MikroTik Router Web Proxy Configuration

A proxy server is usually placed between users and the internet so that it can track the activities of any user. Formerly, a proxy server was mainly used for caching the static content of web servers because internet speed was too slow, so users got fast browsing, as if they were browsing a local server. Nowadays internet bandwidth has increased, so a proxy server is rarely used for web caching; it is more popularly used as an ACL (Access Control List) server. MikroTik RouterOS can act as an HTTP proxy server. As a proxy server, MikroTik Router has the following features.

  1. Regular HTTP proxy server: MikroTik Router can act as a regular HTTP proxy server, where a user specifies the proxy in his/her browser.
  2. Transparent proxy server: MikroTik RouterOS can also act as a transparent proxy server, where users do not know that a proxy is enabled and no extra configuration is needed in the user's browser.
  3. Access Control List: It can filter access by source, destination, URL and requested method (HTTP firewall).
  4. Cache access list: MikroTik can specify which objects are cached and which are not.
  5. Direct Access List: Specifies which resources should be accessed directly and which through another proxy server.
  6. Logging facility: MikroTik Router can store information about proxy operation, or it can send logging information to another syslog server.

A proxy server may look like the diagram below, where users must go through the proxy server to access the internet. So, user activity can easily be tracked with this proxy server.

Transparent Web Proxy

Web Proxy Server Configuration with MikroTik

In this article, we will see how to turn our MikroTik router into a proxy server. To configure a complete proxy server with a MikroTik router, we have to perform the 4 steps below.

  1. MikroTik Router Basic Configuration
  2. Web Proxy Configuration
  3. Transparent Web Proxy Configuration
  4. Blocking Open Proxy

The devices and IP information used in this article for configuring the web proxy are given below.

  1. MikroTik Router v5.20
  2. WAN IP: 192.168.30.2/30
  3. LAN IP: 192.168.20.0/24

Step 1: MikroTik Router Basic Configuration

First we need to do MikroTik Router basic configuration (IP, Route, NAT and DNS configuration) before configuring a web proxy server. If you have a MikroTik Routerboard, follow my article about MikroTik Router Basic Configuration using Winbox and complete basic configuration. If you plan to install MikroTik OS in a PC, follow my article about Install MikroTik OS on PC and complete MikroTik Router Basic Configuration and then continue the rest of this article for configuring a web proxy server with MikroTik Router.

Step 2: Web Proxy Configuration

After completing the MikroTik router basic configuration, we will now enable the proxy service so that our MikroTik Router acts as a proxy server. Follow the steps below to enable the proxy service in your MikroTik router.

  • Go to IP > Web Proxy menu. Web Proxy Settings window will appear.
  • Click on the Enabled checkbox and put your WAN IP address (in this article 192.168.30.2), which will be used as the proxy server address, in the Address input box, or leave it blank. If you leave it blank, all interface IPs will be used as the proxy server IP address. Optionally you can change the Port number or leave it at the default port 8080.
  • If you plan to run a caching proxy server, set Max. Cache Size to unlimited and click on the Cache on Disk checkbox. In this case, the MikroTik Router must have enough storage to cache web content. If you have a Routerboard, you have to add an additional hard disk, or you can install MikroTik OS on a PC to get extra storage.
  • Now click the Apply and then the OK button.
  • Alternatively, you can run this command: /ip proxy set enabled=yes port=8080 src-address=192.168.30.2

Now your MikroTik Router will act as a regular proxy server. If you manually set this IP and port in your browser's proxy settings, your browser will use the MikroTik Router as a proxy server. But you rarely want a regular proxy server. So, you need to turn the MikroTik Router into a transparent proxy server. For this, a firewall rule has to be applied, which I will show now.

Step 3: Transparent Web Proxy Configuration

Now we will turn our MikroTik proxy server into a transparent proxy server. For this, we apply a destination NAT rule that redirects all port 80 (HTTP) requests to port 8080 (the proxy server port), so that users are not aware of the proxy server and no extra configuration is needed on the user end. To apply the NAT rule in your MikroTik router, follow the steps below carefully.

  • Go to IP > Firewall, click on the NAT tab and then click the PLUS SIGN (+) to add a new NAT rule.
  • In the General tab, choose Chain = dstnat, Protocol = 6 (tcp) and Dst. Port = 80.
  • In the Action tab, choose Action = redirect and To Ports = 8080.
  • Now click the Apply and OK buttons.
  • Alternatively, you can run this command: /ip firewall nat add chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8080

Transparent web proxy configuration is now complete. Your MikroTik proxy server can be used as both a transparent web proxy and a normal web proxy at the same time. In transparent mode it is still possible to use it as a standard web proxy.

Step 4: Blocking Open Proxy

Now the MikroTik Router is a proxy server that can be accessed from anywhere, and that is the problem. Thousands of hackers on the internet are looking for this kind of proxy server to carry out criminal or unwanted activity. So, we must block internet users from accessing our proxy. For this, do the steps below carefully.

  • Go to IP > Firewall, open the Filter Rules tab and then click the PLUS SIGN (+) to add a new firewall rule.
  • In the General tab, choose Chain = input, Src. Address = 0.0.0.0/0, Protocol = 6 (tcp), Dst. Port = 8080, In. Interface = ether1 (WAN interface name).
  • In the Action tab, choose Action = drop.
  • Alternatively, you can run this command: /ip firewall filter add chain=input src-address=0.0.0.0/0 protocol=tcp dst-port=8080 in-interface="ether1 WAN" action=drop

Now the proxy server is safe from unwanted use by public internet users or hackers.
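A way to check the Step 4 rule from a configuration export, as an added example that is not part of the original article: it reads `/export`-style text, finds the proxy port, and walks the input chain in order to see whether the first rule covering WAN traffic to that port drops it. The sample exports are constructed, and only the matchers listed in MODELLED are understood; rules using any other matcher are skipped.

```python
import shlex

# Matchers this sketch understands; rules using any other matcher are skipped.
MODELLED = {"chain", "action", "protocol", "dst-port", "in-interface",
            "src-address", "comment", "disabled"}

def parse_export(text):
    """Turn '/menu' headers and 'add'/'set' lines into (menu, properties) pairs."""
    entries, menu = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
        elif menu and line.split(" ", 1)[0] in ("add", "set"):
            tokens = shlex.split(line)[1:]          # keeps "ether1 WAN" as one value
            entries.append((menu, dict(t.split("=", 1) for t in tokens if "=" in t)))
    return entries

def first_verdict(entries, wan, port):
    """Action of the first enabled input rule that matches every TCP packet
    arriving on the WAN interface for the proxy port; None if no rule does."""
    for menu, p in entries:
        if menu != "/ip firewall filter" or p.get("chain") != "input":
            continue
        if p.get("disabled") == "yes" or set(p) - MODELLED:
            continue
        if (p.get("protocol", "tcp") == "tcp"
                and port in p.get("dst-port", port).split(",")
                and p.get("in-interface", wan) == wan
                and p.get("src-address", "0.0.0.0/0") == "0.0.0.0/0"):
            return p.get("action", "accept")        # a rule without action accepts
    return None

def audit(text, wan):
    """Report whether the enabled proxy port is shielded from the WAN side."""
    entries = parse_export(text)
    proxy = next((p for m, p in entries if m == "/ip proxy"), {})
    if proxy.get("enabled") != "yes":
        return "proxy disabled"
    port = proxy.get("port", "8080")                # 8080 is the default port on the page
    if first_verdict(entries, wan, port) in ("drop", "reject"):
        return "protected"
    return f"OPEN: tcp/{port} reachable on {wan}"

# Constructed sample exports (not taken from a real router).
BASE = "/ip proxy\nset enabled=yes port=8080\n/ip firewall filter\n"
DROP = 'add chain=input protocol=tcp dst-port=8080 in-interface="ether1 WAN" action=drop\n'
ACCEPT = "add chain=input protocol=tcp dst-port=8080 action=accept\n"
```

An accept rule placed above the drop rule makes `audit(BASE + ACCEPT + DROP, "ether1 WAN")` report the proxy as open, because the first matching filter rule decides.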

The steps above show how to set up a transparent web proxy in a MikroTik router. If you face any confusion following the above steps, please watch my video tutorial below about MikroTik Transparent Web Proxy Configuration. I hope it will clear up any confusion.

Proxy Based Firewall/ACL

The MikroTik proxy-based firewall or ACL works the same way as firewall rules work. The ACL is processed from top to bottom. The first matching rule decides what to do with the connection. Connections can be matched by source address, destination address, destination port, a sub-string of the requested URL or the request method. If none of these parameters is specified, every connection will match the rule.

If a connection is matched by a rule, the action property of the rule specifies whether the connection will be allowed or denied. If a connection does not match any rule, it will be allowed.

We have configured a transparent proxy server with MikroTik Router in the previous step. Now we will apply some ACLs to our proxy server with examples.

Block Particular Website with URL

Say you want to block a website named Facebook whose URL is [https://www.facebook.com]. Do the steps below to block the Facebook URL with the proxy server.

  • Go to IP > Web Proxy and click on Access button from right side button panel. Web Proxy Access window will appear. Now click on PLUS SIGN (+) to add new access rule. New Web Proxy Rule window will appear.
  • In this window, type facebook.com in Dst. Host input field and choose deny from Action drop-down menu.
  • Click Apply and OK button.
  • Alternatively, you can run this command: /ip proxy access add dst-host=www.facebook.com action=deny

This rule will block Facebook for all users. We can also block a site for the users of a specific IP block. For this, enter the IP block in the Src. Address input field or run the command below:

/ip proxy access add src-address=192.168.20.0/24 dst-host=www.facebook.com action=deny

Here 192.168.20.0/24 is the LAN IP block whose users cannot access Facebook.

Note: MikroTik Web Proxy cannot track HTTPS connections. So, it cannot block [https://www.facebook.com].

Block Website with Key Phrase

You can also block websites that contain a certain keyword in the URL. Say you want to block all URLs that contain the keyword mail. For this, do the steps below carefully.

  • Go to IP > Web Proxy and click on Access button from right side button panel. Web Proxy Access window will appear now. Now click on PLUS SIGN (+) to add new access rule. New Web Proxy Rule window will appear.
  • In this window, type :mail in Dst. Host input box and choose deny from Action drop-down menu.
  • Click Apply and then OK button.
  • Alternatively, you can run this command: /ip proxy access add dst-host=:mail action=deny

This rule will block all websites that contain the key phrase ‘mail’ in the URL, such as www.gmail.com and www.hotmail.com.

Stop Download Specific File Type

You can also stop downloading specific file types like .exe, .flv, .mp4 and so on. For this, do the below steps.

  • Go to IP > Web Proxy and click on Access button from right side button panel. Web Proxy Access window will appear now. Now click on PLUS SIGN (+) to add new access rule. New Web Proxy Rule window will appear.
  • In this window, type *.exe in the Path input field and choose deny from the Action drop-down menu.
  • Click the Apply and then the OK button.
  • Alternatively, run this command: /ip proxy access add path=*.exe action=deny

These are a few examples of what can be done with the Access List. You can also apply your own logic or search online for rules that fit your own needs.
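The access-list behaviour described in this section, modelled as an added example that is not part of the original article: rules are checked top to bottom, the first match decides, and an unmatched request is allowed. It assumes RouterOS matching semantics in which a dst-host or path value starting with ':' is a regular expression and any other value is a wildcard that must cover the whole string, and that dst-host is compared with the host name only; Python's `re` and `fnmatch` stand in for the router's matcher, and CLOSED_RULES is a hypothetical tightened list.

```python
import fnmatch
import ipaddress
import re

def field_matches(pattern, value):
    """':' prefix = regular expression; otherwise a wildcard pattern ('*', '?')
    that has to cover the whole string (fnmatch stands in for that syntax)."""
    if pattern.startswith(":"):
        return re.search(pattern[1:], value) is not None
    return fnmatch.fnmatchcase(value, pattern)

def evaluate(rules, src, host, path, method="GET"):
    """Walk the list top to bottom; the first rule whose set fields all match
    decides. A request that matches no rule is allowed."""
    for rule in rules:
        if "src-address" in rule and (
                ipaddress.ip_address(src) not in ipaddress.ip_network(rule["src-address"])):
            continue
        if "dst-host" in rule and not field_matches(rule["dst-host"], host):
            continue
        if "path" in rule and not field_matches(rule["path"], path):
            continue
        if "method" in rule and rule["method"] != method:
            continue
        return rule["action"]
    return "allow"

# The deny rules from the sections above, in the order they were added.
PAGE_RULES = [
    {"src-address": "192.168.20.0/24", "dst-host": "www.facebook.com", "action": "deny"},
    {"dst-host": ":mail", "action": "deny"},
    {"path": "*.exe", "action": "deny"},
]

# Hypothetical tightened list: LAN clients are allowed, everything else reaches
# a rule with no match fields, which matches every connection.
CLOSED_RULES = PAGE_RULES + [
    {"src-address": "192.168.20.0/24", "action": "allow"},
    {"action": "deny"},
]
```

With PAGE_RULES, a request for en.wikipedia.org/wiki/mail is allowed because the keyword sits in the path, not the host, and a request from an address outside the LAN falls through to the default allow.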

MikroTik Router web proxy configuration has been discussed step by step in this article. I hope you are now able to configure the web proxy in your MikroTik router and apply ACLs for your network. However, if you face any problem configuring your web proxy server with MikroTik Router, feel free to discuss it in the comments or contact me from the Contact page. I will try my best to stay with you.


ABU SAYEED

I am a system administrator and like to share knowledge that I am learning from my daily experience. I usually work on MikroTik, Redhat/CentOS Linux, Windows Server, physical server and storage, virtual technology and other system related topics.


16 comments

  • Hura S

    Dear Sir,

    i need to block any site which contain a specific keyword,
    for example: “PORN”

    by using your method above, either it’s :porn or *porn* in the Dst.Host, we can only block some websites for as long as that specific keyword is located before .com or .net
    for example:
    pornhub.com, 88porn.net, etc.

    while other sites like:
    en.wikipedia.com/porn
    can still be accessed..

    i need to block any site which has “porn” anywhere inside the url, such as:
    youtube.com/blablabla/porn/watch
    devil.wordpress.com/porn/blablabla.html

    i have tried everything i found through google as well as those in mikrotik forum..
    from simple Firewall filtering based on Content, to Layer7 and NAT things..
    nothing works..

    Your web proxy method is by far the best..but users can still access Youtube, Vimeo, Xvideos with “Porn” or “Terrorist” keyword inside..

    imagine our employees can access sensitive videos like ISIS bombing, suicide, terrorism and political things..it’s impossible to list all websites..

    any help will be much appreciated..

    Million thanks..

    • Muhammad Luqman khan

      Sir, we appreciate your help to those who cannot find any useful source of learning. We are getting more and help from your site. Actually I am trying to learn the MikroTik router that is installed in our office. I am serving as a network admin, and sir, please help me in learning MikroTik… Thank you sir…

      • Hi Luqman,
        Thanks for visiting my website. Do practical work with your MikroTik according to my tutorial. I hope you get enough help. However, if you face any problem, don’t hesitate to contact me.

  • Hakaiva

    Hello Sayeed,

    I have a MikroTik router, but when visiting websites, it takes a long time to open them. It keeps rolling before it finally opens the site. It happens with all sites, but after the first opening, it opens easily. Please advise.

  • Nazmul

    Dear Sayeed,

    Thank you very much for your excellent informative posts.

    I have configured the web proxy in a MikroTik Router for Log Analyzer. However, I am frequently getting a message on page load, which is like this.

    (ERROR: Not Found
    While trying to retrieve the URL https://websitename/page
    Address family not supported by protocol)

    Brother please advise how could I solve it.

  • Md. Keafayet Ullah Rifat

    MikroTik web proxy does not work for HTTPS traffic. Any solution for this problem?

  • Hi Sir,
    How are you? Hope you’ll be fine.

    I tried my best to control PPPoE users with a RADIUS server in MikroTik but failed. How can I manage my PPPoE users in a RADIUS server? Please give me the detailed procedure.

    I am using MikroTik 5.18 cracked on x86.

  • Excellent article. Keep writing such kind of info on your page.

    Im really impressed by your blog.
    Hi there, You have performed a great job.
    I will definitely digg it and personally recommend to my friends.
    I am sure they’ll be benefited from this site.

  • Ammar Haidar

    Do these settings also apply to secure connections (HTTPS), or are they only applicable to HTTP?

  • opac

    Hello sir, I got a question from school. Why can web proxy access restrictions only be done on HTTP services? I would be very grateful if this question is answered, thank you sir.

    • HTTPS is an encrypted protocol. It is end-to-end encrypted. So, none can interface in the middleware. On the other hand, HTTP is an open protocol. So, a web proxy server can do anything sitting in the middle.

      If a web proxy needs to do something, it should sit as a client.
