Mangle HTTP and HTTPS Traffic and Prepare for Re-Routing
Remember that all workstations in our network have our router, with IP address 10.0.0.1, set as their default gateway. So when a browser running on any workstation makes an HTTP (or HTTPS) connection to a web server on the Internet, the traffic from that workstation to port 80 (or 443) will actually be sent to our router. We will need to re-route that traffic to a separate proxy box running at 10.0.0.10.
Re-routing the traffic is a two-step process. First we will mark the packets destined to port 80 (or 443), and then we will re-route those marked packets through the proxy box. Open Winbox / IP / Firewall and select the Mangle tab as shown on the following screenshot. Please note that the Mangle table is initially empty.
We will need to add five rules to the Mangle table. The first two rules will simply accept any traffic from the proxy box to ports 80 and 443 without marking it; without them the proxy's own outbound connections would be marked as well and sent back to the proxy in a loop. Then we will add two more rules that mark the traffic from any workstation to ports 80 and 443. Finally, the fifth rule will accept that marked traffic. This final step is mandatory to let the router re-route the marked traffic to the proxy box.
Rule 1. Accept HTTP traffic from proxy box
Click + (Add) and fill the following info in the popup dialog box as shown on the following screenshot.
| Setting | Value |
|---|---|
| Chain | prerouting |
| Src. Address | 10.0.0.10 |
| Protocol | 6 (tcp) |
| Dst. Port | 80 |
| In. Interface | ether2 |
After you click OK the new rule will be added to the Mangle table. Please note that the rule was added with the default action of Accept.
Rule 2. Accept HTTPS traffic from proxy box
Click + (Add) and fill the following info in the popup dialog box as shown on the following screenshot.
| Setting | Value |
|---|---|
| Chain | prerouting |
| Src. Address | 10.0.0.10 |
| Protocol | 6 (tcp) |
| Dst. Port | 443 |
| In. Interface | ether2 |
After you click OK the new rule will be added to the Mangle table. Note that, again, this rule was added with the default action of Accept. The rule is positioned after the first rule.
Rule 3. Mark Traffic to Port 80
To be able to mark the traffic we first need to add a new routing table. Open Winbox / Routing / Tables as shown on the following screenshot. Click + (Add) and name the table to_proxy.
Now go back to Winbox / IP / Firewall and select the Mangle tab again. Click + (Add) and fill in the following info on the General tab of the popup dialog box.
| Setting | Value |
|---|---|
| Chain | prerouting |
| Src. Address | 10.0.0.0/24 |
| Protocol | 6 (tcp) |
| Dst. Port | 80 |
| In. Interface | ether2 |
Switch to the Action tab and fill in the following.
| Setting | Value |
|---|---|
| Action | mark routing |
| New Routing Mark | to_proxy |
After you click OK the new rule will be added to the Mangle table. Note that, again, the rule is positioned after the second rule.
Note
This rule translates into plain language as: "Put a 'to_proxy' mark on all traffic from within our LAN that comes into the router through NIC ether2 and is destined to port 80, aka HTTP."
Rule 4. Mark Traffic to Port 443
Click + (Add) and fill in the following info on the General tab of the popup dialog box.
| Setting | Value |
|---|---|
| Chain | prerouting |
| Src. Address | 10.0.0.0/24 |
| Protocol | 6 (tcp) |
| Dst. Port | 443 |
| In. Interface | ether2 |
Switch to the Action tab and fill in the following.
| Setting | Value |
|---|---|
| Action | mark routing |
| New Routing Mark | to_proxy (select from the drop-down box) |
After you click OK the new rule will be added to the Mangle table. Note that, again, the rule is positioned after the third rule.
Note
This rule translates into plain language as: "Put a 'to_proxy' mark on all traffic from within our LAN that comes into the router through NIC ether2 and is destined to port 443, aka HTTPS."
Rule 5. Accept Marked Packets
Finally, we will add the fifth rule to accept the marked traffic. This rule is mandatory to let the router re-route the marked traffic to the proxy box. So, click + (Add) and fill in the following info on the General tab of the popup dialog box.
| Setting | Value |
|---|---|
| Chain | prerouting |
| In. Interface | ether2 |
| Routing Mark | to_proxy |
After you click OK this final rule will be added to the Mangle table as the last rule. Please note that the rule was added with the default action of Accept.
Final Mangle Table
The Mangle table should now look like the following.
Or in detail mode:
Danger
The order of the rules in the Mangle table is IMPORTANT! It should look exactly as shown on the screenshot: the two accept rules for the proxy box must come before the two marking rules, otherwise the proxy's own traffic gets marked and looped back to the proxy.
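The same five rules entered at the RouterOS terminal instead of through Winbox, as an added equivalent that is not part of the original walkthrough. It assumes RouterOS 7 (the Routing / Tables menu used above), where the table is created under /routing table and needs the fib flag to be usable for forwarding; the interface name, addresses and table name are the ones used in this walkthrough.

```routeros
# Added example: terminal equivalent of the five Winbox mangle rules above.
# Assumes RouterOS 7; adjust the interface and addresses to your own network.

# Create the routing table that marked packets will be looked up in.
# The fib flag makes the table usable for actual packet forwarding.
/routing table add name=to_proxy fib

/ip firewall mangle
# Rules 1 and 2: the proxy box's own traffic to 80/443 is accepted unmarked,
# otherwise it would be marked too and sent straight back to the proxy.
add chain=prerouting in-interface=ether2 src-address=10.0.0.10 \
    protocol=tcp dst-port=80 action=accept \
    comment="Rule 1: accept HTTP from proxy box"
add chain=prerouting in-interface=ether2 src-address=10.0.0.10 \
    protocol=tcp dst-port=443 action=accept \
    comment="Rule 2: accept HTTPS from proxy box"

# Rules 3 and 4: put the to_proxy routing mark on LAN traffic to 80/443.
# passthrough is left at its default (yes) so the packet reaches rule 5.
add chain=prerouting in-interface=ether2 src-address=10.0.0.0/24 \
    protocol=tcp dst-port=80 action=mark-routing new-routing-mark=to_proxy \
    comment="Rule 3: mark HTTP to_proxy"
add chain=prerouting in-interface=ether2 src-address=10.0.0.0/24 \
    protocol=tcp dst-port=443 action=mark-routing new-routing-mark=to_proxy \
    comment="Rule 4: mark HTTPS to_proxy"

# Rule 5: accept the marked packets so the router can re-route them.
add chain=prerouting in-interface=ether2 routing-mark=to_proxy action=accept \
    comment="Rule 5: accept marked packets"

# Check the order (add appends, so it matches the numbering above) and the
# packet counters: rules 3/4 should count LAN browsing, rules 1/2 should
# count only the proxy box's own outbound connections.
/ip firewall mangle print stats
```

If a rule ends up in the wrong position, move it with `/ip firewall mangle move` rather than deleting and re-adding the whole set.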