how to redirect

RouterOS Beginner Basics
1

Hi friends
Sorry for my bad English


i have big problem

I recently bought hap litte and
i want redirect all user in my network to my local website

i have 2 net
net 1= ether2=192.168.88.0/24= dhcp server =on
net 2= ether3=192.168.110.0/24= dhcp server =on
my local web site ip = 192.168.88.250
i not use internet

and i add nat =

firewall
nat
add chain=dstnat
src-address=0.0.0.0/0 or 192.168.110.0/24 or 192.168.88.0/24
protocol=tcp
dst-port=80,443
action=dstnat
to-address=192.168.88.250
to-ports=80

not work and not work
i enable accept redirects from --ip–setting

please help me
thanx

2

firstly - the enable redirects is not what you’re thinking - that’s referring to whether the router should send ICMP redirect messages when applicable, but this has to do with routing and choice of default GW vs more specific gateway… not what you’re doing.

The rules you’ve set should work just fine - except that your web server must now accept ANY web site name and then redirect to your own website.

Consider this:

  1. I type http://www.example.com/examples/basic.html into my browser.
  2. My computer finds the IP address of the host http://www.example.com in DNS to be 192.0.2.101
  3. My computer sends request to open a TCP socket to 192.0.2.101 on port 80.
  4. The Mikrotik does dstnat and re-writes the destination IP address on the packet to be 192.168.88.250 and then forwards the packet to your web server
  5. The web server accepts the connection and TCP is established (nat happens on each packet in this process, so I won’t mention it anymore)
  6. My computer will then ask the HTTP daemon on your server to please serve the file /examples/basic.html from host http://www.example.com

This is where things go off the rails…

If your server is configured to always “just be itself” regardless of the host name specified by clients, then that’s fine - but it will then look for the file my browser requested - it will look in the HTML folder for a sub-folder called “examples” and in that folder, it wants a file called “basic.html” - chances are almost certain that you don’t have this file on your server, so the server is going to say “Sorry, buddy - I don’t have that file. Error code 404”

OR - if your server DOES know what hostnames are, it will connect the session to the default website regardless of name, where the above problem happens… OR - if the server will ONLY respond to requests for its specific host name - then who knows what error it’s going to give, but it’s going to fail in some way…

So the solution is to tell your web server that it should use a custom 404 (file not found) error page - and you make a custom 404 page that has a redirect header instructing the browser to go instead to http://192.168.88.250/mywebsite.html (or if you have DNS inside your network, you could use http://your-website-name-here/)

One more problem with your dstnat rule is that you specify tcp ports 80,443 to match, but specify to-ports=80
This means that connection attempts to reach port 443 on the web will be redirected to your server on port 80.
SSL won’t work on port 80, so I suggest that you remove the to-ports=80 (leave that unspecified, and the port won’t get modified)
Of course now you have another problem - that being you need an SSL certificate for your server so that it can operate on port 443 as well, and unfortunately, this is going to give users a warning message “WARNING: the certificate doesn’t match the site you requested” - but there’s not really any easy way around this for SSL, but it’s probably better to have this happen so that at least the users will know that the connection is doing something. If you just drop port 443 (or map it to port 80) then the connection is just going to sit there until the browser gives up, giving the illusion that they’re having a problem with their connection.

Realize that these days, many people’s browsers’ default pages are going to be SSL-enabled websites, so you’d rather give the SSL warning than just let the browser open up and not do anything. You could perhaps just reject port 443 (reject with tcp-reset) so that browsers will tell the user “connection refused” immediately, and then they’ll try typing in something different - almost certainly without putting https:// at the beginning - and then you’ll have them on your website.

3

firstly - the enable redirects is not what you’re thinking

Thanks for replay mr ZeroByte

*My local web site work correctly (main page and subfolder) – no problem
*And Ssl protocoal Issue for next

but about local network and dns:
can i run dns localy in my window or mikrotik and set all address to my local web site
for example:

http://www.bing.com 192.168.88.250
http://www.website.org 192.168.88.250

or

*.com 192.168.88.250
. 192.168.88.250

if your answer yes how it ?And by what tools ?

==============================================================================
i see hotspot work and redirect with out internet
so i redirect too by nat or ..?
thanks and again excuse me for my bad english

4

Ok - test this by editing the hosts file on a test client - (c:\windows\system32\drivers\etc\hosts) and set www.google.com as 192.168.88.250
Then close all open browser windows, and open a new one, and try to go to www.google.com

If you see your website, then try opening:
http://www.google.com/invalidPage/test.html

See what that gets you - if you still see the website, then the server is set up right.

The the redirect rules in the dstnat of the Mikrotik is all you need.

As for DNS, I don’t think Mikrotik’s DNS proxy lets you define wildcards - but probably dnsmasq on an openWRT image running in MetaRouter would do the trick.