To add SQUID proxy caching server support to Mikrotik, assume the following scenario.
DSL MODEM IP = 192.168.1.1
MIKROTIK LAN IP = 10.0.0.1
SQUID LAN IP = 192.168.2.1
I assume that you already have a working Mikrotik in place and a configured SQUID server ready (you can search for guides about their configuration on my blog). I will just show you how to interconnect them so that all users' port 80 browsing requests go to SQUID for caching.
We will divide this article into two sections.
1# MIKROTIK CONFIGURATION
2# SQUID CONFIGURATION
1# MIKROTIK CONFIGURATION
Mikrotik has 3 interfaces.
ether1 = 10.0.0.1
Connected to LAN
ether2 = 192.168.2.2
Connected Directly to PROXY’s eth0 via crossover cable.
ether3 = 192.168.1.2
Connected Directly to WAN/DSL
As shown in the image below . . .
Open a New Terminal and create a new NAT rule to redirect port 80 traffic to the SQUID proxy server. The command is as follows.
/ip firewall nat add action=dst-nat chain=dstnat disabled=no dst-port=80 protocol=tcp to-addresses=192.168.2.1 to-ports=8080
[192.168.2.1 is the SQUID proxy server IP]
As shown in the image below . . .
That’s it for the Mikrotik configuration. If internet sharing is already configured on the SQUID server, you don’t need to adjust any configuration on the squid box; all requests will be served by squid.
Now moving on to squid . . .
2# SQUID CONFIGURATION
SQUID PROXY SERVER has two interfaces.
eth0 = 192.168.2.1
Connected Directly with Mikrotik’s PROXY interface via crossover cable.
eth1 = 192.168.1.3
Connected Directly with WAN/DSL
Note: I will not discuss how to configure SQUID here, as it has already been well described in my other articles listed below. I therefore assume you have already configured SQUID and are running it in TRANSPARENT mode (using squid.conf directives and iptables).
Add the following line in /etc/squid/squid.conf
# PORT and Transparent Option
http_port 8080 transparent
For iptables to redirect user requests to port 8080 transparently and also masquerade outgoing traffic, add the following lines to /etc/rc.local or issue the commands at the CLI:
# Redirect users request to squid port 8080
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.2.1:8080
# Set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
Where eth0 is the LAN interface of SQUID and eth1 (192.168.1.3) is its WAN/DSL interface.
Now try to browse, and on the proxy server monitor the SQUID log with the following command:
tail -f /var/log/squid/access.log
You will see the users' browsing requests arriving from the Mikrotik IP.
As shown in the image below . . .
If you want to log the user's original IP address instead of the Mikrotik's, either add a route on the Squid server for your local user subnet pointing to the Mikrotik proxy interface, OR use the packet marking + routing method described in the following article.
https://aacable.wordpress.com/2011/07/21/mikrotik-howto-redirect-http-traffic-to-squid-with-original-source-client-ip/
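Added example, not part of the original article: a small shell/awk check to run on the SQUID box that reports whether access.log records the Mikrotik proxy-side address (192.168.2.2) for every request or the users' own addresses. The sample log lines and the 10.0.0.x client addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): check whose address Squid logs.
# Native access.log fields: time elapsed client action/code bytes method URL ...

ROUTER_IP="192.168.2.2"   # Mikrotik ether2, as given in the article

# Constructed sample: the log when every request arrives from the router.
sample_before() {
cat <<'EOF'
1325250001.123    210 192.168.2.2 TCP_MISS/200 5120 GET http://example.com/ - DIRECT/203.0.113.10 text/html
1325250002.456     12 192.168.2.2 TCP_HIT/200 20480 GET http://example.com/logo.png - NONE/- image/png
1325250003.789    340 192.168.2.2 TCP_MISS/200 1024 GET http://example.org/ - DIRECT/203.0.113.20 text/html
1325250004.012      9 192.168.2.2 TCP_MEM_HIT/200 20480 GET http://example.com/logo.png - NONE/- image/png
EOF
}

# Constructed sample: client addresses preserved (10.0.0.x hosts are assumed).
sample_after() {
cat <<'EOF'
1325260001.100    190 10.0.0.21 TCP_MISS/200 5120 GET http://example.com/ - DIRECT/203.0.113.10 text/html
1325260002.200     11 10.0.0.35 TCP_HIT/200 20480 GET http://example.com/logo.png - NONE/- image/png
1325260003.300     10 10.0.0.21 TCP_HIT/200 20480 GET http://example.com/logo.png - NONE/- image/png
EOF
}

# Requests per logged client address, busiest first, as "count address".
client_summary() {
    awk 'NF >= 7 { n[$3]++ } END { for (ip in n) print n[ip], ip }' |
        sort -k1,1nr -k2,2
}

# Classify a log read from stdin against the router address given as $1.
attribution_status() {
    awk -v gw="$1" '
        NF >= 7 { total++; if ($3 == gw) nat++ }
        END {
            if (total == 0)        print "empty"
            else if (nat == total) print "collapsed"
            else if (nat > 0)      print "mixed"
            else                   print "per-client"
        }'
}

echo "Router-sourced log: $(sample_before | attribution_status "$ROUTER_IP")"
sample_before | client_summary
echo "Preserved log:      $(sample_after | attribution_status "$ROUTER_IP")"
sample_after | client_summary
```

On a live box, feed it the real log instead of the samples: attribution_status 192.168.2.2 < /var/log/squid/access.log. A "collapsed" result means the log cannot tell one user from another, which matters if you rely on it for per-user accounting or incident follow-up.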
For more information, read the following:
https://aacable.wordpress.com/2011/08/08/linux-transparent-squid-proxy-server-guide/
https://aacable.wordpress.com/2011/06/01/linux-simple-internet-sharing-script/
https://aacable.wordpress.com/2012/01/19/youtube-caching-with-squid-2-7-using-storeurl-pl/
Regards,
SYED JAHANZAIB
Nice sharing !
Comment by faizan — December 30, 2011 @ 4:51 PM
nice post
Comment by qobtan — December 31, 2011 @ 4:45 AM
what do you think the scenario will be if we have more than one internet connection
Comment by qobtan — December 31, 2011 @ 4:54 AM
Just configure PCC as a LB. It will act as a gateway for Mikrotik and Squid.
OR you can create PCC on your main Mikrotik server and make it the GW for SQUID, so squid will send requests to mikrotik.
There are several ways to do it.
Comment by Pinochio~:) — December 31, 2011 @ 11:16 AM
Dear Syed,
My configuration at the moment:
– > Mikrotik public IP: for example 82.114.170.18 (one NIC connected to the switch)
DSL SWITCH – > SQUID public IP: for example 82.114.170.19 (one NIC connected to the switch)
– > Mikrotik public IP: for example 82.114.170.20 (one NIC connected to the switch)
After doing the NAT rule in every mikrotik I get the squid server IP on showip.com.
Does it mean all the traffic of all users (with or without cache) is going through squid now,
or do I see only the public IP of the squid but the traffic goes directly from dsl router -> mikrotik -> user
and not dsl-router – > { squid -> mikrotik } > users?
Comment by Nori — January 9, 2012 @ 4:48 AM
Dear Syed Jahanzaib,
I have 70 customers; around 50 need 128 kbps/32 and 20 need 256 kbps/64.
I am lost as to how much dedicated bandwidth I should buy
(right now I am load balancing four accounts + squid on ubuntu; the problem is that 90% of the bandwidth is cached, so users are facing problems with non-cached things).
Thanks in advance
Comment by Mohamad Hassan — January 26, 2012 @ 9:01 AM
If you want to provide customers with good quality internet services, I suggest you get a PTCL 10 mb dsl connection. It's affordable and cheap, 10,000 Rs only per month, and you will get around 8-9 mbps from it.
Just configure your squid with a balanced refresh pattern and all will be fine.
Comment by Syed Jahanzaib / Pinochio~:) — January 26, 2012 @ 10:46 AM
How to add SQUID Proxy Server on The Windows OS with MIKROTIK management bandwidth?
Thanks
Comment by akunk — January 30, 2012 @ 11:32 PM
I will not recommend you to use squid for Windows.
If you want to stick to Windows OS, then use ISA Server instead.
Or move on to linux/squid which will be more reliable and efficient as compared to windows OS.
On Linux you will have many added benefits.
Comment by Syed Jahanzaib / Pinochio~:) — January 31, 2012 @ 2:34 PM
Hi Syed, I used this tutorial and it's working perfectly. One problem though: if my squid proxy (ubuntu 10.04) crashes for any reason, all other traffic will work fine but HTTP traffic is kaput! Any ideas how I can get around this? Maybe a failover, so that when MK detects that the squid service or IP is unresponsive, all HTTP traffic goes out directly, i.e. bypasses the squid box. Thanks
Comment by Benk — January 31, 2012 @ 10:43 PM
Assalam o alaikum all. I am facing a problem: when I add the firewall NAT, the browser goes off. Please help me, it's urgent. Thanks
Comment by amir — February 26, 2012 @ 3:28 AM
Friends, please, someone reply, I am waiting.
Comment by amir — February 27, 2012 @ 5:00 PM
I have an RB750GL. PCC load balancing is configured on it with a hotspot server. 2 WAN and 1 LAN. Now just tell me what the picture would be (like you have displayed for one WAN) for two WANs. Thanks
Comment by SHAFQAT FARHAN — May 12, 2012 @ 11:36 AM
Hi Syed. I have followed your guide to setup squid running on pfSense, but I can’t get it to show the user’s ip in the log. what nat rule do I use in pfSense instead of the iptables you used in Ubuntu? It currently shows the Mikrotik address.
Comment by johan — June 24, 2012 @ 10:28 AM
Cool,
thanks for share
Comment by langga — August 6, 2012 @ 1:07 PM
what if proxy server located in client, so in mikrotik there are only two ethernet (for client and WAN)?
Comment by Arief Firdaus — August 28, 2012 @ 7:14 AM
You can’t place the proxy in the client subnet; that's a great security threat. Put squid on a separate subnet and connect it to mikrotik (in DMZ).
Comment by Syed Jahanzaib / Pinochio~:) — August 28, 2012 @ 9:20 AM
Assalamualaikum Jahanzaib bhai, how are you? Sir, I want to ask you a question. I have Mikrotik OS 5.18 installed on my machine, and I have been working on Mikrotik for a long time. I am having a problem: earlier I had Mikrotik version 2.9.27, on which I had configured the cache and it was running fine, even the YouTube video cache was being built. But for quite some days I have been configuring it on 5.18 and the cache is not working, even though everything shows OK, as you have shown in the figure above, but the cache is not being built. If I watch a 5-minute video on YouTube and open the same video again, it starts normally. Please help me.
Comment by farhan khan — September 3, 2012 @ 12:04 PM
Salam
How can I limit the squid cache for every user ("user manager + hotspot"), like user1 given internet bandwidth: 256K/256K and cache limit at: 1M/1M?
Thanks
Comment by khaled — September 5, 2012 @ 8:55 PM
Brother Jehanzeb, how can I thank you, seriously. I have done lots of big tasks just because of your detailed description.
I am really thankful to you, and my company is very happy to see my awesome projects running.
Comment by Amjad Iqbal — October 1, 2012 @ 5:09 AM
You are welcome bro !
Comment by Syed Jahanzaib / Pinochio~:) — October 1, 2012 @ 9:28 AM
Hi, have you any experience with setting up squid within one VirtualBox VM, and then Mikrotik within a second VirtualBox VM on the same Windows 2008 R2 machine? The VB machine has 2 eth ports and I wanted the proxy to be transparent. Is it possible?
Comment by simon — October 7, 2012 @ 2:44 PM
I have configured this scenario in a lab environment.
Yes, it can work. I work heavily on virtualization.
Comment by Syed Jahanzaib / Pinochio~:) — October 7, 2012 @ 2:53 PM
Thanks for the really quick feedback. Well, I will try and figure it out, but it will be tough going. The Dell PowerEdge PE860 is new to me and I haven't got used to it yet. I have only 1 week of experience with VirtualBox and no experience with squid cache or any other system. So it will be in at the deep end.
My MTik is the gateway machine. Its ether1 faces my provider’s cisco machine.
Now my MTik will be replaced by a PE860 with 2 VBox machines inside it.
On Vbox1, I will install MTik x86 system… I will bridge 1 of the virtual interfaces to the PE860 real interface, and that interface will face towards the cisco (public network side)
Then I plan to create a second virtual interface within vbox 1.. It will be the interface which will face the public via a squid proxy.
So then I plan to install a second virtual machine and I will load squid inside it (presumably with linux as an OS). On the second VM, I will create another virtual interface.. This interface will be public facing, but will be attached to the local side of the MT virtual interface.
Finally I will create the last virtual interface and bridge that to the other “real” interface on the PE860, which will be the input of the traffic from the clients.
Does this seem the correct way to go about it to you?.
Thanks.
Comment by simon — October 7, 2012 @ 3:11 PM
asalam alikum
I am looking for a solution for blocking all websites and enabling only one link. How to do that?
Anyone know how?
Comment by yzin — November 7, 2012 @ 8:43 PM
Sir, you are a great one and there is only one like you.. thank you very much.
May Allah keep you happy .. and give your children health and life.
Comment by sohail — December 9, 2012 @ 9:25 PM
Thank you so much bro….. you really helped me, you're the man…….
Comment by patrick kanja — December 14, 2012 @ 3:29 PM
Hi Syed, I implemented as you instructed in the tutorial, and it worked perfectly. I really question my connection: should I masquerade eth3 that feeds mikrotik with internet, since squid gets internet from the same source?
Comment by patrick kanja — December 20, 2012 @ 1:20 PM
Asalam-o-alecum, dear Jahanzaib. In the above scenario, how can I bypass cache content or download cache content through the squid proxy at full LAN speed when I use a 128k/128k PPPoE user profile limit on mikrotik?
Comment by khurram — January 26, 2013 @ 2:38 PM
Please read this guide. It explains step by step how to bypass cached contents from the queue limit.
Comment by Syed Jahanzaib / Pinochio~:) — January 26, 2013 @ 3:17 PM
Thanks to you Syed, I had configured and have been using Dual WAN on my mikrotik box. Following your instructions I have a working Squid as well but I have 2 WAN (1st VSAT link very stable but low bandwidth(1Mb), 2nd WAN 4Mb faster but unstable (frequently goes offline)). How will the connection be done?
Comment by Timi — January 28, 2013 @ 8:41 PM
Thanks to you Syed, I had configured and have been using Dual WAN on my mikrotik box. Following your instructions I have a working Squid as well but I have 2 WAN (1st VSAT link very stable but low bandwidth(1Mb), 2nd WAN 4Mb faster but unstable (frequently goes offline)). How will the connection be done when adding the squid to the mikrotik with 2 WAN?
Comment by Timi — January 29, 2013 @ 4:38 PM
Howto create PPPoE Dialer Installer Package for windows 7 & 8 ?
Comment by khurram — January 30, 2013 @ 12:28 PM
hello Sayeed, am an ardent follower of your blog since am new to mikrotik. am trying to add squid to my current setup but after going through your guide, i have one question:
How do I know which ether card is eth0 and which one is eth1 on the squid server so i can plug in the crossover cables? thanks
Comment by busiwiki — February 14, 2013 @ 1:43 AM
First configure the IP address for eth0 (which is connected to the mikrotik box with the crossover cable), then try to ping mikrotik from the squid box. If the ping is OK then it's eth0; if not, simply pull the cable out of this NIC and put it in the second interface.
Comment by Syed Jahanzaib / Pinochio~:) — February 14, 2013 @ 3:39 PM
Hi,
I have been following up your cache guides since long. Can you suggest me, What is the best way to setup for Mikrotik + Squid to maintain 500 live users and 2000 offline users by using DMA RADIUS. Also please suggest the best version of ubuntu to implement excellent caching functionality.
Comment by Vijay — February 14, 2013 @ 6:12 PM
Unable to determine IP address from host name
Jahanzaib bhai, I am facing this error
Comment by waqar — March 29, 2013 @ 9:48 PM
Please provide more details. Where are you getting this error? How are your network and service roles set up?
Comment by Syed Jahanzaib / Pinochio~:) — April 1, 2013 @ 9:16 AM
Salam Sir,
Please help me to configure my network as this topology :
interface :
ether1=WAN1
ether2=WAN2
ether3=Hotspot
ether4=Proxy Squid
ether5=LAN
I’ve succeeded in managing the PCC load balancing and have no problem with the hotspot, but can’t work out how to set it up with Proxy Squid,
as I want all users redirected to the proxy.
Thanks in advance
Comment by operatorglobalnet — April 16, 2013 @ 11:15 AM
Reblogged this on globalnetsia and commented:
still confusing…………… 😦
Comment by operatorglobalnet — April 16, 2013 @ 11:23 AM
At which point are you confused?
Comment by Syed Jahanzaib / Pinochio~:) — April 16, 2013 @ 1:35 PM
how to redirect LAN & Hotspot with 2 WAN?
Comment by operatorglobalnet — April 16, 2013 @ 3:04 PM
To make it simple, use separate RB for LB, this way it will be easy for you to configure and troubleshoot.
Comment by Syed Jahanzaib / Pinochio~:) — April 17, 2013 @ 8:10 AM
please help me…………
Comment by operatorglobalnet — April 16, 2013 @ 3:44 PM
Hello, thanks for nice writing.
I am wondering if i could setup this in our network
How to setup squid if the squid server is connected directly to switch / mikrotik without having direct connection with modem (the modem is ISP propietary only has 1 port – and you can only connect it via PPPoE without having private IP).
Which one of this topology is feasible and easier to setup / maintenance.
Topology 1 :
user -> switch -> mikrotik -> modem -> internet
|
squid (connected to mikrotik extra ethernet port)
Topology 2 :
user -> switch -> mikrotik -> modem -> internet
|
squid (connected to main switch)
Please advise, any help is appreciated, thank you very much.
Comment by yirwandi — April 24, 2013 @ 7:55 AM
Sorry for the topology, I wanted the ” | ” positioned correctly but it seems the spaces are deleted.
Topology 1 is where the squid is connected to mikrotik
Topology 2 is where the squid is connected to main switch.
Comment by yirwandi — April 24, 2013 @ 7:58 AM
Yes, both topologies can work, but the recommended one is as follows.
User > Switch >>> Mikrotik >>> Modem > Internet
|
> Squid
In this topology Squid has one interface only and is directly connected to the mikrotik. Squid will take its internet data from the mikrotik, and the mikrotik is connected to the modem directly.
This way your squid will be in a DMZ, meaning no one will touch it without authentication, which is necessary, because if you place it on the user subnet, then anyone can use it, even if you place some sort of ACL.
Comment by Syed Jahanzaib / Pinochio~:) — April 24, 2013 @ 10:17 AM
amin wa’alaikum salam
Good day, I have just been employed in a company and I don’t know much about Mikrotik. Now I have an issue which invariably is a test as they have said that I have to ensure that I build a cache outside the Mikrotik and that if that improves the speed of browsing tremendously that means I have the job.
Let me describe the network to you:
Modem>Gateway(x86 PC)> Mikrotik (Rb1100 or x86)> switch>antennae
I would like to incorporate both the cache option to do both web-pages and also videos, I would like to do both on the same machine. Also I would appreciate it if you could please give me detailed steps on what to do on each; both on the Linux package and the Mikrotik package. The mikrotik version is 5.22 and the Ubuntu version is 13.04 64 bits.
Comment by Ahmed Bello — May 30, 2013 @ 3:22 AM
Mikrotik has a built-in cache service called WEB Proxy. It's OK for a small number of users and for basic http caching, but it can do video caching.
Video caching is a hectic thing to do; even experienced personnel get in trouble while troubleshooting it.
You can add another box with a SQUID configuration. If you have no prior experience in Linux, start with Ubuntu, it's relatively easier. Search my blog and Google and you will find many articles and guides on how to configure squid and connect it with the mikrotik box.
Comment by Syed Jahanzaib / Pinochio~:) — May 30, 2013 @ 8:27 AM
sir how are you
ubuntu server lusca and mikrotik how march
Comment by amanaman483 — June 29, 2013 @ 5:58 PM
?
Comment by Syed Jahanzaib / Pinochio~:) — July 1, 2013 @ 9:34 AM
what about SQUID Proxy Server with MIKROTIK with PCC 2 router’s ???
Comment by qassam — July 20, 2013 @ 6:37 PM
router 1 : 5.5.5.1
router 2 : 6.6.6.1
mikrotikout : 192.168.0.1
Comment by qassam — July 20, 2013 @ 6:39 PM
Salam Syed Jahanzaib,
I just want to ask, is it possible to just add the squid proxy server on the same interface as the local network (same subnet)?
e.g.:
public 192.168.1.0
local+hotspot user 172.16.0.0/24
proxy server 172.16.0.253
If it cannot be allowed, can you give me the reason? Is it not safe or is there another explanation?
Thanks
Best regards
Wassalam
Comment by firman — August 17, 2013 @ 9:04 PM
It's not recommended to put the squid server on the same subnet, due to security and other management perspectives.
Put the proxy on a separate interface with a different subnet than the user subnet.
Comment by Syed Jahanzaib / Pinochio~:) — August 19, 2013 @ 9:03 AM
What is the IP config of the squid server? can u post it ? Both WAN and LAN with gateway for better understanding
Comment by srijit — August 22, 2013 @ 8:16 AM
Sir, I am facing a problem using mikrotik hotspot + squid proxy + mikrotik radius server. When I request the radius login page, on both the LAN and WAN address, the mikrotik gives me a 404 error page. My request goes to the squid proxy server. Sir, how do I bypass my http port 80 request to the proxy server? Can you help me!
Comment by Muhammad Asif Janjua — February 12, 2014 @ 9:51 AM
In the dst-nat (squid redirect) rule, exclude your user manager/radius page from going to squid (in dst-address).
Comment by Syed Jahanzaib / Pinochio~:) — February 13, 2014 @ 10:02 AM
i have problem configuration redirect mikrotik in squid
mikrotik can not work caching
Comment by jawad — March 14, 2014 @ 10:00 PM
i have problem configuration redirect mikrotik in squid
mikrotik can not work caching
Comment by jawad — April 1, 2014 @ 9:10 AM
hi sir, thanks for sharing your knowledge. I already applied squid proxy and mikrotik configuration, but when I activate the rule: dstnat on the mikrotik, and try to browse (using client computer), the loading process keep on going, it won’t finish loading. I don’t know where the problem is, I try to figure it out but cannot find why.
Hmm, I’m using virtual machine as the squid proxy server, can it be the problem, Sir? kindly help.
Thanks in advance.
Comment by himawari — May 21, 2014 @ 1:08 PM
Dear,
How can I do this with 2 DSL links coming from different buildings?
FYI: The two buildings are connected by the Loco M5 and 2 Mikrotik 750GLs.
Thanks
Comment by Felipe Oliveira — July 25, 2014 @ 8:44 AM
Salaam Jahanzaib bhai, in Mikrotik I need to block a website for selected client users only, not for all of them.
Comment by Moiz Ahmed — April 20, 2015 @ 1:10 PM
There are many ways you can accomplish this. Either use web proxy and redirect only the related user to it and filter requests in it, or create an ACL and apply this ACL to the specific user. There are many methods you can follow.
Comment by Syed Jahanzaib / Pinochio~:) — April 21, 2015 @ 8:46 AM
Dear, Syed can you configure it for me I can pay for it please ?
Thanks
Comment by zahid — October 1, 2017 @ 12:16 AM