This short reference guide was made on request by a creature called 'Humans' living on planet earth 😉
☻
Scenario:
We want to connect a Squid proxy server to a Mikrotik router. The Squid server has only one interface.
The Mikrotik is running a PPPoE server and has 3 interfaces, as follows.
MIKROTIK INTERFACE EXAMPLE:
LAN = 192.168.0.1/24
WAN = 1.1.1.1/24 (gw+dns pointing to wan link)
proxy-interface = 192.168.2.1/24
PPPoE Users IP Pool = 172.16.0.1-172.16.0.255
SQUID INTERFACE EXAMPLE:
The Squid proxy has only one interface, as follows:
LAN (eth0) = 192.168.2.2/24
Gateway = 192.168.2.1
DNS = 192.168.2.2
As shown in the image below …
To redirect traffic from the Mikrotik to the Squid proxy server, we have to create a redirect (dst-nat) rule, as shown in the example below.
Mikrotik Configuration:
CLI Version:
/ip firewall nat
add action=dst-nat chain=dstnat comment="Redirect only PPPoE Users to Proxy Server 192.168.2.2" disabled=no dst-port=80 protocol=tcp src-address=172.16.0.1-172.16.0.255 to-addresses=192.168.2.2 to-ports=8080
add action=masquerade chain=srcnat comment="Default NAT rule for Internet Access" disabled=no
Also shown in the image below …
No iptables configuration is required at the Squid end 😀
Now try to browse from your client end, and you will see the requests in Squid's access.log,
as shown in the image below …
Tips and Tricks!
Just for info purposes …
How to view the client's original IP in Squid logs instead of the creepy Mikrotik IP
With the redirect method above, client traffic is successfully routed (actually NATted) to the Squid proxy server. However, the Squid logs show only the Mikrotik IP, so we have no idea which client is using the proxy. The default masquerade rule shown above is not tied to any interface, so it also rewrites the source address of traffic forwarded to the proxy interface. To see the client's original IP address instead of the Mikrotik's, explicitly define the WAN interface in the default NAT rule, so that traffic sent to the proxy interface is not NATted 🙂
Mikrotik default NAT rule configuration:
As shown in the image below …
Now you can see its effect in the Squid logs,
as shown in the image below …
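A way to confirm this effect from the Squid side, as an added example that is not part of the original post: it reads access.log lines in Squid's native format and reports whether requests still arrive with the Mikrotik proxy-interface address or with addresses from the PPPoE pool. The log lines are constructed samples and the function names are illustrative.

```python
import ipaddress
from collections import Counter

ROUTER_IP = "192.168.2.1"                    # Mikrotik proxy-interface (from the article)
PPPOE_POOL = ("172.16.0.1", "172.16.0.255")  # PPPoE user pool (from the article)

# Constructed access.log lines in Squid's native format (not from a real system).
BEFORE_FIX = """\
1398672001.101    212 192.168.2.1 TCP_MISS/200 5120 GET http://example.com/ - DIRECT/203.0.113.10 text/html
1398672002.415     98 192.168.2.1 TCP_HIT/200 1830 GET http://example.com/logo.png - NONE/- image/png
""".splitlines()
AFTER_FIX = """\
1398672101.007    187 172.16.0.15 TCP_MISS/200 5120 GET http://example.com/ - DIRECT/203.0.113.10 text/html
1398672102.310     75 172.16.0.42 TCP_HIT/200 1830 GET http://example.com/logo.png - NONE/- image/png
this line is truncated
""".splitlines()


def classify(line, router, lo, hi):
    """Label one log line by its client field (3rd column of the native format)."""
    fields = line.split()
    if len(fields) < 7:
        return "unparsed"
    try:
        ip = ipaddress.ip_address(fields[2])
    except ValueError:
        return "unparsed"
    if ip == router:
        return "masqueraded"   # srcnat rule still rewrites traffic sent to the proxy
    if ip.version == 4 and lo <= ip <= hi:
        return "pppoe_client"  # original subscriber address preserved
    return "other"


def audit(lines, router_ip=ROUTER_IP, pool=PPPOE_POOL):
    """Return (counts, attributable). attributable is True only when requests
    were seen and none of them carried the router's own address."""
    router = ipaddress.ip_address(router_ip)
    lo, hi = (ipaddress.ip_address(a) for a in pool)
    counts = Counter(classify(l, router, lo, hi) for l in lines if l.strip())
    seen = counts["masqueraded"] + counts["pppoe_client"] + counts["other"]
    return dict(counts), seen > 0 and counts["masqueraded"] == 0


if __name__ == "__main__":
    for name, sample in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(name, *audit(sample))
```

Any non-zero "masqueraded" count means the masquerade rule is still matching traffic toward the proxy interface, so those requests cannot be tied to a PPPoE user.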
Regards
☺☻♥
SYED JAHANZAIB
SKYPE – aacable79
Great info, all that I need in my previous request. Many thanks.
Best regards
Ivan
Comment by Ivan — April 28, 2014 @ 12:52 PM
Very smart solution.
Please, need more information about squid server configuration and requirements to work.
Comment by masy — April 28, 2014 @ 1:40 PM
Good Work
Comment by Waseem Ahmed — April 28, 2014 @ 5:52 PM
😀 Nice Share
Comment by Learner — April 28, 2014 @ 11:20 PM
Nice sharing 🙂
Comment by FSK — April 29, 2014 @ 1:17 PM
sir can we apply this setting on hotspot server
Comment by Ahmed Burhan — April 30, 2014 @ 1:51 AM
Sir, you are the best, thanks thanks thanks… thanks
Comment by Muhammad Nauman — April 30, 2014 @ 3:04 AM
what about connecting Squid to Mikrotik with 2 WAN and 1 LAN configured as PPPoE server and PCC configured ??
can it be connected on a switch to the LAN interface and used there ?
Comment by Moaz Dabsheh — May 1, 2014 @ 7:20 AM
Hello Mr., I had made a machine like you explain here: https://aacable.wordpress.com/2014/04/21/howto-cache-youtube-with-squid-lusca-and-bypass-cached-videos-from-mikrotik-queue/ , I only use one NIC and I configured Mikrotik like you explain here, but I got a problem that I cannot solve: my clients are not in one subnet range 172.16.0.0/24 like in the example. I have a different subnet in every access point, AP1 -> 10.10.1.0/24, AP2 -> 10.10.2.0/24 and so on. If I want to visit a site I put src-address 0.0.0.0, otherwise nobody can visit any site. I tried to input a range like 10.0.0.0/8 but it was not accepted. Can you help me please? Thanks. Ivan
Comment by Ivan — May 2, 2014 @ 4:45 AM
My mistake, proxy is not used, maybe because of no correct range of addresses
Comment by Ivan — May 2, 2014 @ 4:47 AM
AOA… Dear Jahanzaib bhai… please guide me to connect Squid with a Mikrotik core router… where the core router is doing 8 WAN load balancing with hotspot… the router model is CCR1036-12G-4S… I will be very thankful to you…
Comment by qdsl.dsl — May 6, 2014 @ 1:30 PM
How do I appear in the User sarg instead of the IP?
Comment by José Rodrigues Filho — May 11, 2014 @ 11:40 AM
Hi Mr. Jahanzaib… I use your squid.conf and store.pl but got this error message and the squid stopped… not every time, but about once or twice in a day
Can’t call method “readline” on an undefined value at /etc/squid/storeurl.pl line 151, line 21
Would you help me…
Thanks in advance…
Comment by drain — May 16, 2014 @ 1:29 PM
Sir, the NAT rule that was added earlier while configuring just PPPoE… will this NAT rule be added in its place, or will both stay added?
Comment by magnumkyo — July 20, 2014 @ 5:41 PM
I did it all, but when I browse it does not load the page
Comment by Sanyog Maharjan — November 7, 2014 @ 2:24 PM
what about connecting the squid to same lan interface as clients? noticing that mikrotik have 2 wan interfaces configured as load balancing.
Comment by Moaz Dabsheh — November 7, 2014 @ 7:13 PM
My squid IP address is 192.168.88.11 and my client PC IP address is 192.168.88.10, so I redirect all the connections to the squid PC as mentioned above, I just changed the address, and the proxy port is 8080; even so it doesn't work. Why?
Comment by Sanyog Maharjan — November 12, 2014 @ 1:39 PM
Hi… That's not working for me, it still gives me the router IP.
Help!!
Comment by Maidine — April 2, 2015 @ 3:39 PM
Hi, thanks for the config, but I have a problem. When I enable the redirection, all the PPPoE clients don't have access to any news webpage (just pages like Google, or pages already opened in the computer, are responding). In my NAT configuration I just NAT a specific src address, the PPPoE client pool (is that the problem?). I don't know if there is a config that accepts web traffic when the proxy server is off, like a secondary route directly via the WAN interface?
Thanks in advance.
Comment by lex — August 23, 2015 @ 11:17 PM
Salam,
Sir, I asked you a question and by answering it you resolved my problem.
I am thankful to you for that.
My new question to you is this:
in Mikrotik I set an uptime limit in the user's settings, but when the user comes online and later goes offline and I check, the uptime in Mikrotik shows zero zero,
even though the user was online. How can I set this up?
I want Mikrotik to remember the time and, according to the uptime limit, tell the user that their limit has ended.
Please tell me a solution.
Thanks in advance.
Comment by Software Engineer — September 18, 2015 @ 7:11 AM
Hello Mr., Do I have enabled web proxy in mikrotik router with the port 8080 in IP->Web Proxy?
Comment by Christian — January 6, 2016 @ 8:08 PM
It depends on your network.
You can enable Mikrotik web proxy and then use squid as parent proxy, but it is not recommended.
If you have managed to configure squid as proxy, then simply redirect port 80 traffic from Mikrotik to that squid using a NAT rule.
Comment by Syed Jahanzaib / Pinochio~:) — January 14, 2016 @ 12:13 PM
AOA,
I have set this up… when I configure the proxy in the PPPoE client browser it works fine, but when I use the dstnat rule via MK it shows different errors, sometimes access denied or sometimes invalid URL, use http… I have tested from transparent to normal config but still the same issue.
Any idea??
Comment by Hak — April 22, 2016 @ 1:28 PM
Dear Jaib Bhai, I'm from Nepal. I have a small ISP in a remote area of Nepal. I want to configure squid for my ISP; I tried a lot but no luck. I was doing transparent squid3.3.8 on ubuntu14.04 with a single interface for Mikrotik. I tried for a week or even more but had no success with it. I need your help. Here in Nepal bandwidth is quite costly for communities. Hope for a reply from you soon.
Comment by Ranjeet Shah — October 16, 2016 @ 4:23 PM
Dear Jaib please post the proxy configuration because when i tried this setup.. the proxy listens but cannot forward request.. Access Denied in the client side..
Comment by belkens — December 18, 2016 @ 6:02 AM