External Proxy Server for Mikrotik

Mikrotik RouterBoard has a built-in proxy, but it has one main constraint: very limited storage capacity. Therefore, most network administrators who use Mikrotik run an external proxy to overcome this constraint. Here you can find an easy way to implement an external proxy server for Mikrotik.

Squid is the most widely used proxy daemon for Linux (including its derivatives such as Lusca). Some advantages of implementing an external proxy are:

  • Easy to adjust the configuration to suit your needs
  • Access control lists (ACLs) that can be used for specific purposes
  • Squid (especially version 2.7) can be "armed" with a URL redirector. In some conditions, a URL redirector can be used to force Squid to cache dynamic content (such as YouTube videos).
  • Greater storage capacity, as a general-purpose computer or server uses its hard disk as data storage.

In this post, I'll describe how to integrate an external proxy with Mikrotik using two methods: NAT or mangle.

[Diagram: ext proxy mikrotik]

Annotation:

  1. Mikrotik to proxy IP address : 192.168.90.1
  2. Proxy to Mikrotik IP address : 192.168.90.2
  3. Clients IP address : 192.168.1.0/24

First method : Using NAT

We can use Mikrotik's built-in NAT to forward HTTP requests (port 80) from clients to the external proxy.

/ip firewall address-list
add address=192.168.90.0/24 list=ip-proxy
/ip firewall nat
add action=dst-nat chain=dstnat comment="transparent proxy" dst-port=80 protocol=tcp src-address-list=!ip-proxy to-addresses=192.168.90.2 to-ports=3128

Explanation:

First, we define an address list for the proxy server's subnet.

/ip firewall address-list
add address=192.168.90.0/24 list=ip-proxy

Then add a new NAT rule to forward HTTP requests to the external proxy. The src-address-list=!ip-proxy match excludes the proxy's own traffic, so requests the proxy sends upstream on port 80 are not redirected back to it.

/ip firewall nat
add action=dst-nat chain=dstnat comment="transparent proxy" dst-port=80 protocol=tcp src-address-list=!ip-proxy to-addresses=192.168.90.2 to-ports=3128

Second method : Using built-in mangle

Another way to forward HTTP requests from clients is to use mangle together with a new route. This method works only if the external proxy is able to act as a gateway.

/ip route
add check-gateway=ping distance=1 gateway=192.168.90.2 routing-mark=to-ext-proxy
/ip firewall mangle
add action=mark-routing chain=prerouting comment="mark routing to proxy" dst-port=80 new-routing-mark=to-ext-proxy protocol=tcp src-address=192.168.1.0/24

Explanation:

First, add a route to the external proxy.

/ip route
add check-gateway=ping distance=1 gateway=192.168.90.2 routing-mark=to-ext-proxy

Then, mark HTTP requests from all clients so that they use the route to the external proxy.

/ip firewall mangle
add action=mark-routing chain=prerouting comment="mark routing to proxy" dst-port=80 new-routing-mark=to-ext-proxy protocol=tcp src-address=192.168.1.0/24

Proxy server requirements:

For both methods you may need to configure some options on the proxy host to make it work, such as enabling IPv4 forwarding (by editing sysctl.conf) and allowing access to port 3128 in iptables. Add the following lines to the file /etc/rc.local, then save:

route add default gateway 192.168.90.1
iptables -A PREROUTING -t nat -j REDIRECT -p tcp -s 192.168.1.0/24 -d 0/0 --dport 80 --to-ports 3128
iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 192.168.90.2 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.90.2 --sport 3128 -d 0.0.0.0/0 -m state --state ESTABLISHED -j ACCEPT
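To see how the Mikrotik rules and the proxy host's REDIRECT rule fit together, here is an added Python model (not code from the post) that traces one TCP flow through each method using the post's addresses; the web server address 203.0.113.5 is a constructed sample. It shows why the NAT method rewrites the destination on the router while the mangle method relies on the iptables REDIRECT, and why the proxy's own upstream fetches are never looped back.

```python
from ipaddress import ip_address, ip_network

# Addresses from the post; ip-proxy is the Mikrotik address list for the proxy link.
IP_PROXY = ip_network("192.168.90.0/24")
CLIENTS = ip_network("192.168.1.0/24")
PROXY_IP, PROXY_PORT = "192.168.90.2", 3128

def mikrotik_dstnat(src, dst, dport):
    """NAT method: dst-nat tcp/80 to the proxy unless src is in ip-proxy.
    The '!ip-proxy' match keeps the proxy's own upstream fetches from looping."""
    if dport == 80 and ip_address(src) not in IP_PROXY:
        return PROXY_IP, PROXY_PORT
    return dst, dport

def mikrotik_mangle(src, dport):
    """Mangle method: client tcp/80 gets the mark that routes it via 192.168.90.2;
    the destination address is left untouched."""
    if dport == 80 and ip_address(src) in CLIENTS:
        return "to-ext-proxy"
    return None

def linux_redirect(src, dst, dport):
    """iptables PREROUTING REDIRECT from rc.local on the proxy host."""
    if dport == 80 and ip_address(src) in CLIENTS:
        return PROXY_IP, PROXY_PORT
    return dst, dport

def trace(method, src, dst, dport):
    """Return (final_dst, final_port, route_mark) for one TCP flow."""
    mark = None
    if method == "nat":
        dst, dport = mikrotik_dstnat(src, dst, dport)
    elif method == "mangle":
        mark = mikrotik_mangle(src, dport)
    else:
        raise ValueError("method must be 'nat' or 'mangle'")
    # The flow reaches the proxy host if it was dst-natted there or if the
    # routing mark sent it via gateway 192.168.90.2; only then does the
    # host's REDIRECT rule see it.
    if dst == PROXY_IP or mark == "to-ext-proxy":
        dst, dport = linux_redirect(src, dst, dport)
    return dst, dport, mark

if __name__ == "__main__":
    # 203.0.113.5 is a constructed sample web server address.
    for m in ("nat", "mangle"):
        print(m, "client http:", trace(m, "192.168.1.10", "203.0.113.5", 80))
        print(m, "proxy upstream:", trace(m, PROXY_IP, "203.0.113.5", 80))
        print(m, "client https:", trace(m, "192.168.1.10", "203.0.113.5", 443))
```

The third case also makes the comment below concrete: port 443 is never matched, so HTTPS bypasses both methods.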

53 Comments

  1. naarah

    how can I put these rules
    route add default gateway 192.168.90.1
    iptables -A PREROUTING -t nat -j REDIRECT -p tcp -s 192.168.1.0/24 -d 0/0 --dport 80 --to-ports 3128
    iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 192.168.90.2 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp -s 192.168.90.2 --sport 3128 -d 0.0.0.0/0 -m state --state ESTABLISHED -j ACCEPT

    to /etc/rc.local

    • rc.local is no longer automatically shipped during install (such as on the latest Ubuntu Linux). You can manually create /etc/rc.local then put these lines in your rc.local

      #!/bin/bash
      route add default gateway 192.168.90.1
      iptables -A PREROUTING -t nat -j REDIRECT -p tcp -s 192.168.1.0/24 -d 0/0 --dport 80 --to-ports 3128
      iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 192.168.90.2 -m state --state NEW,ESTABLISHED -j ACCEPT
      iptables -A OUTPUT -p tcp -s 192.168.90.2 --sport 3128 -d 0.0.0.0/0 -m state --state ESTABLISHED -j ACCEPT

      then save it. You can read detailed information about enabling rc.local on Ubuntu Server -> https://lms.onnocenter.or.id/wiki/index.php/Ubuntu:_rc.local_di_ubuntu_20.04 (use a translation service).

    • fazar

      difficult to implement https caching transparently without installing a cert in clients' browsers.

  2. Great post, Proxy servers offer a lot of advantages and one of them is to hide you from the external networks so you can surf the internet anonymously. If you are looking for private proxies? I suggest you visit our website for more information. https://microleaves.com/

  3. Enrique Gil

    After you setup all those configurations, do we also need to put proxy settings in Firefox or System Settings?
    i.e Proxy Address=192.168.90.2 Port=3128 in Firefox

    • fazar

      no, it transparently proxies all http connections from clients.

      • Enrique Gil

        I already set up the network using your concept. But it doesn't work when you set database authentication on the squid side. Have you tried this before?
        Thank you.

        • fazar

          Ah, I see... this method should work with squid without auth. It seems you should define the proxy for each app/browser so authentication can be done.

  4. AMGAD

    I tried this link many times before but I failed as it is not the same situation.

    Anyway, thank you for your time.

  5. AMGAD

    Yes, it is a stand-alone proxy server that only accepts connections on a defined port.
    So please help me with NAT rules
    My info is:
    My proxy server ip is : 172.30.7.211
    My Proxy server Port : 808
    Mikrotik wan input is : 172.30.6.209/24
    Mikrotik Local card : 172.30.6.239/24
    No Gateway as we will use proxy server

    Please help me with :
    DNS settings
    Nat Settings
    Route Settings
    WebProxy Settings if needed

    • fazar

      I've never done this before, and I currently don't have enough equipment to reproduce your configuration on my local network. Please kindly check http://wiki.mikrotik.com/wiki/Manual:IP/Proxy - you might experiment by yourself with the Mikrotik web proxy using the ISP's proxy as its parent proxy.
