Redirecting web traffic from Mikrotik to internal Squid using policy based routing


rafael....@diladele.com

Feb 5, 2018, 9:26:57 AM2/5/18
to Diladele Web Safety
Hello all,

There is a beginner's guide on how to set up transparent interception of HTTP and HTTPS traffic in the network with the help of an external Squid proxy, a Mikrotik router and Policy Based Routing.
The tutorial is available at https://docs.diladele.com/tutorials/mik ... index.html

Please, if you find it not easily understandable, interesting or even not correct, say so in the comments.

Best regards,
Rafael

Rino Muhamad Nur

Feb 8, 2018, 4:26:54 AM2/8/18
to Diladele Web Safety
Hi, 

I've already followed this tutorial, but my Diladele Web Safety can't reach the target domain.
My mikrotik : 
Mangle Rule : 
 2   
      chain=prerouting action=accept protocol=tcp src-address=192.168.40.11 
      in-interface=vlan100 dst-port=80 log=no log-prefix="" 

 3    
      chain=prerouting action=accept protocol=tcp src-address=192.168.40.11 
      in-interface=vlan100 dst-port=443 log=no log-prefix="" 

 4   
      chain=prerouting action=mark-routing new-routing-mark=TO_PROXY
      passthrough=yes protocol=tcp src-address=192.168.50.15 
      in-interface=vlan100 dst-port=443 log=no log-prefix="" 

 5    
      chain=prerouting action=mark-routing new-routing-mark=TO_PROXY
      passthrough=yes protocol=tcp src-address=192.168.50.15 
      in-interface=vlan100 dst-port=80 log=no log-prefix="" 

 6    ;;;       chain=prerouting action=accept routing-mark=TO_PROXY
      src-address=192.168.50.15 in-interface=vlan100 log=no log-prefix="" 


---
My Squid : 
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/websafety/etc/myca.pem
http_port 3126 intercept
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/websafety/etc/myca.pem

Iptables : 
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 3126
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:https redir ports 3127

sysctl : 
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_use_pmtu = 0

tcpdump : 
16:25:21.683133 IP 192.168.50.15.56164 > 138.201.244.64.443: Flags [S], seq 552192431, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
16:25:21.683137 IP 192.168.50.15.56164 > 138.201.244.64.443: Flags [S], seq 552192431, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
16:25:21.683363 IP 192.168.50.15.56164 > 138.201.244.64.443: Flags [S], seq 552192431, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
16:25:21.683367 IP 192.168.50.15.56164 > 138.201.244.64.443: Flags [S], seq 552192431, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0


There are packets to my Squid but it can't reach the domain.
But when I try to manually add the proxy address to the browser, it succeeds in displaying the HTML content.

Please help me.

Thanks,

Rino M Nur
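The mangle rules posted above follow the usual policy-based-routing pattern: accept rules for the proxy's own address (192.168.40.11) sit in front of the mark-routing rules, so that the proxy's outbound port 80/443 connections are not marked TO_PROXY and sent back to itself in a loop. The check below is an added example, not code from the thread or from Diladele: it parses `/ip firewall mangle print` style output (the `;;;` comment prefix and the `X` disabled flag are handled) and reports every enabled mark-routing rule on a proxied port that is not preceded by an enabled accept rule for the proxy address. The sample rule text is constructed from the post; the second sample, with a broader client subnet and the exemption disabled and ordered too late, is an assumed misconfiguration used to show the detection firing.

```python
import re
import shlex

# Constructed from the rules in the post above (indices kept as printed).
SAMPLE_RULES = """\
 2    chain=prerouting action=accept protocol=tcp src-address=192.168.40.11
      in-interface=vlan100 dst-port=80 log=no log-prefix=""
 3    chain=prerouting action=accept protocol=tcp src-address=192.168.40.11
      in-interface=vlan100 dst-port=443 log=no log-prefix=""
 4    chain=prerouting action=mark-routing new-routing-mark=TO_PROXY
      passthrough=yes protocol=tcp src-address=192.168.50.15
      in-interface=vlan100 dst-port=443 log=no log-prefix=""
 5    chain=prerouting action=mark-routing new-routing-mark=TO_PROXY
      passthrough=yes protocol=tcp src-address=192.168.50.15
      in-interface=vlan100 dst-port=80 log=no log-prefix=""
"""

# Assumed misconfiguration (constructed): whole client subnet is marked,
# the only proxy exemption is disabled (X) and placed after the mark rules.
BROKEN_RULES = """\
 0    chain=prerouting action=mark-routing new-routing-mark=TO_PROXY
      passthrough=yes protocol=tcp src-address=192.168.50.0/24
      in-interface=vlan100 dst-port=443 log=no log-prefix=""
 1    chain=prerouting action=mark-routing new-routing-mark=TO_PROXY
      passthrough=yes protocol=tcp src-address=192.168.50.0/24
      in-interface=vlan100 dst-port=80 log=no log-prefix=""
 2 X  ;;; proxy exemption, currently disabled
      chain=prerouting action=accept protocol=tcp src-address=192.168.40.11
      in-interface=vlan100 dst-port=80 log=no log-prefix=""
"""


def parse_mangle_print(text):
    """Parse RouterOS 'print' output into a list of rule dicts.

    A line starting with a number opens a new rule; continuation lines are
    indented and carry only key=value tokens. Each rule dict has 'index',
    'flags' (single-letter flags such as X = disabled), 'comment' (text after
    ';;;') and one key per key=value field.
    """
    rules = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = re.match(r"^\s*(\d+)\s+(.*)$", line)
        if m:
            current = {"index": int(m.group(1)), "flags": set(), "comment": ""}
            rules.append(current)
            body = m.group(2)
        elif current is not None:
            body = line
        else:
            continue
        in_comment = False
        for tok in shlex.split(body):
            if tok == ";;;":
                in_comment = True
            elif "=" in tok:
                in_comment = False
                key, value = tok.split("=", 1)
                current[key] = value
            elif in_comment:
                current["comment"] = (current["comment"] + " " + tok).strip()
            elif len(tok) == 1 and tok.isalpha() and tok.isupper():
                current["flags"].add(tok)
    return rules


def proxy_exemption_gaps(rules, proxy_ip, ports=("80", "443")):
    """Return (dst-port, rule index) for each enabled mark-routing rule on a
    proxied port that no earlier enabled accept rule for proxy_ip protects.
    An accept rule without dst-port counts as covering every port."""
    gaps = []
    for rule in rules:
        if "X" in rule["flags"] or rule.get("action") != "mark-routing":
            continue
        port = rule.get("dst-port")
        if port not in ports:
            continue
        exempt_before = any(
            other["index"] < rule["index"]
            and "X" not in other["flags"]
            and other.get("chain") == rule.get("chain")
            and other.get("action") == "accept"
            and other.get("src-address") == proxy_ip
            and other.get("dst-port") in (port, None)
            for other in rules
        )
        if not exempt_before:
            gaps.append((port, rule["index"]))
    return gaps


if __name__ == "__main__":
    for name, text in (("posted rules", SAMPLE_RULES), ("broken rules", BROKEN_RULES)):
        gaps = proxy_exemption_gaps(parse_mangle_print(text), "192.168.40.11")
        print(name, "->", "ok" if not gaps else f"loop risk at {gaps}")
```

Run it against a pasted `print` listing with the proxy's address; an empty result means each marking rule is preceded by an exemption for the proxy, a non-empty result names the port and rule index where the proxy's own traffic would be routed back to it.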

Rino Muhamad Nur

Feb 8, 2018, 4:28:59 AM2/8/18
to Diladele Web Safety
Sorry, 

My mikrotik route rule : 

7 X S  ;;; #DISABLE TRANSPROXY
        0.0.0.0/0                          192.168.40.11             1


On Monday, 5 February 2018 at 21:26:57 UTC+7, rafael....@diladele.com wrote:

Rafael Akchurin

Feb 8, 2018, 4:31:07 AM2/8/18
to web-s...@googlegroups.com
Hello Rino,

Traffic from proxy box is able to reach the outside world, right?

If so I would suggest disabling the forward on the proxy box first. This is not needed as the box does not do any forwarding.

Best regards,
Rafael Akchurin
--
You received this message because you are subscribed to the Google Groups "Diladele Web Safety" group.
To unsubscribe from this group and stop receiving emails from it, send an email to web-safety+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Rafael Akchurin

Feb 8, 2018, 4:31:57 AM2/8/18
to web-s...@googlegroups.com
Sorry for many mistakes, typing from phone :(

Best regards,
Rafael Akchurin

On 8 Feb 2018 at 10:31, Rafael Akchurin <rafael....@diladele.com> wrote:


Rino Muhamad Nur

Feb 8, 2018, 4:44:01 AM2/8/18
to Diladele Web Safety
Ok, 

I disabled tcp forwarding on my Squid box, and it still can't reach the outside world.

---
net.ipv4.ip_forward = 0
net.ipv4.ip_forward_use_pmtu = 0

Rino Muhamad Nur

Feb 8, 2018, 6:11:33 AM2/8/18
to Diladele Web Safety
Hi, 

I've already edited my iptables and now it works ... thanks :). Now I have another problem.

My web.whatsapp.com can't be reached. Is it due to the certificate problem?

Can I bypass the WhatsApp domain so it is not redirected to Squid, or any idea? Thanks.


Rino M Nur

Rafael Akchurin

Feb 8, 2018, 6:13:11 AM2/8/18
to web-s...@googlegroups.com
Please try something like https://docs.diladele.com/faq/squid/sslbump_exlusions/whatsapp.html

Best regards,
Rafael Akchurin

Rino Muhamad Nur

Feb 8, 2018, 6:16:46 AM2/8/18
to Diladele Web Safety
Great, 

It works ... thanks Sir,