5

The RouterOS docs show how to transparently proxy all web traffic via the HTTP proxy built into RouterOS:

/ip firewall nat 
add in-interface=ether1 dst-port=80 protocol=tcp action=redirect to-ports=8080 chain=dstnat 
/ip proxy
set enabled=yes port=8080

I'd like to run a proxy on another machine, so that I can take advantage of more sophisticated filtering rules available in Squid or the like. However, if I use NAT to redirect traffic to another machine running Squid it won't work, since the HTTP request will need to be rewritten in order to be a proxy HTTP request; just redirecting the traffic gives bad request errors from Squid.

Tim

3 Answers

4

There is no need to set up the proxy in RouterOS. You can route all outgoing HTTP traffic to the server directly through NAT:

/ip firewall nat add chain=dstnat in-interface=eth1 src-address=!<IP of Squid machine> dst-port=80 protocol=tcp action=dst-nat to-addresses=<IP of Squid machine> to-ports=8080

The last parameter "src-address=!..." is needed in case the Squid machine communicates through the same interface as the other machines. Otherwise it would go like this:

  1. Computer sends HTTP request
  2. RouterOS redirects this packet to Squid
  3. Squid sends HTTP request to webserver
  4. RouterOS redirects the Squid request to Squid again -> loop
mkudlacek
3

It can be done with the parent-proxy setting:

/ip proxy
set parent-proxy=<IP of Squid machine> parent-proxy-port=3128
Tim
2
/ip proxy
set parent-proxy=<IP of Squid machine> parent-proxy-port=3128

/ip firewall nat
# src-address-list expects the name of an address list from /ip firewall address-list
add chain=dstnat src-address=!<IP of Squid machine> protocol=tcp dst-port=80 src-address-list=<IP of Local machine> action=redirect to-ports=8080
slm
vhickry