Saturday, May 13, 2017

Proxy Server Side Clients with Various Connection Packets

After building the Squid proxy server and tuning its configuration, we are now going to put it to work on our network using MikroTik. The proxy server we will set up is an external proxy on the client side of the router, used by enabling MikroTik's internal proxy with the external one as its parent proxy. The picture above shows the topology of the client-side proxy server on the network.


As usual, you must know the names of the public and local interfaces in use, the LAN IP, the IP and port of the proxy server you have made, and the IP addresses of all clients if they use static IPs. Why do I use a proxy server on the client side? Because I only have one local interface on the MikroTik router. So this is my attempt to build a proxy server without having to buy an additional router. I am poor, is that not so?

1. First I will make a list of the clients' IP addresses; if your clients use dynamic IPs, just skip this step. One advantage of an address list like this is that at any time I can easily exclude a particular client IP from the proxy server and let it connect directly to the internet. OK, open the terminal console in Winbox and paste the script below!

/ip firewall address-list
add list=client address=192.168.1.2
add list=client address=192.168.1.11
add list=client address=192.168.1.17
add list=client address=192.168.1.16
add list=client address=192.168.1.15
add list=client address=192.168.1.14
add list=client address=192.168.1.20
add list=client address=192.168.1.21

2. Activate MikroTik's internal proxy with a parent proxy that points to the external client-side proxy; in this case the IP address used is 192.168.1.8 and the port is 3128, as set in the Squid proxy configuration.

/ip proxy
set enabled=yes
set src-address=192.168.1.8
set port=3128
set parent-proxy=192.168.1.8
set parent-proxy-port=3128
set max-cache-size=none
set cache-on-disk=no

Make sure the web proxy shows as running, as in the picture below!


3. So that the clients on the network can access the Internet simultaneously, you must already be masquerading the connection in the firewall NAT. Then set up the transparent proxy by redirecting ports 80 and 8080, which the clients on the address list use to access any site, to the proxy server port 3128. The firewall NAT therefore has two rules, created with the following script!

/ip firewall nat
add action=masquerade chain=srcnat out-interface=wlan1 src-address=192.168.1.0/24 disabled=no comment="Masquerade Public Traffic"
add action=redirect chain=dstnat protocol=tcp in-interface=ether1 src-address-list=client dst-port=80,8080 to-ports=3128 comment="Redirect Web Proxy"

Once you enter this in the terminal console, the result will look like the picture below!


4. This is the basic separation of connection packets into upload, download, and download via proxy. Client requests to TCP ports 80 (http) and 8080 are redirected to the proxy port 3128. Port 80 is commonly used to access sites. Requests to port 443 (https), for example, do not pass through the proxy. This is a weakness of the Squid proxy server as built here, and it needs additional settings.

/ip firewall mangle
add action=change-dscp chain=output out-interface=ether1 new-dscp=4 comment="HIT TRAFFIC FROM PROXY"
add action=mark-packet chain=prerouting in-interface=ether1 src-address=192.168.1.0/24 new-packet-mark=up-pkt passthrough=no comment="UPLOAD TRAFFIC"
add action=mark-connection chain=forward src-address=192.168.1.0/24 new-connection-mark=down-conn passthrough=yes comment="DOWNLOAD CONNECTIONS"
add action=mark-packet chain=forward in-interface=wlan1 connection-mark=down-conn new-packet-mark=down-pkt passthrough=yes comment="DOWNLOAD TRAFFIC"
add action=mark-packet chain=output out-interface=ether1 dscp=4 dst-address=192.168.1.0/24 new-packet-mark=proxy-pkt passthrough=no comment="DOWN-VIA PROXY"

5. The separation of download traffic into various kinds of connection packets, as I mentioned previously; to avoid confusion, let me just put it here!

/ip firewall layer7-protocol
add comment="download" name=high regexp="^.*get.+.(exe|rar|iso|zip|7zip|0[0-9][1-9]|flv|mkv|avi|mp4|3gp|rmvb|mp3|img|dat|mov).*$"
add comment="download" name=document regexp="^.*get.+.(pdf|doc|docx|xlsx|xls|rtf|ppt|ppt).*$"
add comment="video" name=youtube regexp="^.*get.+.(c.youtube.com|cdn.dailymotion.com|metacafe.com|mccont.com).*$"
add comment="video" name=streaming regexp="videoplayback|video"

/ip firewall mangle
add action=mark-packet chain=forward layer7-protocol=high new-packet-mark=dpkt packet-mark=down-pkt passthrough=no comment="CLIENT DOWNLOAD"
add action=mark-packet chain=forward layer7-protocol=document new-packet-mark=dpkt packet-mark=down-pkt passthrough=no comment=""

/ip firewall mangle
add action=mark-packet chain=forward layer7-protocol=youtube new-packet-mark=spkt packet-mark=down-pkt passthrough=no comment="CLIENT VIDEO"
add action=mark-packet chain=forward layer7-protocol=streaming new-packet-mark=spkt packet-mark=down-pkt passthrough=no comment=""

/ip firewall mangle
add action=mark-packet chain=forward packet-mark=down-pkt new-packet-mark=gpkt passthrough=yes protocol=tcp dst-port=5340-5352,6000-6152,10001-10011,14009-14030,18901-18909 comment="CLIENT ONLINE GAMES"
add action=mark-packet chain=forward packet-mark=down-pkt new-packet-mark=gpkt passthrough=yes protocol=tcp dst-port=39190,27780,29000,22100,10009,4300,15001,15002,7341,7451
add action=mark-packet chain=forward packet-mark=down-pkt new-packet-mark=gpkt passthrough=yes protocol=tcp dst-port=40000,9300,9400,9700,7342,8005-8010,37466,36567,8822
add action=mark-packet chain=forward packet-mark=down-pkt new-packet-mark=gpkt passthrough=yes protocol=tcp dst-port=47611,16666,20000,5105,29000,18901-18909,9015
add action=mark-packet chain=forward packet-mark=down-pkt new-packet-mark=gpkt passthrough=yes protocol=udp dst-port=27005,27015
add action=mark-packet chain=forward packet-mark=down-pkt new-packet-mark=gpkt passthrough=yes protocol=udp dst-port=27005-27020,13055,7800-7900,12060-12070
add action=mark-packet chain=forward packet-mark=down-pkt new-packet-mark=gpkt passthrough=yes protocol=udp dst-port=8005-8010,9068,1293,1479,9401,9600,30000
add action=mark-packet chain=forward packet-mark=down-pkt new-packet-mark=gpkt passthrough=yes protocol=udp dst-port=14009-14030,42051-42052,40000-40050,13000-13080

/ip firewall mangle
add action=mark-packet chain=forward connection-bytes=0-1000000 src-port=80,443 passthrough=no new-packet-mark=bpkt packet-mark=down-pkt protocol=tcp comment="CLIENT BROWSING"

/ip firewall layer7-protocol
add comment="BIT TORENT" name=bittorrent regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
add comment="TORRENT WEBSITES" name=torrentsites regexp="^.*(get|GET).+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits).*$"

/ip firewall mangle
add action=mark-packet chain=forward layer7-protocol=bittorrent new-packet-mark=tpkt packet-mark=down-pkt passthrough=no comment="BILLING BIT TORRENT"
add action=mark-packet chain=forward layer7-protocol=torrentsites new-packet-mark=tpkt packet-mark=down-pkt passthrough=no comment="BILLING TORRENT WEBSITES"
add action=mark-packet chain=forward p2p=all-p2p new-packet-mark=tpkt packet-mark=down-pkt passthrough=no comment="BILLING ALLP2P"
add action=mark-packet chain=forward dst-port=58561,58045,14948,58008,58816,59097 new-packet-mark=tpkt packet-mark=down-pkt passthrough=no protocol=tcp comment="BILLING TORRENT PORT"
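
To check how the layer-7 patterns of step 5 classify real requests before trusting the queue counters, the following added example (not part of the original post) runs them over constructed HTTP requests and shows that the `Accept-Encoding: gzip` header alone satisfies the `high` pattern. Assumptions: Python's `re` with `IGNORECASE | DOTALL` stands in for the RouterOS matcher, and `TIGHT_RULES` is a hypothetical stricter pattern, written for this check only.

```python
import re

# Layer-7 patterns copied from step 5, in mangle-rule order, with the mark each sets.
# Assumption: Python's re with IGNORECASE | DOTALL stands in for the RouterOS
# matcher, which searches roughly the first 2 KB of a connection.
FLAGS = re.IGNORECASE | re.DOTALL
PAGE_RULES = [
    ("high", r"^.*get.+.(exe|rar|iso|zip|7zip|0[0-9][1-9]|flv|mkv|avi|mp4|3gp"
             r"|rmvb|mp3|img|dat|mov).*$", "dpkt"),
    ("document", r"^.*get.+.(pdf|doc|docx|xlsx|xls|rtf|ppt|ppt).*$", "dpkt"),
    ("youtube", r"^.*get.+.(c.youtube.com|cdn.dailymotion.com|metacafe.com"
                r"|mccont.com).*$", "spkt"),
    ("streaming", r"videoplayback|video", "spkt"),
]

# Hypothetical tightened "high" pattern (not from the page): the extension must
# end the path on the request line, so header values cannot trigger it.
EXT = "exe|rar|iso|zip|7zip|0[0-9][1-9]|flv|mkv|avi|mp4|3gp|rmvb|mp3|img|dat|mov"
TIGHT_RULES = [("high", rf"^get [^ ?]*\.({EXT})(\?[^ ]*)? http/", "dpkt")] + PAGE_RULES[1:]


def classify(payload: bytes, rules) -> str:
    """Return the mark set by the first matching rule (passthrough=no)."""
    data = payload[:2048].decode("latin-1")
    for _name, pattern, mark in rules:
        if re.search(pattern, data, FLAGS):
            return mark
    return "down-pkt"  # nothing matched: the generic download mark stays


# Constructed sample requests; hosts under example.test are placeholders.
HEADERS = b"User-Agent: demo\r\nAccept-Encoding: gzip, deflate\r\n\r\n"
SAMPLES = {
    "page": b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n" + HEADERS,
    "video": b"GET /videoplayback?id=1 HTTP/1.1\r\nHost: v1.c.youtube.com\r\n" + HEADERS,
    "archive": b"GET /files/backup.zip HTTP/1.1\r\nHost: dl.example.test\r\n" + HEADERS,
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:8} page rules -> {classify(payload, PAGE_RULES):8} "
              f"tightened -> {classify(payload, TIGHT_RULES)}")
```

With the page's patterns the plain page view and the video request both land in the download mark, so the video rules are never reached for clients that send this header.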

6. The rest is just to make the queue tree rules for all of the connection packets above, along with the upload and proxy connection packets.

/queue type
add name=pcq_upstream kind=pcq pcq-classifier=src-address
add name=pcq_downstream kind=pcq pcq-classifier=dst-address
add name=pcq_game kind=pcq pcq-classifier=dst-address
add name=pcq_browsing kind=pcq pcq-classifier=dst-address
add name=pcq_download kind=pcq pcq-rate=1000k pcq-classifier=dst-address
add name=pcq_undefined kind=pcq pcq-rate=512k pcq-classifier=dst-address
add name=pcq_extensions kind=pcq pcq-rate=512k pcq-classifier=dst-address
add name=pcq_video kind=pcq pcq-rate=512k pcq-classifier=dst-address
add name=pcq_p2ptorrent kind=pcq pcq-rate=150k pcq-classifier=dst-address

/queue tree
add name=a.Upstream parent=global-in queue=pcq_upstream packet-mark=up-pkt priority=8 max-limit=2M
add name=b.Downstream parent=global-out queue=pcq_downstream packet-mark=down-pkt priority=8 max-limit=2M
add name=c.Proxystream parent=global-out queue=default packet-mark=proxy-pkt priority=8
add name=1.Games parent=b.Downstream queue=pcq_game packet-mark=gpkt priority=1 limit-at=256k max-limit=1000k
add name=2.Browsing parent=b.Downstream queue=pcq_browsing packet-mark=bpkt priority=2 limit-at=256k max-limit=1000k
add name=3.Download parent=b.Downstream queue=pcq_download packet-mark=down-pkt priority=3 limit-at=256k max-limit=1000k
add name=3.1.Undefined parent=3.Download queue=pcq_undefined packet-mark=down-pkt priority=4 limit-at=128k max-limit=420k burst-limit=512k burst-threshold=315k burst-time=5s
add name=3.2.Extensions parent=3.Download queue=pcq_extensions packet-mark=dpkt priority=5 limit-at=128k max-limit=420k burst-limit=512k burst-threshold=315k burst-time=5s
add name=3.3.Video parent=3.Download queue=pcq_video packet-mark=spkt priority=6 limit-at=128k max-limit=420k burst-limit=512k burst-threshold=315k burst-time=5s
add name=3.4.P2P&Torrent parent=3.Download queue=pcq_p2ptorrent packet-mark=tpkt priority=7 limit-at=128k max-limit=256k

For the proxy traffic packets we do not use PCQ as the queue type, but rather the default queue, with no limit value in the queue tree. Because there are still connections that do not go through the proxy, we keep applying PCQ to the connection packets other than the proxy traffic. For the connection packets that are greedy for bandwidth, I think we need to apply burst limits in the queue tree, such as for the undefined, extensions and video packets. The results are as shown below!


7. A proxy server used like this is already closed to IP addresses other than those in the client address list. To make it safer, add the following protection for the proxy server: if any IP from another network tries to use the proxy server, this script captures the IP, puts it on the block list, and then drops its connections.

/ip firewall filter
add chain=input in-interface=wlan1 protocol=tcp dst-port=3128 action=add-src-to-address-list address-list=block address-list-timeout=1d comment="filter proxy"
add chain=input action=drop src-address-list=block comment="drop ip-block"

Further, for the security of the proxy server we have made, we can create access rules for the web proxy on MikroTik. If you want to block certain URLs or sites, you can do it here!

/ip proxy access
add action=deny dst-port=23-25 comment="block telnet & spam e-mail relaying"
add action=deny dst-port=!443,563 method=connect comment="allow CONNECT only to SSL ports 443 [https] and 563 [snews]"
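
To see what these two access rules permit and deny, the following added example (not part of the original post) parses them as written above and evaluates a few constructed requests. Assumptions: rules are processed top-down with the first match deciding, a request matching no rule is allowed, `!` negates the whole port list, and method names compare case-insensitively; `parse_rules`, `port_matches` and `decide` are names made up for this sketch.

```python
import shlex

# The two /ip proxy access rules from the page, one per line.
ACCESS_RULES = '''
add action=deny dst-port=23-25 comment="block telnet & spam e-mail relaying"
add action=deny dst-port=!443,563 method=connect comment="allow CONNECT only to SSL ports 443 [https] and 563 [snews]"
'''


def parse_rules(text):
    """Parse 'add key=value ...' lines into a list of dicts, keeping order."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)[1:]  # drop the leading 'add'
        rules.append(dict(tok.split("=", 1) for tok in tokens))
    return rules


def port_matches(spec, port):
    """Match '23-25' or '!443,563'; assumption: '!' negates the whole list."""
    negated = spec.startswith("!")
    hit = False
    for part in spec.lstrip("!").split(","):
        low, _, high = part.partition("-")
        hit = hit or int(low) <= port <= int(high or low)
    return hit != negated


def decide(rules, method, port):
    """Assumed semantics: top-down, first match decides, no match means allow."""
    for index, rule in enumerate(rules, start=1):
        if "method" in rule and rule["method"].upper() != method.upper():
            continue
        if "dst-port" in rule and not port_matches(rule["dst-port"], port):
            continue
        return rule["action"], index
    return "allow", None


# Constructed requests: (method, destination port).
REQUESTS = [("GET", 80), ("CONNECT", 443), ("CONNECT", 563),
            ("CONNECT", 25), ("CONNECT", 8443), ("GET", 25)]

if __name__ == "__main__":
    rules = parse_rules(ACCESS_RULES)
    for method, port in REQUESTS:
        action, index = decide(rules, method, port)
        print(f"{method:8}{port:>6} -> {action} (rule {index})")
```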


OK, that's all for the implementation of the Squid client-side proxy server to speed up our internet connection, which will increase dramatically and make my clients at ease to linger in my internet shop. For more clarity, let's watch the video! I'll see you at the next experiment!

Additional:

These are the regexps for the Layer 7 protocols for VoIP connection packets, from the MikroTik wiki, for which mangle rules need to be created. If a regexp fails to be inserted, please insert it manually in the regexp entry!
/ip firewall layer7-protocol
add name=sip regexp="^(invite|register|cancel) sip[ - -~]*sip/[0-2].[0-9]"
add name=h323 regexp="^3..?8...?.?.?.?.?.?.?.?.?.?.?.?.?.?.?5"
add name=skypetoskype regexp="^..2............."
add name=teamspeak regexp="^F4BE3.*teamspeak"
add name=ventrilo regexp="^..?v$CF"
add name=stun regexp="^[12]................?$"
