Route Marked Traffic to Squid Proxy

Now we need to actually re-route the marked traffic to the proxy box at Open WinBox / IP / Routes to show the route list. Default route list will be populated automatically and should look something like the following screenshot.


Click + (Add) and fill the following info in the popup dialog box as shown on the following screenshot.



Dst Address


Routing Mask




This rules translates into normal human language as Send all packets with mark ‘to_proxy’ to gateway at

Click OK and your route list should now look like the following screenshot. Note that our rule was added higher than general routing rule for network This is important!


Ensure NAT Rule is Applied to WAN Interface Only

Finally we need to make sure the NAT rule in the Mikrotik router applies only when traffic is leaving the network on the ether1 interface. If we do not do that, Squid sees all re-routed connections as if they come from our router ( and limits our ability to apply different web filtering policies based on source IP.

Click WinBox / IP / Firewall and then NAT tab. Your initial NAT rule may look like the following screenshot.


If so, double click the NAT rule to edit it and specify the Out Interface as ether1.


Click OK. Your NAT rule should now look like the following.


Good, our router setup is now complete. All traffic coming from workstations to port 80 and 443 should be re-routed to the proxy box. Reboot your router now and continue setting up the proxy box on the next page.