Conclusion¶
We have successfully set up policy based routing of HTTP and HTTPS traffic from our Mikrotik router to a separate proxy box. Both HTTP and HTTPS traffic can now be filtered for adult language and unwanted sites.
References¶
Mikrotik Policy Based Routing at https://wiki.mikrotik.com/wiki/Policy_Base_Routing. Although it is not directly applicable it still gives a good picture of how policy based routing is configured in Microtik.
SquidWiki policy based routing article https://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
Explanation how iptables firewall processes packets http://www.faqs.org/docs/iptables/traversingoftables.html
iptables manual for Ubuntu at https://arstechnica.com/gadgets/2016/04/the-ars-guide-to-building-a-linux-router-from-scratch (partially applicable, especially how to store/load iptables rules).
Important
If you are using Google chrome, you are advised to block QUIC protocol on your router, otherwise Chrome will be able to bypass the transparently redirected proxy when going to QUIC enabled sites, like google.com, youtube.com, etc. For more information see Squid Wiki article http://wiki.squid-cache.org/KnowledgeBase/Block%20QUIC%20protocol. Adding REJECT rules for UDP protocol on outgoing port 80 and port 443 should be enough.