I’m looking into a router solution for my home network and before I decide whether to purchase a license for RouterOS, I was wondering if you could tell me if the following scenario is feasible:
Internet → pfSense appliance with port 443 open → RouterOS → Apache serving content over HTTPS for multiple domains
Internet → pfSense appliance with port 443 open → RouterOS → Microsoft Server serving SSTP VPN
I tried using both IIS and Apache as reverse proxies in order to maintain both SSTP + HTTPS on 443 but I can’t seem to figure it out.
Also my intranet setup is as follows:
Wired clients → RRAS → Intranet/Extranet
Wireless clients → Dedicated WAP → RRAS → Intranet/Extranet
Hoping that RouterOS can also replace the RRAS dependency.
Thank you for your time. Any thoughts are welcome as to how I can accomplish the above.
I’m afraid not, there’s no specialized reverse proxy, higher level load balancing, or anything like that in RouterOS. It’s an interesting topic, so I did a quick mini-research and options seem to be limited. Apache doesn’t seem to have it at all. Microsoft supposedly does support some kind of https + sstp sharing, but I’m not sure if it also works with another machine. Other than that, newer Nginx as reverse proxy should be able to send https to one server and sstp to another. There’s also the program sslh with support for even more services. Possibly others. But you can’t install any additional software on RouterOS (except in MetaROUTER with OpenWRT, which I’m not sure is the best idea).
I can’t comment on RRAS, I don’t know much about that.
The reverse proxy, possibly Nginx would be best, should inspect the traffic for the HTTP method and location.
Method: SSTP_DUPLEX_POST
URI /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/
^^ for SSTP
Then you set up SNI virtual hosts on the reverse proxy that proxy_pass (I’m thinking this is the best method) to the actual web-app server(s). You can encrypt it back with self-signed certificates or the real certificate back to the web server if you want to keep end to end encryption (no HTTP!!!).
You will definitely want to use the same certificate to re-encrypt the traffic that you point to the SSTP server.
Alternatively you could deploy IPv6 to your SSTP server. Then you could use IPv4 SNI to service multiple websites on a single IP and the VPN service over IPv6. You can pass IPv4 over IPv6; I’m not 100% sure if this is the same for MS SSTP but I imagine it is. This of course limits your VPN clients to IPv6 only. Thankfully IPv6 is widely deployed in the mobile field and is picking up speed on the ISP side, especially here in the US. I personally have been doing a lot more VPNs over IPv6 to avoid NAT and address conservation issues.
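The SNI-based split described in the reply above (one public IP, TLS passed through untouched to either the web server or the SSTP server) is what nginx's stream module with ssl_preread, or sslh, does in practice. The following is an added example, not code from the thread or from any of those projects: a small Python demultiplexer that peeks at the TLS ClientHello, extracts the server_name extension, and forwards the unmodified byte stream to the backend chosen for that hostname. Because the proxy never terminates TLS, it needs no certificate and the end-to-end encryption the reply insists on is preserved. The hostnames and backend addresses are made up for the example; the test input is a real ClientHello produced locally by Python's ssl module. One assumption to verify before relying on this: the SSTP client must actually send SNI for the VPN hostname, otherwise the connection falls through to the default backend.

```python
import asyncio
import ssl
import struct

# Assumed routing table for the example (hostnames and backends are not from the thread).
ROUTES = {
    "vpn.example.com": ("10.0.0.20", 443),  # Windows SSTP server
    "www.example.com": ("10.0.0.10", 443),  # Apache, SNI virtual hosts
}
DEFAULT_BACKEND = ("10.0.0.10", 443)  # anything without a known SNI goes to the web server

def parse_sni(data: bytes):
    """Return the lower-cased SNI hostname from one TLS ClientHello record, or None.

    None also covers truncated input and plaintext such as 'GET / HTTP/1.1'."""
    if len(data) < 5 or data[0] != 0x16:          # 0x16 = TLS handshake record
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + rec_len:
        return None                                # record not complete yet
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:              # 0x01 = ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # client_version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                           # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                           # compression_methods
    if len(body) < pos + 2:
        return None                                # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if ext_end > len(body):
        return None
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == 0:                             # server_name extension
            lpos = 2                               # skip server_name_list length
            while lpos + 3 <= len(edata):
                ntype = edata[lpos]
                nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
                name = edata[lpos + 3:lpos + 3 + nlen]
                if ntype == 0:                     # host_name
                    return name.decode("ascii", "replace").lower()
                lpos += 3 + nlen
    return None

def choose_backend(first_bytes: bytes):
    """Map the ClientHello's SNI to a (host, port); unknown or missing SNI -> default."""
    return ROUTES.get(parse_sni(first_bytes), DEFAULT_BACKEND)

def make_client_hello(hostname: str) -> bytes:
    """Constructed test input: a genuine ClientHello for `hostname` from the ssl module."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    sobj = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        sobj.do_handshake()
    except ssl.SSLWantReadError:                   # expected: ClientHello written, waiting on server
        pass
    return outgoing.read()

async def read_first_record(reader: asyncio.StreamReader) -> bytes:
    head = await reader.readexactly(5)
    if head[0] != 0x16:
        return head                                # not TLS; parse_sni will return None
    return head + await reader.readexactly(struct.unpack("!H", head[3:5])[0])

async def pipe(src: asyncio.StreamReader, dst: asyncio.StreamWriter):
    try:
        while data := await src.read(65536):
            dst.write(data)
            await dst.drain()
    except (ConnectionError, asyncio.IncompleteReadError):
        pass
    finally:
        dst.close()

async def handle(reader, writer):
    try:
        first = await read_first_record(reader)
        host, port = choose_backend(first)
        br, bw = await asyncio.open_connection(host, port)
    except (asyncio.IncompleteReadError, OSError):
        writer.close()
        return
    bw.write(first)                                # replay the bytes we peeked at, unchanged
    await asyncio.gather(pipe(reader, bw), pipe(br, writer))

async def main(listen_port: int = 443):
    server = await asyncio.start_server(handle, "0.0.0.0", listen_port)
    async with server:
        await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(main())
```

Keep in mind that SNI travels in the clear, so anyone on path sees which hostname a client asked for, and a client can send any hostname it likes; that is why an unknown or absent name must land on a deliberately chosen default backend rather than being trusted. This is a demonstration of the mechanism; for production use the nginx stream module or sslh, which handle record fragmentation, connection limits and logging.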
Thank you very much for your answers. I tried sslh and it couldn’t work properly with sstp (it only does openvpn). Will definitely try nginx, thank you!!