Setting up Transparent Squid Proxy with Mikrotik

(Last Updated On: 24 September 2018)


This tutorial explains how to set up an external Squid proxy and redirect HTTP and HTTPS traffic (SSL bumping) to it using policy-based routing on Mikrotik.

OS Description

The Mikrotik router runs version 6.43, and the Squid proxy is version 3.5.28 on Ubuntu 16.04.5 LTS.

Network Description

This tutorial assumes your Mikrotik-based network is up and running. The following screenshot shows a simple network diagram.


Specifically the following settings are in effect.

Mikrotik Router

Setting Value
WAN Interface Public, IP settings assigned by ISP provider
LAN Interface Local
LAN IP Address
LAN Network
PROXY Interface Proxy
PROXY IP Address
PROXY Network


Squid Proxy Box

Setting Value
IP Address
Network Mask
Default Gateway
DNS Server


Client Workstation in the LAN

Any client workstation in the LAN is configured by DHCP server running on Mikrotik router and typical settings look like the following.

Setting Value
IP Address –
Network Mask
Default Gateway
DNS Server


Install Squid 3.5 from Source on Ubuntu 16.04

Install Squid 3 dependencies


Grab a copy of the source code


Compile your Squid 3


Configure Squid

Replace squid.conf with your new Squid configuration.


Build squid service runtime

/etc/init.d/squid file


Prepare the execution directories: make sure the log, cache, and spool directories exist, and set the access permissions on those directories with the following commands.


Creating our Self-Signed SSL Cert:


Check squid configurations


Initializing Squid Cache


Start your Squid service


Transparent Redirects

On the Squid server, run the following:

NOTE: replace squid-server-IP with your Squid server's IP address.
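
A consistency check for this step, added here as an example and not part of the original tutorial: it verifies that the REDIRECT rules for ports 80 and 443 point at the intercept listeners declared in squid.conf, and that the HTTPS listener has ssl-bump enabled. The port numbers (3129, 3130), the certificate path, the 192.0.2.10 address and the iptables-save rule format are constructed sample values, and the function names are hypothetical.

```shell
# Added example. Constructed sample input: ports, cert path and address are assumptions.
SAMPLE_CONF='http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump generate-host-certificates=on cert=/etc/squid/ssl_cert/myCA.pem'
SAMPLE_RULES='-A PREROUTING -s 192.0.2.10/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130'

# Print the port of the first "<directive> [ip:]PORT ... intercept" line.
squid_intercept_port() {  # $1 = http_port | https_port, $2 = squid.conf text
    printf '%s\n' "$2" | awk -v d="$1" '
        $1 == d {
            for (i = 3; i <= NF; i++) if ($i == "intercept") {
                n = split($2, a, ":"); print a[n]; exit
            }
        }'
}

# Print the REDIRECT target port of the rule matching a destination port.
redirect_target() {  # $1 = destination port, $2 = iptables-save style rules
    printf '%s\n' "$2" | awk -v p="$1" '
        /-j REDIRECT/ {
            dport = ""; to = ""
            for (i = 1; i < NF; i++) {
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "--to-ports") to = $(i + 1)
            }
            if (dport == p) { print to; exit }
        }'
}

# Return 0 only if 80/443 go to the matching intercept listeners and ssl-bump is set.
check_intercept() {  # $1 = squid.conf text, $2 = iptables rules
    conf=$1; rules=$2; rc=0
    for pair in 80:http_port 443:https_port; do
        dport=${pair%%:*}; directive=${pair#*:}
        want=$(squid_intercept_port "$directive" "$conf")
        got=$(redirect_target "$dport" "$rules")
        if [ -z "$want" ] || [ "$want" != "$got" ]; then
            echo "MISMATCH: dport $dport redirects to '${got:-none}', $directive intercept port is '${want:-none}'"
            rc=1
        fi
    done
    printf '%s\n' "$conf" | grep -Eq '^https_port[[:space:]].*intercept.*ssl-bump' ||
        { echo "MISSING: no https_port intercept listener with ssl-bump"; rc=1; }
    return "$rc"
}

check_intercept "$SAMPLE_CONF" "$SAMPLE_RULES" && echo "redirect rules match intercept listeners"
```

On a live box, feed it the real squid.conf contents and the output of iptables-save -t nat instead of the sample strings.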


Mikrotik Configuration

Log in to your Mikrotik, open a new terminal, and paste this command:


  • is LAN Address
  • 00:0c:29:56:11:02 is the Squid MAC address
  • is Squid Ip Address

That command makes the Squid proxy server operate in transparent mode.

Now, make Mikrotik bypass Squid cache HIT objects:




We have successfully set up policy based routing of HTTP and HTTPS traffic from our Mikrotik router to a separate proxy box. Both HTTP and HTTPS traffic can now be filtered for adult language and unwanted sites.




