Route Marked Traffic to Squid Proxy

Now we need to re-route the marked traffic to the proxy box at 10.0.0.10. Open WinBox / IP / Routes to show the route list. The default route list is populated automatically and should look something like the following screenshot.

../../_images/routes_initial.png

Click + (Add) and fill the following info in the popup dialog box as shown on the following screenshot.

Setting         Value
------------    ----------
Dst Address     0.0.0.0/0
Gateway         10.0.0.10
Routing Mark    to_proxy

../../_images/routes_add.png

Note

This rule translates into plain language as: send all packets with mark ‘to_proxy’ to the gateway at 10.0.0.10.

Click OK and your route list should now look like the following screenshot. Note that our rule was added above the general routing rule for network 10.0.0.0/24. This is important!

../../_images/routes_final.png

Ensure NAT Rule is Applied to WAN Interface Only

Finally, we need to make sure the NAT rule in the MikroTik router applies only when traffic is leaving the network on the ether1 interface. If we do not do that, Squid sees all re-routed connections as if they come from our router (10.0.0.1), which limits our ability to apply different web filtering policies based on source IP.

Click WinBox / IP / Firewall and then NAT tab. Your initial NAT rule may look like the following screenshot.

../../_images/src_nat_initial.png

If so, double click the NAT rule to edit it and specify the Out Interface as ether1.

../../_images/src_nat_edit.png

Click OK. Your NAT rule should now look like the following.

../../_images/src_nat_final.png

Good, our router setup is now complete. All traffic coming from workstations to ports 80 and 443 should be re-routed to the proxy box. Reboot your router now and continue setting up the proxy box on the next page.
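To confirm both settings from this page survive the reboot, the router configuration can be exported as text and checked offline. The script below is an added example, not part of the original guide; it assumes a RouterOS v6 style `/export` layout, and the sample export, function names and parameter names are constructed for illustration.

```python
import shlex

# Constructed sample in RouterOS v6 "/export" style (not from a real router).
SAMPLE_EXPORT = r'''
/ip firewall nat
add action=masquerade chain=srcnat comment="default NAT" \
    out-interface=ether1
/ip route
add distance=1 gateway=10.0.0.10 routing-mark=to_proxy
'''

def parse_export(text):
    """Return (menu, params) for every 'add' line, joining wrapped lines."""
    joined = text.replace("\\\n", " ")  # exports wrap long lines with a trailing backslash
    menu, items = None, []
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            tokens = shlex.split(line[4:])  # keeps quoted values such as comments intact
            items.append((menu, dict(t.split("=", 1) for t in tokens if "=" in t)))
    return items

def audit(text, proxy="10.0.0.10", mark="to_proxy", wan="ether1"):
    """List deviations from the two settings this page configures."""
    items = parse_export(text)
    findings = []
    # Assumption: dst-address is omitted from the export when it is 0.0.0.0/0.
    ok = any(m == "/ip route" and p.get("routing-mark") == mark
             and p.get("gateway") == proxy
             and p.get("dst-address", "0.0.0.0/0") == "0.0.0.0/0"
             for m, p in items)
    if not ok:
        findings.append(f"no default route for mark '{mark}' via {proxy}")
    for m, p in items:
        if (m == "/ip firewall nat" and p.get("chain") == "srcnat"
                and p.get("action") in ("masquerade", "src-nat")
                and p.get("out-interface") != wan):
            # Unrestricted source NAT rewrites LAN traffic sent to the proxy,
            # so Squid logs the router address instead of the workstation.
            findings.append(f"srcnat rule not limited to {wan}: "
                            "Squid will see the router as the client")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT) or ["OK"]:
        print(finding)
```

An empty result means the marked-traffic route and the WAN-only NAT rule are both present; pass the text of your own export to `audit()` in place of the sample.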