How to forward FQDN to local network

Hi,

I use a MikroTik router and need to forward to web sites on several servers by FQDN, as in this example:

PC1.test.com → 192.168.55.201
PC2.test.com → 192.168.22.202

All sites work on the same ports.

Please, is it possible to help me and tell me how I can do it the best way?

Thanks.

hello,

which direction do you want to redirect?

  1. from the internet going to your network
    or
  2. from your network going to the internet?

and,

  1. which subject do you want to translate to?
  • from fqdn to ip
    or
  • from ip to fqdn?

It is not possible to do this with a MikroTik router directly. You need to set up a reverse proxy on your local network, forward ports 80 and 443 from external to that reverse proxy, and let the reverse proxy forward the traffic to PC1, PC2 etc.
There is no reverse proxy function in RouterOS, so that has to be done on another device.
(except when you have one of the few MikroTik routers where it is possible to run a “container”; then you could have this reverse proxy as a container)

Hi,

The requests should go from the internet (FQDN) to local servers (IP or FQDN). I have a local DNS server which also resolves some other local FQDNs.

And is it possible to set up the reverse proxy on the MikroTik router, since I have only a local DNS server on Synology and I don’t know whether that can do the proxy server?

Thanks.

@alfista

The requests should go from the internet (FQDN) to local servers (IP or FQDN). I have a local DNS server which also resolves some other local FQDNs.

does your router have a public ip?

did you really host an internet dns locally already?

Sorry, but I do not fully understand what you are writing.
To repeat: there is NO reverse proxy in RouterOS, you will have to put it on another system.
It is NOT possible to do what you want without a reverse proxy.
However, it is possible to have e.g. a reverse proxy as a function on PC1 and send all outside traffic to PC1, which will forward the traffic for PC1.test.com to 192.168.22.202
You can usually configure a reverse proxy as part of a webserver, but of course it depends on the webserver software you are running.
Don’t let yourself be distracted by questions from wiseroute, it is clear what you want.

Hi,

Yes, I have a public static IP address from my provider.

I don’t use a proxy for now. I use only a DNS server where the FQDNs are set (they are also set in the public DNS server) and I also have the PTR records there.

The web sites that I need to access are management sites of systems that I run on the servers, and I don’t manage the web servers. They are fixed, given by the software vendor (VMware).

@pe1chl

Don’t let yourself be distracted by questions from wiseroute, it is clear what you want.

ok. i am just trying to draw @op’s topology and know what he wants – i don’t like crystal balls :joy:

ok. feel free to take over this topic

OK, when you run VMware, add another VM, install some Linux distribution in it and configure a reverse proxy (e.g. in Apache 2).
Then you can forward web requests depending on the hostname in the http(s) request.

Hi,

OK, if I understand correctly, I should install a reverse proxy to which I should then forward all requests, and depending on the web site accessed it will then forward them to the correct site?

What needs to be configured in MikroTik for this?

And is this the only possible solution for correct and secure forwarding? I have read somewhere that some people do it over NAT (port forwarding). Is this OK or not?

Thanks.

You need to set up a separate system that runs reverse proxy software.
The configuration of the reverse proxy software will have items for each “virtual host” running on the same IP, distinguished by FQDN.
For each such entry you configure the address of an internal system to which the request is forwarded.
Of course for secure access you will need the certificate of each of the FQDNs to be installed on the reverse proxy server.
Easiest is to have a single certificate valid for all of the names. When the names are indeed all subdomains of the same higher domain, you can get a wildcard certificate for e.g. *.test.com and use that.

In addition you need to add a dstnat rule on the MikroTik to forward incoming port 80 and 443 traffic to the IP address of the reverse proxy server.
(port forwarding)

Of course another possibility is to use IPv6. Then you can assign a different external address to each of your internal servers and it will work without reverse proxy and dstnat. But it requires that your ISP and your users have IPv6.

Hi All,

Thanks for all the answers and help.
When I read your posts, it looks like a reverse proxy needs to be installed on a separate system. It would be even better if the MikroTik router had this feature :slight_smile:.

I have two last questions:

  1. I would like to know: if I don’t install another OS with the reverse proxy, is there a good option to use the dstnat function for each FQDN to forward it to the correct server?
  2. What is better: install a Linux system with a reverse proxy or use Windows Server?

Thanks.

I have two last questions:

  1. I would like to know: if I don’t install another OS with the reverse proxy, is there a good option to use the dstnat function for each FQDN to forward it to the correct server?
  2. What is better: install a Linux system with a reverse proxy or use Windows Server?

  1. how many public IPs you have will dictate which method you will use.

if you have an equal amount of public IPs that will cover the number of your internal servers (with the same target/service port, i.e. both servers using the same port 80, 443, 53 etc.) - you can use the dst-nat function.

the benefits are obvious: any service port your server has - they can all be available live to the internet.

  2. if you only have 1 public IP and your target servers use the same access port:
  • either your webserver should use vhost directives for the domain (you will use basic dst-nat on the router),

or

  • you will need another server and install HAProxy or Squid cache on it to direct your single-IP traffic to those webservers. (you can use a VM for this proxy).

note that reverse proxies are limited by what service port you will use.

+++ edit

actually you can use ip firewall content matchers for this setup - but i don’t know whether this function will degrade your router performance.

or, maybe you have some spare budget to afford another ccr?? :joy:

hope this helps. good luck :+1:t2:
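pe1chl's description above (one “virtual host” entry per FQDN on the reverse proxy, one dstnat rule on the MikroTik) and wiseroute's single-public-IP case come down to the same mechanism: something behind the router has to read the requested name and pick the backend. As an added illustration that is not code from this thread, from MikroTik or from any of the posters, here is a minimal name-based HTTP reverse proxy in Python's standard library. The FQDN-to-backend table reuses the two addresses from the opening post; the listening port 8080, the header handling and the refusal of unknown names are assumptions made for the example.

```python
"""Name-based (virtual host) HTTP reverse proxy using only the Python stdlib.

Added illustration: the FQDN -> backend table reuses the addresses from the
opening post; everything else (port 8080, header handling) is an assumption.
"""
import http.client
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# One entry per "virtual host": the FQDN the client asked for -> internal server.
BACKENDS = {
    "pc1.test.com": ("192.168.55.201", 80),
    "pc2.test.com": ("192.168.22.202", 80),
}

# Hop-by-hop headers must not be copied between the two connections.
HOP_BY_HOP = {"connection", "keep-alive", "transfer-encoding", "te",
              "trailer", "upgrade", "proxy-authorization", "proxy-authenticate"}


def backend_for_host(host_header):
    """Map a Host header value to (ip, port); None means 'no such vhost'.

    Normalises case, a trailing dot and an explicit :port so that
    'PC1.test.com:80' and 'pc1.test.com' select the same backend.
    """
    if not host_header:
        return None
    name = host_header.split(":", 1)[0].strip().lower().rstrip(".")
    return BACKENDS.get(name)


class VhostProxy(BaseHTTPRequestHandler):
    def _forward(self):
        target = backend_for_host(self.headers.get("Host"))
        if target is None:
            # Default deny: a name we do not serve is never forwarded anywhere.
            self.send_error(421, "Misdirected Request")
            return
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        out_headers = {k: v for k, v in self.headers.items()
                       if k.lower() not in HOP_BY_HOP}
        # The backend keeps the original Host and learns who really connected.
        out_headers["X-Forwarded-For"] = self.client_address[0]
        out_headers["X-Forwarded-Proto"] = "http"
        conn = http.client.HTTPConnection(*target, timeout=10)
        try:
            conn.request(self.command, self.path, body=body, headers=out_headers)
            resp = conn.getresponse()
            data = resp.read()      # de-chunks if the backend used chunked encoding
        except (OSError, http.client.HTTPException):
            self.send_error(502, "Bad Gateway")
            return
        finally:
            conn.close()
        self.send_response(resp.status, resp.reason)
        for k, v in resp.getheaders():
            if k.lower() not in HOP_BY_HOP and k.lower() != "content-length":
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = do_PUT = do_DELETE = do_PATCH = _forward


if __name__ == "__main__":
    # Listen on the address the MikroTik dstnat rule points at.
    ThreadingHTTPServer(("0.0.0.0", 8080), VhostProxy).serve_forever()
```

The router side is then a single rule of the form `/ip firewall nat add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=80,443 to-addresses=<proxy IP>` (interface list and proxy address assumed). This toy speaks plain HTTP only; a real deployment terminates TLS on the proxy with the wildcard certificate pe1chl mentions, which is exactly what nginx, Apache or HAProxy give you and why the thread recommends one of them over hand-rolled code.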

No, it can’t be done using IP firewall matchers. Those are only good to break the connection (because breaking the connection is effective if it happens any time before actual data is transferred), but not for DST_NAT, where every single packet has to reach the correct destination … but L7 content match in a TCP connection can only happen from the 4th packet onward (the initial 3 packets are for the TCP connection handshake and don’t carry any payload). And for TLS 1.3 even content matchers don’t help, as SNI can be encrypted as well.

It really has to be a reverse proxy if there’s more than one FQDN used for any given public IP address.

BTW, Apache can also be used as a reverse proxy, so it can be used as a hybrid solution (content server and reverse proxy).

Re Linux vs. Windows: I’d suggest using Linux; servers tend to work better and administration is normally not hindered by a GUI :wink: If you decide on one of the beefier routers (e.g. RB5009 or some CCR2xxx model), then you could run a RP in a container on the router itself, making this solution almost what you wanted (ROS supporting RP).
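mkx's point (no usable name before the 4th packet, and possibly no cleartext name at all under TLS 1.3 with an encrypted ClientHello) is easiest to see by parsing the message a reverse proxy actually reads. The following Python is an added example, not code from this thread, from MikroTik or from any of the posters: `build_client_hello()` constructs a test ClientHello, `extract_sni()` pulls the server_name out of it and returns None while the record is still incomplete, and `first_segment_with_sni()` walks a constructed list of TCP payloads. The all-zero random, the single cipher suite and the ECH extension codepoint are assumptions made for the demo.

```python
"""Parse the server_name (SNI) out of a TLS ClientHello.

Added illustration, not code from this thread. build_client_hello() constructs a
test message; extract_sni() is what a reverse proxy (or an SNI-logging sensor)
has to do before it can choose a backend.
"""
import struct

EXT_SERVER_NAME = 0x0000
EXT_ENCRYPTED_CLIENT_HELLO = 0xFE0D   # ECH extension codepoint (draft); demo assumption


def build_client_hello(server_name=None, extra_exts=()):
    """Construct a minimal ClientHello record (test fixture; random is all zeros)."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type host_name
        sni = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    for ext_type, payload in extra_exts:
        exts += struct.pack("!HH", ext_type, len(payload)) + payload
    body = (b"\x03\x03" + bytes(32)          # legacy_version, random
            + b"\x00"                          # empty session id
            + b"\x00\x02\x13\x01"              # one cipher suite (TLS_AES_128_GCM_SHA256)
            + b"\x01\x00"                      # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data):
    """Return the host_name from a complete ClientHello record, else None.

    None also covers: truncated data (the record is not yet complete), a record
    that is not a ClientHello, and a ClientHello without server_name (e.g. when
    ECH hides the real name and only an outer name or nothing is present).
    """
    try:
        if len(data) < 5 or data[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        if len(data) < 5 + rec_len:
            return None                          # record still incomplete
        hs = data[5:5 + rec_len]
        if hs[0] != 0x01:
            return None                          # not a ClientHello
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                             # skip version + random
        pos += 1 + body[pos]                     # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
        pos += 1 + body[pos]                     # compression methods
        if pos + 2 > len(body):
            return None                          # no extensions block at all
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            ext = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type == EXT_SERVER_NAME:
                list_end = 2 + struct.unpack("!H", ext[0:2])[0]
                q = 2
                while q + 3 <= list_end:
                    name_type = ext[q]
                    name_len = struct.unpack("!H", ext[q + 1:q + 3])[0]
                    name = ext[q + 3:q + 3 + name_len]
                    q += 3 + name_len
                    if name_type == 0:
                        return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def first_segment_with_sni(segments):
    """Index of the TCP segment after which the name first becomes readable.

    `segments` is a constructed list of payloads in wire order; empty payloads
    stand for the SYN / SYN-ACK / ACK of the handshake, which carry no data.
    """
    buf = b""
    for i, payload in enumerate(segments):
        buf += payload
        if extract_sni(buf) is not None:
            return i
    return None
```

With three empty handshake segments followed by a ClientHello split over two segments, the name is only known after the fifth segment; the earlier packets had to be routed somewhere already, which is the DST_NAT problem mkx describes. When an ECH extension is present, `extract_sni()` returns only the outer (public) name, as the real one sits inside the encrypted payload, so a content matcher on the router cannot substitute for a proxy that terminates TLS. The same parser is useful defensively for logging which names a public IP is being asked for.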

It is the same thing that I already wrote several times above, but Alfista and wiseroute seem to prefer running around in circles…

I have only one public IP address and many FQDNs (about 10 for now).
For now I use dstnat, so that I have added an extra port to each FQDN and this forwards to the correct server, but I’m not sure if it’s a really good and secure way.
From all your suggestions I see that the only good way for my solution, even if there are more, is to use the reverse proxy server.

Thanks.

Hi, thanks, it works great. I have set up the reverse proxy on my Synology NAS.

That is a very messy way of doing it; Apache and nginx servers can do all that without getting the router involved, it’s called “Virtual Hosting”.

You are re-inventing the wheel in a complicated and horrible way.

Read more carefully. He did it outside of the router, in this case in a Synology NAS. That is exactly what you (and I) recommend, not a messy way.