Mikrotik routerboard has a built-in proxy in it, but it has main constraint : very limited storage capacity. Therefore, most network administrators whom using mikrotik will use an external proxy to overcome this constraint. Here you can found an easy ways to implementing external proxy server for Mikrotik.
Squid is the most widely used proxy daemon for linux (including its derivative such as lusca). Some several advantages in the implementation of external proxy are :
- Easy to adjust the configuration to suite your needs
- The use of access control lists (ACLs) that can be used for specific purposes
- Squid (especially version 2.7) can be “armed” with a url redirector. In some condition, url redirector can be used to force squid to cache dynamic content (such as Youtube videos).
- Greater storage capacity as the general computer or server use the harddisk as data storage.
In this post, I’ll describe how to integrate external proxy with mikrotik using 2 methods : using NAT or using mangle.
- Mikrotik to proxy IP address : 192.168.90.1
- Proxy to Mikrotik IP address : 192.168.90.2
- Clients IP address : 192.168.1.0/24
/ip firewall address-list add address=192.168.90.0/24 list=ip-proxy /ip firewall nat add action=dst-nat chain=dstnat comment="transparent proxy" dst-port=80 protocol=tcp src-address-list=!ip-proxy to-addresses=192.168.90.2 to-ports=3128
First, we define IP address class for proxy server.
/ip firewall address-list
add address=192.168.90.0/24 list=ip-proxy
Then add new rule on NAT to forward http request to external proxy.
/ip firewall nat
add action=dst-nat chain=dstnat comment=”transparent proxy” dst-port=80 protocol=tcp src-address-list=!ip-proxy to-addresses=192.168.90.2 to-ports=3128
Second method : Using built-in mangle
/ip route add check-gateway=ping distance=1 gateway=192.168.90.2 routing-mark=to-ext-proxy /ip firewall mangle add action=mark-routing chain=prerouting comment="mark routing to proxy" dst-port=80 new-routing-mark=to-ext-proxy protocol=tcp src-address=192.168.1.0/24
Another method to forward http requests from clients is using mangle by adding new route. This method will work if external proxy able to act as gateway.
First, add route to external proxy.
add check-gateway=ping distance=1 gateway=192.168.90.2 routing-mark=to-ext-proxy
Then, mark http requests from all clients to use route to external proxy.
/ip firewall mangle
add action=mark-routing chain=prerouting comment=”mark routing to proxy” dst-port=80 new-routing-mark=to-ext-proxy protocol=tcp src-address=192.168.1.0/24
Proxy server requirements :
You may need to configure some options in order to make it works for both methods such as enabling IPv4 forwarding (by editing systcl.conf) and allowing access to port 3128 in iptables. Add the following lines into the file /etc/rc.local then save :
route add default gateway 192.168.90.1 iptables -A PREROUTING -t nat -j REDIRECT -p tcp -s 192.168.1.0/24 -d 0/0 --dport 80 --to-ports 3128 iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 192.168.90.2 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp -s 192.168.90.2 --sport 3128 -d 0.0.0.0/0 -m state --state ESTABLISHED -j ACCEPT
mikrotik squid tproxy, mikrotik mangle routing mark