Setting up Transparent Squid Proxy with Mikrotik

(Last Updated On: 24 September 2018)

Introduction

This tutorial explains how to set up an external Squid proxy and redirect HTTP and HTTPS traffic (SSL bumping) to it using policy-based routing on Mikrotik.

OS Description

The Mikrotik router runs version 6.43, and the Squid proxy is version 3.5.28 on Ubuntu 16.04.5 LTS.

Network Description

This tutorial assumes your Mikrotik-based network is up and running. The following screenshot shows a simple network diagram.

 

Specifically, the following settings are in effect.

Mikrotik Router

Setting             Value
WAN Interface       Public, IP settings assigned by ISP provider
LAN Interface       Local
LAN IP Address      192.168.1.1/24
LAN Network         192.168.1.0
PROXY Interface     Proxy
PROXY IP Address    192.168.2.1/24
PROXY Network       192.168.2.0

 

Squid Proxy Box

Setting             Value
IP Address          192.168.2.2
Network Mask        255.255.255.0
Default Gateway     192.168.2.1
DNS Server          192.168.2.1

 

Client Workstation in the LAN

Every client workstation in the LAN is configured by the DHCP server running on the Mikrotik router; typical settings look like the following.

Setting             Value
IP Address          192.168.1.2 – 192.168.1.254
Network Mask        255.255.255.0
Default Gateway     192.168.1.1
DNS Server          192.168.1.1

 

Install Squid 3.5 from Source on Ubuntu 16.04

Install Squid 3 dependencies

 

Grab a copy of the source code

 

Compile your Squid 3

 

Configure Squid

Replace squid.conf with your new Squid configuration.

 

Build squid service runtime

/etc/init.d/squid file

 

Prepare the execution directories: make sure the log, cache, and spool directories exist, and set the access control on those directories with the following command line.

 

Creating our Self-Signed SSL Cert:

 

Check squid configurations

 

Initializing Squid Cache

 

Start your Squid service

 

Transparent Redirects

On the Squid server, type this:

NOTE: replace squid-server-IP with your Squid IP address.

 

Mikrotik Configuration

Log in to your Mikrotik, open a new terminal, and paste this command:

NOTE:

  • 192.168.1.0/24 is the LAN address
  • 00:0c:29:56:11:02 is the Squid MAC address
  • 192.168.2.2 is the Squid IP address

That command puts the Squid proxy server in transparent mode.

Now, make Mikrotik bypass Squid cache HIT objects
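One way to express the policy-based routing described above, using the three values from the note. This is an added example, not the original post's command; the routing mark name to-squid and the rule comments are assumptions.

```routeros
# Added example (not the original post's command). The mark name "to-squid"
# is an assumption; the addresses and MAC are the values listed in the note.

/ip firewall mangle
# Mark web traffic from LAN clients so it uses the alternate routing table.
# The negated src-mac-address skips frames sent by the Squid box itself,
# so the proxy's own outbound requests are never routed back to it (a loop),
# even if Squid is configured to reuse client source addresses.
add chain=prerouting action=mark-routing new-routing-mark=to-squid \
    passthrough=no protocol=tcp dst-port=80,443 \
    src-address=192.168.1.0/24 src-mac-address=!00:0c:29:56:11:02 \
    comment="LAN HTTP/HTTPS to Squid"

/ip route
# Default route consulted only by packets carrying the to-squid mark:
# the next hop is the Squid box on the Proxy network.
add dst-address=0.0.0.0/0 gateway=192.168.2.2 routing-mark=to-squid \
    comment="Policy route to Squid"

# Checks after applying:
# packet/byte counters on the mangle rule should rise when a LAN client browses
/ip firewall mangle print stats
# the marked route should be listed as active (flag A)
/ip route print where routing-mark=to-squid
```

If a fasttrack-connection rule is enabled in /ip firewall filter, exclude this traffic from it: fasttracked packets skip mangle, so they lose the routing mark and go straight out the WAN instead of through Squid.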

 

 

Conclusion

We have successfully set up policy based routing of HTTP and HTTPS traffic from our Mikrotik router to a separate proxy box. Both HTTP and HTTPS traffic can now be filtered for adult language and unwanted sites.
