4

The RouterOS docs show how to transparently proxy all web traffic via the HTTP proxy built into RouterOS:

/ip firewall nat 
add in-interface=ether1 dst-port=80 protocol=tcp action=redirect to-ports=8080 chain=dstnat 
/ip proxy
set enabled=yes port=8080

I'd like to run a proxy on another machine, so that I can take advantage of more sophisticated filtering rules available in Squid or the like. However, if I use NAT to redirect traffic to another machine running Squid it won't work, since the HTTP request will need to be rewritten in order to be a proxy HTTP request; just redirecting the traffic gives bad request errors from Squid.

Tim

3 Answers

3

There is no need to set up the proxy in RouterOS. You can route all outgoing HTTP traffic to the server directly through NAT:

/ip firewall nat add chain=dstnat in-interface=eth1 src-address=!<IP of Squid machine> dst-port=80 protocol=tcp action=dst-nat to-addresses=<IP of Squid machine> to-ports=8080

The last parameter "src-address=!..." is needed in case the Squid machine communicates through the same interface as the other machines. Otherwise it would go like this:

  1. Computer sends HTTP request
  2. RouterOS dst-nats this packet to Squid
  3. Squid sends HTTP request to webserver
  4. RouterOS dst-nats the Squid request to Squid again -> loop
mkudlacek
  • I can do that, but when I originally did it I got Squid bad request errors, which I assumed was down to the fact that it ends up arriving at the Squid with the HTTP request as "GET /bar HTTP/1.1" rather than "GET http://foo.com/bar HTTP/1.1". I assumed something needed to rewrite the plain HTTP request into a proxy request. – Tim Sep 16 '10 at 12:18
  • Make sure Squid is in "transparent" mode, which it won't like if you aren't doing NAT on the Squid box, but it will work. – Grizly Feb 24 '13 at 23:25
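
The mismatch described in the comment above, as an added example that is not part of the original thread and is not Squid's code: a dst-nat'ed request arrives as `GET /bar HTTP/1.1`, and an interceptor has to rebuild the proxy form from the `Host` header. The name `to_proxy_request` and the sample request are constructed for illustration.

```python
import re

# Host values accepted here: DNS name/IPv4 or bracketed IPv6, optional port.
HOST_RE = re.compile(rb"(?:[A-Za-z0-9.-]+|\[[0-9A-Fa-f:.]+\])(?::\d{1,5})?")

class RewriteError(ValueError):
    """The request cannot be turned into a proxy request safely."""

def to_proxy_request(raw: bytes, scheme: bytes = b"http") -> bytes:
    """Turn 'GET /bar HTTP/1.1' + 'Host: foo.com' into 'GET http://foo.com/bar HTTP/1.1'."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise RewriteError("header block is incomplete")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise RewriteError("malformed request line")
    method, target, version = parts
    # Only origin-form targets need rewriting; absolute-form (already a proxy
    # request), CONNECT host:port and OPTIONS * pass through unchanged.
    if not target.startswith(b"/"):
        return raw
    hosts = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            hosts.append(value.strip())
    # No Host (old HTTP/1.0 clients) leaves nothing to build the URL from;
    # several Host headers are ambiguous, so both cases are refused.
    if len(hosts) != 1:
        raise RewriteError(f"expected exactly one Host header, got {len(hosts)}")
    if not HOST_RE.fullmatch(hosts[0]):
        raise RewriteError("Host header is not a plain host[:port]")
    lines[0] = b" ".join([method, scheme + b"://" + hosts[0] + target, version])
    return b"\r\n".join(lines) + sep + body

if __name__ == "__main__":
    # Constructed sample: the request as it arrives after a plain dst-nat.
    sample = b"GET /bar HTTP/1.1\r\nHost: foo.com\r\n\r\n"
    print(to_proxy_request(sample).decode())
```

The `Host` value is supplied by the client, so an interceptor that forwards by name should compare it with the connection's original destination address before trusting it.
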
2

It can be done with the parent-proxy setting:

/ip proxy
set parent-proxy=<IP of Squid machine> parent-proxy-port=3128
Tim
1
/ip proxy
set parent-proxy=<IP of Squid machine> parent-proxy-port=3128

/ip firewall nat
add chain=dstnat src-address=!<IP of Squid machine> protocol=tcp dst-port=80 src-address-list=<IP of Local machine> action=redirect to-ports=8080
slm
vhickry