You are here: Home » Mikrotik » External Proxy Server for Mikrotik

External Proxy Server for Mikrotik

May 28, 2012 | Leave a comment(23) Go to comments

Mikrotik routerboard has a built-in proxy in it, but it has main constraint : very limited storage capacity. Therefore, most network administrators whom using mikrotik will use an external proxy to overcome this constraint. Here you can found an easy ways to implementing external proxy server for Mikrotik.

Squid is the most widely used proxy daemon for linux (including its derivative such as lusca). Some several advantages in the implementation of external proxy are :

  • Easy to adjust the configuration to suite your needs
  • The use of access control lists (ACLs) that can be used for specific purposes
  • Squid (especially version 2.7) can be “armed” with a url redirector. In some condition, url redirector can be used to force squid to cache dynamic content (such as Youtube videos).
  • Greater storage capacity as the general computer or server use the harddisk as data storage.

In this post, I’ll describe how to integrate external proxy with mikrotik using 2 methods : using NAT or using mangle.

Annotation :

  1. Mikrotik to proxy IP address : 192.168.90.1
  2. Proxy to Mikrotik IP address : 192.168.90.2
  3. Clients IP address : 192.168.1.0/24
First method : Using NAT
We can used Mikrotik built in NAT to forward HTTP request (port 80) from clients to external proxy.
/ip firewall address-list
add address=192.168.90.0/24 list=ip-proxy
/ip firewall nat
add action=dst-nat chain=dstnat comment="transparent proxy" dst-port=80 protocol=tcp src-address-list=!ip-proxy to-addresses=192.168.90.2 to-ports=3128

Explanation :

First, we define IP address class for proxy server.

/ip firewall address-list
add address=192.168.90.0/24 list=ip-proxy

Then add new rule on NAT to forward http  request to external proxy.

/ip firewall nat
add action=dst-nat chain=dstnat comment=”transparent proxy” dst-port=80 protocol=tcp src-address-list=!ip-proxy to-addresses=192.168.90.2 to-ports=3128

Second method : Using built-in mangle

/ip route
add check-gateway=ping distance=1 gateway=192.168.90.2 routing-mark=to-ext-proxy
/ip firewall mangle
add action=mark-routing chain=prerouting comment="mark routing to proxy" dst-port=80 new-routing-mark=to-ext-proxy protocol=tcp src-address=192.168.1.0/24

Another method to forward http requests from clients is using mangle by adding new route. This method will work if external proxy able to act as gateway.

Explanation :

First, add route to external proxy.

/ip route
add check-gateway=ping distance=1 gateway=192.168.90.2 routing-mark=to-ext-proxy

Then, mark http requests from all clients to use route to external proxy.

/ip firewall mangle
add action=mark-routing chain=prerouting comment=”mark routing to proxy” dst-port=80 new-routing-mark=to-ext-proxy protocol=tcp src-address=192.168.1.0/24

Proxy server requirements :

You may need to configure some options in order to make it works for both methods such as enabling IPv4 forwarding (by editing systcl.conf) and allowing access to port 3128 in iptables. Add the following lines into the file /etc/rc.local then save :

route add default gateway 192.168.90.1
iptables -A PREROUTING -t nat -j REDIRECT -p tcp -s 192.168.1.0/24 -d 0/0 --dport 80 --to-ports 3128
iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 192.168.90.2 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.90.2 --sport 3128 -d 0.0.0.0/0 -m state --state ESTABLISHED -j ACCEPT

Incoming search:
mikrotik squid tproxy, using mikrotik as proxy


Related Posts

Filed under

Mikrotik

| Tags:

, ,

Leave a comment ?

23 Comments.

  1. Boss, why Not working for me, After configure with my working transparent proxy ,i even unable to ping google .

    [root@nat ~]# route
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    182.160.-.- * 255.255.255.240 U 0 0 0 eth0
    192.168.90.0 * 255.255.255.0 U 0 0 0 eth1
    link-local * 255.255.0.0 U 1002 0 0 eth0
    link-local * 255.255.0.0 U 1003 0 0 eth1
    default 192.168.90.1 0.0.0.0 UG 0 0 0 eth1
    default 182.160.-.- 0.0.0.0 UG 0 0 0 eth0
    ——————————————-
    eth1:192.168.90.2
    gat:eth0 wan ip
    —————————————–
    [root@nat ~]# iptables -L -n
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT tcp — 0.0.0.0/0 0.0.0.0/0 tcp dpt:3128
    ACCEPT tcp — 0.0.0.0/0 192.168.90.2 state NEW,ESTABLISHED

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    ACCEPT all — 0.0.0.0/0 0.0.0.0/0
    ACCEPT all — 0.0.0.0/0 0.0.0.0/0

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT tcp — 192.168.90.2 0.0.0.0/0 tcp spt:3128 state ESTABLISHED

  2. using
    rhel 6.4
    squid 3.1

    • I am assuming you are using 2 interface, right? (eth0 and eth1). This tutorial only use single interface and using mikrotik router as gateway. In short, this tutorial wouldn’t meet your requirements. :)

      flush your iptables rules and use this rules:

      iptables -t nat -A PREROUTING -i eth1 -p tcp –dport 80 -j REDIRECT –to-port 3128
      iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

      and don’t forget to set IPv4 forwarding in sysctl. good luck! :)

  3. Yes, Now all traffic going to squid.
    But the only one ip add 192.168.90.1.
    I need all client original ip address.
    how it is possible.Please help
    Thanks in advance.

    • hello shaon. sorry for my late response.

      with current iptables rules, all incoming connection in eth1 with dest. port 80 (http) should be redirected to squid. re-check your squid configuration (squid.conf), ensure your have configuration like this:

      http_port 3128 intercept

      next thing to do is, use your squid box IP address (192.168.90.2) as your clients gateway. use google dns as your clients primary/secondary DNS.

      if you installing dns resolver in your squid box (eg. pdnsd, bind, dnsmasq, etc), you can use 192.168.90.2 as clients primary dns server. hope that help. :)

Leave a Comment

Current day month ye@r *