I use an external squid transparent proxy for my clients

I use an external squid transparent proxy for my clients. We recently switched to a RouterOS firewall and I discovered a great way to route traffic to my proxy without having to configure each client's proxy settings. I dug around on the internet and found this lovely guide that describes pretty close to what I'm looking for. The way we handled it in the past was to redirect port 80 traffic from the firewall to the IP and port number of our squid proxy. MikroTik offers ways I can do this while still preserving the source IP address. Before I set up my new config, anyone who didn't have their client proxy set up was listed as the firewall's IP address in squid's logs.

Here's my setup:

Firewall/MikroTik 192.168.1.1
Squid Proxy 192.168.1.2 (Proxy port 8080)
Clients 192.168.1.100-192.168.1.199

I already have the mangle and masquerading set up for my main firewall, so I'm only going to list the settings that affect and redirect HTTP traffic to my proxy server.

First I set up an address list of the client IP addresses I wanted to be redirected to my proxy server. In my case it's my DHCP pool addresses:

```
/ip firewall address-list
add address=192.168.1.100-192.168.1.199 list=Proxy_Clients
```

Then I set up mangle to tag web traffic for rerouting later:

```
/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=to_proxy passthrough=yes protocol=tcp src-address-list=Proxy_Clients dst-port=80
```

Next I set up a custom route for the marked packets:

```
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.2 routing-mark=to_proxy scope=30 target-scope=10
```

What we're doing now is routing all traffic from clients 192.168.1.100-192.168.1.199 on port 80 to the proxy server.

Post on 19-Aug-2015

The last piece of the puzzle is to set up the proxy server (squid) to redirect all traffic on port 80 to the proxy port (8080). This is easily done with iptables:

```
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.1.2:8080
```

That should do it. Now you are forwarding all port 80 traffic to the squid proxy. Most importantly, you are preserving the source IP address. This way, if you want to use squid reporting, you can track your users' usage by IP address. Most of the information I used to get this solution was borrowed from this website. I changed up the syntax a little to fit my needs.

My next project is to figure out how to exclude streaming services (netflix) from being forwarded to the proxy server. I've already toyed with using IP blocks. The biggest problem I've run into there is adding all netflix's IP ranges to an address list. I keep finding new ones. For those interested, here's my modified mangle rule for not forwarding netflix traffic to the proxy, but forwarding everything else:

```
/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=to_proxy passthrough=yes protocol=tcp src-address-list=Proxy_Clients dst-address-list=!Netflix dst-port=80
```

My address list for netflix:

```
/ip firewall address-list
add address=69.165.0.0/18 list=Netflix
add address=208.111.128.0/18 list=Netflix
add address=68.152.65.0/18 list=Netflix
add address=108.167.32.0/20 list=Netflix
```

I found a better way to handle netflix traffic. The address list is fine, but after more digging I found a way to dynamically generate the list. This guide shows a queueing system for prioritizing or throttling video sites. I took his example and made it fit into my proxy forwarding solution. I'm still using my route forward:

```
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.2 routing-mark=to_proxy scope=30 target-scope=10
```

Remember my external squid proxy IP address is 192.168.1.2 and my firewall address is 192.168.1.1.

What I've changed is the way I generate my address-list. Instead of adding entire IP blocks I added 2 mangle rules in "front" of my proxy forwarding one. Here's what they look like (I've listed them in the order required. The proxy routing mark mangle rule must be the last.):

```
/ip firewall mangle
add chain=prerouting action=add-dst-to-address-list protocol=tcp address-list=Netflix address-list-timeout=1d dst-port=80 content=nflxvideo.net
add chain=prerouting action=add-dst-to-address-list protocol=tcp address-list=Netflix address-list-timeout=1d dst-port=80 content=netflix.com
add chain=prerouting action=add-dst-to-address-list protocol=tcp address-list=Netflix address-list-timeout=1d layer7-protocol="Netflix llwd" dst-port=80
```

In the guide the guy didn't set a timeout for the address list. That means that the list will eventually grow to include every IP address netflix uses. In theory this sounds good, but you have to remember it's going to happen 1 IP address at a time, NOT one subnet block at a time. I thought 1d was plenty of time.

I'm still using my mangle rule to add a route tag to traffic with the specified mark. I added a dst-address-list negative to exclude my newly created Netflix address list that is being generated. (This mangle rule must be last.)

```
/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=to_proxy passthrough=yes protocol=tcp src-address-list=Proxy_Clients dst-address-list=!Netflix dst-port=80
```

I also have a layer7 protocol. I'm not great with regexp but the one I'm using works better than all the other examples I've found out there:

```
/ip firewall layer7-protocol
add name="Netflix llwd" regexp="netflix-[0-9][0-9][0-9]
```
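As an added example (not code from the forum post), here is a small Python model of the prerouting mangle chain that covers both the basic proxy-routing setup and the Netflix exclusion above. It checks the two properties the post relies on, rule order (the mark-routing rule negates a list that the add-dst-to-address-list rules populate, so it must run last) and the 1d address-list-timeout expiring entries per destination IP, and it checks the static Netflix list for prefixes with host bits set. The Packet and Mangle classes, the sample packets and the timestamps are constructed assumptions; RouterOS's real matcher is not modelled beyond the post's rules.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Values copied from the post's config; the packets used below are constructed.
PROXY_CLIENTS = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("192.168.1.100"), ipaddress.ip_address("192.168.1.199")))
NETFLIX_RE = re.compile(r"netflix-[0-9][0-9][0-9]")   # the post's layer7 regexp, as far as shown
LIST_TIMEOUT = 24 * 3600                                # address-list-timeout=1d, in seconds
STATIC_NETFLIX = ["69.165.0.0/18", "208.111.128.0/18", "68.152.65.0/18", "108.167.32.0/20"]

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    content: str = ""   # plaintext HTTP payload fragment; a SYN carries none

@dataclass
class Mangle:
    """Model of the post's prerouting chain: per-packet matching, no connection mark."""
    now: int = 0
    netflix: dict = field(default_factory=dict)   # dynamic list: dst ip -> expiry time

    def netflix_listed(self, ip):
        return self.netflix.get(ip, -1) > self.now   # expired entries no longer match

    def prerouting(self, pkt):
        """Return 'to_proxy' or None, evaluating the rules in the post's order."""
        if pkt.dport != 80:
            return None
        # rules 1-3: add-dst-to-address-list on content= / layer7 match, with timeout
        if ("nflxvideo.net" in pkt.content or "netflix.com" in pkt.content
                or NETFLIX_RE.search(pkt.content)):
            self.netflix[pkt.dst] = self.now + LIST_TIMEOUT
        # rule 4 (must be last): src in Proxy_Clients and dst NOT in Netflix (!Netflix)
        src = ipaddress.ip_address(pkt.src)
        if any(src in net for net in PROXY_CLIENTS) and not self.netflix_listed(pkt.dst):
            return "to_proxy"
        return None

def gateway_for(mark):
    """The /ip route entry: packets carrying the mark go to the Squid host."""
    return "192.168.1.2" if mark == "to_proxy" else "default"

def misaligned(prefixes):
    """Static-list check: return entries whose host bits are not zero."""
    bad = []
    for p in prefixes:
        try:
            ipaddress.ip_network(p)          # strict by default: rejects host bits
        except ValueError:
            bad.append(p)
    return bad
```

Because the mark is applied per packet, the packet that carries the matched content is the first one excluded; the SYN that opened that connection was already marked and routed to the proxy.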