Syed Jahanzaib Personal Blog to Share Knowledge !

April 28, 2014

Howto connect Squid Proxy with Mikrotik with Single Interface

Filed under: Linux Related — Syed Jahanzaib / Pinochio~:) @ 12:20 PM

This short reference guide was made on request by a creature called 'Humans' living on planet earth 😉


We want to connect a Squid proxy server to a Mikrotik router. The Squid server has only one interface.
The Mikrotik is running a PPPoE server.


MIKROTIK has 3 interfaces as follows…

WAN = (gw+dns pointing to wan link)
proxy-interface =
PPPoE Users IP Pool =



SQUID proxy has only one interface as follows…

LAN (eth0) =
Gateway =





To redirect traffic from the Mikrotik to the Squid proxy server, we have to create a redirect (dst-nat) rule, as shown in the example below.



Mikrotik Configuration:

CLI Version:

/ip firewall nat

add action=dst-nat chain=dstnat comment="Redirect only PPPoE Users to Proxy Server" disabled=no dst-port=80 protocol=tcp src-address= to-addresses= to-ports=8080

add action=masquerade chain=srcnat comment="Default NAT rule for Internet Access" disabled=no

[Image: redirect rule]



No IPTABLES configuration is required at squid end 😀


Now try browsing from a client, and you will see the requests in Squid's access.log.

[Image: squid logs with mt ip]






TIPs and Tricks !

Just for info purposes …

How to view client original ip in squid logs instead of creepy mikrotik ip

As you have noticed, with the redirect method above, client traffic is successfully routed (actually NATted) to the Squid proxy server. But the Squid proxy logs show only the Mikrotik IP, so we have no idea which client is using the proxy. To see the client's original IP address instead of the Mikrotik's, you have to explicitly define the WAN interface in the default NAT rule, so that traffic sent to the proxy interface is not NATted 🙂

Mikrotik Default NAT rule configuration:

[Image: client original ip]
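
The default NAT rule change described above, written out as RouterOS commands. This is an added example, not part of the original post; the interface name WAN is an assumption taken from the interface list at the top of the post, so substitute your router's actual Internet-facing interface name.

```routeros
# Added example (not from the original post).
# Assumption: the Internet-facing interface is named "WAN".

/ip firewall nat

# Before: the masquerade rule from the post has no out-interface, so it also
# rewrites the source address of packets that were dst-natted to Squid and
# leave via the proxy interface. Squid then logs the Mikrotik address for
# every client.
print detail where chain=srcnat action=masquerade

# After: masquerade only what leaves through the WAN interface. Redirected
# port-80 traffic now reaches Squid with the PPPoE client's own address.
# Note: find matches every srcnat masquerade rule; if the router has more
# than one, select the intended rule by its number or comment instead.
set [find chain=srcnat action=masquerade] out-interface=WAN

# Confirm the rule now shows out-interface=WAN.
print detail where chain=srcnat action=masquerade
```

With the source address preserved, each line in access.log can be tied to a PPPoE client address, which is what makes the proxy log usable for tracing activity back to a user.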


Now you can see its effect in the Squid logs.





SKYPE – aacable79


  1. Great info, all that I need in my previous request. Many thanks.
    Best regards


    Comment by Ivan — April 28, 2014 @ 12:52 PM

  2. very smart solution

    please need more information about squid server configuration and requirements to work


    Comment by masy — April 28, 2014 @ 1:40 PM

  3. Good Work


    Comment by Waseem Ahmed — April 28, 2014 @ 5:52 PM

  4. 😀 Nyc Share


    Comment by Learner — April 28, 2014 @ 11:20 PM

  5. Nice sharing 🙂


    Comment by FSK — April 29, 2014 @ 1:17 PM

  6. sir can we apply this setting on hotspot server


    Comment by Ahmed Burhan — April 30, 2014 @ 1:51 AM

  7. sir you are the best thanks thanks thanks……………………..thanks


    Comment by Muhammad Nauman — April 30, 2014 @ 3:04 AM

  8. what about connecting Squid to Mikrotik with 2 WAN and 1 LAN configured as PPPoE server and PCC configured ??
    can it be connected on a switch to the LAN interface and used there ?


    Comment by Moaz Dabsheh — May 1, 2014 @ 7:20 AM

  9. Hello Mr., I had made a machine like you explain here : , I only use one nic and I configure mikrotik like you explain here but I got a problem that I cannot solve: my clients are not in one subnet range like in the example. I had a different subnet in every access point, AP1 ->, AP2 -> and so on. If I want visit site I put src-address otherwise nobody can visit any site. I try to input a range like but it was not accepted. can you help me please. Thanks. Ivan


    Comment by Ivan — May 2, 2014 @ 4:45 AM

    • My mistake, proxy is not used, maybe because no correct range of address


      Comment by Ivan — May 2, 2014 @ 4:47 AM

  10. AOA…. Dear jahanzaib bhai…….plz guide me to connect squid with mikrotik core router ….where the core router is doing 8 wan loadbalancing with hotspot………the router model is *CCR1036*-12G-4S…….I be very thankful to you…



    Comment by qdsl.dsl — May 6, 2014 @ 1:30 PM

  11. How do I appear in the User sarg instead of the IP?


    Comment by José Rodrigues Filho — May 11, 2014 @ 11:40 AM

  12. hi mr. jahanzaib….i use your squid.conf an but got this error message and the squid stopped…not everytime but about once or twice in a day
    Can’t call method “readline” on an undefined value at /etc/squid/ line 151, line 21
    would you help me…
    thanks in advance……..


    Comment by drain — May 16, 2014 @ 1:29 PM

  13. Sir, about the NAT rule that was added while configuring just PPPoE: will this NAT rule be added in its place, or will both remain added?


    Comment by magnumkyo — July 20, 2014 @ 5:41 PM

  14. i did it all but when i browse it does not load page


    Comment by Sanyog Maharjan — November 7, 2014 @ 2:24 PM

  15. what about connecting the squid to same lan interface as clients? noticing that mikrotik have 2 wan interfaces configured as load balancing.


    Comment by Moaz Dabsheh — November 7, 2014 @ 7:13 PM

  16. my squid ip add is and my client pc ip add is, so i redirect all the connection to the squid pc as it is mentioned above just i changed address and proxy port is 8080, even it doesnt work. why


    Comment by Sanyog Maharjan — November 12, 2014 @ 1:39 PM

  17. Hi .. That’s not working for me, it still gives me the router IP.

    Help !!


    Comment by Maidine — April 2, 2015 @ 3:39 PM

  18. Hi, thanks for the config, but I have a problem. When I enable the redirection, all the PPPoE clients don’t have access to any news webpage (just pages like Google, or pages already opened on the computer, are responding). In my NAT configuration I just NAT a specific src address, the PPPoE client pool (is it the problem?). I don’t know if there is a config that accepts web traffic when the proxy server is off, like a secondary route directly via the WAN interface??
    Thanks in advance.


    Comment by lex — August 23, 2015 @ 11:17 PM

  19. Salam,
    Sir, I asked you a question and by answering it you resolved my problem.
    I am grateful to you for that.
    My new question to you is this:
    in Mikrotik I set an uptime limit in the user entry, but when the user comes online and later goes offline, I check and the uptime in Mikrotik shows zero zero,
    even though the user was online. How can I set this up?
    I want Mikrotik to remember the time and, according to the uptime limit, tell the user that their limit has ended.
    Please suggest a solution.
    Thanks in advance.


    Comment by Software Engineer — September 18, 2015 @ 7:11 AM

  20. Hello Mr., Do I have enabled web proxy in mikrotik router with the port 8080 in IP->Web Proxy?


    Comment by Christian — January 6, 2016 @ 8:08 PM

    • it depends on your network.
      you can enable mikrotik web proxy and then use squid as parent proxy. but not recommended
      if you have managed to configure squid as proxy, then simply redirect port 80 traffic from Mikrotik to that squid using nat rule.


      Comment by Syed Jahanzaib / Pinochio~:) — January 14, 2016 @ 12:13 PM

  21. AOA,
    i have setup this… when i configure proxy in pppoe client browser it works fine. but when i used dstnat rule via mk it shows different errors sometimes access denied or sometimes invalid url use http.. i have tested from transparent to normal config but still same issue.
    any idea ??


    Comment by Hak — April 22, 2016 @ 1:28 PM

  22. Dear Jaib Bhai, I'm from Nepal. I have a small ISP in a remote area of Nepal. I want to configure squid for my ISP. I did try much but no luck. I was doing transparent squid3.3.8 on ubuntu14.04 with single interface for mikrotik. I tried for a week or even more but was unsuccessful with the stuff. I need your help. Here in Nepal bandwidth is quite costly for communities. Hope for a reply from you soon.


    Comment by Ranjeet Shah — October 16, 2016 @ 4:23 PM

  23. Dear Jaib please post the proxy configuration because when i tried this setup.. the proxy listens but cannot forward request.. Access Denied in the client side..


    Comment by belkens — December 18, 2016 @ 6:02 AM
