
Tuesday, January 1, 2013

Mikrotik with External Pfsense SQUID Proxy, with Original Source Client IP





1. Topology 
2. Pfsense Setting

 0   192.168.0.3/24     gw 192.168.0.1     wan
 1   192.168.1.2/24     gw 192.168.1.1     lan

Note
After installing pfSense with two interfaces (em0 and em1):
set the IP address of em0 (WAN) to 192.168.0.3 and add the gateway 192.168.0.1 (the modem IP);
set the IP address of em1 (LAN) to 192.168.1.2, then under System -> Routing add a gateway with IP 192.168.1.1 (this is the Mikrotik address on its proxy interface, configured later).

Then go to Firewall: Rules: LAN. It is probably already configured by the pfSense installation; make sure the "LAN subnet" allow rule (LAN to any) is present, as in the picture below.
Then go to Services: Proxy server: Access control and make sure the subnets 192.168.1.0/24 and 192.168.2.0/28 are allowed through the proxy.
3. Mikrotik Setting

 0   192.168.0.2/24     192.168.0.0     wan
 1   192.168.2.1/28     192.168.2.0     lan
 2   192.168.1.1/24     192.168.1.0     proxy

# Set DNS



# Set firewall NAT

/ip firewall nat
# Accept all TCP port 80: this traffic is not masqueraded with the Mikrotik IP
add chain=srcnat action=accept protocol=tcp dst-port=80
# All other outgoing traffic is masqueraded
add chain=srcnat action=masquerade out-interface=wan

# Set firewall mangle

/ip firewall mangle
# Mark packets arriving with DSCP 12 (the cache-hit marking from Squid) as proxy-hit
add chain=prerouting action=mark-packet new-packet-mark=proxy-hit passthrough=no dscp=12
# Mark routing to the external proxy for web traffic from the LAN clients
add chain=prerouting action=mark-routing new-routing-mark=to-ext-proxy passthrough=yes protocol=tcp src-address=192.168.2.0/28 dst-port=80

Then create the route to the external proxy, as in the picture below:
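The route shown in the screenshot is not reproduced in the text, so here is an added example (not the author's configuration) of the policy route the mangle mark above needs: packets carrying the to-ext-proxy routing mark are sent to pfSense's LAN address. It assumes pfSense LAN = 192.168.1.2 and the mark name from the mangle rule; the syntax is RouterOS v6 (v7 uses routing-table= instead of routing-mark=). The print commands at the end are assumed checks, not part of the setup.

```routeros
# Added example: policy route for the to-ext-proxy routing mark (assumes pfSense LAN = 192.168.1.2)
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.2 routing-mark=to-ext-proxy \
    check-gateway=ping comment="web traffic to external squid on pfsense"

# Assumed checks: the route must be reachable and the mangle rule counters must increase
# when a LAN client browses; if the mark-routing counter stays at 0 the traffic is not
# reaching the proxy and is being masqueraded out the WAN instead.
/ip route print where routing-mark=to-ext-proxy
/ip firewall mangle print stats
```

Because the client source address is kept (the srcnat accept rule for port 80 above), pfSense needs a return path to 192.168.2.0/28 through 192.168.1.1, which is the gateway added under System -> Routing in the pfSense section; without it Squid's replies have nowhere to go.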



Now Squid shows the original client IP in its requests instead of the Mikrotik IP.



#update

Someone asked me why they can't access the internet from the LAN, why they can't remote into the pfSense (I assume remoting with PuTTY on port 22), why they can't access the pfSense web GUI from the LAN net, etc.

For these similar questions I will explain, because they come from some misconfigurations. Remember your pfSense is behind the Mikrotik, so you must tell the Mikrotik not to masquerade the pfSense, because it is on the local net.


OK, let's do it:


#mikrotik

Add some internal network IPs at [IP -> Firewall -> Address List]; for this setup they are:

intern = 192.168.0.2   this is the WAN (modem side)
intern = 192.168.2.1   this is the Mikrotik LAN
intern = 192.168.1.1   this is the LAN on the pfSense proxy side

The script below tells the Mikrotik not to masquerade that local range, which we call the "intern" address list, assuming only destination port 80 (web GUI) and 22 (SSH: PuTTY etc.) and out-interface lan (Mikrotik):

add chain=srcnat action=accept protocol=tcp dst-address-list=!intern out-interface=lan dst-port=80,22

add chain=srcnat action=masquerade out-interface=wan

Then all connections to the internet are masqueraded with out-interface wan (Mikrotik).
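The address list is only described in prose above, and srcnat rules are evaluated top to bottom, so here is an added example (not the author's configuration) that creates the "intern" list with the three addresses from the post and places the accept rules above the masquerade rule. The comments and the final print command are assumptions added for illustration; the rules themselves are the ones given in the post.

```routeros
# Added example: address list from the post, then the srcnat chain in evaluation order
/ip firewall address-list
add list=intern address=192.168.0.2 comment="mikrotik wan (modem side)"
add list=intern address=192.168.2.1 comment="mikrotik lan"
add list=intern address=192.168.1.1 comment="mikrotik proxy side (gateway for pfsense)"

/ip firewall nat
# web traffic that is policy-routed to the external proxy keeps the client IP
add chain=srcnat action=accept protocol=tcp dst-port=80 comment="no NAT for proxied web"
# the post's rule for reaching the GUI (80) and SSH (22) without masquerade
add chain=srcnat action=accept protocol=tcp dst-address-list=!intern out-interface=lan dst-port=80,22
# everything else leaving the WAN gets the router's WAN address; this must stay LAST
add chain=srcnat action=masquerade out-interface=wan

# Assumed check: the masquerade rule must be the last srcnat rule, and the stats show
# which rule a connection matched; a GUI/SSH connection counted on the masquerade
# rule means an accept rule was added below it (fix with move or place-before).
/ip firewall nat print stats
```

If the masquerade rule already exists from the first part of the post, add the new accept rule with place-before= pointing at the masquerade rule's number, otherwise it is appended after it and never matches.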

Even though the Mikrotik already forwards your requests to pfSense, we must also tell pfSense that 192.168.2.1 to 192.168.2.n is not an intruder, or pfSense will reject your requests because that is not its own LAN range 192.168.1.n (not the same subnet).


#pfsense

[Firewall -> Rules -> LAN]: add a rule saying source 192.168.2.0/28 (the clients behind the Mikrotik) is allowed to use your gateway.

Now the pfSense firewall will pass the requests, but we still have a problem: if you have Squid (or another proxy such as Lusca) installed, it also still treats you as an intruder. So we simply tell Squid we are not.


[Services -> Proxy server -> Access control]: Allowed subnets 192.168.2.0/28


That's all folks, that's it. Hope you got it.

Proxy report using LightSquid (screenshot)