Mangle HTTP and HTTPS Traffic and Prepare for Re-Routing

Remember that all workstations in our network have our router, IP address 10.0.0.1, set as their default gateway. So when a browser running on any workstation makes an HTTP (or HTTPS) connection to a web server on the Internet, the traffic from that workstation to port 80 (or 443) is actually sent to our router. We need to re-route that traffic to a separate proxy box running at 10.0.0.10.

Re-routing the traffic is a two-step process. First we mark the packets going to port 80 (or 443), then we re-route those marked packets through the proxy box. Open Winbox / IP / Firewall and select the Mangle table as shown on the following screenshot. Please note that the Mangle table is initially empty.

[Screenshot: mangle_table_initial.png]

We will need to add five rules to the Mangle table. The first two rules simply accept any traffic from the proxy box to ports 80 and 443 without marking it. Then we add two more rules that mark the traffic from any workstation to ports 80 and 443. Finally, the fifth rule accepts that marked traffic. This final step is mandatory to let the router re-route the marked traffic to the proxy box.

Rule 1. Accept HTTP traffic from proxy box

Click + (Add) and fill in the following information in the popup dialog box, as shown on the screenshot below.

Setting        Value
Chain          prerouting
Src Address    10.0.0.10
Protocol       6 (TCP)
Dst. port      80
In interface   ether2

[Screenshot: proxy_accept_80.png]

After you click OK the new rule is added to the Mangle table. Please note that the rule was added with the default action of Accept.

Rule 2. Accept HTTPS traffic from proxy box

Click + (Add) and fill in the following information in the popup dialog box, as shown on the screenshot below.

Setting        Value
Chain          prerouting
Src Address    10.0.0.10
Protocol       6 (TCP)
Dst. port      443
In interface   ether2

[Screenshot: proxy_accept_443.png]

After you click OK the new rule is added to the Mangle table. Note that, again, this rule was added with the default action of Accept. The rule is positioned after the first rule.

Rule 3. Mark Traffic to Port 80

To be able to mark the traffic we first need to add a new routing table. Open Winbox / Routing / Tables as shown on the following screenshot. Click + (Add) and name the table to_proxy.

[Screenshot: add_routing_table.png]

Now go back to Winbox / IP / Firewall and select the Mangle table again. Click + (Add) and fill in the following information in the popup dialog box, on the General tab.

Setting        Value
Chain          prerouting
Src Address    10.0.0.0/24
Protocol       6 (TCP)
Dst. port      80
In interface   ether2

[Screenshot: lan_mark_general_80.png]

Switch to the Action tab and fill in the following.

Setting            Value
Action             Mark routing
New Routing Mark   to_proxy

[Screenshot: lan_mark_action_80.png]

After you click OK the new rule is added to the Mangle table. Note that, again, the rule is positioned after the second rule.

Note

This rule translates into plain language as: put a ‘to_proxy’ mark on all traffic from within our LAN that enters the router through NIC ether2 and is destined to port 80, aka HTTP.

Rule 4. Mark Traffic to Port 443

Click + (Add) and fill in the following information in the popup dialog box, on the General tab.

Setting        Value
Chain          prerouting
Src Address    10.0.0.0/24
Protocol       6 (TCP)
Dst. port      443
In interface   ether2

[Screenshot: lan_mark_general_443.png]

Switch to the Action tab and fill in the following.

Setting            Value
Action             Mark routing
New Routing Mark   to_proxy (select it from the drop-down box)

[Screenshot: lan_mark_action_443.png]

After you click OK the new rule is added to the Mangle table. Note that, again, the rule is positioned after the third rule.

Note

This rule translates into plain language as: put a ‘to_proxy’ mark on all traffic from within our LAN that enters the router through NIC ether2 and is destined to port 443, aka HTTPS.

Rule 5. Accept Marked Packets

Finally, we add the fifth rule to accept the marked traffic. This rule is mandatory to let the router re-route the marked traffic to the proxy box. So, click + (Add) and fill in the following information in the popup dialog box, on the General tab.

Setting        Value
Chain          prerouting
In interface   ether2
Routing Mark   to_proxy

[Screenshot: lan_accept_marked.png]

After you click OK this final rule is added to the Mangle table as the last rule. Please note that the rule was added with the default action of Accept.
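The same routing table and five Mangle rules can be entered from the RouterOS terminal instead of clicking through Winbox. The script below is an added example and not part of the original page; it assumes RouterOS v7 (where routing tables live under /routing/table, matching the Winbox / Routing / Tables path above) and reuses the LAN range, proxy address and interface name from this page. The comment= strings are mine, chosen to match the rule numbering used here. The route inside the to_proxy table that actually delivers marked packets to 10.0.0.10 belongs to a later step and is not shown.

```routeros
# Added example, not from the original page: the Winbox steps above as RouterOS v7 terminal commands.
# Assumed from the page: LAN interface ether2, LAN 10.0.0.0/24, proxy box 10.0.0.10.

# Routing table referenced by the mark. The "fib" flag makes it a real forwarding table;
# without it the mark can be set but no route lookup is done in to_proxy.
/routing table add name=to_proxy fib

# Rules 1-2: the proxy's own outbound HTTP/HTTPS passes through unmarked. These must stay
# above rules 3-4 because 10.0.0.10 also matches the 10.0.0.0/24 source range below.
/ip firewall mangle add chain=prerouting action=accept src-address=10.0.0.10 protocol=tcp dst-port=80 in-interface=ether2 comment="Rule 1: accept HTTP from proxy"
/ip firewall mangle add chain=prerouting action=accept src-address=10.0.0.10 protocol=tcp dst-port=443 in-interface=ether2 comment="Rule 2: accept HTTPS from proxy"

# Rules 3-4: put the to_proxy routing mark on LAN traffic to ports 80/443.
# passthrough=yes (the default) lets the packet continue down the chain to rule 5.
/ip firewall mangle add chain=prerouting action=mark-routing new-routing-mark=to_proxy passthrough=yes src-address=10.0.0.0/24 protocol=tcp dst-port=80 in-interface=ether2 comment="Rule 3: mark LAN HTTP"
/ip firewall mangle add chain=prerouting action=mark-routing new-routing-mark=to_proxy passthrough=yes src-address=10.0.0.0/24 protocol=tcp dst-port=443 in-interface=ether2 comment="Rule 4: mark LAN HTTPS"

# Rule 5: accept the marked packets.
/ip firewall mangle add chain=prerouting action=accept in-interface=ether2 routing-mark=to_proxy comment="Rule 5: accept marked"

# Checks: confirm the rule order, then watch the packet counters while a workstation browses.
/ip firewall mangle print
/ip firewall mangle print stats
```

When checking, the counters on rules 3 and 4 should climb as soon as any workstation opens a web page, and the counters on rules 1 and 2 should climb when the proxy fetches that page upstream. If rules 1 and 2 stay at zero while rules 3 and 4 grow, the proxy's own requests are being marked, which is the symptom of the ordering mistake the Important note below warns about.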

Final Mangle Table

The Mangle table should now look like the following.

[Screenshot: mangle_table_collapsed.png]

Or in detail mode:

[Screenshot: mangle_table_detail.png]

Important

The order of rules in the Mangle table is IMPORTANT! It should look exactly as shown on the screenshot. In particular, rules 1 and 2 must stay above rules 3 and 4: the proxy address 10.0.0.10 also falls inside the 10.0.0.0/24 range, so if the marking rules came first the proxy's own outbound HTTP and HTTPS requests would be marked and routed straight back to the proxy.