Sunday, December 01, 2013

Transparent Proxy with Squid 3.3.11 + Ubuntu + Shorewall + Mikrotik (Update)

This is my update posting, about Transparent Proxy with Squid 3.3.x + ubuntu + Shorewall + Mikrotik. Someone told me that the configuration worked but they had TCP_MISS, I was curious. Then I try to re-configure the above experiment with some recent software updates, and this is it.
network transparent proxy mikrotik as router

Network configuration as shown above. I use virtual box to test it. Ubuntu server 13.10, mikrotik 5.20, shorewall, and squid 3.3.11. The instruction how to configure the network above, still same like at previous posting

And the result is successfull, there is no problem. An important note to remember. Follow my instruction carefully. Don’t ever miss any step. If you miss just one step, you will get error and user will be not connected.
In theory, packet from users go to internet (port 80) via a proxy server (squid). The important thing here is the Squid considers the request comes from the IP. 10.10.10.xx/24. Look at picture below.
Packet Path

and the image below as proof, that the above configuration are able to cache web.
access.log request from IP

Another way to make Transparent Proxy
Next, I tried a different way, at the proxy firewall.
/ ip firewall nat
add chain=srcnat action=masquerade src-address=
add chain=srcnat action=masquerade src-address=

IP firewall nat

Can you see the difference between the above configuration, and the configuration of the previous posts?? absolutely right. The difference lies in the "IP address" and out interface. Then in the acl in squid.conf, modified to So it should be like this.

acl bamboe src
access.log request from IP

With command "tail -f /var/log/squid/access.log", so the result as shown above. Users connected to the Internet (browsing) through a proxy server (squid). But this time Squid considers the request comes from an IP gateway
Which is good? Both are good. But I prefer to use the previous method, squid view the request from the real IP address of user. Then we will know IP address of user that connected to the Internet.

Update about caching youtube.
Cache youtube with using nginx, now is not working. I think algoritma youtube has changed. 
More than 3 weeks I tried various methods to caching youtube, but it not 100% work. I'm still looking for the good method to caching youtube. 
If you have any information about this, please command...oops, sorry... I mean please comment... :)
( Update January 2th, 2014). Look at for another method, it's 100% working.


  1. Thanks for efforts, in this example our proxy server will have one NIC card right? if yes then we will need to configure the proxy in client browser or how this work?
    Please add me in your Skype as (sherwali93) I will need your help...

    1. look at here...
      yes, proxy server just have one nic card... you must to configure router (mikrotik), to make rules, before packet go to destination (internet), packet must go to server proxy... this is the transparent proxy, so you dont need to configure manual the proxy in client browser...

  2. mas...itu SSL nya harus di import lagi ya..??

  3. We are the worlds leading publisher of blacklist domain data for web filtering platforms. We have domain blacklists for not only Squid Proxy, but also for Mikrotik Web Proxy as well as RouterOS DNS.

    Blacklisting has evolved.

  4. BlueHost is ultimately one of the best website hosting company for any hosting plans you need.

  5. Do you need free Twitter Re-tweets?
    Did you know that you can get these AUTOMATICALLY AND TOTALLY FOR FREE by using Like 4 Like?