Need help forwarding ports for proxy server

Discussion in 'Tomato Firmware' started by joe012594, Apr 4, 2014.

  1. joe012594

    joe012594 Reformed Router Member

    I am using T-Mobile USA's new Wideband LTE (150/75Mbps) as home internet and it works awesome. The only problem is that they sniff HTTP traffic on their end based on the user-agent which counts against your limited hotspot plan, even if you've reprogrammed your APN settings for hotspot/tethering services to use the unlimited plan's APN. To get around this, I setup a proxy server on my desktop which changes the user-agent/identity of all HTTP traffic on port 80. I wanted all HTTP (80) traffic on my router (ASUS RT-N66U) to go through this proxy, so I forwarded the required ports in Port Forwarding > Basic and also in Administration > Scripts > Firewall. This has worked flawlessly for all locally connected devices and my desktop now acts as the LAN's proxy. Now, I need to forward it outside of the LAN and for it to be accessible so a few of my friends can access it from their devices. Can anyone help me out with this? I'd greatly appreciate it. Thanks! :)

    Forwarded Ports


    Firewall Script

  2. joe012594

    joe012594 Reformed Router Member

  3. joe012594

    joe012594 Reformed Router Member

    Wow...what an unbelievably, unhelpful forum and a waste of my time. Thanks for the help. >.>
  4. krum09

    krum09 Networkin' Nut Member

  5. joe012594

    joe012594 Reformed Router Member

    Then how do I open up the router so outside connections can access the proxy server?
  6. Chris71Mach1

    Chris71Mach1 Network Guru Member

    Don't expect external hosts to be able to use an internal proxy server unless those external hosts are sending traffic into your network over a vpn tunnel. You're trying to use a proxy server in a way that it really shouldn't work. Proxy servers are for internal traffic.

    Sent from my SPH-L720 using Tapatalk
  7. joe012594

    joe012594 Reformed Router Member

    Then explain how people host proxies from home or from professionally operated LANs such as those on This IS possible to do. People with LAN based SQUID proxies are able to access it from outside of the LAN as well. This is what I'm trying to accomplish. I've already made it so everyone inside of the LAN can access it. Now I need it outside of the LAN.
  8. darkknight93

    darkknight93 Networkin' Nut Member

    He meant a reverse proxy/SOCKS or generic proxy available from the WAN, browsing back to the WAN... don't do that with Tomato, since this is SOHO...

    Try Sophos UTM (x86 based Firewall Software, free to use)
  9. joe012594

    joe012594 Reformed Router Member

    So, would this allow me to host my proxy server, both inside of the LAN, and outside of it on the WAN?
  10. neroanelli

    neroanelli Reformed Router Member

    I think this will be helpful.
    iptables -t filter -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    iptables -t filter -A INPUT -p tcp -m udp --dport 80 -j ACCEPT
  11. koitsu

    koitsu Network Guru Member

    UDP port 80 has no relevancy here. Webservers do not use UDP port 80, only TCP. The OP's original use of "Both" for the protocol is incorrect (should be using TCP only). Furthermore the 2nd command is wrong anyway (-p tcp -m udp makes no sense).
  12. Netwet

    Netwet Reformed Router Member

    Are you sure you want to open the proxy port from the WAN side? It only makes sense to open it up if it requires some form of authentication, otherwise you will soon have visitors.
    I know that it is possible with dd-wrt to set up squid + freeradius authentication. Not sure if it can be done with Tomato.
    If you only use it yourself you should probably not open it up from the WAN but use an ssh tunnel in order to send your clients' HTTP traffic through the tunnel to your router's squid.
  13. joe012594

    joe012594 Reformed Router Member

    Yes, I'm very sure. I'll worry about securing it after I've made sure I've got the proper settings set in the firewall script. Just need it for a few friends who were in the same position I was in when hotspot had failed and I was left with no internet access.

    So, just to make sure from what I've gathered from everyone so far, I should go back to port forwarding and change protocol from both to tcp, erase the entire block of script that says udp port 80, and add what neroanelli suggested. So my firewall script should look like this:

    # PROXY_IP and PROXY_PORT (the proxy host's LAN address and listening port)
    # must be set earlier in the script; their values are not shown in this post.
    LAN_IP=`nvram get lan_ipaddr`
    LAN_NET=$LAN_IP/`nvram get lan_netmask`

    # LAN-to-LAN web traffic is left alone; everything else on port 80 from the LAN
    # (except the proxy host itself) is redirected to the proxy.
    iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp --dport 80 -j ACCEPT
    iptables -t nat -A PREROUTING -i br0 -s ! $PROXY_IP -p tcp --dport 80 -j DNAT --to $PROXY_IP:$PROXY_PORT
    # Replies from the proxy must come back through the router, hence the SNAT.
    iptables -t nat -I POSTROUTING -o br0 -s $LAN_NET -d $PROXY_IP -p tcp -j SNAT --to $LAN_IP
    iptables -I FORWARD -i br0 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT

    # Rule suggested by neroanelli: accept TCP port 80 on the router itself.
    iptables -t filter -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

    After that, everything should work and I should be able to access the proxy outside of the LAN, correct?
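As Netwet and koitsu note above, an unconditional INPUT ACCEPT on port 80 from the WAN (and anything mentioning UDP) is the wrong shape for this. The following is an added example, not code from the thread: it prints WAN-side rules that translate connections from a short allow-list of friend addresses to the proxy, TCP only, and logs anyone else who probes the port. The proxy address, port, WAN interface name and friend addresses are all constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: prints WAN-side rules that expose
# a LAN proxy only to a short allow-list of external addresses, TCP only,
# instead of a blanket INPUT ACCEPT on port 80. Every value below is a
# constructed placeholder (the WAN interface name varies by router model).
PROXY_IP="192.168.1.10"                # assumed LAN address of the proxy host
PROXY_PORT="8080"                      # assumed proxy listening port
WAN_IF="vlan2"                         # assumed WAN interface on the router
ALLOWED="203.0.113.5 198.51.100.7"     # constructed example friend addresses

# Reject anything that is not a dotted-quad address, so a typo in the
# allow-list cannot yield a rule that matches more hosts than intended.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do [ "$o" -le 255 ] || return 1; done
}

# Emit the rules instead of running them so the set can be reviewed first.
# $1 proxy IP, $2 proxy port, $3 WAN interface, $4 space-separated allow-list.
proxy_wan_rules() {
    pip=$1; pport=$2; wan=$3; allowed=$4
    for src in $allowed; do
        valid_ipv4 "$src" || return 1
        # Only listed sources are translated to the proxy. Everyone else keeps
        # hitting the router's default-deny policy, so no catch-all ACCEPT.
        echo "iptables -t nat -A PREROUTING -i $wan -s $src -p tcp --dport $pport -j DNAT --to-destination $pip:$pport"
        echo "iptables -I FORWARD -i $wan -s $src -d $pip -p tcp --dport $pport -j ACCEPT"
    done
    # Unlisted sources never match the DNAT, so their connection attempts land
    # on the router's own INPUT chain; log them (rate-limited) to see who probes.
    echo "iptables -I INPUT -i $wan -p tcp --dport $pport -m limit --limit 6/min -j LOG --log-prefix \"proxy-probe: \""
}

# Number of rules emitted: two per allowed source plus the one logging rule.
proxy_rule_count() {
    proxy_wan_rules "$1" "$2" "$3" "$4" | wc -l | tr -d ' '
}

proxy_wan_rules "$PROXY_IP" "$PROXY_PORT" "$WAN_IF" "$ALLOWED"
```

Review the printed rules, then paste them into Administration > Scripts > Firewall; the proxy itself should still require authentication, since an allow-list only narrows who can reach the port.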
  14. joe012594

    joe012594 Reformed Router Member

    Yes? No? Anyone?