
Web Proxy

RouterOS includes an integrated HTTP proxy server that can intercept, filter, and cache web traffic. It operates in two modes:

  • Explicit proxy — clients are manually configured to send requests through the proxy
  • Transparent proxy — the router silently redirects HTTP traffic without client configuration

Use cases include centralized web access control (allow/deny by domain, URL, or source), bandwidth reduction through caching, and chaining to an upstream corporate proxy.

Note: The RouterOS web proxy inspects plaintext HTTP only. HTTPS (port 443) traffic cannot be transparently intercepted: TLS encrypts the request line, headers and body, so the proxy cannot read the destination host, URL or content. In explicit mode HTTPS is only passed through as an opaque CONNECT tunnel. For HTTPS filtering, use DNS-based blocking, destination address lists, or firewall matching on the TLS server name or layer-7 patterns (see the HTTPS section further down).

Requirements:

  • RouterOS v6 or v7
  • Package: web-proxy (included in standard builds)
  • A LAN interface or bridge with the client hosts behind it

In explicit mode, clients must point their browser or OS proxy settings at the router. The proxy listens on the configured port on every interface, including the WAN, so restrict who can reach it with firewall input rules and proxy access rules; otherwise the router becomes an open proxy for anyone on the internet.

Step 1: Enable the proxy

/ip proxy set enabled=yes port=8080

Step 2: Configure clients

Set the browser or OS HTTP proxy to:

  • Proxy host: router’s LAN IP (e.g. 192.168.88.1)
  • Port: 8080

Step 3: Verify

/ip proxy print
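A complete explicit-mode setup that also closes the obvious hole, as an added example (not from the original page): the proxy listens on all interfaces, so the firewall input chain and the proxy access list are used together to keep it reachable from the LAN only. It assumes interface lists named LAN and WAN and the LAN subnet 192.168.88.0/24; adjust both to your network.

```routeros
# Added example, not from the original page. Assumes interface lists
# "LAN" and "WAN" exist and the LAN subnet is 192.168.88.0/24.

# 1. Enable the listener. It binds to every interface, so step 2 matters.
/ip proxy set enabled=yes port=8080

# 2. Firewall: drop proxy connections arriving on WAN-facing interfaces
#    and accept them only from the LAN. Both rules must sit above any
#    generic "accept" rule in the input chain.
/ip firewall filter
add chain=input in-interface-list=WAN protocol=tcp dst-port=8080 \
    action=drop comment="No open proxy from the internet"
add chain=input in-interface-list=LAN protocol=tcp dst-port=8080 \
    action=accept comment="Allow LAN clients to the proxy"

# 3. Second layer inside the proxy: only the LAN subnet may use it,
#    everything else is denied (first matching rule wins, so order matters).
/ip proxy access
add src-address=192.168.88.0/24 action=allow comment="LAN clients"
add action=deny comment="catch-all deny"

# 4. Verify: service up, firewall rules present, access list in order.
/ip proxy print
/ip firewall filter print where dst-port=8080
/ip proxy access print
```

The RouterOS default firewall already drops unsolicited input from the WAN, but an explicit drop rule keeps the intent visible if that default is ever relaxed. Test from a host outside the LAN: a request such as GET http://example.com/ HTTP/1.1 sent to the router's public address on port 8080 should be refused or time out rather than return the page.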

In transparent mode, the router intercepts HTTP traffic silently — no client configuration needed. Transparent interception is handled entirely by the firewall — enable the proxy and add a NAT redirect rule.

Step 1: Enable the proxy

/ip proxy set enabled=yes port=8080

Step 2: Add a firewall NAT redirect rule

Redirect TCP port 80 traffic from LAN clients to the local proxy:

/ip firewall nat add \
chain=dstnat \
in-interface-list=LAN \
protocol=tcp \
dst-port=80 \
action=redirect \
to-ports=8080 \
comment="Transparent HTTP proxy"

Replace in-interface-list=LAN with your actual LAN interface or interface list. Scoping to the LAN keeps the rule from redirecting port-80 traffic that arrives on other interfaces, such as the WAN, into the proxy.

Step 3: Verify interception

/ip firewall nat print where action=redirect
/ip proxy print

Some destinations should bypass the proxy (e.g. the router's own web interface, internal servers, or sites that misbehave behind a proxy). Put them in an address list and negate it in the redirect rule. Use this rule in place of the plain redirect rule above, not alongside it: if both exist, the first one matches and the bypass never applies. To exempt particular client hosts instead, use src-address-list=!proxy-bypass-clients in the same way.

/ip firewall address-list
add list=proxy-bypass address=192.168.88.1 comment="router itself"
/ip firewall nat add \
chain=dstnat \
in-interface-list=LAN \
protocol=tcp \
dst-port=80 \
dst-address-list=!proxy-bypass \
action=redirect \
to-ports=8080 \
comment="Transparent HTTP proxy (with bypass)"
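The same redirect with a client exemption list added, plus a way to confirm the rule is really matching, as an added example that is not from the original page. The addresses (192.168.88.1 for the router, 192.168.88.10 for an internal server, 192.168.88.50 for an exempt client) and the interface list LAN are placeholders.

```routeros
# Added example, not from the original page. Placeholder addresses:
# 192.168.88.1 router, 192.168.88.10 internal web server, 192.168.88.50
# a client that must not be proxied. Assumes interface list "LAN".

/ip proxy set enabled=yes port=8080

# Destinations that must not be proxied (router web UI, internal servers)
/ip firewall address-list
add list=proxy-bypass-dst address=192.168.88.1 comment="router web interface"
add list=proxy-bypass-dst address=192.168.88.10 comment="internal web server"
# Clients that must not be proxied (e.g. a monitoring host)
add list=proxy-bypass-src address=192.168.88.50 comment="monitoring host"

# Exactly one redirect rule. If the earlier "Transparent HTTP proxy" rule is
# still present, remove it: otherwise it matches first and the lists are ignored.
/ip firewall nat
remove [find comment="Transparent HTTP proxy"]
add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=80 \
    src-address-list=!proxy-bypass-src dst-address-list=!proxy-bypass-dst \
    action=redirect to-ports=8080 comment="Transparent HTTP proxy (with bypass)"

# Verify: the rule's packet and byte counters grow while a LAN client browses
# an HTTP site, and the proxy lists the resulting client connections.
/ip firewall nat print stats where comment~"Transparent HTTP proxy"
/ip proxy connections print
```

A client on the bypass list, or a request to a bypassed destination, should leave the counters unchanged and never appear in the proxy's connection list; that is the quickest way to prove an exemption actually works.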

Access rules are evaluated top-down and the first matching rule wins. A request that matches no rule is allowed, so a deny-by-default policy needs an explicit catch-all deny as its last rule. Place specific rules before catch-all rules.

Allow a subnet, deny everything else:

/ip proxy access add src-address=192.168.88.0/24 action=allow
/ip proxy access add action=deny

Block specific domains:

/ip proxy access add dst-host=ads.example.com action=deny
/ip proxy access add dst-host=*.doubleclick.net action=deny comment="wildcard match"

Block a URL path pattern:

/ip proxy access add path=*.exe action=deny comment="block executable downloads"

Deny a specific HTTP method (in explicit mode this also blocks HTTPS, which relies on CONNECT tunnels through the proxy):

/ip proxy access add method=connect action=deny comment="block CONNECT tunneling"

View current rules:

/ip proxy access print detail
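An ordered policy that combines the rules above, as an added example (not from the original page). It assumes the LAN subnet 192.168.88.0/24 and an unrestricted admin host at 192.168.88.20, both placeholders; the comments carry the ordering rationale.

```routeros
# Added example, not from the original page. Placeholders: LAN subnet
# 192.168.88.0/24, admin host 192.168.88.20. The list is evaluated top-down,
# first match wins, no match means allow, so the catch-all deny goes last.

/ip proxy access
# Admin host may fetch anything; must precede every deny rule below
add src-address=192.168.88.20 action=allow comment="admin host, unrestricted"
# Content rules for everyone else: specific before general
add path=*.exe action=deny comment="no executable downloads"
add dst-host=*.doubleclick.net action=deny comment="ad network"
# Explicit-mode HTTPS needs CONNECT to port 443; allow that, deny other tunnels
add method=connect dst-port=443 action=allow comment="HTTPS tunnels only"
add method=connect action=deny comment="no other CONNECT tunnels"
add src-address=192.168.88.0/24 action=allow comment="LAN clients"
add action=deny comment="catch-all deny"

# Later additions go above the catch-all without re-ordering by hand
add dst-host=ads.example.com action=deny comment="added later" \
    place-before=[find comment="catch-all deny"]

/ip proxy access print
```

If the admin-host rule were moved below the content rules, the admin would be subject to them too; if the catch-all deny were moved above the LAN allow, every LAN client would be denied. Reading the list with print after each change is the cheapest check.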

To forward all proxy requests to an upstream proxy server:

/ip proxy set \
enabled=yes \
parent-proxy=203.0.113.10 \
parent-proxy-port=3128

The proxy caches HTTP responses in RAM by default. Disk caching requires an external storage device.

RAM-only cache:

/ip proxy set max-cache-size=unlimited

Disk cache (RouterOS v7, requires external storage):

/ip proxy set \
cache-on-disk=yes \
cache-path=usb1/proxy-cache \
max-cache-size=512000

The cache-path must point to a directory on an external drive. Internal storage is not supported for disk caching in RouterOS v7.

Disable caching entirely:

/ip proxy set max-cache-size=none

View cached objects:

/ip proxy cache print
Proxy settings (/ip proxy set):

  • enabled (default: no): enable or disable the proxy service
  • port (default: 8080): TCP port the proxy listens on
  • anonymous (default: no): allow requests without authentication
  • parent-proxy (no default): upstream proxy IP address
  • parent-proxy-port (default: 8080): upstream proxy port
  • max-cache-size (default: unlimited): maximum cache size in KiB; none disables caching
  • max-ram-cache-size (no default listed): maximum RAM used for caching
  • cache-on-disk (default: no): store cached objects on disk instead of RAM
  • cache-path (default: web-proxy1): directory path for the disk cache (must be on an external drive in v7)
  • cache-hit-dscp (default: 4): DSCP mark applied to packets of cache-hit responses
  • cache-administrator (no default): administrator e-mail shown on block pages

Access rule properties (/ip proxy access add):

  • src-address: match the client source IP or subnet
  • dst-address: match the destination IP or subnet
  • dst-host: match the destination hostname; wildcard patterns such as *.example.com are supported
  • dst-port: match the destination TCP port
  • url: match the full URL; wildcard patterns are supported
  • path: match the URL path; wildcard patterns such as *.exe are supported
  • method: match the HTTP method (get, post, connect, etc.)
  • action: allow or deny
  • redirect-to: redirect matched requests to this URL
  • denied-message: custom message displayed on deny

Enable a basic explicit proxy on port 8080 with the anonymous option set:

/ip proxy set enabled=yes port=8080 anonymous=yes

Redirect HTTP traffic from the LAN to the proxy without client configuration (scope the rule to the LAN so port-80 traffic arriving on other interfaces is not redirected):

/ip proxy set enabled=yes
/ip firewall nat add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=80 action=redirect to-ports=8080

Use the access list to block certain domains. Check what a wildcard really matches before deploying it: *ad.com also matches download.com and upload.com, and ads.* matches every host whose first label is ads, so prefer exact names or a leading *.domain pattern unless over-blocking is acceptable:

/ip proxy access add dst-host=*ad.com action=deny
/ip proxy access add dst-host=ads.* action=deny

The RouterOS web proxy inspects plaintext HTTP only. HTTPS traffic cannot be transparently intercepted: TLS encrypts the request line, headers and body, so the proxy cannot read the destination hostname, URL or content from the stream.

What this means in practice:

  • Transparent mode: HTTPS connections (TCP 443) never match the port-80 redirect rule, so they are routed past the proxy untouched. Nothing on 443 can be cached or filtered at the proxy layer.
  • Explicit mode: the client sends a CONNECT request naming host:port and the proxy opens a blind tunnel. It forwards the encrypted bytes; it cannot inspect or cache what is inside.
  • Access lists: rules using dst-host, url or path never match HTTPS traffic in transparent mode, because that traffic never reaches the proxy and those fields sit inside the encrypted session. In explicit mode the host:port from the CONNECT request line is all the proxy sees, so a dst-host rule combined with method=connect is the only way to deny a tunnel by name.

Alternatives for HTTPS filtering:

Technique and what it controls:

  • DNS blocking (/ip dns static): block by domain name; affects every protocol, but only clients that resolve through the router (force that with a DNS redirect rule, and note that DNS-over-HTTPS clients bypass it)
  • Firewall address list: block by destination IP; brittle for CDN-hosted sites whose addresses change or are shared with unrelated sites
  • Layer-7 patterns (/ip firewall layer7-protocol): regexp matching on packet payload; limited and CPU-heavy
  • tls-host matcher (/ip firewall filter): match the plaintext server name (SNI) in the TLS ClientHello; defeated by Encrypted Client Hello where a client uses it

To block HTTPS access to specific sites by destination IP (the address of a site can change and CDN addresses are shared with unrelated sites, so resolve and review the list regularly; place the drop above any generic accept rules in the forward chain):

/ip firewall address-list add list=blocked-sites address=93.184.216.34 comment="example.com"
/ip firewall filter add chain=forward dst-address-list=blocked-sites action=drop
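HTTPS blocking without the proxy, combining the DNS and firewall techniques from the table above, as an added example that is not from the original page. It assumes interface list LAN, that LAN clients resolve through the router, and a RouterOS build that offers the tls-host firewall matcher; the domains are placeholders.

```routeros
# Added example, not from the original page. Assumes interface list "LAN",
# LAN clients using the router as DNS resolver, and a RouterOS build with
# the tls-host matcher. Domain names are placeholders.

# 1. DNS sinkhole: answer the blocked name with 0.0.0.0, for every protocol.
/ip dns static
add name=ads.example.com address=0.0.0.0 comment="sinkholed"

# Force LAN clients onto the router's resolver so the sinkhole applies even
# if a client configures another DNS server (redirect keeps the port).
/ip firewall nat
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 \
    action=redirect comment="Force router DNS"
add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 \
    action=redirect comment="Force router DNS"

# 2. SNI match: the server name in the TLS ClientHello is sent in the clear,
#    so the firewall can reset matching connections. Browsers must use TCP 443
#    for that: drop QUIC (UDP 443) so they fall back to TCP.
/ip firewall filter
add chain=forward in-interface-list=LAN protocol=tcp dst-port=443 \
    tls-host=*.doubleclick.net action=reject reject-with=tcp-reset \
    comment="Block by SNI"
add chain=forward in-interface-list=LAN protocol=udp dst-port=443 \
    action=drop comment="No QUIC, force TCP so the SNI is visible"

/ip firewall filter print where tls-host~"doubleclick"
```

Both layers have known bypasses: clients using DNS-over-HTTPS or DNS-over-TLS never ask the router, and a client that negotiates Encrypted Client Hello hides the server name from the tls-host matcher. Treat this as policy enforcement for cooperative clients, not as a control against a determined user.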
Troubleshooting, traffic is not going through the proxy:

# Confirm the proxy is running (enabled: yes, expected port)
/ip proxy print
# Confirm the NAT redirect rule exists and is not disabled (transparent mode)
/ip firewall nat print where action=redirect
# Confirm the redirect rule actually matches LAN traffic: its packet counter
# must grow while a client browses an HTTP site
/ip firewall nat print stats where action=redirect
# Confirm clients reach the proxy: active proxy connections are listed here
/ip proxy connections print
# Check proxy settings
/ip proxy print detail
# Check access rules: a catch-all deny placed first blocks everything
/ip proxy access print
# Check the firewall: port 8080 on the router must not be dropped by an input rule
/ip firewall filter print where dst-port=8080

Troubleshooting, nothing is being cached: the proxy uses RAM by default. If max-cache-size is none or very small, little or nothing is cached, and responses carrying a Cache-Control: no-store header are never stored regardless of settings.

# Check max-cache-size, cache-on-disk and cache-path (cache-drive on v6)
/ip proxy print
# Log proxy activity to memory and read it back
/system logging add topics=web-proxy,debug action=memory
/log print where topics~"web-proxy"
# Watch live traffic to the proxy port on the LAN interface
/tool torch interface=<LAN-IF> port=8080
# Active proxy connections
/ip proxy connections print