
MIKROTIK with SQUID/ZPH: how to bypass Squid Cache HIT objec... http://aacable.wordpress.com/2011/07/21/mikrotik-with-squidzph-unli...

Syed Jahanzaib Personnel Blog to Share Knowledge !

July 21, 2011

MIKROTIK with SQUID/ZPH: how to bypass Squid Cache HIT object with
Queues Tree in RouterOS 5.x & 6.x

Filed under: Linux Related, Mikrotik Related — Tags: cache hit content, DSCP 12, how to bypass Squid Cache HIT
object with mikrotik, how to bypass Squid Cache HIT object with Queues Tree in RouterOS 3+, Marking packets with
DSCP, Mikrotik redirect HTTP traffic to SQUID proxy Server, squid transparent mode, tcp_outgoing_tos 0x30, zph —
Syed Jahanzaib / Pinochio~:) @ 9:53 AM

aacable@hotmail.com

1 of 15 11/20/2013 10:09 PM

Using Mikrotik, we can redirect HTTP traffic to a SQUID proxy server, and we can also control user bandwidth. But it is a good idea to deliver already cached content to users at full LAN speed; that is what we set up a cache server for, to save bandwidth and have a fast browsing experience, right :p. So how can we make Mikrotik deliver cache content to users at unlimited speed, with no queue on cache content? Here we go.

By using ZPH directives, we mark cache content so that it can later be picked up by Mikrotik.

The basic requirement is that Squid must be running in transparent mode, which can be done via iptables and squid.conf directives.
I am using UBUNTU squid 2.7 (in Ubuntu, apt-get install squid will install squid 2.7 by default, which is great for our work).
Add these lines in SQUID.CONF:

#===============================================================================
#ZPH for SQUID 2.7 (Default in ubuntu 10.4) / Syed Jahanzaib aacable@hotmail.com
#===============================================================================

# lanuser is the ACL for the local network, change it to match yours
tcp_outgoing_tos 0x30 lanuser
zph_mode tos
zph_local 0x30
zph_parent 0
zph_option 136

Use the following if you have squid 3.1.19:

#======================================================
#ZPH for SQUID 3.1.19 (Default in ubuntu 12.4) / Syed Jahanzaib aacable@hotmail.com
#======================================================

# ZPH for Squid 3.1.19
qos_flows local-hit=0x30

That's it for SQUID. Now moving on to the Mikrotik box.

Add the following rules:

# Marking packets with DSCP (for MT 5.x) for cache hit content coming from SQUID Proxy

/ip firewall mangle add action=mark-packet chain=prerouting disabled=no dscp=12 new-packet-mar

/queue tree add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit


# Marking packets with DSCP (for MT 6.x) for cache hit content coming from SQUID Proxy

/ip firewall mangle add action=mark-packet chain=prerouting comment="MARK_CACHE_HIT_FROM_PROXY

/queue tree add comment="ZPH Cache Hit Queue : ) / Syed Jahanzaib" name=proxy packet-mark=zph-

# If the above queue tree does not work with ROS 6.x, then try adding a simple queue and move it to the TOP of the simple QUEUE section.

/queue simple
add max-limit=100M/100M name="ZPH-Proxy Cache Hit Simple Queue / Syed Jahanzaib >aacable@hotma

Now every packet that SQUID marks as CACHE_HIT will be delivered to the user at full LAN speed; the rest of the traffic will be restricted by the user queue.

TROUBLESHOOTING:

The above config is fully tested with UBUNTU SQUID 2.7 and FEDORA 10 with LUSCA.

Make sure your squid is marking TOS for cache hit packets. You can check it via TCPDUMP:

__________________________________________________________
tcpdump -vni eth0 | grep 'tos 0x30'

(eth0 = LAN connected interface)

Can you see something like this?

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

20:25:07.961722 IP (tos 0x30, ttl 64, id 45167, offset 0, flags [DF], proto TCP (6), length 409)
20:25:07.962059 IP (tos 0x30, ttl 64, id 45168, offset 0, flags [DF], proto TCP (6), length 1480)
192 packets captured
195 packets received by filter
0 packets dropped by kernel
_________________________________
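
The tcpdump check above, as an added example (not part of the original post): a small Python filter that reads `tcpdump -v` output, tallies packets per TOS value and converts each to the DSCP value the Mikrotik mangle rule matches (TOS 0x30 shifted right by two bits is DSCP 12). The file name zph_check.py, the function names and the sample lines are assumptions constructed for illustration.

```python
#!/usr/bin/env python3
"""Check whether Squid is setting the ZPH TOS mark on cache-hit packets.

Usage on the proxy (eth0 = LAN connected interface, as in the article):
    tcpdump -vni eth0 -c 500 | python3 zph_check.py
"""
import re
import sys
from collections import Counter

EXPECTED_TOS = 0x30   # zph_local / qos_flows local-hit value used in the article
EXPECTED_DSCP = 12    # dscp= value matched by the RouterOS mangle rule

# tcpdump -v prints the IP header as "IP (tos 0x30, ttl 64, id ...".
# With ECN bits set it prints e.g. "tos 0x32,ECT(0)", so capture only the hex digits.
TOS_RE = re.compile(r"\(tos (0x[0-9a-fA-F]+)")

# Constructed sample input modelled on the output shown in the article:
# two marked cache hits, one unmarked packet, one marked packet with ECN bits set.
SAMPLE = """\
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
20:25:07.961722 IP (tos 0x30, ttl 64, id 45167, offset 0, flags [DF], proto TCP (6), length 409)
20:25:07.962059 IP (tos 0x30, ttl 64, id 45168, offset 0, flags [DF], proto TCP (6), length 1480)
20:25:07.970113 IP (tos 0x0, ttl 50, id 39136, offset 0, flags [DF], proto TCP (6), length 52)
20:25:08.104411 IP (tos 0x32,ECT(0), ttl 64, id 45169, offset 0, flags [DF], proto TCP (6), length 1480)
"""


def tos_to_dscp(tos):
    """DSCP is the upper six bits of the TOS byte; the low two bits are ECN."""
    return (tos & 0xFF) >> 2


def count_tos(lines):
    """Return a Counter of TOS byte values seen in tcpdump -v output lines."""
    counts = Counter()
    for line in lines:
        match = TOS_RE.search(line)
        if match:
            counts[int(match.group(1), 16)] += 1
    return counts


def diagnose(counts):
    """Return (status, marked, total) for a Counter produced by count_tos().

    A packet counts as marked when its DSCP equals EXPECTED_DSCP, which also
    covers TOS 0x31-0x33 (same DSCP, ECN bits set) that grep 'tos 0x30' misses.
    """
    total = sum(counts.values())
    if total == 0:
        return ("no-ip-headers", 0, 0)      # tcpdump probably ran without -v
    marked = sum(n for tos, n in counts.items()
                 if tos_to_dscp(tos) == EXPECTED_DSCP)
    if marked == 0:
        return ("not-marking", 0, total)    # check the ZPH lines in squid.conf
    return ("marking", marked, total)


def report(counts):
    """Format a per-TOS table followed by the verdict."""
    rows = ["%-6s %-5s %s" % ("TOS", "DSCP", "packets")]
    for tos, n in sorted(counts.items()):
        rows.append("0x%02x   %-5d %d" % (tos, tos_to_dscp(tos), n))
    status, marked, total = diagnose(counts)
    rows.append("%s: %d of %d packets carry DSCP %d"
                % (status, marked, total, EXPECTED_DSCP))
    return "\n".join(rows)


if __name__ == "__main__":
    # Read live tcpdump output when piped in, otherwise fall back to the sample.
    source = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    print(report(count_tos(source)))
```

A "not-marking" result with only TOS 0x0 rows means the problem is on the Squid side, so the Mikrotik mangle counter will stay at zero no matter how the queue is configured.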

Regards,
SYED JAHANZAIB


61 Comments »

1. [...] For ZPH configuration in squid, Please read the following post. http://aacable.wordpress.com/2011/07/21/mikrotik-with-squidzph-unlimited-speed-for-cache-content-tra… [...]

Pingback by Mikrotik as PPPoE Server + DMASOFTLAB Radius Manager + Ubuntu SQUID 2.7 + ZPH > Complete
Guide ! « Syed Jahanzaib Personnel Blog to share knwoledge ! — August 10, 2011 @ 3:13 PM

Reply
2. how about proxy external with only one ethernet…???

Comment by whielyx — November 15, 2011 @ 5:36 AM

Reply
Proxy can work with one ethernet too.
But its better to have separate WAN for proxy. anyhow one ethernet will work , just set its default route / dns
pointing to Mikrotik proxy interface.

Comment by Pinochio~:) — November 15, 2011 @ 10:52 AM

Reply
nice…. This the best blog I have ever met who discuss mikrotik and external proxy.
why use routing? why not use NAT to create a transparent proxy ..?

Comment by whielyx — November 15, 2011 @ 4:46 PM

hi i like your work , i just got one problem i used your “yourtube” transparent proxy settings which you
explained, but my problem is it works if i test it on squid x86 pc itself with ( proxy lan 127.0.0.1:8080) but
when i put it in mikrotik it dont work ive tried all tricks already eg:

ip – firewal l- nat – dstnat -protcol tcp6 – port80 -dst-nat8080 – dst-nat ip (squid ip)
webproxy – parent ip & port = squid ip & port

if you could help me out please

Comment by johan — January 22, 2012 @ 9:31 PM

# Without knowing your network topologies , I can comment.


# SQUID must be running in transparent mode via squid.conf and iptables directives.
# Mikrotik may have 3 interfaces, one for lan, second for squid proxy, third for ISP/WAN. All must be
running on different subnets.

Comment by Syed Jahanzaib / Pinochio~:) — January 23, 2012 @ 11:48 AM

My Mikrotik:


433UAH as follows:

LAN 1 = master – 192.168.88.1

LAN 2 = ADSL – 192.168.1.251 gateway – 192.168.1.1


DNS – servers: 192.168.1.1
allow-remote-requests: yes
max-udp-packet-size: 512
cache-size: 4096KiB
cache-max-ttl: 1w
cache-used: 538KiB

LAN 3 = HOME PRIVATE INTERNET (LEAVE AS IS) with IP = 192.168.87.0/24

Firewall NAT:
0 ;;; Redirect Rediect Web-Proxy
chain=dstnat action=redirect to-ports=8080 protocol=tcp dst-port=80

1 ;;; Masquerade ADSL Network


chain=srcnat action=masquerade out-interface=ADSL

…………………………………………………………………………………………………………………………….

My LAN 1 connects to 750G Router where all public clients connect to.

My squid is setup on a X86 PC with default settings again as it was corrupt, i reconfigured ,
reinstalled default “squid.conf”, ive plugged it directly in adsl with DHCP (192.168.1.1/24)
and tested it in Mozilla Firefox with proxy IP & Port ( 127.0.0.1:8080 & 127.0.0.1:3128) results
is it works.
…………………………………………………………………………………………………………………………….

What i need is for it to work through my Mikrotik router as a HTTP Proxy or Transparent & my clients
PC’s to auto detect it without configurations

Thank You

Comment by Johan — January 23, 2012 @ 9:03 PM

# There are couple of ways to accomplish this.

# You can use dst-nat rule to redirect all http request to SQUID box.

# You can mark HTTP packets and then route them to SQUID box, This is preferred way and squid can see
users original source ip, not the mikrotik ip, and you can log users original ip address in squid logs. Which
is sometimes requires for management purposes.

Use the below links.

http://aacable.wordpress.com/2011/12/30/howto-add-squid-proxy-server-with-mikrotik-short-reference-guide/

http://aacable.wordpress.com/2011/07/21/mikrotik-howto-redirect-http-traffic-to-squid-with-original-source-client-ip/

Comment by Syed Jahanzaib / Pinochio~:) — January 24, 2012 @ 11:22 AM

3. If you use NAT, SQUID will see only Mikrotik IP. so you cant log user ip in access.log

Routing is used so that Proxy can log user ip for record purpose. and also it prevents double NATing, first at
mikrotik , second on proxy.

Comment by Pinochio~:) — November 15, 2011 @ 6:38 PM

Reply
4. ok. so far, I use a dst-nat to make transparent proxy and I can still see the access.log contains client source ip.


/ip firewall nat


add action=dst-nat chain=dstnat comment=squid disabled=no dst-address=![squid-network]
dst-port=80,81,8080,3128 in-interface=ether3-hotspot protocol=tcp src-address=[lan-network] to-addresses=
[ip-squid] to-ports=[port-squid]

cmiiw,
best regards.

Comment by whielyx — November 16, 2011 @ 2:07 AM

Reply
now, i’m stucked with traffic shaping…

Comment by whielyx — November 16, 2011 @ 9:17 AM

Reply
good.

Comment by Pinochio~:) — November 16, 2011 @ 10:33 AM

Reply
5. Traffic shaping can be easily done via Mikrotik.

Comment by Pinochio~:) — November 16, 2011 @ 10:30 AM

Reply
Can you give me an example of its traffic shaping? or can you make a post that gives an explanation of traffic
shaping, either with or without external proxy.

Comment by whielyx — November 16, 2011 @ 7:43 PM

Reply
Try this link, its easier to do shaping via profile.
http://wiki.mikrotik.com/wiki/Cable_setup

Comment by Pinochio~:) — November 17, 2011 @ 11:32 AM

6. thanks sir…

Comment by whielyx — November 17, 2011 @ 2:29 PM

Reply
7. Asalam Aliukom

I have the following network topology (in summary)

{internet}
|
[firewall & squid cache@pfsense]—[MT_AP]~[MT_STA with wds]—[hotspot@MT_router]—[clients]
|
|
[radius@ubuntu]

pfsense: LAN = 172.31.224.1/24 with transparent proxy cache


MikroTik: WAN’s = dhcp client with 172.31.224.x/24

this is the squid.conf on pfsense(freebsd)

Code:
http_port 172.31.224.1:3128 transparent
http_port 127.0.0.1:80 transparent
icp_port 0

pid_filename /var/run/squid.pid


cache_effective_user proxy
cache_effective_group proxy
error_directory /usr/local/etc/squid/errors/English
icon_directory /usr/local/etc/squid/icons
visible_hostname net4u1.com
cache_mgr admin@net4u1.com
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
logfile_rotate 30
shutdown_lifetime 0 seconds
# Allow local network(s) on interface(s)
acl localnet src 172.31.224.0/255.255.255.0
forwarded_for transparent
via off
httpd_suppress_version_string on
uri_whitespace strip
dns_nameservers 127.0.0.1

cache_mem 2048 MB
maximum_object_size_in_memory 128 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir coss /var/squid/coss 8000 max-size=419840 block-size=512
cache_dir aufs /var/squid/cache 320000 128 256 min-size=419840
minimum_object_size 0 KB
maximum_object_size 399 MB
offline_mode off
cache_swap_low 90
cache_swap_high 95

# No redirector configured

# Setup some default acls


acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 1337 3128 1025-65535
acl sslports port 443 563 1337
acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT
acl partialcontent_req req_header Range .*
acl mallware url_regex "/usr/local/etc/squid/mallware.url"
acl conficker url_regex "/usr/local/etc/squid/conficker.url"
#acl dynamic urlpath_regex cgi-bin \?
#include /usr/local/etc/squid/include.conf
include /usr/local/etc/squid/tunning.conf
#cache deny dynamic
http_access allow manager localhost
http_access deny mallware
http_access deny conficker
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports

# Always allow localhost connections

http_access allow localhost

quick_abort_min 32 KB


quick_abort_max 128 KB
quick_abort_pct 75
range_offset_limit 0 MB
request_body_max_size 0 allow all
reply_body_max_size 0 deny all

delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
# Throttle extensions matched in the url
acl throttle_exts urlpath_regex -i "/var/squid/acl/throttle_exts.acl"
delay_access 1 allow throttle_exts
delay_access 1 deny all

# Custom options
zph_mode tos
zph_local 0x30
zph_parent 0
zph_option 136

# Allow local network(s) on interface(s)


http_access allow localnet

# Default block all to be sure

http_access deny all

and add this to mikrotik routers

Code:
/ip firewall mangle
add chain=prerouting action=mark-packet dscp=12 new-packet-mark=proxy-hit passthrough=no
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 /
name=pmark packet-mark=proxy-hit parent=global-out priority=1 queue=default

I try many tests but no bypass cache hit it’s limit with hotspot client profile speed !
and there is something wired, that is while monitoring the mangle rule I notice that the counter never increased
and stay on 0 but while I change dscp value to 48 it’s began to count (that’s mean marking packets) I know that 30
in hex its equal to 48 in decimal (tos) and dscp its quarter of tos value 12

so please I need your help me to make this situation work for me

TIA
SaFi

Comment by SaFi — December 10, 2011 @ 5:53 PM

Reply
Q1# Make sure your squid is marking TOS for cache hit packets. You can check it via TCPDUMP
What is the result of following command at Proxy server?
__________________________________________________________
# tcpdump -vni eth0 | grep 'tos 0x30'
(eth0 = LAN connected interface)

Can you see something like

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

20:25:07.961722 IP (tos 0x30, ttl 64, id 45167, offset 0, flags [DF], proto TCP (6), length 409)
20:25:07.962059 IP (tos 0x30, ttl 64, id 45168, offset 0, flags [DF], proto TCP (6), length 1480)
192 packets captured
195 packets received by filter
0 packets dropped by kernel


__________________________________________________________

Q2# What is your mikrotik version?

Q3# What is your SQUID Version?

Suggestion: Use Ubuntu instead, as it is being Labeled ‘Linux for human being’ Label is self explanatory.

Comment by Pinochio~:) — December 10, 2011 @ 8:30 PM

Reply
Thank you Syed for your quick reply

Answer #1: I run this command tcpdump -nnvvi rl0 | grep 'tos 0x' and I get lines like this
21:02:33.760598 IP (tos 0x0, ttl 50, id 39136, offset 0, flags [DF], proto TCP (6), length 52)
it’ seem that the marking doesn’t work …right?

Answer #2 : MikroTik ver 5.5

Answer #3 : My cache server is a package called “lusca-cache” from pfsense packages and it’s such version
of squid 2.7.9 customized by chudy.fernandez: http://code.google.com/p/pfsense-cacheboy/wiki/Pfsense_Lusca

salam

Comment by SaFi — December 10, 2011 @ 11:22 PM

8. # Version 2.7.STABLE6 is the default in ubuntu base installation and have builtin support for ZPH

# If squid isn’t marking TOS packets, then mikrotik can’t recognize the packets. First diagnose it. I guess the
syntax for ZPH in your squid.conf isn’t right. Correct it. Read my article @
http://aacable.wordpress.com/2011/07/21/mikrotik-with-squidzph-unlimited-speed-for-cache-content-traffic/

# to get working squid.conf , you can view my blog at http://aacable.wordpress.com/2011/06/01/working-squid-conf-example-fil/

# Try Ubuntu, In past I have used many flavors of linux, But the most suited version I found is Ubuntu (10.4
Desktop Version, as you will get nice GUI for management, It can also act as a server base) , Try it on a test box. I
have made very simple guides for ubuntu squid + zph + mikrotik rules. Its always succeed

Comment by Pinochio~:) — December 11, 2011 @ 10:18 AM

Reply
9. asalam o alikum
sir
i have facing in some problems
i had configure your articals but cache is to running perfectly and also flv for you tube isn,t run
tell me some ideas how can i do please sir help me

Comment by mr yaseen ansari — January 20, 2012 @ 11:51 PM

Reply
Youtube is dynamic content and not supported by normal proxy.
For youtube caching, follow the below article.
http://aacable.wordpress.com/2012/01/19/youtube-caching-with-squid-2-7-using-storeurl-pl/

Comment by Syed Jahanzaib / Pinochio~:) — January 21, 2012 @ 11:47 AM

Reply
10. zaib bhai can we do cache youtube video’s on mikrotik without squid proxy??? how can we do this if possible?

Comment by waqas hussain — February 26, 2012 @ 11:01 AM

Reply
You can’t cache youtube videos using mikrotik web proxy.


You have to use external proxy server like SQUID/LUSCA with some modified config as showed in the
examples.

Comment by Syed Jahanzaib / Pinochio~:) — February 27, 2012 @ 8:53 AM

Reply
11. Syed

I follow yours instruction and boom squid working prefect bypassing the queue limit’s.
I have little problem with hotspot mirkotik.
When I redirect traffic via ubuntu server the login page won’t come up.
My connection is client’s——–mikrotik hotpot—–ubuntu server—– intenret.
In ubutu I use NAT and REDIRECT rules without Hotpot work prefect as soon as I turn on hotspot on interfaces
the users won’t be able to surf on the internet.
Any idea.
Thanks Miles
What else I can say to you, God bless you ..

Comment by Miles — March 11, 2012 @ 12:32 AM

Reply
12. Assalam sir, I am using hotspot and I am facing a problem: cached content is not being delivered at full speed, it is being counted as bandwidth. In the queue it shows up under global-in, it is not being delivered under global-out. Please help me out.

Comment by waqar hameed — March 15, 2012 @ 10:23 PM

Reply
are you using squid cache server ?
Make sure squid is marking ZPH packets , you confirm it via using tcpdump.

Comment by Syed Jahanzaib / Pinochio~:) — March 16, 2012 @ 2:09 PM

Reply
i’m Using yours which is mention in this tutorial ” http://aacable.wordpress.com/2012/01/11/howto-cache-youtube-with-squid-lusca-and-bypass-cached-videos-from-mikrotik-queue/ ”
well it is working fine for me but in prerouting where tos 12 is used is marked as packet but in queue tree it
shows its working in global in beside global out i don’t know where is problem is. please help me out

Comment by waqar hameed — March 16, 2012 @ 5:32 PM

13. aoa brother


I need to ask something if you are kind enough to answer, In my university there is squid 2.7 stable 21
wirelessproxy is installed on every router. Now I can not download anything using utorrent. Could you please
help me out in this situation? Thanks

Comment by Hasan — April 4, 2012 @ 4:22 PM

Reply
14. very useful information.
i have to try this one….

thanks pak syed

Comment by Maʹel — June 1, 2012 @ 7:15 PM

Reply
15. oops…im forgot to ask

where should i put these command in squid.conf


or i can put anywhere?

#==============
#ZPH Syed Jahanzaib aacable@hotmail.com


#=======================
tcp_outgoing_tos 0x30 lanuser
zph_mode tos
zph_local 0x30
zph_parent 0
zph_option 136
#[lanuser is ACL for local network]

Comment by Maʹel — June 1, 2012 @ 7:23 PM

Reply
You can put in anywhere after ACL Sections. Means acl ‘lanuser’ must be above these zph rules.

Comment by Syed Jahanzaib / Pinochio~:) — June 4, 2012 @ 9:59 AM

Reply
16. hey guys thanks for you all and any one can tell me how can i limit the output bandwidth to users they got now
full band from the cache i need to limit that band coz im using wireless link and i don’t want to get it full capacity
when users downloading some file from cache and i already limit the real internet band

Comment by karemm — June 25, 2012 @ 6:43 PM

Reply
You can create separate Queue for the cached marked contents and limit it.

Comment by Syed Jahanzaib / Pinochio~:) — June 27, 2012 @ 9:03 AM

Reply
17. when i try to test with tcpdump-VNI eth0 | grep ‘tos 0 × 30′
grep: 0 * 30: ni Such file or directory
tcp_outgoing_tos 0 × 30 lanuser
zph_mode tos
zph_local 0 × 30
zph_parent 0
zph_option 136

Comment by achmad — June 25, 2012 @ 11:08 PM

Reply
there is no space between 0x30
use as below

tcp_outgoing_tos 0x30 lanuser

Comment by Syed Jahanzaib / Pinochio~:) — June 27, 2012 @ 9:01 AM

Reply
this my zph mode in squid.conf
#============================================================
# ZPH , To enable cache content to be delivered at full lan speed,
# To bypass the queue at MT.
#============================================================
tcp_outgoing_tos 0x30 all
zph_mode tos
zph_local 0x30
zph_parent 0
zph_option 136

i used http://aacable.wordpress.com/2012/01/11/howto-cache-youtube-with-squid-lusca-and-bypass-cached-videos-from-mikrotik-queue/ for my ubuntu 11.10 64 bit
thanks before

Comment by achmad fadly — June 27, 2012 @ 4:02 PM


18. thanks for this great tutorial..

is it possible if we marking packet by tcp_outgoing_tos that contains .exe packets and catch it by dscp mikrotik?

i’ve tried but i failed.

thanks in advanced…

Comment by Azma Yogi — July 14, 2012 @ 11:36 AM

Reply
19. Asslam-o-alaikum bhai ! it is possible given bellow and how to

3 DSL —-> Mt 5.18 —-> Squid 2.7 —–> Hotspot Mt 5.18——> clients

Comment by smn4all — August 2, 2012 @ 3:14 AM

Reply
Yes, its possible.

Comment by Syed Jahanzaib / Pinochio~:) — August 3, 2012 @ 7:26 AM

Reply
20. i got error in freebsd+squid “kernel: negative sbsize uid = o”
at that moment browsing getting slower.

please help me out

Comment by muhammad azam — August 23, 2012 @ 3:23 PM

Reply
Please post more details where you are getting this error?
I have no experience in FREEBSD. Please post your query at FreeBSD forums or mailing list.

Comment by Syed Jahanzaib / Pinochio~:) — August 23, 2012 @ 4:07 PM

Reply
21. Hi,
Pretty good doc!
I’m almost there… but my pppoe users and queue are on another router, my network is routed(ospf) How to pass
dscp to that router??
Thanks!
Patrick

Comment by Patrick — September 1, 2012 @ 5:51 AM

Reply
22. hello,
Is it possible to use the internal mikrotik web cache and configure as parent a squid proxy, if an object is found
from the squid cache and marked with th correct dscp value, how to passe this object at the lan speed with out
limitation
Regards

Comment by adda — October 5, 2012 @ 7:33 PM

Reply
23. HI, can somebody help me with mikrotik config, i have an external cache device which is Appliansys
Cachebox220, i want to connect it via the Mikrotik router, please give me the Mikrotik side configurations. thanks

Comment by Clive — February 26, 2013 @ 2:04 PM

Reply
24. Dear Sir
Is it differ if i put Squid between Mikrotik and Internet Modem , or it must be connected like the topology you


figure above
because i try to cache youtube videos but i fail

Comment by Ahmed Adel — March 5, 2013 @ 1:45 AM

Reply
You can put it in between Mikrotik and modem.
Also you can configure you squid as BRIDGE, and then it can intercept HTTP traffic and act accordingly.
There are lot of interesting things you can do with it be creative

Comment by Syed Jahanzaib / Pinochio~:) — March 5, 2013 @ 4:29 PM

Reply
25. Dear Sir

i configure squid as your articles but it cannot save youtube videos , any suggestion please ?

Comment by Ahmed Adel — March 6, 2013 @ 7:07 PM

Reply
Use NGINX method, people have reported its still working. search in Google “aacable nginx”

Comment by Syed Jahanzaib / Pinochio~:) — March 6, 2013 @ 7:49 PM

Reply
26. /ip firewall mangle add action=mark-packet chain=prerouting disabled=no dscp=12 new-packet-mark=proxy-hit
passthrough=no comment="Mark Cache Hit Packets / aacable@hotmail.com"

/queue tree add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=pmark
packet-mark=proxy-hit parent=global-out priority=8 queue=default
——————————————-
Hi Syed,
I found difficulty creating the above second rule. Since i am using the Mikrotik CCR-1036, which is the high end
router. But i didn’t find the option “global-out” in the queue tree.
Please do suggest me.

Comment by Vijay — April 1, 2013 @ 10:38 AM

Reply
27. Hi,
i currently run a network on RB1100 and would like to know if the following is possible.
I am currently trying out the above but would like to know the following

I inherited a network and i have to allocate bandwidth pools for the clients and i tried using usermanager to
allocate to each client a certain amount of bandwidth but i was not successful.

What i discovered is that you have to allocate either to the up or downstream a certain amount, what i am looking
for is a way to apportion to each client a certain amount of data bandwidth.

I would like to be able to for instance allocate to a client for instance 3Gb worth of data and whether the client
uploads or downloads i would like for it to be deducted from the 3gb data and also if the 3gb is not all consumed
within 30days then the account should expire.

Basically what i want to do here is to do data-capping.

I would appreciate all the help i can get.

Comment by Oluseyi — May 21, 2013 @ 2:06 PM

Reply
You can implement only QUOTA base service using usermanager.
For advance billing, use 3rd party radius server like DMASOFTLAB Radius Manager
dmasoftlab.com


Comment by Syed Jahanzaib / Pinochio~:) — May 21, 2013 @ 4:08 PM

Reply
28. Hi,
Please in making this ubuntu proxy work do i enable webproxy in mikrotik or not?
And also how what ipsettings should i use for the ubuntu?
Thank you mightly

Comment by Oluseyi — May 22, 2013 @ 12:44 PM

Reply
29. hi,

please let me explain me own network scenario to you.

I have 2 sets of mikrotik the main one I use is a X86 and the backup is a RB1100, now the X86 has
only 2 sets of network cards and can’t take any more than that. What do I do here?

Should I use a cross cable and connect the X86 to the Ubuntu and then issue that nic on the Ubuntu 172.16.10.3 as I
already have on the x86 and also on the rb1100 one other the ether being 172.16.10.2 as my gateway which is
another machine is 172.16.10.1.

I would really appreciate your step by step explanation here.

Thanks
My network is as follows:

Gateway>>Mikrotik(X86 or RB1100)>> Switch>> Users

Comment by Oluseyi — May 22, 2013 @ 1:41 PM

Reply
30. I tried this, and can see the mangle traffic matching, however this does not affect user download as users were still
downloading HIT files within their respective bandwidth restriction. Is there anything i may be doing wrong?

Thanks

Comment by OJ — May 24, 2013 @ 8:55 PM

Reply
31. hello sir
you have not answered my last two questions

Comment by Oluseyi — May 26, 2013 @ 4:41 AM

Reply
32. Hi,
please what have i done wrong as you don’t want to answer me?
please i really do need your help as i have just inherited a network as part of a new job and part of the conditions
is to increase the speed of the network.
I will appreciate all help possible.
Thank you

Comment by Oluseyi — May 29, 2013 @ 3:39 AM

Reply
33. amin wa’alaikum salam
Good day, I have just been employed in a company and I don’t know much about Mikrotik. Now I have an issue
which invariably is a test as they have said that I have to ensure that I build a cache outside the Mikrotik and that
if that improves the speed of browsing tremendously that means I have the job.
Let me describe the network to you:
Modem>Gateway(x86 PC)> Mikrotik (Rb1100 or x86)> switch>antennae

I would like to incorporate both the cache option to do both web-pages and also videos, I would like to do both on


the same machine. Also I would appreciate it if you could please give me detailed steps on what to do on each;
both on the Linux package and the Mikrotik package. The mikrotik version is 5.22 and the Ubuntu version is 13.04
64 bits.

Comment by Ahmed Bello — May 30, 2013 @ 1:32 AM

Reply
34. hi syed can u sent to me ur yahoo or ur phone pls i want ur help

Comment by faesal.net78@yahoo.com — August 24, 2013 @ 2:20 AM

Reply
35. bro tcpdump -vni eth0 | grep 'tos 0x30' showing nothing.matching. i have checked, my squid 2.7 is not marking
cache hits to tos 0x30. all packets are by default tos 0x0. plz guide

Comment by Quality DSL — September 21, 2013 @ 11:49 PM

Reply
If you have compiled squid from source, make sure you do it with enable zph configure option.

Comment by Syed Jahanzaib / Pinochio~:) — September 23, 2013 @ 8:34 AM

Reply
