Topic: (ask) MikroTik and external proxy (parallel topology)

Dear all (moderators, masters and fellow members),
Please help me, I've been tinkering with MikroTik + Squid (transparent) for 3 weeks now and still can't get it working.
Topology:

internet--modem--mikrotik-client
                               |
                               |
                             squid

MikroTik
eth1 (for LAN): 10.10.10.254/24
eth4 (for proxy): 10.10.12.254/24
eth3 internet
address list lan=10.10.10.0/24
address list proxy=10.10.12.0/24

openSUSE (squid):
eth0: 10.10.12.2/24 gw 10.10.12.254


NAT settings
9   ;;; nat untuk semua
     chain=srcnat action=masquerade out-interface=ether3

10   ;;; srcnat proxy
     chain=srcnat action=masquerade src-address-list=!proxy
     out-interface=ether4

11   chain=srcnat action=masquerade src-address-list=proxy

12 X ;;; dstnat ke proxy
     chain=dstnat action=dst-nat to-addresses=10.10.12.2 to-ports=3128
     protocol=tcp src-address-list=lan dst-address-list=!proxy dst-port=80

13 X chain=dstnat action=dst-nat to-addresses=10.10.12.2 to-ports=3128
     protocol=tcp src-address-list=lan dst-address-list=!proxy dst-port=8080

14 X chain=dstnat action=dst-nat to-addresses=10.10.12.2 to-ports=3128
     protocol=tcp src-address-list=lan dst-address-list=!proxy dst-port=3128

squid.conf

#hit proxy to mikrotik
#tcp_outgoing_tos 0x30 localnet
#zph_mode tos
#zph_local 0x30
#zph_parent 0
#zph_option 136


http_port 3128 transparent
icp_port 3130
udp_incoming_address 0.0.0.0
udp_outgoing_address 255.255.255.255


hierarchy_stoplist cgi-bin ? .js .jsp
acl QUERY urlpath_regex cgi-bin \? .js .jsp
no_cache deny QUERY


cache_mem 6 MB
cache_swap_high 100%
cache_swap_low 80%

#cache_swap_low 98
#cache_swap_high 99

max_filedesc 8192
maximum_object_size 700 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 512 bytes

ipcache_size 4096
ipcache_low 98
ipcache_high 99
fqdncache_size 4096
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF

cache_dir aufs /var/cache/squid 10000 36 256 
#cache_dir aufs /proxy2 16000 32 246
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log


cache_store_log none
pid_filename /var/run/squid.pid
dns_nameservers 127.0.0.1
dns_nameservers 202.134.1.10 202.134.1.155
cache_swap_log /var/log/squid/swap.state

emulate_httpd_log on
hosts_file /etc/hosts

refresh_pattern -i \.tar.gz$ 10080 90% 10080 override-expire override-lastmod reload-into-ims
refresh_pattern -i \.mp3$ 10080 90% 10080 override-expire override-lastmod reload-into-ims
refresh_pattern -i \.zip$ 10080 90% 10080 override-expire override-lastmod reload-into-ims
refresh_pattern -i \.png$ 10080 90% 10080 override-expire override-lastmod reload-into-ims
refresh_pattern -i \.gif$ 10080 90% 10080 override-expire override-lastmod reload-into-ims
refresh_pattern -i \.jpg$ 10080 90% 10080 override-expire override-lastmod reload-into-ims
refresh_pattern -i \.jpeg$ 10080 90% 10080 override-expire override-lastmod reload-into-ims
refresh_pattern -i \.swf$ 10080 90% 10080 override-expire override-lastmod reload-into-ims
refresh_pattern -i \.3gp$ 10080 90% 10080 override-expire override-lastmod reload-into-ims
refresh_pattern -i \.rm$ 10080 90% 10080 override-expire override-lastmod reload-into-ims
refresh_pattern -i \.wma$ 10080 90% 10080 override-expire override-lastmod reload-into-ims
refresh_pattern -i \.mpeg$ 10080 90% 10080 override-expire override-lastmod reload-into-ims
refresh_pattern -i \.(gif|jp?g|xbm|png|swf|bmp)$ 21600 90% 43200 override-expire override-lastmod reload-into-ims
refresh_pattern -i \.(mov|avi|qtm|mp?)$ 21600 90% 43200 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern -i \.(3gp|wmv|wma|mpg|mpeg|mpga|rm|rv|vgp)$ 21600 90% 43200 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern -i \.(zip|exe|gz|Z|lha|rar|arj)$ 21600 90% 43200 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern -i \.(hqx|pdf|rtf|doc|swf)$ 100000 500% 99000000 ignore-reload override-expire
refresh_pattern -i \.(inc|cab|ad|txt)$ 100000 500% 99000000 ignore-reload override-expire
refresh_pattern ^http://www.friendster.com/.* 720 100% 4320 override-expire override-lastmod reload-into-ims
refresh_pattern ^http://photos.friendster.com/.* 720 100% 4320 override-expire override-lastmod reload-into-ims
refresh_pattern ^http://images.friendster.com/.* 720 100% 4320 override-expire override-lastmod reload-into-ims
refresh_pattern ^http://mail.yahoo.com/.* 720 100% 4320
refresh_pattern ^http://mail1.plasa.com/.* 720 100% 4320
refresh_pattern ^http://*.yahoo.*/.* 720 100% 4320 override-expire override-lastmod reload-into-ims
refresh_pattern ^http://*.google.*/.* 720 100% 4320
refresh_pattern ^http://*.friendster.*/.* 720 100% 4320 override-expire override-lastmod reload-into-ims
refresh_pattern ^http://pb.gemscool.com/.* 720 100% 4320 override-expire override-lastmod reload-into-ims
refresh_pattern ^http://www.facebook.com/.* 720 100% 4320 override-expire override-lastmod reload-into-ims
refresh_pattern ^http://kaskus.us/.* 720 100% 4320 override-expire override-lastmod reload-into-ims
refresh_pattern ^http://perfectworld.lytogame.com/.* 720 100% 4320 override-expire override-lastmod reload-into-ims
refresh_pattern ^http://seal.lytogame.com/.* 720 100% 4320 override-expire override-lastmod reload-into-ims
refresh_pattern ^http://*.indowebster.*/.* 720 100% 4320
refresh_pattern ^http://*.4shared.*/.* 720 100% 4320
refresh_pattern ^http://www.yahoo.com/.* 720 100% 4320
refresh_pattern ^http://*.yimg.*/.* 720 100% 4320
refresh_pattern ^http://*.boleh.*/.* 720 100% 4320
refresh_pattern ^http://*.detik.*/.* 180 100% 4320
refresh_pattern ^http://*.detikinet.*/.* 180 100% 4320
refresh_pattern ^http://*.detikhot.*/.* 180 100% 4320
refresh_pattern ^http://*.detiportal.*/.* 180 100% 4320
refresh_pattern ^http://*.kompas.*/.* 180 100% 4320
refresh_pattern ^http://*.facebook.*/.* 720 100% 4320
refresh_pattern ^http://*.texas_holdem.*/.* 720 100% 4320
refresh_pattern ^http://*.zynga.com.*/.* 720 100% 4320
refresh_pattern ^http://*.kapanlagi.*/.* 720 100% 4320
refresh_pattern ^http://*.google-analytics.*/.* 720 100% 4320
refresh_pattern ^ftp: 100080 95% 2419200 reload-into-ims override-lastmod
refresh_pattern . 180 95% 120960 reload-into-ims override-lastmod
                           

quick_abort_max 0                           
#quick_abort_pct 98                           
quick_abort_pct 0
shutdown_lifetime 10 seconds

negative_ttl 1 minutes
half_closed_clients off

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563              # https, snews
acl SSL_ports port 873                  # rsync
acl Safe_ports port 80                  # http
acl Safe_ports port 21                  # ftp
acl Safe_ports port 443 563             # https, snews
acl Safe_ports port 70                  # gopher
acl Safe_ports port 210                 # wais
acl Safe_ports port 1025-65535          # unregistered ports
acl Safe_ports port 280                 # http-mgmt
acl Safe_ports port 488                 # gss-http
acl Safe_ports port 591                 # filemaker
acl Safe_ports port 777                 # multiling http
acl Safe_ports port 631                 # cups
acl Safe_ports port 873                 # rsync
acl Safe_ports port 901                 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

##############################
# SNMP
snmp_port 3401
acl snmpsquid snmp_community public
snmp_access allow snmpsquid localhost
snmp_access deny all

acl ipnet src 10.10.10.0/24 ## adjust to your network
acl proxy src 10.10.12.0/24  ## adjust to your network
http_access allow ipnet
http_access allow proxy
http_access deny all
http_reply_access allow all
icp_access deny all
always_direct deny all

cache_mgr nobody@anakmedan.info
visible_hostname http://www.anakmedan.info
half_closed_clients off
cache_effective_user squid
cache_effective_group squid
#coredump_dir /cache1
shutdown_lifetime 10 seconds
logfile_rotate 14

request_body_max_size 1048 KB
error_directory /usr/share/squid/errors/English
server_http11 on
memory_pools off
log_icp_queries off
icp_hit_stale on
query_icmp on
reload_into_ims on
server_http11 on


Question:
Clients can't browse the internet when port 80 is redirected to Squid, i.e. Squid isn't receiving requests from MikroTik even though Squid's status is ready.

Please help, I'm a newbie...

Re: (ask) MikroTik and external proxy (parallel topology)

I've already followed the tutorial at http://opensource.telkomspeedy.com/foru … p?id=14946 but it still doesn't work.... please help......

Re: (ask) MikroTik and external proxy (parallel topology)

As additional information: ping from the client to the proxy and from the proxy to the client both get replies, and when NAT rules 12 to 14 are disabled, clients on 10.10.10.0/24 can access the internet. My analysis is that something is wrong on the Squid side.. please enlighten me, guys.. thanks

Re: (ask) MikroTik and external proxy (parallel topology)

Hello ebilma :)

internet--modem--mikrotik-client
                               |
                               |
                             squid

Let me try to help; please correct me if something is off:
On the router, rules 10, 11, 13 and 14 seem unnecessary because they overlap.
For rule 12, try adding in-interface=LAN.

Sorry, I haven't checked the Squid side yet :)

God willing, HTH.

Re: (ask) MikroTik and external proxy (parallel topology)

Thanks for the input, bro.. I've added it. Latest status: still not working..

Re: (ask) MikroTik and external proxy (parallel topology)

Hello ebilma :)

How is it not working? :)
Can you tell me what the error is?

7 (edited by ebilma2 19-04-2011 13:21:10)

Re: (ask) MikroTik and external proxy (parallel topology)

Still not working, bro...
The logic is that I use NAT to redirect port 80 to Squid.. I'm using an external Squid. But when I use NAT to redirect, the clients can't browse at all, even though Squid is ready. And when I check access.log and cache.log there is no change at all...
My analysis: Squid is not receiving requests from the clients.... data is not being cached on Squid

Re: (ask) MikroTik and external proxy (parallel topology)

Sorry, I don't remember the MikroTik commands well,
but hopefully this iptables command can serve as a reference:

iptables -t nat -I PREROUTING -i LAN -s IP_LAN -p tcp --dport 80 -j DNAT --to-destination IP_PROXY

For a simple redirect/LAN, God willing, that alone is actually enough; it seems no other rules are needed except NAT MASQUERADE for the WAN interface (not SNAT; there is a slight difference between the two).

For Squid, try checking ps -Af|grep squid ---> don't rely on access.log, and just make sure the whole Squid configuration is OK :)

God willing, HTH.

Re: (ask) MikroTik and external proxy (parallel topology)

I've already used it like this
iptables -t nat -I PREROUTING -i eth0 -s 10.10.10.0/24 -p tcp --dport 80 -j DNAT --to-destination 10.10.12.2  ....
and on MikroTik I use
chain=dstnat action=dst-nat to-addresses=10.10.12.2 to-ports=3128
     protocol=tcp src-address-list=lan dst-address-list=!proxy dst-port=80

No effect on the client computers 10.10.10.0/24.. they still can't browse.. but if I browse from the proxy computer, IP 10.10.12.2, there is activity in access.log (data gets cached)... btw.. thanks for replying...

Re: (ask) MikroTik and external proxy (parallel topology)

This one - on the Squid box?

iptables -t nat -I PREROUTING -i eth0 -s 10.10.10.0/24 -p tcp --dport 80 -j DNAT --to-destination 10.10.12.2  ....

Actually there is no need for another redirection on the Squid box :)
but if you want to apply one too, God willing, it does no harm :)

Try changing it to:

iptables -t nat -I PREROUTING -i LAN -p tcp --dport 80 -j REDIRECT --to-ports 3128


Then for the Squid configuration (if without the iptables rule above):

http_port 3128 transparent

try changing the port to 80 :)

Sorry, I forgot; I only just noticed that the redirection goes to port 80, not to 3128 :)

[admin@r1] > /ip firewall nat add chain=dstnat in-interface=LAN dst-address=0.0.0.0/0 protocol=tcp dst-port=80 action=dst-nat to-addresses=10.10.12.2

God willing, HTH.

Re: (ask) MikroTik and external proxy (parallel topology)

Sorry, I forgot; I only just noticed that the redirection goes to port 80, not to 3128 :)

[admin@r1] > /ip firewall nat add chain=dstnat in-interface=LAN dst-address=0.0.0.0/0 protocol=tcp dst-port=80 action=dst-nat to-addresses=10.10.12.2

God willing, HTH.

What do you mean, bro?? Do I replace port 3128 with 80??

Re: (ask) MikroTik and external proxy (parallel topology)

Hello ebilma :)

What do you mean, bro?? Do I replace port 3128 with 80??

:) No, I just overlooked the order earlier :)

Hmm, sorry, these are the results of a test in the lab; the topology is a little different, but hopefully the config is the same (sorry, not meaning to boast, but rewiring the lab is quite a hassle because there are too many cables):

                                       [internet]
                                              |
[r1]---10.10.2.0/24---[r4]---10.10.3.0/24---[r5]
 |                                             |
LAN 10.10.1.0/24                       PROXY 10.10.4.2/24

On r1:

[admin@r1] > /ip firewall nat print 
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=dstnat action=dst-nat to-addresses=10.10.4.2 protocol=tcp src-address=10.10.1.0/24 dst-address=0.0.0.0/0 in-interface=ether5 
     dst-port=80 

On r5:

[admin@r5] > /ip firewall nat print 
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=srcnat action=masquerade out-interface=ether1 

On the proxy:

sudo iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 678 packets, 65033 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    1    60 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 3128 

In /etc/squid3/squid.conf:

http_port 3128 transparent
acl mynet src 10.10.1.0/24
http_access allow mynet

ps -Af|grep squid
root     11663     1  0 17:26 ?        00:00:00 /usr/sbin/squid3 -D -YC -f /etc/squid3/squid.conf
proxy    11666 11663  0 17:26 ?        00:00:00 (squid) -D -YC -f /etc/squid3/squid.conf

Result:

wget http://repo/iso/centos/5.6/isos/i386/CentOS-5.6-i386-LiveCD.iso
--2011-04-19 17:51:14--  http://repo/iso/centos/5.6/isos/i386/CentOS-5.6-i386-LiveCD.iso
Resolving repo... a.b.c.d, 2403:da00:1:3::1e
Connecting to repo|a.b.c.d|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 726630400 (693M) [application/octet-stream]
Saving to: `CentOS-5.6-i386-LiveCD.iso'

 0% [                                                                                                  ] 7,086,275   59.9K/s  eta 3h 15m  

sudo tail /var/log/squid3/access.log 
1303210338.478 121478 10.10.1.2 TCP_MISS/200 7086720 GET http://repo/iso/centos/5.6/isos/i386/CentOS-5.6-i386-LiveCD.iso - DIRECT/a.b.c.d application/octet-stream

God willing, HTH :)

Re: (ask) MikroTik and external proxy (parallel topology)

Bro... where do ether1 and ether5 point to?? Thanks for the input, bro.. I'll continue tomorrow, it's time to go home from the office.. my head is spinning heheheh. Hopefully it'll work tomorrow.. nice share, bro.. GBU

Re: (ask) MikroTik and external proxy (parallel topology)

Dear bro abdi...
I've changed the NAT and masquerade to match yours, mas abdi

19   chain=dstnat action=dst-nat to-addresses=10.10.12.2 to-ports=3128
     protocol=tcp src-address=10.10.10.0/24 dst-address=0.0.0.0/0
     in-interface=ether4 dst-port=80

20   chain=srcnat action=masquerade out-interface=ether3

ether3 = public/internet
ether4 = proxy

Latest status: clients on 10.10.10.0/24 can browse now, but there is still no activity in the access log, i.e. nothing is being cached yet...
And on the proxy, sudo iptables -t nat -nvL
shows no activity yet....

Re: (ask) MikroTik and external proxy (parallel topology)

Mas, after I added this iptables rule
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

iptables -t nat -nvL now shows activity similar to yours, mas abdi.. but access.log still shows nothing being cached...

16 (edited by abdi_wae 20-04-2011 14:31:59)

Re: (ask) MikroTik and external proxy (parallel topology)

@ebilma :)

Sorry, I forgot to answer this morning :)

where do ether1 and ether5 point to??

ether5 to the LAN, (edit: sorry, I forgot)
ether1 to the internet :)

19   chain=dstnat action=dst-nat to-addresses=10.10.12.2 to-ports=3128
     protocol=tcp src-address=10.10.10.0/24 dst-address=0.0.0.0/0
     in-interface=ether4 dst-port=80
---> make sure the in-interface here is the port to the LAN, not the one to the proxy

20   chain=srcnat action=masquerade out-interface=ether3

ether3 = public/internet
ether4 = proxy

Don't change the interface toward the proxy; only the interface from the LAN, and the one to the internet :)

iptables -t nat -nvL now shows activity similar to yours, mas abdi.. but access.log still shows nothing being cached...

What do you mean? :) Can I see the output of ls -lh access.log? and tail access.log?

God willing, HTH.

Re: (ask) MikroTik and external proxy (parallel topology)

With in-interface pointing to the LAN... the clients can't browse..

Re: (ask) MikroTik and external proxy (parallel topology)

Dear mas abdi
I've changed the NAT
19   chain=dstnat action=dst-nat to-addresses=10.10.12.2 to-ports=3128
     protocol=tcp src-address=10.10.10.0/24 dst-address=0.0.0.0/0
     in-interface=ether1 dst-port=80

20   chain=srcnat action=masquerade out-interface=ether3

ether1=lan
ether2=internet/public

On the proxy:
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

ls -lh /var/log/squid/access.log
-rw-r----- 1 squid nogroup 452K 2011-04-19 15:49 /var/log/squid/access.log

nano /var/log/squid/access.log
10.10.12.2 - - [20/Apr/2011:14:26:24 +0800] "GET http://bcp.crwdcntrl.net/px? H$
10.10.12.2 - - [20/Apr/2011:14:26:24 +0800] "GET http://i1.goal.com/web/goal/20$
10.10.12.2 - - [20/Apr/2011:14:26:25 +0800] "GET http://ad.doubleclick.net/acti$
10.10.12.2 - - [20/Apr/2011:14:26:26 +0800] "GET http://tap.rubiconproject.com/$
10.10.12.2 - - [20/Apr/2011:14:26:26 +0800] "GET http://i1.goal.com/web/goal/20$
10.10.12.2 - - [20/Apr/2011:14:26:30 +0800] "GET http://p.brilig.com/contact/bc$
10.10.12.2 - - [20/Apr/2011:14:26:30 +0800] "GET http://ib.adnxs.com/seg? HTTP/$
10.10.12.2 - - [20/Apr/2011:14:26:30 +0800] "GET http://osmdcs.interclick.com/p$
10.10.12.2 - - [20/Apr/2011:14:26:36 +0800] "GET http://view.atdmt.com/iaction/$
10.10.12.2 - - [20/Apr/2011:14:29:03 +0800] "GET http://www.goal.com/en/betting$

Note: IP 10.10.12.2 is the external proxy's IP. When the browser on the external proxy is configured with a proxy setting pointing to 10.10.12.2:3128, access.log shows data being cached, but clients on 10.10.10.0/24 still can't browse
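The access.log excerpt above only ever shows the proxy host 10.10.12.2 as the client, which is the clue abdi asked for with ls -lh/tail. The following script is an added example, not code from the thread: it parses access.log lines in both formats that appear in this thread (Apache-style from `emulate_httpd_log on`, and Squid's native format) and reports whether any request from the LAN subnet 10.10.10.0/24 actually reached Squid, or only requests from the proxy box itself. The log lines embedded in it are constructed, not copied from the thread.

```python
"""Check from squid access.log whether redirected LAN clients actually reach Squid."""
import ipaddress
import re
from collections import Counter

# With emulate_httpd_log on, Squid 2.x writes Apache common log format (client IP first).
HTTPD_RE = re.compile(r'^(\S+)\s+\S+\s+\S+\s+\[[^\]]+\]\s+"(\S+)\s+(\S+)')
# Squid native format: timestamp elapsed client result/status bytes method URL ...
NATIVE_RE = re.compile(r'^\d+\.\d+\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+(\S+)\s+(\S+)')

# Constructed sample lines (not from the thread): two requests made from the proxy
# host itself in httpd format, plus one native-format line from a LAN client.
SAMPLE_LOG = [
    '10.10.12.2 - - [20/Apr/2011:14:26:24 +0800] "GET http://example.test/px HTTP/1.1" 200 512 TCP_MISS:DIRECT',
    '10.10.12.2 - - [20/Apr/2011:14:26:25 +0800] "GET http://example.test/a.js HTTP/1.1" 200 901 TCP_HIT:NONE',
    '1303210338.478    121 10.10.10.7 TCP_MISS/200 7086 GET http://example.test/index.html - DIRECT/192.0.2.10 text/html',
]

def parse_line(line):
    """Return (client_ip, result_code_or_None, url), or None for unrecognised lines."""
    m = HTTPD_RE.match(line)
    if m:
        return m.group(1), None, m.group(3)
    m = NATIVE_RE.match(line)
    if m:
        return m.group(1), m.group(2), m.group(4)
    return None

def summarise(lines, lan_net="10.10.10.0/24", proxy_ip="10.10.12.2"):
    """Count requests per source and split them into LAN clients vs the proxy host."""
    lan = ipaddress.ip_network(lan_net)
    proxy = ipaddress.ip_address(proxy_ip)
    per_source = Counter()
    lan_requests = proxy_local = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip = ipaddress.ip_address(parsed[0])
        per_source[str(ip)] += 1
        if ip in lan:
            lan_requests += 1
        elif ip == proxy:
            proxy_local += 1
    return {"per_source": dict(per_source),
            "lan_requests": lan_requests, "proxy_local_requests": proxy_local}

def diagnose(summary):
    """Turn the counts into the verdict the thread was looking for."""
    if summary["lan_requests"] > 0:
        return "ok: redirected LAN traffic reaches Squid"
    if summary["proxy_local_requests"] > 0:
        return "only the proxy host reaches Squid: check dst-nat in-interface and the REDIRECT rule"
    return "no requests logged at all: check that Squid is running and its http_port"

if __name__ == "__main__":
    full = summarise(SAMPLE_LOG)
    print(full["per_source"], "->", diagnose(full))
    print(diagnose(summarise(SAMPLE_LOG[:2])))  # the situation in the log excerpt above
```

Run it against the real file with `summarise(open("/var/log/squid/access.log"))`; a result of only 10.10.12.2 entries means the router is not handing client traffic to the proxy at all, regardless of how Squid is configured.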

Re: (ask) MikroTik and external proxy (parallel topology)

@ebilma :)

19   chain=dstnat action=dst-nat to-addresses=10.10.12.2 to-ports=3128
     protocol=tcp src-address=10.10.10.0/24 dst-address=0.0.0.0/0
     in-interface=ether1 dst-port=80

Just drop the to-ports :)

20   chain=srcnat action=masquerade out-interface=ether3 ---> which one is right here, which interface goes to the internet? :)

Now:

ether1=lan
ether2=internet/public

Before:

20   chain=srcnat action=masquerade out-interface=ether3

ether3 = public/internet
ether4 = proxy

---

With in-interface pointing to the LAN... the clients can't browse..

Yes, God willing, once the configuration has been matched to mine (with no firewall etc. getting in the way), hopefully it will work :) please just try it first :)

OK, I think that's all from me for now :)

God willing, HTH.

Re: (ask) MikroTik and external proxy (parallel topology)

Thanks, mas, for the input and guidance...