Setting Up a Proxy on MikroTik Router: Step-by-Step Guide for Corporate Network Protection and Traffic Filtering

A detailed guide on setting up a proxy server on MikroTik to protect the corporate network, filter traffic, and control employee access.

📅March 26, 2026

If your company has at least one MikroTik router, you already have a built-in tool for traffic control, blocking unwanted websites, and protecting the corporate network. Most system administrators do not utilize even half of its capabilities. In this guide, we will explore how to set up a proxy directly on MikroTik — without additional servers and unnecessary costs.

What is Web Proxy in MikroTik and why is it needed for business

MikroTik RouterOS is a full-fledged operating system for networking equipment that includes a built-in HTTP/HTTPS proxy server. It is called Web Proxy and is available from basic licenses. Essentially, it is an intermediary node between the users of your network and the internet: all traffic passes through it, and you gain complete control over what happens in the network.

How is this different from a regular firewall? A firewall operates at the level of IP addresses and ports — it does not "understand" the content of requests. A proxy operates at the application level: it sees specific URLs, domains, and content types. This provides a fundamentally different level of control.

The built-in Web Proxy in MikroTik can:

  • Cache web content — reducing internet channel load by 30–40% in offices with active browsing
  • Block access to specific websites, domains, URL patterns
  • Restrict access by user IP addresses or subnets
  • Log all HTTP requests — who accessed what and when
  • Operate in transparent mode — users do not notice its presence
  • Redirect traffic to an external proxy server (parent proxy)

It is important to understand the limitation: the built-in Web Proxy in MikroTik works only with HTTP traffic in native mode. It can intercept HTTPS traffic only in transparent mode with certain limitations, or through the parent proxy configuration. For full HTTPS inspection, additional solutions are required — we will discuss this in the section on external proxies.

💡 Useful to know

The Web Proxy in MikroTik works on RouterOS version 2.9 and above. You can check the firmware version in the System → RouterBoard menu or by using the command :put [/system routerboard get current-firmware] in the terminal.

Use Cases: Who needs this setup and why

Before diving into the technical details, let's explore specific business tasks that a proxy on MikroTik addresses. This will help you understand what settings you need.

Office with Employees

The most common scenario. Tasks: block social media during work hours, prohibit torrent downloads, limit access to streaming services that "consume" bandwidth. The transparent proxy on MikroTik solves all this without installing agents on employees' computers. Employees do not even know that their traffic is being filtered — everything works automatically.

Internet Cafes, Coworking Spaces, Hotels

Here, the proxy is needed for two things: caching (popular content loads faster and does not consume traffic repeatedly) and basic filtering of illegal content. Caching is especially relevant with limited or expensive internet channels.

Marketing Agencies and Digital Teams

A specific scenario: teams working with multiple advertising accounts on Facebook Ads, TikTok Ads, Instagram often use corporate MikroTik as a gateway to route traffic through external proxies. Different employees or workstations access the internet through different IP addresses — this is critical for managing multiple accounts on one platform.

Providers and ISPs

Small providers use the caching proxy in MikroTik to reduce the load on the backbone channel. With a large number of subscribers watching the same news or YouTube videos, caching provides significant traffic savings.

Scenario | Main Task | Required Functions
Office | Access Control | URL Filtering, Logs
Café / Coworking | Traffic Savings | Caching, Basic Filtering
Digital Agency | Different IPs for Accounts | Parent Proxy, Routing
Provider | Reducing Channel Load | Caching, Statistics

What is needed before starting the setup

Before you start configuring, make sure you have everything necessary. Skipping this step is the reason for 80% of problems during setup.

Access to the Router: You will need access to the MikroTik web interface (Winbox or WebFig) with administrator rights. Winbox is the preferred option as it provides full access to all settings. You can download it for free from the official MikroTik website.

RouterOS Version: For stable operation of Web Proxy, RouterOS 6.x or 7.x is recommended. Check the version through System → Packages. If the version is outdated — update it via System → Packages → Check for Updates.

Free Disk Space: The proxy cache is stored on the router's disk. At least 50–100 MB of free space is required for caching. Check this through Files in Winbox. On routers with small flash memory (8 MB or less), it is better to disable caching.

Network Diagram: Write down or draw what subnets you have, which interface connects to the internet (WAN), and which one connects to the internal network (LAN). Without this understanding, you will not be able to configure NAT rules for the transparent proxy.

⚠️ Important: Make a backup of the configuration!

Before making any changes, create a backup: Files → Backup or via the terminal with the command /system backup save name=backup-before-proxy. This will save you from losing access to the router due to a mistake in the firewall rules.

Step 1: Enabling Web Proxy on MikroTik

Enabling the Web Proxy is the simplest step. It can be done through the Winbox graphical interface in a few minutes.

Via Winbox (recommended):

  1. Open Winbox and connect to the router
  2. In the left menu, select IP → Web Proxy
  3. In the opened window, check the box Enabled
  4. Set the port — by default 8080, you can leave it or change it
  5. In the Max Cache Size field, specify the cache size (for example, 100 MB) or select unlimited if space allows
  6. Click Apply, then OK

Via Terminal (for those who prefer command line):

/ip proxy
set enabled=yes port=8080 max-cache-size=100000KiB
  

After enabling, check that the proxy has started. In the terminal, execute:

/ip proxy print
  

The output should show enabled: yes. If you see enabled: no — something went wrong, repeat the steps.

At this stage, the proxy is enabled but does not yet automatically intercept traffic. Users need to manually enter it in their browser settings (router IP, port 8080). To do this automatically for the entire network — a transparent mode is needed, which we will discuss in the next step.

Also, pay attention to the Cache Path parameter — it indicates where the cache is stored. By default, this is the router's built-in memory. If you have a USB drive or memory card, it is better to move the cache there — this will increase the volume and reduce wear on the built-in memory.

Step 2: Configuring Transparent Proxy via Firewall NAT

A transparent proxy is a mode in which all HTTP traffic from the local network is automatically redirected through the proxy server. Users do not need to configure anything in their browsers. From the employee's perspective, everything works as usual, but in reality, each request passes through the proxy.

This is implemented through a NAT rule in the MikroTik firewall. The rule intercepts all outgoing TCP traffic on port 80 (HTTP) and redirects it to the proxy port (8080).

Via Winbox:

  1. Go to IP → Firewall → NAT
  2. Click the + button (add rule)
  3. On the General tab, set:
    • Chain: dstnat
    • Protocol: tcp
    • Dst. Port: 80
    • In. Interface: your LAN interface (for example, ether2 or bridge-local)
  4. On the Action tab, set:
    • Action: redirect
    • To Ports: 8080
  5. Click OK

Via Terminal:

/ip firewall nat
add chain=dstnat protocol=tcp dst-port=80 in-interface=ether2 \
    action=redirect to-ports=8080
  

Replace ether2 with the name of your LAN interface. If you have multiple LAN interfaces combined in a bridge, specify the name of the bridge interface.

📌 The order of rules matters!

MikroTik applies NAT rules in order from top to bottom. Ensure that the rule for the transparent proxy is placed before the masquerade rule (if it exists). You can change the order by dragging in Winbox or using the command /ip firewall nat move [find where chain=dstnat action=redirect] destination=0.

After adding the rule, check its operation: open any HTTP website from a computer in the local network. If the proxy is working correctly — the page will open, and a record will appear in the proxy logs (IP → Web Proxy → Access). If the page does not open — check the interface name and the proxy port.
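Once the proxy is enabled it listens on its port on every router interface, so the firewall has to keep WAN-side clients away from port 8080; otherwise the router can be used as an open proxy. The audit script below is an added example, not part of the original guide or of MikroTik's tooling: it reads a configuration listing in the style used above and flags that exposure, plus a redirect rule that has no interface scope. The interface roles (ether1 as WAN, ether2 as LAN), the input-chain drop rule in the sample, and the finding names are assumptions made for the example.

```python
import shlex

# Constructed listing in the style of the commands on this page; ether1 = WAN, ether2 = LAN.
SAMPLE_EXPORT = r"""
/ip proxy
set enabled=yes port=8080 max-cache-size=100000KiB
/ip firewall nat
add chain=dstnat protocol=tcp dst-port=80 in-interface=ether2 \
    action=redirect to-ports=8080
/ip firewall filter
add chain=input protocol=tcp dst-port=8080 in-interface=ether1 action=drop
"""

def parse_export(text):
    """Yield (menu, verb, params) per command; menu paths sit on their own line."""
    menu = None
    for line in text.replace("\\\n", " ").splitlines():   # join '\' continuations
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
            continue
        verb, *args = shlex.split(line)
        yield menu, verb, dict(a.split("=", 1) for a in args if "=" in a)

def audit(text, wan):
    """Return finding codes for a listing; `wan` is the WAN interface name."""
    proxy = {"enabled": "no", "port": "8080"}   # values used when the listing omits them
    redirects, input_rules = [], []
    for menu, verb, p in parse_export(text):
        if menu == "/ip proxy" and verb == "set":
            proxy.update(p)
        elif menu == "/ip firewall nat" and p.get("action") == "redirect":
            redirects.append(p)
        elif menu == "/ip firewall filter" and p.get("chain") == "input":
            input_rules.append(p)
    if proxy["enabled"] != "yes":
        return []
    port, findings = proxy["port"], []
    # A redirect with no source scope also captures port-80 traffic arriving on the WAN side.
    scope_keys = ("in-interface", "in-interface-list", "src-address")
    if any(r.get("to-ports") == port and not any(k in r for k in scope_keys)
           for r in redirects):
        findings.append("redirect-unscoped")
    # Look for an explicit drop/reject of WAN traffic to the proxy port (or of all WAN input).
    # Rule order and earlier accept rules are not modelled here.
    blocked = any(
        r.get("in-interface") == wan
        and r.get("action") in ("drop", "reject")
        and r.get("protocol", "tcp") == "tcp"
        and r.get("dst-port", port) == port
        for r in input_rules
    )
    if not blocked:
        findings.append("proxy-port-open-on-wan")
    return findings
```
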

Step 3: Filtering Rules — Blocking Websites and Categories

This is a key section for those who want to control employee access to the internet. The Web Proxy in MikroTik allows you to create flexible rules: block specific domains, URL patterns, or conversely — allow only certain resources.

Access rules are configured in IP → Web Proxy → Access. Each rule has conditions (what to check) and an action (what to do: allow or deny).

Blocking a specific domain (for example, vk.com):

/ip proxy access
add dst-host=vk.com action=deny comment="Block VK"
add dst-host=*.vk.com action=deny comment="Block VK subdomains"
  

Blocking by URL mask (for example, all YouTube pages):

/ip proxy access
add dst-host=*.youtube.com action=deny comment="Block YouTube"
add dst-host=youtube.com action=deny comment="Block YouTube main"
  

Allow access only from a specific source address or subnet (for example, only the IT department can access GitHub):

/ip proxy access
add src-address=192.168.1.10/32 dst-host=github.com action=allow
add dst-host=github.com action=deny
  

Blocking by file extension (prohibiting downloads of .exe, .torrent, and .zip files):

/ip proxy access
add path=*.exe action=deny comment="Block EXE downloads"
add path=*.torrent action=deny comment="Block Torrent files"
add path=*.zip action=deny comment="Block ZIP downloads"
  

Pay attention to the order of rules: MikroTik checks them from top to bottom and stops at the first match. allow rules for specific IPs should be placed above deny rules for the same domains.
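The first-match behaviour described above can be checked offline before rules are pushed to a router. The following model is an added example, not MikroTik code: it evaluates a rule list top to bottom and reports rules that can never fire because an earlier rule already covers them. It assumes only the * and ? wildcards, treats a request that matches no rule as allowed, and the names Rule, decide, and shadowed are hypothetical.

```python
import ipaddress
import re
from dataclasses import dataclass

@dataclass
class Rule:
    action: str                      # "allow" or "deny"
    src_address: str = "0.0.0.0/0"   # an unset field matches everything
    dst_host: str = "*"
    path: str = "*"

def wild(pattern):
    """Compile a '*' / '?' wildcard pattern (no other metacharacters) to a regex."""
    return re.compile("".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern))

def matches(rule, src, host, path):
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule.src_address, strict=False)
            and wild(rule.dst_host).fullmatch(host) is not None
            and wild(rule.path).fullmatch(path) is not None)

def decide(rules, src, host, path="/"):
    """First match wins. Returns (action, rule index); no match is modelled as allow."""
    for i, rule in enumerate(rules):
        if matches(rule, src, host, path):
            return rule.action, i
    return "allow", None

def covers(broad, narrow):
    """Conservative: True only when `broad` certainly matches everything `narrow` does."""
    if broad == "*" or broad == narrow:
        return True
    return not set("*?") & set(narrow) and wild(broad).fullmatch(narrow) is not None

def shadowed(rules):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    dead = []
    for j, later in enumerate(rules):
        net_l = ipaddress.ip_network(later.src_address, strict=False)
        for earlier in rules[:j]:
            net_e = ipaddress.ip_network(earlier.src_address, strict=False)
            if (net_l.subnet_of(net_e) and covers(earlier.dst_host, later.dst_host)
                    and covers(earlier.path, later.path)):
                dead.append(j)
                break
    return dead

# The page's GitHub pair in the documented order, and the same pair reversed.
GOOD = [Rule("allow", "192.168.1.10/32", "github.com"), Rule("deny", dst_host="github.com")]
BAD = list(reversed(GOOD))

if __name__ == "__main__":
    print(decide(GOOD, "192.168.1.10", "github.com"), shadowed(GOOD))
    print(decide(BAD, "192.168.1.10", "github.com"), shadowed(BAD))
```

With the pair reversed, the allow rule for 192.168.1.10 is reported as shadowed and the IT workstation is denied, which is the misordering the paragraph above warns about.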

In Winbox, rules are added in IP → Web Proxy → Access tab → + button. The interface is intuitive: you select a condition (Source Address, Destination Host, Path, Method) and an action (Allow/Deny).

⚠️ Limitation: HTTPS is not filtered directly

Web Proxy rules only work with HTTP traffic. To block HTTPS sites (which are now the majority), additionally use rules in IP → Firewall → Layer 7 Protocols or block by IP addresses through the regular firewall. Full HTTPS filtering requires a separate solution — for example, an external proxy with SSL inspection.

Step 4: Caching Traffic to Save Bandwidth

Caching is one of the main reasons why proxies are enabled on MikroTik in small offices and educational institutions. The principle is simple: if 20 employees open the same news page, without caching, the router downloads it 20 times. With caching — once, and the other 19 get the data from the router's local memory instantly.

Cache settings are located in IP → Web Proxy. The main parameters are:

Parameter | Description | Recommendation
max-cache-size | Maximum cache size | 50–500 MB depending on memory
max-cache-object-size | Max size of a single object in cache | 2048–4096 KB
cache-path | Path for storing cache | USB drive if available
max-fresh-time | Time to keep an object in cache | 3 days (259200 seconds)

Configuration via Terminal:

/ip proxy
set max-cache-size=102400KiB \
    max-cache-object-size=4096KiB \
    max-fresh-time=3d
  

To check the effectiveness of the cache, use the command:

/ip proxy monitor
  

Pay attention to the hits and misses metrics. A good indicator is when hits account for 20–40% of the total number of requests. If hits are close to zero — either most of the traffic is HTTPS (which is not cached), or the cache is too small.

An important nuance: modern websites increasingly use Cache-Control: no-store or no-cache headers, which prohibit caching. Therefore, in practice, the effectiveness of caching in 2024 is lower than it was 5–10 years ago. Nevertheless, for static resources (images, CSS, JS files), caching still works well.

Step 5: Connecting an External Proxy Server via MikroTik

This is the most interesting scenario for those who want not just to filter traffic but to fully control the IP address from which the corporate network or individual devices access the internet. MikroTik supports the Parent Proxy function — when all requests from the local proxy are forwarded to a higher-level external proxy server.

Why is this needed in practice:

  • IP Change for the Entire Network — all office traffic goes out through the external proxy's IP, not through your real provider's IP
  • Bypassing Regional Restrictions — access to resources blocked in your region
  • Different IPs for Different Devices — through routing, different workstations use different external proxies
  • Protecting the Company's Real IP — external services see the proxy's IP, not your corporate address

Configuring Parent Proxy via Winbox:

  1. Go to IP → Web Proxy
  2. Find the Parent Proxy section
  3. Enter the Parent Proxy Address — the IP address of the external proxy server
  4. Specify the Parent Proxy Port — the proxy port (usually 8080, 3128, or another)
  5. Click Apply

Via Terminal:

/ip proxy
set parent-proxy=203.0.113.10 parent-proxy-port=8080
  

Replace 203.0.113.10 and 8080 with the actual data of your proxy server.

For corporate tasks where stability and anonymity are important, residential proxies are used as parent proxies — they have IP addresses of real home users, making the traffic indistinguishable from regular user traffic. This is especially important when working with platforms that analyze behavior and connection type.

If your team needs to simulate mobile traffic — for example, for testing advertising campaigns on Facebook Ads or Instagram from mobile devices — mobile proxies are suitable as parent proxies. They operate through real SIM cards from mobile operators and provide IPs from 3G/4G/5G mobile networks.

📌 Important: Parent Proxy works only for HTTP

The built-in Web Proxy in MikroTik only forwards HTTP traffic through the parent proxy. To route all traffic (including HTTPS) through an external proxy, a different approach is needed — Policy Based Routing setup or SOCKS proxy combined with iptables rules on a separate Linux server in the network.

Monitoring and Logging Requests

One of the main arguments for using a proxy in a corporate environment is the ability to see what users are doing on the internet. MikroTik Web Proxy can log all HTTP requests: who (IP address), where (URL), when, what request method, and response status.

Enabling Logging:

/system logging
add topics=web-proxy,!debug action=memory
  

After enabling, logs will appear in Log (menu in Winbox). For convenient viewing, filter by the topic web-proxy.

For long-term storage of logs and convenient analysis, set up sending to an external Syslog server:

# Logging action names may contain only letters and digits
/system logging action
add name=remotesyslog target=remote remote=192.168.1.100 remote-port=514

/system logging
add action=remotesyslog topics=web-proxy
  

Replace 192.168.1.100 with the IP of your syslog server. You can use Graylog, Splunk, or a simple rsyslog on Linux as a syslog server.

A command for viewing proxy statistics in real-time is also useful:

/ip proxy monitor
  

Here you will see: the number of active connections, the total number of requests, cache hits, and the volume of data transmitted. This data helps assess the load on the router and the effectiveness of caching.

Important Note on GDPR and Labor Legislation: If you are logging employee traffic, ensure that this is stipulated in the employment contract or corporate security policy. In some countries, monitoring internet activity of employees without their notification is a violation of the law.

Common Errors and How to Fix Them

We have compiled the most common problems encountered when setting up Web Proxy on MikroTik and ways to resolve them.

Error 1: Internet stopped working after configuring transparent proxy

Cause: The LAN interface in the NAT rule is incorrectly specified, or the rule is not in the right position.

Solution: Check the interface name with the command /interface print. Ensure you are specifying the interface to which users are connected. If you used a bridge — specify the bridge, not the physical port.

Error 2: HTTPS sites are not blocked by Web Proxy rules

Cause: The Web Proxy in MikroTik does not intercept HTTPS traffic. Rules in IP → Web Proxy → Access only work for HTTP.

Solution: To block HTTPS sites, use Layer 7 Protocols or Address Lists in the firewall. For example, add the IP addresses of the desired site to a list and block it through IP → Firewall → Filter Rules.

Error 3: Proxy works, but cache is not filling up

Cause: Most modern websites use HTTPS and headers that prohibit caching. Cache only works for HTTP.

Solution: This is normal behavior for the modern web. The cache will fill with static resources (images, files) from HTTP sites. If caching is critical — consider specialized solutions like Squid on a separate server with SSL-bump.

Error 4: Router became slow after enabling proxy

Cause: The router's weak processor cannot handle the load from the proxy with a large number of users.

Solution: Check CPU load with the command /system resource print. If CPU usage is constantly above 80% — reduce the cache size or move the proxy to a separate server (Squid on Ubuntu/Debian). In this case, MikroTik is used only as a gateway, redirecting traffic to the external proxy.

Error 5: Parent Proxy is not working — sites open through the real IP

Cause: The Parent Proxy in MikroTik is applied only to traffic that actually passes through the Web Proxy. HTTPS requests and traffic not intercepted by the NAT rule go directly.

Solution: Ensure that the transparent proxy rule (redirect to port 8080) is active and in the correct position. For complete redirection of all traffic through the external proxy, a more complex setup using Policy Based Routing will be required.

Problem | Quick Diagnosis | Solution
No internet | /interface print | Check the name of the LAN interface
HTTPS not blocked | Check the site's protocol | Use Layer 7 or IP blocking
Router is slow | /system resource print | Reduce cache or move proxy
Parent proxy not working | Check NAT redirect rule | Ensure traffic is going through the proxy

Conclusion

Setting up Web Proxy on MikroTik is a practical solution for controlling corporate traffic without additional servers and licenses. In just a few steps, you gain: filtering of unwanted websites, caching to save bandwidth, logging of user activity, and the ability to route traffic through external proxy servers.

The main thing to remember: the built-in MikroTik proxy handles HTTP traffic well, but for comprehensive protection of a modern corporate network, where 95% of traffic is HTTPS, its capabilities are insufficient. In such cases, MikroTik is used as a gateway and router, while filtering and traffic inspection functions are handed over to specialized solutions.

If your task is to route the entire corporate network's traffic through a reliable external proxy with a fixed IP or a pool of addresses, consider datacenter proxies — they provide high speed and stable connection, which is critical when used as a parent proxy for an entire office. For tasks where maximum anonymity is important and traffic should not be distinguishable from regular user traffic, residential or mobile proxies may be a better fit.