Transparent Squid Proxying with MikroTik
Once you have squid working, you can now start forcing traffic to use it. If you have a single gateway box, this is most likely the easiest place to do this. In our network we run MikroTik's RouterOS which is in turn based on Linux and supplies all the hooks necessary to do what's needed.
The basic idea is to redirect all outbound traffic on port 80 to the squid server. The devil is the details!
more to come, but basic idea follows
- Set up a rule for Destination Nat that sends all traffic on port 80 to the squid server, except traffic from the server itself, and, in our case where we have a captive portal, excepting traffic to the captive portal too (though maybe it works ok anyway?).
make sure the squid server is exempt from captive portal signon. The tricky part is making it exempt but not a client that signs on through it (hence exception above that the captive portal destination is exempt).
The squid box must send all replies back to the gateway, not to the requesting machine directly - its not expecting them! So in the squid box's file
/etc/network/interfaces is the extra line:
up "route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1"
which adds a static route to force all traffic on the squid's subnet (10.0.0.x) back to the gateway which will in turn route back to the correct host.