DST-NAT problem, need advice

Hi guys, I am facing a dst-nat configuration problem. We have multiple servers behind NAT and only one public IP, so we create dst-nat rules for those servers. The problem is that these multiple servers use the same ports, like 80 and 443, and when we create the dst-nat rules they conflict with each other. For example, if we create a dst-nat rule to the web server using ports 80 and 443, and another server uses the same ports for an application login interface via web, how can I achieve this so that the servers can be accessed via one public IP properly?
(attached topology image: topologyinsani.png)

The only way is to get users to come in on different ports... and then port translate in the dst-nat rule... LIKE ANY OTHER ROUTER I have ever used.

So you can have:
dyndnsname:80
dyndnsname:443

dyndnsname:800
dyndnsname:4433

dyndnsname:8000
dyndnsname:44333

add chain=dstnat action=dst-nat dst-port=80 in-interface=WAN1 protocol=tcp to-addresses=Server1-IP
add chain=dstnat action=dst-nat dst-port=443 in-interface=WAN1 protocol=tcp to-addresses=Server1-IP

add chain=dstnat action=dst-nat dst-port=800 in-interface=WAN1 protocol=tcp to-addresses=Server2-IP to-ports=80
add chain=dstnat action=dst-nat dst-port=4433 in-interface=WAN1 protocol=tcp to-addresses=Server2-IP to-ports=443

add chain=dstnat action=dst-nat dst-port=8000 in-interface=WAN1 protocol=tcp to-addresses=Server3-IP to-ports=80
add chain=dstnat action=dst-nat dst-port=44333 in-interface=WAN1 protocol=tcp to-addresses=Server3-IP to-ports=443

So I access the server 2 web app using port 800? If other servers cannot use a custom port for their web application and by default must use ports 80 and 443, what about that? Is there any solution for that, or is the only solution to have another public IP?
cmiiw

Thanks

A very similar discussion was going on in this thread. Using a properly configured reverse proxy (RP) it's possible to point several different domain names to the same IP address / physical server; the RP then forwards queries towards different backend servers based on the URL used by clients (it can use both the host name part as well as the path part of the URL).

Hi mkx, btw thanks, let me check the thread.

From what I read in this thread, http://forum.mikrotik.com/t/hostname-forwarding/159740/1,
it's impossible to use one port for multiple servers with dst-nat on Mikrotik; maybe the quick solution is to use another public IP for that.

Thanks all for the support

NAT usually works with layer 4 information (and the layers below it), which means it can distinguish connections according to IP addresses (both src and dst), protocols (TCP, UDP, ICMP, …) and port numbers (for protocols that support them, e.g. TCP and UDP) or similar (ICMP codes). Some protocols offer SNI (service name indicator), which is an L7 feature, and NAT servers usually don't / can't work with those.
In general there are 3 possible ways of running multiple servers behind a firewall:

  1. Using multiple WAN IP addresses. DST-NAT then forwards connections to backend servers depending on the originally used dst-address. The dst-port number is a possible extra property but not necessary in this case.
  2. Using a single WAN IP address but different dst-port numbers. DST-NAT then forwards connections to backend servers depending on the originally used dst-port numbers (the solution described by @anav above).
    This solution is very feasible for services that don't use well-known port numbers (e.g. gaming servers, VPN servers, obfuscated SSH servers, etc.) but doesn't play well for services where users expect to use standard ports (e.g. HTTPS or SMTP).
  3. Using a single WAN IP address and a single port number. In this case a reverse proxy is needed (the solution described by me). DST-NAT then forwards all connections to a single backend server which has to deal with the connections.
    This solution is feasible for services that use SNI or similar, which makes the RP aware of the service that the client wants to use. With a decent RP frontend it also makes it possible to use several backend servers serving the same content, used in a high-availability / load-sharing way. This solution is not feasible if the services hidden behind the RP don't use SNI or similar, making it impossible for the RP to distinguish between connections requiring different backend servers. This solution also requires installation of another service (the RP itself), which may or may not be feasible for a particular use.

So it's obvious that running several servers behind a single WAN IP address is not exactly a trivial thing. It is very much doable, but in certain cases routers / NAT servers can't do it and one has to implement some additional service(s).

Noted with thanks, mkx. Yes, it's difficult if some servers cannot use a custom port, so we will use multiple public IPs so it can work properly, because some of our servers are not running only as web servers; some are appliance servers, and these servers use the default port for HTTP.
Thanks a lot

The numbers I used for ports were only example numbers.
Yes, if you have multiple IPs from a provider you can map or netmap them one to one,
aka dedicated public IPs for servers.

I use Nginx Proxy Manager for that.

https://www.youtube.com/watch?v=P3imFC7GSr0

Plenty of similar videos about this topic on youtube anyway.

It is not a trivial task to set it up and make everything work properly, but it is not rocket science either.

Is nginx proxy manager free? Hence, if I install nginxproxymanager in our local network and then do load balancing there, can you explain in detail please? Appreciated.
Thanks

That’s (quite) a bit outside the scope of this Mikrotik forum.
This should help you deploy it.

https://nginxproxymanager.com/guide/

On Mikrotik, then, you only need to DNAT TCP/443 towards this NPM host and that's it. The rest of the config is done on NPM.

I see, thanks btw

Yes, it is free. Nginx PM can do load balancing as well, but that is not what we are talking about here. First of all, have you seen the video I linked above already?
Here is another one:

https://www.youtube.com/watch?v=cjJVmAI1Do4

Also, you need to decide if you want to deploy Nginx as a docker container (or on the system directly) on one of your linux machines, OR on one dedicated machine, on its own.

I already watched the video and have now installed it via docker, but I don't know how to install it directly on the host; no idea for that, maybe I need more research. Btw thanks again.