linux

ChiPer, 2015-05-28 11:46:19

Transparent squid + Mikrotik. How to set up traffic redirection?

Given:
Mikrotik acts as the router, IP 192.168.1.1.
Its inside interface faces 192.168.1.0/24.
Inside there is a configured squid running in transparent mode.
IP: 192.168.1.2
Port: 3128
How do I make it so that, for all clients on the local network, HTTP traffic on port 80 is redirected to the squid machine on port 3128?
At the moment there is this rule:
ip firewall nat add chain=dstnat action=dst-nat protocol=tcp src-address-list=clients dst-port=80 to-addresses=192.168.1.2 to-ports=3128
(the "clients" address list is 192.168.1.10 - 192.168.1.55; the rule should apply to them)
Packets go out and reach the server with squid: tcpdump sees them, but squid does nothing, the logs are empty and sites do not open. Moreover, if the client manually specifies the proxy in the browser settings and I remove the transparent parameter from the squid config, everything works fine.
I'll say up front that my squid server is not inline and does not have a bunch of interfaces; it is connected to the common switch and has one network card.
Here is the squid config:

http_port 3128 transparent

acl localnet src 192.168.1.0/24
acl officenet src 192.168.0.0/24

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localhost
http_access allow localnet
http_access allow officenet

http_access deny all
icp_access deny all
htcp_access deny all

cache_dir ufs /var/spool/squid3 4096 32 256
coredump_dir /var/spool/squid3

url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

I decided to do as in this article:
adminnote2.blogspot.ru/2014/05/mikrotik-squida.html
Traffic went to squid, but sites do not open: TCP_MISS_ABORTED/

5 answers

Andrey, 2017-11-06
@andrey71

Good day. I faced a similar task and, by googling, I succeeded.
It works without lag.
Essentially I'm just consolidating several solutions in my answer.
Given: Mikrotik + squid with one network card.
Rules added on the Mikrotik:

/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=SQUID passthrough=yes protocol=tcp src-address=!192.168.<proxy-address> dst-port=80 log=no log-prefix=""

and
/ip route
add comment=FOR_SQUID_TEST distance=1 gateway=192.168.<proxy-address> routing-mark=SQUID

Next, squid was installed on Ubuntu.
Its config is almost empty, since there is no need to restrict anything:
http_port 3128 intercept
acl mylocalnet src all
http_access allow mylocalnet

Also, in /etc/sysctl.conf I enabled packet forwarding:
net.ipv4.ip_forward = 1
and added a rule to the firewall:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.<proxy-address>:3128
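
Why the router-side dst-nat from the question fails while the host-side DNAT in this answer works comes down to where the NAT record lives. Squid in transparent/intercept mode asks the kernel (getsockopt SO_ORIGINAL_DST) for the pre-NAT destination of every accepted connection, and that lookup only succeeds when netfilter on the same host did the rewrite, which is exactly what the PREROUTING rule above provides. When the Mikrotik does the dst-nat instead, the proxy's kernel has no such record; and because the proxy and the clients share one subnet, squid's SYN-ACK also goes straight to the client from 192.168.1.2:3128 rather than back through the router, so the client's TCP stack resets the handshake: tcpdump sees packets, squid never logs a request. The mark-routing variant avoids both problems, since the packet reaches the proxy with its original destination intact and the local DNAT records it. The block below is an added example, not code from the original post or from Squid; it shows the lookup and the forwarding decision a proxy has to make, assumes a Linux host, and uses constructed addresses from the 198.51.100.0/24 documentation range.

```python
"""Added example (not from the original post, not Squid's code): how an
intercepting proxy learns the client's real destination, and why that only
works when the redirect was done on the proxy host itself.  Assumes Linux;
all addresses used below are constructed from the 198.51.100.0/24 range."""
import socket
import struct
from typing import Callable, Optional

SOL_IP = socket.IPPROTO_IP        # level 0 on Linux
SO_ORIGINAL_DST = 80              # from <linux/netfilter_ipv4.h> (Linux only)


def encode_sockaddr_in(ip: str, port: int) -> bytes:
    """Build the 16-byte struct sockaddr_in the kernel hands back (used here
    to construct test input; sin_family is host order, the rest network order)."""
    return (struct.pack("=H", socket.AF_INET) + struct.pack("!H", port)
            + socket.inet_aton(ip) + bytes(8))


def decode_sockaddr_in(raw: bytes) -> tuple[str, int]:
    """Decode a struct sockaddr_in returned by getsockopt(SO_ORIGINAL_DST)."""
    if len(raw) < 8:
        raise ValueError("sockaddr_in too short")
    family = struct.unpack_from("=H", raw, 0)[0]
    if family != socket.AF_INET:
        raise ValueError(f"unexpected address family {family}")
    port = struct.unpack_from("!H", raw, 2)[0]
    return socket.inet_ntoa(raw[4:8]), port


def original_destination(conn: socket.socket) -> Optional[tuple[str, int]]:
    """Ask conntrack where this accepted connection was originally headed.

    Returns None when the local kernel has no NAT record for the flow.  That
    is the dst-nat-on-the-Mikrotik case: the packet arrives already addressed
    to 192.168.1.2:3128, this host's netfilter never rewrote it, and the
    original destination is gone.  With the PREROUTING DNAT/REDIRECT done on
    this host, conntrack remembers the pre-NAT address and the lookup works.
    """
    try:
        raw = conn.getsockopt(SOL_IP, SO_ORIGINAL_DST, 16)
    except OSError:
        return None               # ENOENT: no conntrack entry (or not Linux)
    ip, port = decode_sockaddr_in(raw)
    if (ip, port) == tuple(conn.getsockname()[:2]):
        return None               # tracked, but never rewritten on this host
    return ip, port


def choose_origin(nat_dst: Optional[tuple[str, int]], host_header: str,
                  resolve: Optional[Callable[[str], list[str]]] = None):
    """Decide where an intercepted request may be forwarded.

    Policy modelled on how Squid 3.2+ treats intercepted traffic: the origin
    comes from the NAT record, and the Host header must agree with it.  A
    proxy that forwards to whatever Host says lets any client steer it (and
    its cache) to an arbitrary origin.  `resolve` maps a name to addresses;
    None means "offline", so only IP-literal Host values are cross-checked.
    """
    if nat_dst is None:
        return "reject", "no NAT record: the redirect must happen on this host"
    host = (host_header or "").split(":")[0].strip("[]")
    if not host:
        return "reject", "missing Host header"
    try:
        socket.inet_aton(host)
        candidates: Optional[set[str]] = {host}
    except OSError:
        candidates = set(resolve(host)) if resolve else None
    if candidates is not None and nat_dst[0] not in candidates:
        return "reject", f"Host {host!r} does not resolve to {nat_dst[0]}"
    return "forward", nat_dst


if __name__ == "__main__":
    # Loopback self-check: a direct (non-NATed) connection yields no original
    # destination, so the proxy must refuse to guess from Host alone.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    cli = socket.create_connection(srv.getsockname())
    conn, _ = srv.accept()
    nat_dst = original_destination(conn)
    print("original destination:", nat_dst)
    print(choose_origin(nat_dst, "198.51.100.7"))
    for s in (conn, cli, srv):
        s.close()
```

Run it on the proxy host with the PREROUTING rule in place and a client redirected through it, and `original_destination` returns the site the client asked for; run it with the rewrite done on the Mikrotik (or on loopback as in the self-check) and it returns None, which is the state Squid is in when the logs stay empty.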

Rustem, 2015-05-28
@metsyr

In general, in this form it should work as a first approximation (I copied your line into my config and packets fly to the server). Do the packets definitely not reach the server? Did you try something like
tcpdump -i eth0 dst port 3128 -vv ?

Dmitry Luponos, 2015-05-28
@Bessome

I'd advise you to run squid stripped down, without ACLs, just passing traffic and nothing else, and see whether the redirection works in that config. If it does, then we pick at the squid config.

JustSoul, 2015-08-17
@JustSoul

I have the same question.
With dst-nat, squid does not work, and that option would not give correct statistics anyway.
With marking and routing everything works, but the connection is hellishly slow. I.e. after a request there is a delay of 5-10 seconds and then the page loads instantly, but one more new request and again we wait...

Andrey, 2019-07-19
@Andreyussur

Hello. I have been suffering with the same problem for the second day. Did you manage to sort it out with the squid (or Mikrotik) settings?
Everywhere it is written that after marking the traffic and redirecting it to the squid's IP everything should just work. But no...
If I manually specify the proxy server on the machine, everything works fine.
