Syed Jahanzaib Personal Blog to Share Knowledge !

April 28, 2014

Howto connect Squid Proxy with Mikrotik with Single Interface

Filed under: Linux Related — Syed Jahanzaib / Pinochio~:) @ 12:20 PM

This short reference guide was made on request by a creature called 'Humans' living on planet Earth 😉 ☻

Scenario:

We want to connect a Squid proxy server with Mikrotik, and the Squid server has only one interface.
Mikrotik is running a PPPoE server and has 3 interfaces as follows.

MIKROTIK INTERFACE EXAMPLE:

MIKROTIK has 3 interfaces as follows…

LAN = 192.168.0.1/24
WAN = 1.1.1.1/24 (gateway + DNS pointing to the WAN link)
proxy-interface = 192.168.2.1/24
PPPoE Users IP Pool = 172.16.0.1-172.16.0.255


SQUID  INTERFACE EXAMPLE:

SQUID proxy has only one interface as follows…

LAN (eth0) = 192.168.2.2/24
Gateway = 192.168.2.1
DNS = 192.168.2.2

As shown in the image below …

[Image: 0-interface]

To redirect traffic from the Mikrotik to the Squid proxy server, we have to create a redirect (dst-nat) rule,
as shown in the example below …

Mikrotik Configuration:

CLI Version:

/ip firewall nat
add action=dst-nat chain=dstnat comment="Redirect only PPPoE Users to Proxy Server 192.168.2.2" disabled=no dst-port=80 protocol=tcp src-address=172.16.0.1-172.16.0.255 to-addresses=192.168.2.2 to-ports=8080
add action=masquerade chain=srcnat comment="Default NAT rule for Internet Access" disabled=no

Also shown in the image below …

[Image: 1- redirect rule]

No IPTABLES configuration is required at the Squid end 😀


Now try to browse from your client end, and you will see the requests in squid's access.log,
as shown in the image below …

[Image: 2- squid logs with mt ip]


DONE 🙂


TIPs and Tricks !

Just for info purposes …

How to view the client's original IP in squid logs instead of the creepy Mikrotik IP

As you have noticed, using the above redirect method, client traffic is successfully routed (actually NATed) to the Squid proxy server. But the squid proxy logs show only the Mikrotik IP, so we have no idea which client is using the proxy. To see the client's original IP address instead of Mikrotik's, you have to explicitly define the WAN interface in the default masquerade rule (out-interface=WAN), so that traffic sent towards the proxy interface is not source-NATed 🙂
Mikrotik default NAT rule configuration,
as shown in the image below …

[Image: 3- client original ip]

Now you can see its effect in the squid logs,
as shown in the image below …

[Image: 4- client original IP]

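A quick way to check whether the masquerade rule is still masking your clients is to audit access.log for the router's own address in the client column. The script below is an added example written for this page, not code from the article; the log lines are constructed in squid's native log format, and the addresses (192.168.2.1 for the Mikrotik proxy interface, 172.16.0.1-172.16.0.255 for the PPPoE pool) are assumed to match the scenario above.

```python
"""Audit a squid access.log for requests whose logged source is the router
instead of the real client (i.e. source NAT on the proxy-facing interface masked it).

Added example for this page; the sample log lines below are constructed, not real.
"""
import ipaddress
from collections import Counter

# Addresses from the article's scenario (assumed the same on your setup).
ROUTER_PROXY_IP = ipaddress.ip_address("192.168.2.1")   # Mikrotik proxy-interface
POOL_FIRST = ipaddress.ip_address("172.16.0.1")          # PPPoE pool start
POOL_LAST = ipaddress.ip_address("172.16.0.255")         # PPPoE pool end

# Constructed sample in squid's native access.log format:
# timestamp elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1398670800.101    120 192.168.2.1 TCP_MISS/200 5432 GET http://example.com/ - DIRECT/93.184.216.34 text/html
1398670801.202     15 192.168.2.1 TCP_HIT/200 812 GET http://example.com/logo.png - NONE/- image/png
1398670900.303    233 172.16.0.17 TCP_MISS/200 9921 GET http://example.org/ - DIRECT/93.184.216.34 text/html
1398670901.404     44 172.16.0.42 TCP_MISS/304 311 GET http://example.org/a.css - DIRECT/93.184.216.34 text/css
1398670902.505     60 10.9.9.9 TCP_DENIED/403 1200 GET http://example.net/ - HIER_NONE/- text/html
this line is garbage and must be skipped
"""


def parse_client_ip(line):
    """Return the client address (3rd field) of a native-format line, or None."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        return ipaddress.ip_address(parts[2])
    except ValueError:
        return None


def classify(ip):
    """Tell router-masked requests apart from real PPPoE clients and anything else."""
    if ip == ROUTER_PROXY_IP:
        return "masked_by_router"
    if POOL_FIRST <= ip <= POOL_LAST:
        return "pppoe_client"
    return "other"


def audit(log_text):
    """Count requests per class and collect the distinct real client IPs seen."""
    counts = Counter()
    clients = set()
    for line in log_text.splitlines():
        ip = parse_client_ip(line)
        if ip is None:
            counts["unparsed"] += 1
            continue
        kind = classify(ip)
        counts[kind] += 1
        if kind == "pppoe_client":
            clients.add(str(ip))
    return counts, clients


def masked_fraction(counts):
    """Share of parsed requests that carry the router's IP instead of a client's."""
    parsed = sum(v for k, v in counts.items() if k != "unparsed")
    return counts["masked_by_router"] / parsed if parsed else 0.0


if __name__ == "__main__":
    counts, clients = audit(SAMPLE_LOG)
    print(dict(counts))
    print("real clients seen:", sorted(clients))
    print("masked fraction: %.2f" % masked_fraction(counts))
```

Run it against a real file with `audit(open("/var/log/squid/access.log").read())`; a masked fraction near 1.0 after the NAT change means the masquerade rule is still matching traffic towards the proxy interface.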

Regards,

☺☻♥
SYED JAHANZAIB
SKYPE – aacable79

December 30, 2011

Howto add SQUID Proxy Server with MIKROTIK [Short Reference Guide]


To add SQUID proxy caching server support in Mikrotik, assume the following scenario.

DSL MODEM IP = 192.168.1.1
MIKROTIK LAN IP = 10.0.0.1
SQUID LAN IP = 192.168.2.1

I assume that you already have a working Mikrotik in place and a SQUID server already configured (you can search for guides about their configuration on my blog). I will just show you how to interconnect them so that all users' port 80 browsing requests go to SQUID for caching.

We will divide this article in two sections.

1#  MIKROTIK CONFIGURATION
2#  SQUID CONFIGURATION


1#  MIKROTIK CONFIGURATION

Mikrotik has 3 interfaces.

ether1 = 10.0.0.1
Connected to LAN

ether2 = 192.168.2.2
Connected Directly to PROXY’s eth0 via crossover cable.

ether3 = 192.168.1.2
Connected Directly to WAN/DSL
As shown in the image below . . .

Open a new terminal and create a new NAT rule to redirect port 80 traffic to the SQUID proxy server. The command is as follows.

/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-port=80 protocol=tcp to-addresses=192.168.2.1 to-ports=8080

[192.168.2.1 is the SQUID proxy server IP, as used in to-addresses above]

As shown in the image below . . .


That's it for the Mikrotik configuration. If internet sharing is already configured at the SQUID server, then you don't need to adjust any configuration at the squid box; all requests will be served by squid.

Now moving on to squid . . .


2#  SQUID CONFIGURATION

SQUID PROXY SERVER has two interfaces

eth0 = 192.168.2.1
Connected directly to Mikrotik's PROXY interface via crossover cable.

eth1 = 192.168.1.3
Connected Directly with WAN/DSL

Note: I will not discuss how to configure SQUID here, as it has already been well described in my other articles (linked below). Therefore I assume you have already configured SQUID and that it is running in TRANSPARENT mode (using squid.conf directives and iptables).

Add the following line in /etc/squid/squid.conf

# PORT and Transparent Option
http_port 8080 transparent

For iptables to redirect user requests to port 8080 transparently, and also masquerade traffic, add the following lines to /etc/rc.local or issue the commands at the CLI:

# Redirect users' port 80 requests to squid port 8080
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.2.1:8080

# Set this system as a router for the rest of the LAN
# (--out-interface takes an interface name, not an address: eth1 is the WAN interface holding 192.168.1.3)
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE

Where eth0 is the LAN interface of SQUID and eth1 is its WAN interface.


Now try to browse, and at the proxy server monitor the SQUID log with the following command

tail -f /var/log/squid/access.log

and you will see user browsing requests coming via the Mikrotik IP.

As shown in the image below . . .


If you want to log the USER's original IP address instead of Mikrotik's, either add a route in the Squid server for your local user subnet pointing to the Mikrotik proxy interface, or use the packet marking + routing method described in the following article.

https://aacable.wordpress.com/2011/07/21/mikrotik-howto-redirect-http-traffic-to-squid-with-original-source-client-ip/

For more information, read the following . . .

https://aacable.wordpress.com/2011/08/08/linux-transparent-squid-proxy-server-guide/
https://aacable.wordpress.com/2011/06/01/linux-simple-internet-sharing-script/
https://aacable.wordpress.com/2012/01/19/youtube-caching-with-squid-2-7-using-storeurl-pl/


Regards,
SYED JAHANZAIB

July 21, 2011

MIKROTIK :Howto Redirect HTTP traffic to SQUID with Original Source Client IP


How to connect a SQUID box with Mikrotik and log the user's original source IP in the squid proxy log.

Consider the following Scenario.

Mikrotik + SQUID + Client Source IP Loggin

In this scenario Mikrotik is acting as a PPPoE server. All internet traffic passes through Mikrotik, except HTTP port 80 data, which is marked and routed to the SQUID proxy server for caching and some other filtering tasks. We want to preserve the source client IP address in the squid logs, so that user web activity can be tracked via the squid access log; sometimes this is required by law enforcement agencies, or for administration / reporting / management purposes. So how to do it?

I assume you already have a working SQUID and Mikrotik (PPPoE server with PPPoE user IP pool 172.16.0.0/16 in place; however, you can change it according to your scenario).

We will divide this article in two sections

1# MIKROTIK RouterOS Configuration
2# SQUID Proxy Server Configuration


1# MIKROTIK  RouterOS CONFIGURATION !

In this example, Mikrotik has 3 LAN interfaces. Details are as follows . . .

[admin@MikroTik] > ip address print
#   ADDRESS            NETWORK         INTERFACE
 0   192.168.0.1/24     192.168.0.0     ether1       >> LAN INTERFACE
 1   192.168.2.1/24     192.168.2.0     ether2       >> PROXY INTERFACE
 2   192.168.1.2/24     192.168.1.0     ether3       >> WAN - DSL INTERFACE

Now we will start with the Mikrotik configuration:



# Add ip addresses for interface cards,

/ip address
add address=192.168.0.1/24 disabled=no interface=ether1 network=192.168.0.0
add address=192.168.2.1/24 disabled=no interface=ether2 network=192.168.2.0
add address=192.168.1.2/24 disabled=no interface=ether3 network=192.168.1.0

# Set DNS for Host Resolving

/ip dns set allow-remote-requests=yes cache-max-ttl=1w cache-size=8000KiB max-udp-packet-size=512 servers=192.168.1.1

# Accept (do not masquerade) port 80 traffic in srcnat, so the client's source IP survives on the way to the proxy,
# and mark all HTTP port 80 traffic so that we can use these marked packets in the route section.

/ip firewall nat
add action=accept chain=srcnat disabled=no dst-port=80 protocol=tcp

/ip firewall mangle
add action=mark-routing chain=prerouting disabled=no dst-port=80 new-routing-mark=http passthrough=yes protocol=tcp


# Masquerade all traffic (except HTTP) on ether3 only, which is connected to the DSL router. It is important to masquerade traffic on the WAN interface only; otherwise HTTP packets will also be masqueraded with the Mikrotik IP.

/ip firewall nat add action=masquerade chain=srcnat disabled=no out-interface=ether3


# Define a route for the HTTP-marked packets, and set the default route for all other traffic. This is called policy-based routing.

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.2 routing-mark=http scope=30 target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=30 target-scope=10

(Where 192.168.2.2 is the Squid proxy server LAN IP, and 192.168.1.1 is our DSL router IP)

That's all for MIKROTIK. Now Mikrotik will redirect HTTP traffic to the Squid proxy via interface ether2, and all other traffic will be masqueraded/NATed to the WAN (ether3), which is connected to the DSL.

Now moving on to SQUID section !


2# SQUID Proxy Server CONFIGURATION !

I assume you already have working squid in transparent mode (it is necessary to set this via iptables and some directives in squid.conf).

For example: (squid.conf)

#==============================
#Transparent Mode & Example ACL
#==============================
http_port 8080 transparent
# Example only: 0.0.0.0/0.0.0.0 matches every source address. On a real box,
# restrict this ACL to your user pool (for example 172.16.0.0/16).
acl mylocalnet src 0.0.0.0/0.0.0.0
http_access allow mylocalnet

and an IPTABLES example:

# DNAT port 80 requests coming from LAN systems to squid 8080 aka transparent proxy .zaib.
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.2.2:8080

In this example, the Squid proxy server has 2 interface cards

eth0: LAN (connected with Mikrotik’s PROXY INTERFACE ether2) = 192.168.2.2

eth1: WAN (connected with DSL Router) = 192.168.1.3 /  Default GW = 192.168.1.1  / DNS = 192.168.1.1 , 8.8.8.8

It is necessary that SQUID can directly communicate with the users, by setting a ROUTE for the user subnet via Mikrotik; otherwise it won't be able to reply to them. Issue the following command:

route add -net 172.16.0.0 netmask 255.255.0.0 gw 192.168.2.1 dev eth0

172.16.0.0/16 is the PPPoE user IP pool. After successful execution, Squid will be able to reach the users' IPs. Also add the above route command to /etc/rc.local (you must add any command in rc.local before 'exit 0' if using Ubuntu).

Explanation of the above command: 172.16.0.0/16 is the PPPoE users' IP pool and 192.168.2.1 is Mikrotik's ether2, which is directly connected to Squid via crossover cable. Thus we are telling Squid to reach the 172.16.0.0/16 users via gateway 192.168.2.1, which is Mikrotik. Without this route, Squid's replies to the users would follow its default route out of eth1 towards the DSL router, and squid and the users won't be able to communicate with each other.

That's it. Now when a user tries to use the internet, his HTTP traffic will be marked by Mikrotik and then all HTTP-marked traffic will be ROUTED to the SQUID proxy [192.168.2.2] with the original client IP, instead of Mikrotik's IP.
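To see why the route for the user pool is required here (and why the previous article suggests the same route as the simpler alternative), the following added example models the Squid box's routing table and performs the kernel's longest-prefix-match lookup for a client address with and without that route. This is example code written for this page, not the article's own; the table entries are built from the addresses in the scenario (eth0 192.168.2.2 towards Mikrotik ether2, eth1 192.168.1.3 with default gateway 192.168.1.1), and the client address 172.16.0.25 is a constructed member of the PPPoE pool.

```python
"""Longest-prefix-match lookup over the Squid box's routing table, showing why
the extra route for the PPPoE pool matters. Added example for this page; the
table entries are built from the article's addresses, not read from a live box.
"""
import ipaddress

# Squid box from the article: eth0 192.168.2.2 (proxy link to Mikrotik ether2),
# eth1 192.168.1.3 (DSL side, default gateway 192.168.1.1).
BASE_TABLE = [
    # (destination network, gateway or None when on-link, interface)
    ("192.168.2.0/24", None, "eth0"),
    ("192.168.1.0/24", None, "eth1"),
    ("0.0.0.0/0", "192.168.1.1", "eth1"),
]

# The article's: route add -net 172.16.0.0 netmask 255.255.0.0 gw 192.168.2.1 dev eth0
POOL_ROUTE = ("172.16.0.0/16", "192.168.2.1", "eth0")


def lookup(table, dst):
    """Return (gateway, iface) for dst using longest-prefix match, as the kernel does."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in table:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return (best[1], best[2]) if best else None


def reply_path(dst, with_pool_route):
    """Next hop Squid would use for a reply to dst, with or without the pool route."""
    table = BASE_TABLE + ([POOL_ROUTE] if with_pool_route else [])
    return lookup(table, dst)


def reply_goes_back_via_mikrotik(dst, with_pool_route):
    """True when Squid's reply to a client at dst leaves via eth0 towards Mikrotik."""
    r = reply_path(dst, with_pool_route)
    return r is not None and r[1] == "eth0"


if __name__ == "__main__":
    client = "172.16.0.25"  # constructed PPPoE client address from the pool
    for flag in (False, True):
        print("pool route present:", flag, "->", reply_path(client, flag))
```

Without the pool route the reply to 172.16.0.25 matches only the default route and leaves eth1 towards the DSL router, which knows nothing about the PPPoE pool, so the TCP session never completes; with the route it goes back through ether2 on the Mikrotik, which delivers it to the PPPoE session.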

Some useful links for fine tuned working squid.conf and Linux internet sharing script.

https://aacable.wordpress.com/2011/06/01/linux-simple-internet-sharing-script/
https://aacable.wordpress.com/2011/06/01/working-squid-conf-example-fil/


Cheers,
🙂

ALLAH  HAFIZ ,
Syed Jahanzaib !
