Proxy mikrotik
How to enable the MikroTik RouterOS Web Proxy in Transparent Mode
A web proxy is a service placed between a client and the internet for HTTP web browsing. It can cache certain contents / HTTP pages in its local cache. MikroTik has a basic proxy package built in, called WEB PROXY. It is suitable for basic caching in small to mid-size networks.
For advanced caching capabilities, use a 3rd-party external proxy server such as SQUID.
MikroTik WEB.PROXY Recommendation
Always try NOT to use the same storage disk for your cache and your RouterOS, to ensure there is always enough space on the RouterOS disk for logs, upgrade / update packages and backups. It is therefore highly recommended that the web-proxy cache is stored on a physically separate drive (store) from the RouterOS. Placing the cache on a separate drive gives maximum performance and reduces problems if the disk becomes full or fails, as the OS will then still be OK!
Caching internet access requires a lot of reads and writes to the disk; choose a fast disk for maximum performance / concurrent user request support.
Cache performance also depends largely on RAM size: the more RAM you have in your server, the better the performance you will get.
We will divide this article in 3 Sections.
1# Preparing Secondary Partition for Cache
2# Configuring Web Proxy
3# Transparent Proxy
Let’s BEGIN . . .
1# Preparing Secondary Drive for CACHE
First we will format the secondary hard drive (to be used for cache). IF YOU DON'T WANT TO USE A SECONDARY HARD DRIVE, SKIP THIS STEP.
Goto SYSTEM > STORES > DISKS
Select the Secondary Hard drive and click on FORMAT DRIVE
As shown in the image below.
Now go to the STORES tab (by navigating to SYSTEM > STORES).
Select the WEB-Proxy package and click on COPY.
It will ask you where to copy the WEB-Proxy package; select the secondary drive in the TO box.
As shown in the image below.
2# Configuring Web Proxy
Now We have to Enable Mikrotik Web Proxy by navigating to
IP > WEB PROXY
As shown in the image below.
Now click on "Enable".
In Port, type 8080.
Max Cache Size: select Unlimited from the drop-down menu, or if you have limited disk space, use your desired amount.
You have to specify the space in kibibytes, for example 1024 KiB = 1 MiB, so if you want a 5 GB cache, use 5242880 (5 x 1024 x 1024). I am using 5 GB in this example. Size the disk cache by the free space on the cache drive; how much RAM the proxy may use is a separate setting (Maximum RAM Cache Size), covered in the installation guide at the end of this page.
As shown in the image below . . .
Click on Apply and your MikroTik's web proxy is ready to be used, but every client has to set a proxy address pointing to the MikroTik IP to be able to use the proxy service.
3# Transparent Proxy
If we want every user to be redirected to the proxy automatically and transparently, we have to create an additional rule that forcefully redirects users to the proxy service. This is called a TRANSPARENT PROXY.
Goto IP > FIREWALL > NAT and create new rule
In Chain, select dstnat.
In Protocol, select 6 (tcp).
In Dst. Port, type 80.
As shown in the image below . . .
Now goto Action Tab,
In Action, select redirect.
In To Ports, Type 8080
As shown in the image below . . .
Your newly created rule will look something like the image below.
OR the CLI version of the above rule would be something like this:
/ip firewall nat add action=redirect chain=dstnat disabled=no dst-port=80 protocol=tcp to-ports=8080
Done. Now the MikroTik web proxy will perform as a TRANSPARENT PROXY: every user's HTTP port 80 request will automatically be redirected to the MikroTik built-in web proxy.
Two points to keep in mind. As written, the rule matches TCP/80 arriving on any interface; add in-interface=<your LAN interface> (or src-address=<your LAN subnet>) so that only your clients' traffic is redirected. And only plain HTTP on port 80 is redirected: the RouterOS web proxy cannot handle HTTPS (port 443) transparently, so any proxy access rules you add later will never see HTTPS traffic.
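Putting the three sections together, here is the same setup as one CLI configuration. This is an added example, not the article's own config and not MikroTik documentation: it assumes the interface names ether1-wan and ether2-lan, a LAN subnet of 192.168.2.0/24, a secondary disk called disk1 that has already been formatted, and RouterOS v6 syntax (on v5 the cache location is chosen through System > Stores as described in section 1). It adds two things the GUI steps above leave out: the redirect is limited to the LAN interface, and the proxy port is closed towards the internet.

```routeros
# Added example, not from the original article: sections 1-3 as one CLI config,
# tightened for a perimeter router.
# ASSUMED names: ether1-wan (internet side), ether2-lan (client side),
# 192.168.2.0/24 as the LAN subnet, disk1 as the formatted secondary disk.
# ASSUMED RouterOS v6 syntax; cache-path replaces the v5 "stores" copy step.

# 2# Web proxy: enable, listen on 8080, 5 GB disk cache (max-cache-size is in KiB)
/ip proxy
set enabled=yes port=8080 cache-on-disk=yes max-cache-size=5242880 \
    cache-path=disk1/web-proxy cache-administrator="noc@example.net"

# 3# Transparent redirect, restricted to the LAN interface so TCP/80 packets
# arriving from the internet are never handed to the proxy
/ip firewall nat
add chain=dstnat in-interface=ether2-lan protocol=tcp dst-port=80 \
    action=redirect to-ports=8080 comment="Transparent web proxy (LAN only)"

# Close the proxy port towards the internet. place-before=0 puts the rule at
# the top of the input chain so no earlier accept rule lets the traffic in.
/ip firewall filter
add chain=input in-interface=ether1-wan protocol=tcp dst-port=8080 \
    action=drop comment="Block open proxy" place-before=0

# Checks: proxy status/hit counters, and the input chain order
/ip proxy monitor
/ip firewall filter print where chain=input
```

After applying it, confirm from a host on the internet (or from the WAN side of a lab) that a connection to the router's public address on port 8080 times out, and from a LAN client that a plain HTTP request shows up in /ip proxy monitor.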
You can view the proxy status and other info by going to IP > WEB PROXY > SETTINGS > STATUS and the other tabs in the same window.
As shown in the image below . . .
=========================================
WEB-PROXY Tips ‘N’ Tricks !! by Zaib (December, 2011)
=========================================
How to send CACHED contents to users at full speed, ignoring QUEUE limits for packets marked as cache hits :)
First, mark the cached contents with a MANGLE rule.
/ip firewall mangle
add action=mark-packet chain=output comment="CACHE HIT/Zaib" disabled=no dscp=4 \
new-packet-mark=cache-hits passthrough=no
Now create a queue tree entry which will send the cache-hits packets to users at full LAN speed, ignoring the users' static or dynamic QUEUES. (The mangle rule above works because the proxy sets DSCP 4 on cache hits by default; that value is the cache-hit-dscp setting under /ip proxy, so if you changed it, change the mangle rule too. The chain is output because the proxy runs on the router itself and the hits leave the router as locally generated packets.)
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="Unlimited Speed for CACHE by zaib" packet-mark=cache-hits \
parent=global-out priority=8 queue=default
Now try to download any cacheable content, for example the following file:
http://www.rarlab.com/rar/wrar410b5a.exe
Once downloaded, try to download it again from another computer or from the same test PC. You will see the queues and rules in action, sending cache-hits packets to users at full LAN speed. You can confirm it from the CLI as well: /ip proxy monitor shows the hits counter increasing, and /queue tree print stats shows bytes passing through the unlimited cache queue. On RouterOS v6 the queue tree parent is called global rather than global-out. Remember the MikroTik web proxy is a very basic and simple proxy server without many tweaks and nuts 'n' bolts to set, so it will cache what it can. For anything more advanced, use SQUID instead.
As shown in the image below . . .
Also you can view the cache contents by going to IP > WEBPROXY > CACHE CONTENTS.
As shown in the image below . . .
How to Block Web Sites by Domain Name
You can block any web site by its domain name as shown below. dst-host is matched against the host name the browser sent, so the bare domain and the www host are listed separately (a wildcard such as dst-host=*yahoo.com would cover both). Since only port 80 is redirected to the proxy, this blocks HTTP only, not HTTPS.
/ip proxy access add action=deny disabled=no dst-host=yahoo.com
/ip proxy access add action=deny disabled=no dst-host=www.yahoo.com
How to Block Downloading by File EXTENSION Type
You can block downloading by file type using the following rule (path is matched against the requested path on the server, so *.mp3 matches any request ending in .mp3):
/ip proxy access add path=*.mp3 action=deny
How to Block an OPEN PROXY
Please make sure you are not running your proxy in OPEN PROXY mode. If you are, anyone on the internet can use your proxy service, perform illegal activity through it, and your proxy IP will be logged at the remote server, so block it immediately.
Use the following.
/ip firewall filter
add action=drop chain=input comment="Block Open PROXY :) Zaib" disabled=no dst-port=8080 in-interface=wan protocol=tcp src-address=0.0.0.0/0
In in-interface, select your WAN interface. Firewall filter rules are matched in order, so this rule must sit above any rule in the input chain that accepts the traffic; move it to the top if needed. (src-address=0.0.0.0/0 matches every source and can be left out.) Also restrict the transparent redirect rule to your LAN interface, so that port 80 connections arriving from the internet are never redirected to the proxy in the first place.
How to Add a LOGO and Edit the Proxy Default ERROR Pages
Go to IP > WEB PROXY
Click on RESET HTML
It will ask you "Current html pages will be lost ! Reset anyway?"; click on YES
As shown in the image below . . .
Now go to FILES and you will see webproxy/error.html.
As shown in the image below . . .
Just copy this error.html file to your desktop and edit it using your favourite HTML editor.
(I personally use MS FrontPage 2003 due to its easy and user-friendly interface. You can use Notepad to edit this file as it is very small and contains basic text only; just don't mess with the code, only change the text you want, for example the network name, support numbers etc. After saving, upload it back to the webproxy folder in FILES on the MikroTik.)
How to Block a Web Site for a Single User
To block any website for a single user, use the following …
/ip proxy access
add action=deny comment="Block yahoo for single user" disabled=no dst-host=www.yahoo.com src-address=192.168.2.5
(192.168.2.5 is the user ip)
To block a single user and redirect them to a policy page on a local web server explaining why they are blocked, use the following.
/ip proxy access
add action=deny comment="Block yahoo for single user" disabled=no dst-host=www.yahoo.com redirect-to=192.168.2.3/policy/deny.htm src-address=192.168.2.5
(192.168.2.3 is the web server ip , & 192.168.2.5 is the user ip)
As shown in the image below . . .
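The access-list tips above each show one rule in isolation. The list under /ip proxy access is evaluated top to bottom and the first matching rule decides, so the order matters once you combine per-user blocks, site-wide blocks and open-proxy protection: a broad allow for the LAN placed first would silence every deny below it. The following is an added example, not from the original article, that assembles the tips in a working order; it reuses the article's addresses as assumptions (192.168.2.0/24 as the LAN, 192.168.2.5 the restricted user, 192.168.2.3 the local web server holding /policy/deny.htm).

```routeros
# Added example, not from the original article: the individual access-list
# rules from the tips above combined into one ordered policy.
# /ip proxy access is matched top to bottom and the FIRST match wins,
# so the specific denies must sit above the broad allow for the LAN.
# ASSUMED addresses (as in the article): 192.168.2.0/24 LAN, 192.168.2.5 the
# restricted user, 192.168.2.3 the local web server with /policy/deny.htm.
# All of this applies to plain HTTP only; HTTPS never reaches the proxy.
/ip proxy access
# 1. per-user block with an explanation page
add src-address=192.168.2.5 dst-host=www.yahoo.com action=deny \
    redirect-to=192.168.2.3/policy/deny.htm comment="Block yahoo for single user"
# 2. network-wide domain block; the wildcard covers yahoo.com and its hosts
add dst-host=*yahoo.com action=deny comment="Block yahoo for everyone"
# 3. block downloads by extension
add path=*.mp3 action=deny comment="No mp3 downloads"
# 4. everything else from the LAN is allowed ...
add src-address=192.168.2.0/24 action=allow comment="LAN clients"
# 5. ... and anything that gets this far did not come from the LAN: deny it.
#    This is defence in depth behind the input-chain drop on the proxy port.
add action=deny comment="Default deny - open proxy protection"

# Review the resulting order; reorder with: /ip proxy access move <from> <to>
/ip proxy access print
```

If a block does not take effect, check the printed order first: a rule above it that already matched the request (typically the LAN allow) is the usual cause, and /ip proxy access move fixes it without re-adding anything.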
-------------------------XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX------------------------------
Step by Step installation Guide of a Caching Proxy
Winbox into the RouterOS hardware that you intend to install the web proxy onto and click on IP > Web Proxy as shown below.
Click on Settings as shown below.
Fill in the following details as shown in the picture below.
Port: select 3128 (the standard Squid TCP port) or 8080 (the typically used HTTP proxy TCP port); however, any available port on the RouterOS appliance can be used, provided that the port is not already in use by another process.
Host name: select a host name that you desire. It is not crucial, but it is useful for handing out a DNS name such as proxy1.wirelessconnect.eu (remember to update your DNS server with the proxy IP address before issuing the name to clients).
Transparent Proxy: tick this box if the proxy server is to be transparent, i.e. the user will not be required to configure their browser. Note that additional firewall configuration (a redirect rule) will need to be inserted to make this work; see the transparent proxy section above for details.
Cache Administrator: an administrative e-mail address; it is shown on the proxy's error pages as the contact for this proxy.
Maximum Object Size: select a reasonable size. It should be large enough for most users' needs, e.g. a Service Pack 2 download or a patch CD ISO, but it must not exceed the size of the caching disk. We recommend that the maximum object size be a tiny fraction of the total cache size, i.e. well under 1% of the caching disk.
Select the correct Drive (secondary-master) as the Cache Drive and then click Format as shown below (Note that Router OS wont Let you format the System Drive)
When prompted to confirm the formatting as shown below
While the cache drive is formatting , "formatting harddrive" will appear on the status bar on the bottom of the dialogue box as shown below
After the formatting process is complete the Cache will be created & "Creating Cache" will appear on the status bar at the bottom of the dialogue box as shown below.
Select the Maximum RAM Cache Size. This should be no greater than (total RAM on the proxy appliance) - 64 MB, the 64 MB being reserved for RouterOS and its other processes. In this example the appliance has 1 GB of memory installed and the Maximum RAM Cache Size is set to 934 MB, leaving roughly 90 MB for system use, as shown in the image below.
Next Turn on the Proxy Server by clicking Enable as shown below
Once the Proxy Service is running the status bar will show "Running" on the bottom of the dialogue box as shown below