I have been long searching for a solution and finally this morning I got it to work. My setup is as follows:

    Wan >> 16 port Dlink switch >> Clearos >> mikrotik >> netequalizer >> 24 port Dlink switch

I have added a squid with its input from the Wan directly and then I have put the squid directly to the mikrotik. I did the following configurations:

Wan:

    Wan -> mikrotik 172.16.10.1/24
    Wan -> squid 172.16.11.1/24

Mikrotik:

    Ether1 172.16.10.2/24 Via setup CLI
    Ether2 (Hotspot) 10.5.50.1/24
    Ether3 to squid 192.168.50.2 Via setup CLI

Squid:

    Ether1 from Wan 172.16.11.2
    Ether2 from mikrotik 192.168.50.1:3128

The squid is configured transparently. The CLI commands used are as follows:

    #Mark All HTTP Port 80 Traffic, so that you can use these Marked Packets in Route section.
    /ip firewall nat add action=accept chain=srcnat disabled=no dst-port=80 protocol=tcp
    /ip firewall mangle add action=mark-routing chain=prerouting disabled=no dst-port=80 new-routing-mark=http passthrough=yes protocol=tcp

    /ip route
    add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=(192.168.50.1) routing-mark=http scope=30 target-scope=10
    add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=(172.16.10.1) scope=30 target-scope=10

    /ip firewall mangle add chain=postrouting tos=48 action=mark-packet new-packet-mark=proxy-hit passthrough=no
    /ip firewall mangle add chain=postrouting action=mark-packet new-packet-mark=proxy-hit passthrough=no

    /queue tree add name="pmark" parent=global-out packet-mark=proxy-hit \
        limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s

    /ip firewall filter
    add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input \
        comment="Add Syn Flood IP to the list" connection-limit=30,32 disabled=no protocol=tcp tcp-flags=syn
    add action=drop chain=input comment="Drop to syn flood list" disabled=no src-address-list=Syn_Flooder
    add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect"\
        disabled=no protocol=tcp psd=21,3s,3,1
    add action=drop chain=input comment="Drop to port scan list" disabled=no src-address-list=Port_Scanner
    add action=jump chain=input comment="Jump for icmp input flow" disabled=no jump-target=ICMP protocol=icmp
    add action=drop chain=input\
        comment="Block all access to the winbox - except to support list
    add action=jump chain=forward comment="Jump for icmp forward flow" disabled=no jump-target=ICMP protocol=icmp
    add action=drop chain=forward comment="Drop to bogon list" disabled=no dst-address-list=bogons
    add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours"\
        connection-limit=30,32 disabled=no dst-port=25,587 limit=30/1m,0 protocol=tcp
    add action=drop chain=forward comment="Avoid spammers action" disabled=no dst-port=25,587 protocol=tcp src-address-list=spammers
    add action=accept chain=input comment="Accept DNS - UDP" disabled=no port=53 protocol=udp
    add action=accept chain=input comment="Accept DNS - TCP" disabled=no port=53 protocol=tcp
    add action=accept chain=input comment="Accept to established connections" connection-state=established\
        disabled=no
    add action=accept chain=input comment="Accept to related connections" connection-state=related disabled=no
    add action=accept chain=input comment="Full access to SUPPORT address list" disabled=no src-address-list=support
    add action=drop chain=input comment="Drop anything else!
    add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" disabled=no icmp-options=8:0 limit=1,5 protocol=icmp
    add action=accept chain=ICMP comment="Echo reply" disabled=no icmp-options=0:0 protocol=icmp
    add action=accept chain=ICMP comment="Time Exceeded" disabled=no icmp-options=11:0 protocol=icmp
    add action=accept chain=ICMP comment="Destination unreachable" disabled=no icmp-options=3:0-1 protocol=icmp
    add action=accept chain=ICMP comment=PMTUD disabled=no icmp-options=3:4 protocol=icmp
    add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=no protocol=icmp
    add action=jump chain=output comment="Jump for icmp output" disabled=no jump-target=ICMP protocol=icmp

    ip firewall nat add action=dst-nat chain=dstnat disabled=no dst-port=80 protocol=tcp to-addresses=10.5.50.5 to-ports=8080
    ip firewall nat add action=dst-nat dst-port=80 protocol=tcp src-address=10.5.50.0/24 to-addresses=10.5.50.5 to-ports=8080 chain=dstnat
    ip firewall nat add chain=dstnat src-address=10.5.50.0/24 in-interface=ether1 dst-port=80 protocol=tcp action=dst-nat to-address=10.5.50.5 to-port=8080
    ip firewall nat add chain=dstnat src-address=10.5.50.5 dst-port=80 protocol=tcp action=accept
    ip firewall nat add chain=dstnat src-address=10.5.50.0/24 dst-port=80 protocol=tcp action=dst-nat to-address=10.5.50.5 to-port=8080

When I run the tail command in the squid I get a lot of activity within the cache; for example:

    1394214401.152 103 192.168.50.2 TCP_MISS_ABORTED/000 0 GET http://facedakar.com/ - HIER_DIRECT/178.33.239.95 -
    1394214401.216 0 192.168.50.2 TCP_IMS_HIT/304 285 GET http://www.fifa.com/imgml/worldcup/dots_03.png - HIER_NONE/- image/png
    1394214401.255 96 192.168.50.2 TCP_MISS_ABORTED/000 0 GET http://facedakar.com/ - HIER_DIRECT/178.33.239.95 -
    1394214401.363 101 192.168.50.2 TCP_MISS_ABORTED/000 0 GET http://facedakar.com/ - HIER_DIRECT/178.33.239.95 -
    1394214401.473 102 192.168.50.2 TCP_MISS_ABORTED/000 0 GET http://facedakar.com/ - HIER_DIRECT/178.33.239.95 -
    1394214401.502 982 192.168.50.2 TCP_MISS_ABORTED/000 0 POST http://dlarray-europ-secsrv021.gdatasecurity.de/query - HIER_DIRECT/92.51.171.68 -

Also, when I run a netstat grep, the result I get seems okay:

    squid:/home/netsnap # netstat -a | grep 443 -h
    tcp 1 0 squid.squidoz:44358 a92-122-210-13:www-http CLOSE_WAIT
    tcp 0 1 squid.squidoz:35443 ns236400.ovh.n:www-http SYN_SENT
    tcp 1 0 squidoz:ndl-aas 192.168.50.2:34439 CLOSE_WAIT
    tcp 1 0 squidoz:ndl-aas 192.168.50.2:34443 CLOSE_WAIT
    tcp 1 0 squidoz:ndl-aas 192.168.50.2:34436 CLOSE_WAIT
    tcp 1 0 squid.squidoz:44350 a92-122-210-13:www-http CLOSE_WAIT
    tcp 1 0 squidoz:ndl-aas 192.168.50.2:34438 CLOSE_WAIT

Now the browsing is not really faster; it is just that pages like yahoo.com, gmail.com and such, that you have to sign in to, open pretty fast, but other pages crawl, to say the least, and if at all they open, they just show text and links without pictures, especially for sites like bbc.co.uk etc. Most times it brings this error message out:

    ERROR
    The requested URL could not be retrieved

    Die volgende fout is teëgekom tydens verkryging van die URL: http://www.speedtest.net/user-settings.php

    Verbinding na 93.184.219.82 het misluk

    Die stelsel het die volgende teruggestuur: (110) Connection timed out

    Die afgeleë gasheer of netwerk is dalk af. Probeer die navraag gerus weer.

    Die kasbediener se administrateur is webmaster.

    Gegenereer op Fri, 07 Mar 2014 15:29:27 GMT deur squid.squidoz (squid/3.2.11)

I am not sure what exactly it is I am doing wrong! I am not even sure at this point if it is mikrotik or squid that is giving me the problem. I would appreciate any help that I can get to make this happen. Thanks in advance.
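An added example, not part of the original post: a small parser for the Squid native access.log lines quoted above that tallies result codes, client addresses, and entries logged with status `000` and 0 bytes per upstream address. The sample lines are copied from the post; the function names are illustrative assumptions.

```python
import re
from collections import Counter

# The six access.log lines quoted in the post, embedded so the example runs offline.
SAMPLE = """\
1394214401.152 103 192.168.50.2 TCP_MISS_ABORTED/000 0 GET http://facedakar.com/ - HIER_DIRECT/178.33.239.95 -
1394214401.216 0 192.168.50.2 TCP_IMS_HIT/304 285 GET http://www.fifa.com/imgml/worldcup/dots_03.png - HIER_NONE/- image/png
1394214401.255 96 192.168.50.2 TCP_MISS_ABORTED/000 0 GET http://facedakar.com/ - HIER_DIRECT/178.33.239.95 -
1394214401.363 101 192.168.50.2 TCP_MISS_ABORTED/000 0 GET http://facedakar.com/ - HIER_DIRECT/178.33.239.95 -
1394214401.473 102 192.168.50.2 TCP_MISS_ABORTED/000 0 GET http://facedakar.com/ - HIER_DIRECT/178.33.239.95 -
1394214401.502 982 192.168.50.2 TCP_MISS_ABORTED/000 0 POST http://dlarray-europ-secsrv021.gdatasecurity.de/query - HIER_DIRECT/92.51.171.68 -
"""

# Squid native format: time elapsed_ms client code/status bytes method URL ident hierarchy/peer type
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)\s*$"
)

def parse(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    rows = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            row = m.groupdict()
            row["elapsed"], row["size"] = int(row["elapsed"]), int(row["size"])
            rows.append(row)
    return rows

def summarize(rows):
    """Tally result codes, client addresses, and zero-byte status-000 entries per upstream."""
    codes = Counter(r["code"] for r in rows)
    clients = Counter(r["client"] for r in rows)
    # Status 000 with 0 bytes: the request ended before any reply reached the client.
    empty = Counter(r["peer"] for r in rows if r["status"] == "000" and r["size"] == 0)
    return codes, clients, empty

if __name__ == "__main__":
    codes, clients, empty = summarize(parse(SAMPLE))
    print("result codes:", dict(codes))
    print("clients seen:", dict(clients))  # 192.168.50.2 is the MikroTik Ether3 address in the post
    print("no-reply requests per upstream:", dict(empty))
```
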