Web Proxy

Web Proxy

Version Info

RouterOS 7.16 | Min: v6.0+ | ⏱️ 15 minutes | 🟡 Intermediate

Tested on: 7.16 7.14

Version-specific notes

• v7.0: Command syntax changed from /ip proxy to /ip/proxy
• v6.44: Cache path auto-creates directories

TL;DR (Quick Start)

For the impatient: enable basic HTTP proxy.

# Enable proxy
/ip/proxy/set enabled=yes port=8080

# Block a website
/ip/proxy/access/add dst-host=*.facebook.com action=deny

For transparent proxy (no client configuration):

/ip/firewall/nat/add chain=dstnat protocol=tcp src-address=192.168.1.0/24 \
    dst-port=80 action=redirect to-ports=8080

Verify with:

/ip/proxy/monitor

Overview

What this does: The Web Proxy caches HTTP content locally, reducing bandwidth usage and improving response times. It also enables content filtering by blocking websites, file types, or specific URLs.

When to use this:

• Reducing bandwidth usage through HTTP caching
• Blocking access to specific websites or content types
• Implementing basic content filtering for a network
• Relaying requests through an upstream (parent) proxy

Prerequisites:

• Firewall rules to prevent open proxy abuse
• For transparent proxy: NAT rules to redirect traffic
• For disk caching: Formatted and mounted storage

HTTP Only

The MikroTik Web Proxy only handles HTTP traffic (port 80). HTTPS traffic cannot be transparently proxied. For HTTPS filtering, clients must explicitly configure the proxy in their browser settings.

Configuration Steps

Step 1: Enable the Proxy

Enable the proxy service:

/ip/proxy/set enabled=yes port=8080

Step 2: Secure the Proxy (Critical)

Before anything else, prevent your proxy from being abused as an open proxy:

/ip/firewall/filter/add chain=input protocol=tcp dst-port=8080 \
    src-address=192.168.1.0/24 action=accept comment="Allow LAN to proxy"
/ip/firewall/filter/add chain=input protocol=tcp dst-port=8080 \
    action=drop comment="Block external proxy access"

Step 3: Configure Clients (Regular Proxy)

For regular proxy mode, configure client browsers to use:

• Proxy Address: Router IP (e.g., 192.168.1.1)
• Port: 8080

Step 4: Verify Operation

Check proxy status:

/ip/proxy/monitor

Expected output:

                status: running
                uptime: 1h30m
              requests: 1542
                   hits: 312
             cache-used: 45.2MiB
         total-ram-used: 52.1MiB
     client-connections: 5
     server-connections: 3

Common Scenarios

Scenario: Transparent Proxy (No Client Config)

Redirect all HTTP traffic through the proxy automatically:

# Enable proxy
/ip/proxy/set enabled=yes port=8080

# Redirect HTTP traffic to proxy
/ip/firewall/nat/add chain=dstnat protocol=tcp \
    src-address=192.168.1.0/24 dst-port=80 \
    action=redirect to-ports=8080 comment="Transparent proxy"

Transparent proxy only works for HTTP (port 80). HTTPS traffic will bypass the proxy.

Scenario: Block Websites by Domain

Block access to specific websites:

/ip/proxy/access/add dst-host=*.facebook.com action=deny
/ip/proxy/access/add dst-host=*.youtube.com action=deny
/ip/proxy/access/add dst-host=*.tiktok.com action=deny

Wildcard patterns:

• * matches any characters
• ? matches a single character
• *.example.com matches all subdomains

Scenario: Block File Types

Prevent downloading specific file types:

/ip/proxy/access/add path=*.exe action=deny comment="Block executables"
/ip/proxy/access/add path=*.mp3 action=deny comment="Block MP3s"
/ip/proxy/access/add path=*.torrent action=deny comment="Block torrents"
/ip/proxy/access/add path=*.zip action=deny comment="Block ZIP files"

Scenario: Whitelist Mode (Block Everything Except)

Allow only specific sites:

/ip/proxy/access/add dst-host=*.company.com action=allow
/ip/proxy/access/add dst-host=*.microsoft.com action=allow
/ip/proxy/access/add dst-host=*.google.com action=allow
/ip/proxy/access/add action=deny comment="Block everything else"

Order matters: Rules are processed top-to-bottom; first match wins.

Scenario: Enable Disk-Based Caching

Store cache on disk instead of RAM:

# Check available disks
/disk/print

# Enable disk caching
/ip/proxy/set cache-on-disk=yes \
    cache-path=/usb1/proxy-cache \
    max-cache-size=1000000 \
    max-cache-object-size=10240

• max-cache-size: Total cache size in KiB (1000000 = ~1GB)
• max-cache-object-size: Maximum single file size to cache in KiB

Scenario: Parent Proxy (Upstream Relay)

Route all requests through an upstream proxy:

/ip/proxy/set parent-proxy=10.0.0.1 parent-proxy-port=3128

Scenario: Bypass Parent for Local Sites

Access local resources directly, not through parent proxy:

/ip/proxy/direct/add dst-address=192.168.0.0/16 action=allow
/ip/proxy/direct/add dst-address=10.0.0.0/8 action=allow
/ip/proxy/direct/add dst-host=*.local action=allow

Scenario: Block by Source Address

Restrict specific clients:

# Block guest network from proxy
/ip/proxy/access/add src-address=192.168.2.0/24 action=deny

# Allow main network
/ip/proxy/access/add src-address=192.168.1.0/24 action=allow

Scenario: Anonymous Proxy

Hide client IP addresses from destination servers:

/ip/proxy/set anonymous=yes

This suppresses the X-Forwarded-For header.

Scenario: Don’t Cache Dynamic Content

Prevent caching of dynamic/frequently-changing content:

/ip/proxy/cache/add dst-host=*.php action=deny
/ip/proxy/cache/add path=*cgi-bin* action=deny
/ip/proxy/cache/add path=*?* action=deny comment="Don't cache URLs with query strings"

Scenario: View Active Connections

Monitor current proxy connections:

/ip/proxy/connections/print

Shows source, destination, state, and bytes transferred.

Scenario: View Cached Content

List objects in cache:

/ip/proxy/cache-contents/print

Clear the cache:

/ip/proxy/cache-contents/remove [find]

Verification

Confirm the Web Proxy is working correctly:

Check 1: Verify Proxy Status

/ip/proxy/print

Expected: enabled: yes with configured settings.

Check 2: Monitor Real-Time Statistics

/ip/proxy/monitor

Expected: status: running, increasing requests count.

Check 3: Verify Access Rules

/ip/proxy/access/print

Expected: Rules listed in correct order.

Check 4: Check Cache Hits

/ip/proxy/monitor

Expected: hits count increasing (indicates caching is working).

Check 5: View Active Connections

/ip/proxy/connections/print

Expected: Active client/server connections during browsing.

Troubleshooting

Symptom	Cause	Solution
Proxy accessible from Internet	No firewall rules	Add firewall rules to restrict access to LAN only
HTTPS sites not filtered	HTTPS bypasses transparent proxy	Use explicit proxy config on clients; transparent only works for HTTP
No cache hits	Cache-Control headers or small object limit	Increase max-cache-object-size; try always-from-cache=yes
Disk cache not working	Invalid path or unmounted disk	Verify disk with /disk/print; check path exists
Access rules not working	Rule order incorrect	First match wins; put specific rules before general rules
Some websites broken	Site detects/blocks proxy	Add to direct access list or use explicit proxy mode
High memory usage	RAM-based caching	Enable cache-on-disk=yes with external storage
Clients can’t connect	Firewall blocking proxy port	Add accept rule for proxy port from LAN

Debug: Check Proxy Logs

/log/print where topics~"proxy"

Debug: Test Access Rules

Use a specific client and check if rules match:

/ip/proxy/access/print stats

Shows hit counts per rule.

Debug: Verify NAT Rule (Transparent)

/ip/firewall/nat/print where action=redirect

Ensure the redirect rule is active and matching traffic.

Common Mistakes

• Open proxy vulnerability - Always add firewall rules before enabling the proxy. An open proxy will be abused for spam and attacks.
• Expecting HTTPS filtering - Transparent proxy only works for HTTP port 80. HTTPS requires explicit client configuration.
• Wrong rule order - Access rules are processed top-to-bottom. Put specific rules before catch-all rules.
• RAM exhaustion - Default RAM-based caching can exhaust memory. Use disk caching for large deployments.
• Caching dynamic content - Don’t cache URLs with query strings or dynamic pages; create cache deny rules.

Community Tips

Test Before Production: Enable the proxy without transparent redirect first. Configure one test client manually to verify functionality.

Cache Efficiency: Monitor the hits vs requests ratio in /ip/proxy/monitor. Low hit rates may indicate caching rules need adjustment.

Logging: Enable proxy logging for troubleshooting:

/system/logging/add topics=web-proxy action=memory

HTTPS Alternatives: For HTTPS filtering, consider DNS-based blocking (/ip/dns/static) or Layer 7 firewall rules instead of the web proxy.

Performance: On busy networks, increase max-client-connections and max-server-connections if you see connection limits being reached.

Access List Matching

Access rules support various matching criteria:

Property	Matches	Example
src-address	Client IP/subnet	192.168.1.0/24
dst-address	Server IP/subnet	10.0.0.0/8
dst-host	Hostname pattern	*.facebook.com
dst-port	Destination port	80 or 80-443
path	URL path pattern	*.exe, */downloads/*
method	HTTP method	GET, POST, CONNECT

Wildcard Patterns

Pattern	Matches
*	Any characters
?	Single character
*.example.com	All subdomains of example.com
*facebook*	Any URL containing “facebook”
:regex	Regular expression (prefix with colon)

Related Topics

Prerequisites

• NAT Masquerade - required for transparent proxy redirect
• Firewall Basics - securing proxy access

Alternative Solutions

• DNS Server - alternative for domain blocking
• Firewall Address Lists - IP-based blocking

Storage

• Files - disk management for caching
• Resources - monitor cache disk usage

Network

• DHCP Server - distribute proxy settings
• IP Addresses - proxy interface addressing

Reference

• MikroTik Proxy Documentation

Key Commands Reference

Command	Description
/ip/proxy/set	Configure proxy settings
/ip/proxy/print	View configuration
/ip/proxy/monitor	Real-time statistics
/ip/proxy/access/add	Create access rule
/ip/proxy/access/print	View access rules
/ip/proxy/direct/add	Create direct access rule
/ip/proxy/cache/add	Create cache control rule
/ip/proxy/connections/print	View active connections
/ip/proxy/cache-contents/print	View cached objects

Core Properties

Property	Type	Default	Description
enabled	yes/no	no	Enable proxy service
port	integer	8080	Listening port
src-address	IP	0.0.0.0	Source address for outbound
anonymous	yes/no	no	Hide client IP
cache-administrator	string	webmaster	Admin email for error pages

Cache Properties

Property	Type	Default	Description
cache-on-disk	yes/no	no	Store cache on disk
cache-path	string	web-proxy	Disk cache directory
max-cache-size	KiB	unlimited	Maximum total cache size
max-cache-object-size	KiB	2048	Maximum single object size
max-fresh-time	time	3d	Maximum cache retention
always-from-cache	yes/no	no	Serve expired cache if unavailable

Parent Proxy Properties

Property	Type	Default	Description
parent-proxy	IP	0.0.0.0	Upstream proxy address
parent-proxy-port	integer	0	Upstream proxy port

Connection Properties

Property	Type	Default	Description
max-client-connections	integer	600	Max client connections
max-server-connections	integer	600	Max server connections

Monitor Output Fields

Field	Description
status	Service status (running/stopped)
uptime	Time since proxy started
requests	Total requests received
hits	Requests served from cache
cache-used	Current cache size
total-ram-used	RAM consumption
client-connections	Active client connections
server-connections	Active server connections