On RouterOS, how will transparent proxying (with DNAT) affect reporting of netflows?

Posted by Tim on Server Fault
Published on 2010-11-26T08:48:25Z Indexed on 2012/11/25 11:08 UTC

I have a box running Mikrotik RouterOS, which is set up to do transparent web proxying, as described here.

In short, this means that I have a firewall rule for destination NAT causing any port 80 traffic to get redirected to port 8080 on the router, which is received by the Mikrotik local web proxy. The local web proxy then makes the web request on the client's behalf, in this case to a parent web proxy server (which in turn does the real web request).

My question is, how will this two-part process get reported in the logging of traffic flow information (netflows)?

Looking at the logged information, what I seem to be seeing is this:

  • One flow recorded from client machine (private IP) to remote proxy (8080)
  • Another flow recorded from router to remote proxy (8080)

The original request that the client made to port 80 isn't recorded.

I want to write code to analyse traffic usage, so I want to be sure I'm not losing information if I discard the latter of these.

© Server Fault or respective owner
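
One way to test this before discarding the router-originated flows, as an added example that is not part of the original post: it splits flow records into the client leg and the router leg described above and compares their byte totals. The addresses, the record layout and the sample flows are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed addresses for illustration; none of these come from the post.
ROUTER_IPS = {ip_address("10.0.0.1"), ip_address("192.0.2.1")}
CLIENT_NET = ip_network("10.0.0.0/24")
PARENT_PROXY = (ip_address("198.51.100.10"), 8080)

# Constructed unidirectional flow records: (src, sport, dst, dport, bytes).
SAMPLE_FLOWS = [
    ("10.0.0.23", 51514, "198.51.100.10", 8080, 900),    # client leg, request
    ("198.51.100.10", 8080, "10.0.0.23", 51514, 48000),  # client leg, reply
    ("192.0.2.1", 40112, "198.51.100.10", 8080, 950),    # router leg, request
    ("198.51.100.10", 8080, "192.0.2.1", 40112, 48100),  # router leg, reply
    ("10.0.0.42", 51900, "198.51.100.10", 8080, 400),
    ("198.51.100.10", 8080, "10.0.0.42", 51900, 12000),
    ("192.0.2.1", 40113, "198.51.100.10", 8080, 420),
    ("198.51.100.10", 8080, "192.0.2.1", 40113, 12050),
    ("10.0.0.23", 53000, "203.0.113.5", 443, 7000),      # not via the proxy
]

def local_end(src, sport, dst, dport):
    """Return the non-proxy endpoint of a flow to/from the parent proxy, else None."""
    if (dst, dport) == PARENT_PROXY:
        return src
    if (src, sport) == PARENT_PROXY:
        return dst
    return None

def split_proxy_legs(flows):
    """Sum bytes per client leg, for the router leg, and for everything else."""
    per_client, router_leg, other = defaultdict(int), 0, 0
    for src, sport, dst, dport, nbytes in flows:
        end = local_end(ip_address(src), sport, ip_address(dst), dport)
        if end in ROUTER_IPS:            # checked first: the router's LAN address
            router_leg += nbytes         # also sits inside CLIENT_NET
        elif end is not None and end in CLIENT_NET:
            per_client[str(end)] += nbytes
        else:
            other += nbytes
    return dict(per_client), router_leg, other

def router_leg_surplus(flows):
    """Router-leg bytes minus all client-leg bytes; near zero means the legs mirror each other."""
    per_client, router_leg, _ = split_proxy_legs(flows)
    return router_leg - sum(per_client.values())
```

A surplus that stays close to zero over real exports suggests the router leg only duplicates the client leg; a large or growing gap means the router-originated flows carry traffic the client flows do not account for.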
