mudasir
Member Candidate
Topic Author
Posts: 278
Joined: Tue Apr 29, 2008 3:38 am
Location: Karachi, Pakistan

Routing with original source address

Sat May 23, 2009 7:39 am

Hi,

I would like to know, is it possible to route port 80 traffic to an external machine with the original src-address? I am talking about an external proxy / cache machine, MikroTik routing port 80 traffic with the original src-address to an external machine.

Chupaka
Forum Guru
Posts: 8689
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Routing with original source address

Sat May 23, 2009 8:50 pm

add route with gateway=your_proxy_machine, mark packets to route with this routing table

mudasir
Member Candidate
Topic Author
Posts: 278
Joined: Tue Apr 29, 2008 3:38 am
Location: Karachi, Pakistan

Re: Routing with original source address

Sun May 24, 2009 3:46 am

Dear Chupaka,

I tried this, but the traffic that I receive at the proxy has the src address of my MikroTik machine, not the original host machine.

andreacoppini
Trainer
Posts: 498
Joined: Wed Apr 13, 2005 11:51 pm
Location: Malta, Europe

Re: Routing with original source address

Sun May 24, 2009 5:18 am

Then you probably have a NAT rule translating the src-address. Check your MikroTik NAT rules.

mudasir
Member Candidate
Topic Author
Posts: 278
Joined: Tue Apr 29, 2008 3:38 am
Location: Karachi, Pakistan

Re: Routing with original source address

Sun May 24, 2009 8:54 am

Hi,

Yes, I have a "masquerade" rule in my NAT table; without it internet will not work at the client side.

If you have any other method than "masquerade" please let me know, because it will help me in obtaining the desired result.

andreacoppini
Trainer
Posts: 498
Joined: Wed Apr 13, 2005 11:51 pm
Location: Malta, Europe

Re: Routing with original source address

Sun May 24, 2009 1:34 pm

create a new rule before the masquerade

src-address=your internal LAN
dst-protocol=tcp
dst-port=80
action=accept

Chupaka
Forum Guru
Posts: 8689
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Routing with original source address

Sun May 24, 2009 3:14 pm

yesss, you should not masquerade http traffic to your proxy. is it Balabit TProxy? please describe your configuration

kiket
Frequent Visitor
Posts: 56
Joined: Thu Mar 02, 2006 5:32 pm

Re: Routing with original source address

Wed May 27, 2009 10:42 pm

--- SOLVED ---

Hi all,

I have the same problem. I want to log the users' IP in IPCOP (Squid).

Can anyone help us?

Thanks in advance.

hilton
Long time Member
Posts: 634
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: Routing with original source address

Thu May 28, 2009 3:50 pm

> yesss, you should not masquerade http traffic to your proxy.

Chupaka, are you referring to internal proxy servers (on the LAN) or to only external ones?

I don't see how any http traffic would reach the external proxy server if masquerading is turned off. Unless I need a rule like andreacoppini mentioned. But I can only see this making a difference if it's internal.

andreacoppini
Trainer
Posts: 498
Joined: Wed Apr 13, 2005 11:51 pm
Location: Malta, Europe

Re: Routing with original source address

Thu May 28, 2009 4:29 pm

If your proxy server is not internal, then how will it be able to send the replies back to the internal clients?

The proxy server needs to have a route into your internal network. This can be done either by masquerading to the router's public IP (but then all requests will be coming from that single IP) or by setting a route on the external proxy back to your internal network.

You could also do one-to-one NAT, although that would defeat the scope of having a masquerade rule in the first place.

Chupaka
Forum Guru
Posts: 8689
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Routing with original source address

Thu May 28, 2009 4:32 pm

> Chupaka, are you referring to internal proxy servers (on the LAN) or to only external ones?
>
> I don't see how any http traffic would reach the external proxy server if masquerading is turned off. Unless I need a rule like andreacoppini mentioned. But I can only see this making a difference if it's internal.

if you are using external proxy, you cannot send packets with original client's IP address unless you are using public IP range. if you are using public IP range, you do not need masquerade =)

hilton
Long time Member
Posts: 634
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: Routing with original source address

Thu May 28, 2009 4:55 pm

So if I was trying to automatically redirect port 80 traffic on my LAN to another internal proxy server, I would add this rule BEFORE my normal masquerade rule?

src-address=your internal LAN
dst-protocol=tcp
dst-port=80
action=accept

This would effectively "accept" all traffic for port 80 and would then NOT change the source IP address and would then be redirected to my internal proxy by my second dst-nat rule?

When the proxy in turn redirects the request to the internet this traffic will be caught by the normal src-nat masquerade rule?

Am I making sense?

Chupaka
Forum Guru
Posts: 8689
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Routing with original source address

Fri May 29, 2009 12:51 am

something like this. it depends on your network structure

mudasir
Member Candidate
Topic Author
Posts: 278
Joined: Tue Apr 29, 2008 3:38 am
Location: Karachi, Pakistan

Re: Routing with original source address

Tue Jun 02, 2009 9:27 am

Hi,

Thanks to all, I have resolved my problem.
Thanks again.

ferdous
just joined
Posts: 19
Joined: Mon May 25, 2009 6:59 pm

Re: Routing with original source address

Sat Jun 06, 2009 4:17 pm

hi mudasir, how did u solve ur problem? will u plz post ur configuration?

mudasir
Member Candidate
Topic Author
Posts: 278
Joined: Tue Apr 29, 2008 3:38 am
Location: Karachi, Pakistan

Re: Routing with original source address

Sat Jun 06, 2009 4:40 pm

It's simple.

In mangle table just add a simple rule to accept traffic of port 80....
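
The approach worked out in this thread (policy-route port 80 to the proxy, and exempt that traffic from source NAT so the proxy sees and logs the real client address), written out as an added example that is not any poster's actual configuration. It assumes RouterOS 6-style syntax, LAN clients in 192.168.88.0/24 on bridge-lan, a proxy at 10.10.10.2 on a directly connected interface ether3, WAN on ether1, and a routing mark named to-proxy; every one of these values is a placeholder.

```routeros
# Added example. Addresses, interface names and the mark name are assumptions.
#   LAN clients : 192.168.88.0/24 on bridge-lan
#   proxy/cache : 10.10.10.2, directly connected on ether3
#   WAN         : ether1

# 1. Mark HTTP from LAN clients so it uses a separate routing table.
#    Matching on in-interface=bridge-lan keeps the proxy's own outbound
#    fetches (arriving on ether3) out of this rule, so they are not looped
#    back to the proxy.
/ip firewall mangle
add chain=prerouting in-interface=bridge-lan src-address=192.168.88.0/24 \
    protocol=tcp dst-port=80 action=mark-routing \
    new-routing-mark=to-proxy passthrough=no \
    comment="LAN HTTP -> proxy routing table"

# 2. Default route for the marked traffic: next hop is the proxy machine.
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.2 routing-mark=to-proxy \
    comment="marked HTTP goes via proxy"

# 3. Source NAT. Rules are evaluated top to bottom and the first match wins,
#    so the accept rule has to sit above masquerade. On a router that already
#    has a masquerade rule, move the accept rule above it.
#    Note: the protocol matcher is spelled protocol=tcp in RouterOS.
/ip firewall nat
add chain=srcnat src-address=192.168.88.0/24 protocol=tcp dst-port=80 \
    out-interface=ether3 action=accept \
    comment="no src-nat towards proxy: keep client IP"
add chain=srcnat out-interface=ether1 action=masquerade \
    comment="everything leaving via WAN is still masqueraded"

# 4. On the proxy itself (not RouterOS): it needs a route back to
#    192.168.88.0/24 via the router's ether3 address, otherwise replies to
#    un-NATed client addresses cannot be delivered. It must also be set up
#    to intercept traffic that is routed to it rather than addressed to it.
```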