MikroTik transparent web proxy setup for both HTTP and HTTPS


This setup has been successfully tested with Artica v2.39.080400 or above.
In this article, we describe how to build the MikroTik rules that forward HTTP/HTTPS traffic to the proxy.

Architecture (example):

Our MikroTik manages 4 networks; each network has its own interface:

  • LAN 1: 192.168.1.0/24
  • LAN 2: 192.168.200.0/24
  • Ether 3: dedicated LAN where the proxy is located.
  • WAN: 192.168.20.0, where the upstream router is.

1) MikroTik rules:

We want LAN 1 and LAN 2 to be redirected to the proxy when their requests try to reach external ports 80/443.
To do this, we add a mangle rule that marks packets according to the destination port (80/443).
This routing mark selects a dedicated route that forwards the marked packets to the proxy.
The proxy acts as a gateway and intercepts the TCP connections before they reach the Internet.

A) Mark packets:

Choose IP/Firewall on the MikroTik.

  • Click on the “Mangle” tab.
  • Add a new mangle rule.
  • Chain: prerouting
  • Protocol: tcp
  • Dst. Port: 80
  • In. Interface: important, to prevent a loop. When the proxy itself reaches the Internet, its packets must not be marked, or they would be routed straight back to it.
    Select the interface the proxy is connected to and tick the negate (“!”) checkbox, so the rule matches every interface except that one.

  • If you also want to forward SSL to the proxy, use 80,443 in the Dst. Port field.
  • Click on the Action tab.
  • In the Action list, choose “mark routing”.
  • Set the tag in the “New Routing Mark” field (we call it “artica”).

This mangle rule only marks packets that arrive from any interface except the one where the proxy is located.

C) Masquerade rule:

  • Select the NAT tab.
  • Add a new rule.
  • On the General tab, in Chain, select srcnat.
  • In the Action tab, in the Action field, choose “masquerade”.

A srcnat masquerade rule with no Out. Interface applies to traffic leaving on every interface, including the one towards the proxy, so the proxy would see the router's address instead of the real client addresses. Setting Out. Interface to the WAN interface avoids this.

D) Forward packets:

  • Choose IP/Routes on the MikroTik.
  • Create a new route.
  • Dst. Address: 0.0.0.0/0
  • Gateway: the proxy box IP address.
  • Check Gateway: “ping”
  • Routing Mark: the tag created in the mangle rule (in our case, “artica”).

The routing table changes the next-hop gateway (to the proxy) according to the mark added by the mangle rule.
Now every request to the Internet on port 80 or 443 is forwarded to the proxy.
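The three Winbox steps above (mangle mark, masquerade, marked route) as one RouterOS CLI script. This is an added example, not part of the original article or of Artica's own configuration; it assumes RouterOS v6 syntax, that the proxy is reachable as 192.168.3.10 on ether3, and that ether1 is the WAN interface, none of which the article states.

```routeros
# Added example (not from the original article): RouterOS v6 CLI equivalent
# of the Winbox steps. Assumptions: the Artica proxy sits on ether3 with the
# address 192.168.3.10, and ether1 is the WAN interface. Adapt both to your
# setup.

# A) Mark packets: routing-mark HTTP/HTTPS coming in on every interface
#    except the proxy's own, so the proxy's outbound requests are not
#    looped back to it.
/ip firewall mangle
add chain=prerouting protocol=tcp dst-port=80,443 in-interface=!ether3 \
    action=mark-routing new-routing-mark=artica \
    comment="Send web traffic to the Artica proxy"

# C) Masquerade: NAT client traffic leaving towards the Internet.
#    out-interface=ether1 keeps the rule off the proxy leg, so the proxy
#    still sees real client addresses (an addition to the article's steps).
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade

# D) Forward: a default route used only by marked packets, with the proxy
#    as next hop and ping-based gateway checking.
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.3.10 routing-mark=artica \
    check-gateway=ping comment="Via Artica proxy"
```

Paste it into a terminal session, then check that `/ip firewall mangle print stats` shows the rule's packet counter rising while a client on LAN 1 browses, and that `/ip route print where routing-mark=artica` lists the route as active (check-gateway disables it while the proxy does not answer pings). On RouterOS v7 the route field is `routing-table=artica` and the table must exist first: `/routing table add name=artica fib`.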


2) Make Artica comply with the MikroTik rules.

  • Open the Artica web console and navigate to “Your Proxy/Listen ports”.
  • Click on “New port”.
  • Select the “Other ports” button.
  • Turn ON the “Transparent Proxy (MikroTik)” option.
  • Choose the correct network interface.
  • Click on the “Add” button.
  • The listen port value does not matter, because it is only used internally by the proxy.
  • If you have forwarded HTTPS requests from the MikroTik to the proxy, create a second port with the MikroTik option enabled.
  • Enable the “Use the SSL encryption” option and choose the certificate in the drop-down list. The proxy terminates the TLS sessions with this certificate, so clients must trust the CA that issued it; otherwise browsers show a certificate warning on every HTTPS site.
  • Click on the “MikroTik” option in the table's top menu.
  • Turn on the MASQUERADE option.
  • Click on Apply.
  • Finally, click on the “Apply” button in the table's top menu to put the ports into production.

Note: Artica installs a script that reconfigures the system according to the MikroTik rules.
You can perform these operations:

  • /etc/init.d/MikroTik restart
  • /etc/init.d/MikroTik start
  • /etc/init.d/MikroTik stop
