Queue with Masquerading and Internal Web-Proxy

From MikroTik Wiki
Revision as of 03:49, 25 October 2006 by Valens (talk | contribs)

in progress, please visit later.

This page will talk about how to make a QUEUE TREE in RouterOS on a router that is also running Web-Proxy and Masquerading. Several forum topics say it is impossible to do.

Let's set the basic settings first. I'm using a machine with 2 network interfaces:

[admin@instaler] > in pr
#    NAME       TYPE    RX-RATE    TX-RATE    MTU  
0  R public     ether   0          0          1500 
1  R lan        wlan    0          0          1500

And this is the IP Address for each interface:

[admin@instaler] > ip ad pr
Flags: X - disabled, I - invalid, D - dynamic 
#  ADDRESS           NETWORK      BROADCAST      INTERFACE
0  192.168.0.217/24  192.168.0.0  192.168.0.255  public   
1  172.21.1.1/24     172.21.1.0   172.21.1.255   lan

Don't forget to set the transparent web-proxy:

[admin@instaler] > ip web-proxy pr
                enabled: yes
            src-address: 0.0.0.0
                   port: 3128
               hostname: "proxy"
      transparent-proxy: yes
           parent-proxy: 0.0.0.0:0
    cache-administrator: "webmaster"
        max-object-size: 4096KiB
            cache-drive: system
         max-cache-size: none
     max-ram-cache-size: unlimited
                 status: running
     reserved-for-cache: 0KiB
 reserved-for-ram-cache: 154624KiB

Make 2 NAT rules: 1 for masquerading, and the other for redirecting to the transparent proxy.

[admin@instaler] ip firewall nat> pr
Flags: X - disabled, I - invalid, D - dynamic 
0   chain=srcnat out-interface=public 
    src-address=172.21.1.0/24 action=masquerade 
1   chain=dstnat in-interface=lan src-address=172.21.1.0/24 
    protocol=tcp dst-port=80 action=redirect to-ports=3128

And now the most important part of this case.

As we will make queues for uplink and downlink traffic, we need 2 packet marks. In this example, we use "test-up" for uplink traffic and "test-down" for downlink traffic.

For uplink traffic, it's quite simple. We need only one rule, matching on SRC-ADDRESS and IN-INTERFACE, in the PREROUTING chain. Rule no #0.

But for downlink, we have to make several rules. As we use masquerading, we need a connection mark, named "test-conn". Rule no #1.

Then we have to make 2 more rules. The first rule is for non-HTTP / direct connections. We use the FORWARD chain, as the data travels through the router. Rule no #2.

The second rule is for data coming from the web-proxy to the client. We use the OUTPUT chain, as the data comes from an internal process in the router itself. Rule no #3.

Both rules (no #2 and #3) use the packet mark "test-down".

Please be aware that we use passthrough=yes only for the connection mark (rule no #1).

[admin@instaler] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic 
0   ;;; UP TRAFFIC
    chain=prerouting in-interface=lan 
    src-address=172.21.1.0/24 action=mark-packet 
    new-packet-mark=test-up passthrough=no 
1   ;;; CONN-MARK
    chain=forward src-address=172.21.1.0/24 
    action=mark-connection 
    new-connection-mark=test-conn passthrough=yes 
2   ;;; DOWN-DIRECT CONNECTION
    chain=forward in-interface=public 
    connection-mark=test-conn action=mark-packet 
    new-packet-mark=test-down passthrough=no 
3   ;;; DOWN-VIA PROXY
    chain=output out-interface=lan 
    dst-address=172.21.1.0/24 action=mark-packet 
    new-packet-mark=test-down passthrough=no
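The reason rule #3 has to sit in the OUTPUT chain (and rule #1 has to exist at all) is easiest to see by walking a few packets through the chains they actually visit. The following Python model is an added example, not RouterOS code or anything from the MikroTik Wiki: it re-implements the four mangle rules above as plain functions, uses the page's interface names and addresses, and constructs its own sample traffic (the remote hosts 203.0.113.5 and 198.51.100.7 are documentation addresses, not from the page). Connection tracking is reduced to a dictionary keyed on the two endpoints, and the NAT redirect to port 3128 is modelled by sending LAN port-80 traffic to the input chain instead of forward.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Optional

# Addressing from the page: 172.21.1.0/24 on "lan", 192.168.0.217 on "public"
LAN_NET = ip_network("172.21.1.0/24")
ROUTER_LAN_IP = "172.21.1.1"
ROUTER_PUBLIC_IP = "192.168.0.217"


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: Optional[str]    # None: generated by the router itself (e.g. the web-proxy)
    out_iface: Optional[str]   # None: delivered to the router itself
    packet_mark: Optional[str] = None


def conn_key(pkt: Packet) -> FrozenSet[str]:
    # Direction-independent key, so a reply finds the entry its request created
    return frozenset({pkt.src, pkt.dst})


class Mangle:
    """The four mangle rules from the page, evaluated in the chains a packet really visits."""

    def __init__(self) -> None:
        self.conn_marks: Dict[FrozenSet[str], str] = {}   # stands in for connection tracking

    def prerouting(self, pkt: Packet) -> None:
        # Rule #0 UP TRAFFIC: in-interface=lan src-address=172.21.1.0/24, passthrough=no
        if pkt.in_iface == "lan" and ip_address(pkt.src) in LAN_NET:
            pkt.packet_mark = "test-up"

    def forward(self, pkt: Packet) -> None:
        # Rule #1 CONN-MARK: src-address=172.21.1.0/24, passthrough=yes (rule #2 is still tried)
        if ip_address(pkt.src) in LAN_NET:
            self.conn_marks[conn_key(pkt)] = "test-conn"
        # Rule #2 DOWN-DIRECT: in-interface=public connection-mark=test-conn, passthrough=no
        if pkt.in_iface == "public" and self.conn_marks.get(conn_key(pkt)) == "test-conn":
            pkt.packet_mark = "test-down"

    def output(self, pkt: Packet) -> None:
        # Rule #3 DOWN-VIA PROXY: out-interface=lan dst-address=172.21.1.0/24, passthrough=no
        if pkt.out_iface == "lan" and ip_address(pkt.dst) in LAN_NET:
            pkt.packet_mark = "test-down"

    def process(self, pkt: Packet) -> Optional[str]:
        """Return the packet mark after the chains this packet traverses."""
        if pkt.in_iface is None:
            # Locally generated: output -> postrouting (no mangle rules in postrouting here)
            self.output(pkt)
            return pkt.packet_mark
        # Received packet: mangle prerouting runs before dstnat, so rule #0 sees the
        # original destination even when the redirect to port 3128 follows.
        self.prerouting(pkt)
        redirected_to_proxy = pkt.in_iface == "lan" and pkt.dport == 80   # NAT rule #1 on the page
        if redirected_to_proxy or pkt.dst in (ROUTER_LAN_IP, ROUTER_PUBLIC_IP):
            return pkt.packet_mark   # input chain: the page defines no mangle rules there
        self.forward(pkt)            # forwarded: prerouting -> forward -> postrouting
        return pkt.packet_mark


def run_scenarios() -> Dict[str, Optional[str]]:
    """Constructed traffic: one router instance, packets in the order they would occur."""
    m = Mangle()
    results: Dict[str, Optional[str]] = {}
    # Direct (non-HTTP) connection from a LAN client, then the reply to it
    results["uplink-direct"] = m.process(
        Packet("172.21.1.10", "203.0.113.5", 443, in_iface="lan", out_iface="public"))
    # Connection tracking has already undone the masquerade, so dst is the client again
    results["downlink-direct"] = m.process(
        Packet("203.0.113.5", "172.21.1.10", 51000, in_iface="public", out_iface="lan"))
    # HTTP request: marked in prerouting, then redirected to the local proxy (input chain)
    results["uplink-http"] = m.process(
        Packet("172.21.1.10", "198.51.100.7", 80, in_iface="lan", out_iface=None))
    # Proxy answer to the client: only the output-chain rule (#3) can see this packet
    results["downlink-proxy"] = m.process(
        Packet(ROUTER_LAN_IP, "172.21.1.10", 51001, in_iface=None, out_iface="lan"))
    # The proxy's own fetch from the origin server: none of the four rules match it
    results["proxy-fetch"] = m.process(
        Packet(ROUTER_PUBLIC_IP, "198.51.100.7", 80, in_iface=None, out_iface="public"))
    # Reply arriving on a router where rule #1 never marked the connection
    results["reply-without-connmark"] = Mangle().process(
        Packet("203.0.113.5", "172.21.1.10", 51000, in_iface="public", out_iface="lan"))
    return results


if __name__ == "__main__":
    for name, mark in run_scenarios().items():
        print(f"{name:24s} -> {mark}")
```

Two things the walk-through makes visible that the listing alone does not: the reply to a direct connection is only marked "test-down" because rule #1 had already marked the connection on the way out, so without it (the last scenario) the downlink packet passes unmarked; and the proxy's own fetch from the origin server leaves via the output chain on the public interface, so none of the four rules count it against either queue.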