netflix address list that is being generated. (This mangle rule must be last.)
Code: Select all
/ip firewall mangle
chain=prerouting action=mark-routing new-routing-mark=to_proxy passthrough=yes protocol=tcp src-address-list=Proxy_Clients dst-address-list=!Netflix dst-port=80Code: Select all
/ip firewall layer7-protocol
name="Netflix llnwd" regexp="netflix-[0-9][0-9][0-9]\.vo\.llnwd\.net"What this does is create a dynamic entry in the Netflix address list every time someone tries to access netflix.com, nflxvideo.net, or one of the many content servers they have netflix-####.vo.llnwd.net. Since the address list "Netflix" is excluded from proxy tagging my firewall doesn't try to forward netflix traffic to my external squid proxy server. There is another netflix domain i didn't include in this. nflximg.com Netflix doesn't seem to mind if i cache the images associated with the videos so i left it out. I'd rather have that traffic proxied and save a little bandwidth. If you wanted to include it all that's needed is to add another mangle rule. Simply copy the first mangle rule and modify the content value to nflximg.com (don't forget the order is important). So far its working fairly well. The router load doesn't seem to spike even with 6 different devices running traffic at the same time. I think since i'm marking connections for the router part that helps a lot.
Re: Squid transparent proxy
This rules were of great help as we were a bit stuck with all tutorials pointing at configurations where the squid external proxy was accessed via a dedicated ethernet and differente ip range LAN.
We implemented your solution but we have a most weird issue with a delay on the first connection to a website when this transparent rule applies. First page display can hold up for seconds and the subsequent of the same domain improve a bit but the speed is sad. We've tested the squid server on a direct access (via browser proxy conf) and that works just fine.
Our main difference with your setup is that we have PCC balancing over 2 outgoing WANs so we have numerous connection marks applying to outgoing and incoming connections that we are not sure how could affect. We are uncertain how to to do any testing either as the routes/firewall, etc all seem correct.
Thanks.
We implemented your solution but we have a most weird issue with a delay on the first connection to a website when this transparent rule applies. First page display can hold up for seconds and the subsequent of the same domain improve a bit but the speed is sad. We've tested the squid server on a direct access (via browser proxy conf) and that works just fine.
Our main difference with your setup is that we have PCC balancing over 2 outgoing WANs so we have numerous connection marks applying to outgoing and incoming connections that we are not sure how could affect. We are uncertain how to to do any testing either as the routes/firewall, etc all seem correct.
Thanks.
-
-
Silvano1980
just joined
- Posts: 14
- Joined:
Re: Squid transparent proxy
Hello i used this fine tutorial and it is working fine but i would alzo like to use a content filter like dansguardian,but ik cant get it to work. Does someone have got this working? I thinking iTS a problem in rc.local becquse i dont know how to direct from 3128 to 8080 dansguardian
-
-
Silvano1980
just joined
- Posts: 14
- Joined:
Re: Squid transparent proxy
Hi im terging to use it with dansguardian but does someone mayby has a tutorial for this because i cant get it to work
Re: Squid transparent proxy
I got kilrathi's solution to work routing the traffic to DansGuardian. The only trick was to make sure the router masquerading wasn't applied to the packets being sent to DansGuardian. Initially it was, which meant that DansGuardian saw all packets as coming from the router internal IP instead of the workstation IP.