Mikrotik and Squid = Transparent Proxy

Transparent proxies are widely used in business networks, and home networks can use them as well.

Thanks to this kind of server we can monitor a lot of metadata and valuable information about the client network, and also prevent many virus infections.

Let's assume that our server ( has Ubuntu or Debian installed on it and the LAN network is

#install squid
apt-get install squid3

# let's make our own squid config file
mv /etc/squid3/squid.conf /etc/squid3/squid.conf.bak
vim /etc/squid3/squid.conf
### beginning of squid.conf ###
debug_options ALL,1
acl localnet src
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port intercept
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern .               0       20%     4320

cache_dir /data/cache 100 16 256
cache_log /var/log/squid3/cache.log
cache_mem 16 MB
cache_mgr webmaster
cache_replacement_policy lru
cache_store_log /var/log/squid3/store.log
cache_swap_high 95
cache_swap_low 90
client_lifetime 1 days
connect_timeout 2 minutes
error_directory /usr/share/squid3/errors/en
ftp_passive on
maximum_object_size 4096 KB
memory_replacement_policy lru
### end squid.conf ###
service squid3 restart   # the package installed above is squid3, so the service name is squid3

On the server there is also a software firewall (iptables), which we will use to redirect connections using the commands below:

iptables -t nat -A PREROUTING -s -p tcp --dport 80 -j ACCEPT                 # the proxy host's own web traffic is not redirected
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128   # everyone else's port 80 goes to Squid's intercept port
iptables -t nat -A POSTROUTING -j MASQUERADE                                # NAT the forwarded traffic on the way out
iptables -t mangle -A PREROUTING -p tcp --dport 3128 -j DROP                # refuse direct (non-redirected) connections to the proxy port

Next, on the Mikrotik router we will add firewall rules to forward the chosen clients (listed in the SQUID_CLIENTS address list) to the server with the Squid proxy:

/ip firewall mangle
add chain=prerouting comment=squid dst-port=80 protocol=tcp src-address=
add action=mark-routing chain=prerouting dst-port=80 in-interface=ether3 new-routing-mark=2 protocol=tcp src-address-list=SQUID_CLIENTS
add chain=prerouting routing-mark=2

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=

/ip route
add distance=1 gateway= routing-mark=2

This completes the configuration of a proxy server that captures web traffic without any configuration on the client side.
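Once port 80 traffic is being redirected, the monitoring mentioned at the start happens in Squid's access log (assumed here to be /var/log/squid3/access.log, the default for this package). As an added example that is not part of the original post, this Python script parses Squid's native log format over constructed sample lines and reports bytes per client, denied requests and executable downloads:

```python
"""Summarise Squid native-format access.log lines (added example, not from the post)."""
from collections import defaultdict
import re

# Squid native format: time.ms elapsed client result/status bytes method url user hier/peer type
NATIVE_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample lines (not real traffic), in the shape Squid writes them.
SAMPLE_LOG = """\
1451606400.123    245 192.168.88.10 TCP_MISS/200 4523 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1451606401.001     12 192.168.88.10 TCP_HIT/200 1200 GET http://example.com/logo.png - NONE/- image/png
1451606402.456      0 192.168.88.11 TCP_DENIED/403 3921 CONNECT example.net:8443 - HIER_NONE/- text/html
1451606403.789    980 192.168.88.11 TCP_MISS/200 734512 GET http://example.org/update.exe - HIER_DIRECT/93.184.216.34 application/x-msdownload
garbled line that does not match the format
"""

def parse_line(line):
    """Return a dict of fields for one access.log line, or None if it does not parse."""
    m = NATIVE_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    rec["status"] = int(rec["status"])
    return rec

def summarise(log_text):
    """Per-client byte totals, denied requests, executable downloads and unparsed line count."""
    bytes_per_client = defaultdict(int)
    denied, executables, unparsed = [], [], 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # malformed lines are counted, not silently dropped
            continue
        bytes_per_client[rec["client"]] += rec["bytes"]
        if rec["result"] == "TCP_DENIED":
            denied.append((rec["client"], rec["method"], rec["url"]))
        if rec["ctype"] == "application/x-msdownload" or rec["url"].lower().endswith(".exe"):
            executables.append((rec["client"], rec["url"]))
    return {"bytes": dict(bytes_per_client), "denied": denied,
            "executables": executables, "unparsed": unparsed}

if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```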

5 thoughts on “Mikrotik and Squid = Transparent Proxy”

    1. squid is
      netmask is or /24
      gateway is
      any other client gets its IP from DHCP on the network

      To be honest, there is not much more to know; the most important thing is the Squid IP to forward traffic to.

      The only other important thing is to add the client IP that you want to push through Squid to the Mikrotik SQUID_CLIENTS address list.

      1. Thank you so much, I can track HTTP traffic now, but the problem is that this doesn't help in logging HTTPS traffic. Please post a solution for it.

        1. You would need to install a certificate on your machine and set up an HTTPS proxy that would talk with the page you want to sniff. Also, HTTPS was made so that sniffing is very hard without access to the machine you want to sniff. But if you came up with some solution.

          1. I have generated a self-signed certificate and tried to configure the proxy, but was not able to do so. If you can provide some guide or link, I would really appreciate it.
