Domain redirect

Is there any way to do a redirect or jump to an internal IP …
For example, for the domain (domain.com), protocol UDP, port 999, jump to the internal IP 10.10.10.100 with the same port and protocol?

Is there any solution?

+1 :confused:

You could force people to use the MikroTik router as their DNS server with a NAT rule and have a static domain set up for that URL.
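The DNS-based approach suggested in the post above, written out as an added example in RouterOS CLI syntax (this is not configuration from the original post). It assumes the LAN is 192.168.0.0/24 on ether2, the WAN is ether1, and the service from the question (domain.com, 10.10.10.100); all three are assumptions. Clients that resolve the name through the router are handed the internal address directly, so no NAT rule is needed for them at all.

```routeros
# Added example, not from the original post. Assumptions: LAN on ether2,
# WAN on ether1, name domain.com, service host 10.10.10.100.

# 1. Let the router answer DNS queries from clients (upstream resolvers are
#    whatever is already configured under /ip dns servers).
/ip dns set allow-remote-requests=yes

# 2. Static entry: this name resolves straight to the internal host for
#    anyone who asks the router.
/ip dns static add name=domain.com address=10.10.10.100 comment="internal view"

# 3. Force LAN clients that point at some other resolver through the router
#    anyway: their DNS traffic is redirected to the router's own resolver.
/ip firewall nat add chain=dstnat in-interface=ether2 protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="force LAN DNS via router"
/ip firewall nat add chain=dstnat in-interface=ether2 protocol=tcp dst-port=53 \
    action=redirect to-ports=53 comment="force LAN DNS via router"

# 4. allow-remote-requests=yes also answers queries arriving on the WAN side,
#    which turns the router into an open resolver. Drop those on input.
/ip firewall filter add chain=input in-interface=ether1 protocol=udp dst-port=53 \
    action=drop comment="no DNS from WAN"
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=53 \
    action=drop comment="no DNS from WAN"
```

This only helps clients on the LAN side of the router. A client on the Internet resolves the name to the single public IP, and the packets that then arrive carry only that IP, the protocol and the port; for UDP there is no domain name anywhere in the datagram for a firewall rule to match on, so the forwarding decision for external clients can only be made on the destination port. Step 4 matters regardless of the rest: enabling remote requests without the input filter is a common way to end up running a public open resolver.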

I’m not entirely clear on which part is your problem, and I’m missing some information needed to give a detailed answer… So if my reply below is a bit generic or off, I apologize :)

There are two parts to your question. Part 1 is about NAT-ing (routing), and part 2 is about only activating this NAT for computers of a certain domain.

For part 1, we are missing some information. What we need to know is the IP the domain will contact for the service and the IP the actual service is available on. If 10.10.10.100 is the IP of the actual service, and the router can reach it(!), we need to create/choose the IP on the domain’s network that they will contact, and this IP should be configured on the router. Suppose they will contact 192.168.0.254/24 on the router on interface ether2:

/ip address add address="192.168.0.254" broadcast="192.168.0.255" disabled="no" \
    interface="ether2" netmask="255.255.255.0" network="192.168.0.0"
/ip firewall nat
# Incoming: anything sent to 192.168.0.254:999/udp is forwarded to 10.10.10.100:999.
# Connection tracking translates the replies of those connections back automatically.
add action=dst-nat chain=dstnat disabled=no dst-address=192.168.0.254 \
    dst-port=999 protocol=udp to-addresses=10.10.10.100 to-ports=999
# Outgoing: traffic that 10.10.10.100 itself originates from port 999/udp
# appears to come from 192.168.0.254:999.
add action=src-nat chain=srcnat disabled=no protocol=udp src-address=\
    10.10.10.100 src-port=999 to-addresses=192.168.0.254 to-ports=999

This configuration will translate traffic back and forth.

Now, we only want this routing to work for connections in your domain. It is unclear how we can identify your domain, so I’ll assume they are in an IP subnet, let’s say 192.168.0.0/24 (=subnet 255.255.255.0). What we could do is mark any packets from and to this range:

/ip firewall mangle
# Mark every packet whose source or destination lies inside 192.168.0.0/24.
# passthrough=yes lets the packet continue through the rest of the mangle chain.
add action=mark-packet chain=prerouting disabled=no src-address=192.168.0.0/24 \
    new-packet-mark=myMark passthrough=yes
add action=mark-packet chain=prerouting disabled=no dst-address=192.168.0.0/24 \
    new-packet-mark=myMark passthrough=yes

Finally, we should change our earlier NAT settings to only work with packets that bear this mark:

/ip firewall nat
# Remove (or edit) the two NAT rules added earlier; these are the same rules
# with a packet-mark match added, so only marked traffic is translated.
add action=dst-nat chain=dstnat disabled=no dst-address=192.168.0.254 \
    dst-port=999 packet-mark=myMark protocol=udp to-addresses=\
    10.10.10.100 to-ports=999
add action=src-nat chain=srcnat disabled=no packet-mark=myMark \
    protocol=udp src-address=10.10.10.100 src-port=999 to-addresses=\
    192.168.0.254 to-ports=999

Hope this helps. Mail me on niels.bos@live.com for any questions or comments.

Cheers,
Niels

Let me clarify …

I have some domains and only one IP …
They have different protocols and ports.

I need to do a firewall redirect to an internal IP depending on the domain:
my1.domain.com http port 80 -> jump to 10.10.10.251 http port 80
my2.domain.com udp port 27015 -> jump to 10.10.10.250 udp port 27015
my3.domain.com udp port 27015 -> jump to 10.10.10.250 udp port 27016
my4.domain.com udp port 27015 -> jump to 10.10.10.252 udp port 27015

and so on …

To do so, I think I need to find a way to mark some ports with the incoming domain and after that do a firewall redirect with a mark match.