Multiple web servers V6.2 - reverse proxy

I’m not a specialist in networking, please can somebody help me with the setup steps for a reverse proxy?
I found in the manual the instructions for this, but in version V6.2 the options described are not available.
(http://wiki.mikrotik.com/wiki/Multiple_Web_Servers)

RouterOs: V6.2
Hardware: RB2011L

Situation:
1 public IP Address (xxx.xxx.xxx.xxx)
Public DNS 3 A-records to xxx.xxx.xxx.xxx, www1.domain.nl , www2.domain.nl, www3.domain.nl
RouterOs: public address xxx.xxx.xxx.xxx (WAN)
RouterOs: local addresses 192.168.88.x
Web server1: 192.168.88.11, www1.domain.nl
Web server2: 192.168.88.12, www2.domain.nl
Web server3: 192.168.88.13, www3.domain.nl
All web servers run IIS on port 80

What I want is that from the internet from your browser you go to Web server1 with url www1.domain.nl, you go to Web server2 with url www2.domain.nl and you go to Web server3 with url www3.domain.nl.

Thanks,
Faizal

Do you have 3 different public IP addresses or only one?
If you have one, you have to redirect on one’s of them. If you have three, create appropriate NAT rules.

Hi,

I’ve only 1 public IP address.
3 DNS A records all pointed to the same public IP Address
Internal 3 servers with private IP addresses (192.168.88.11, 192.168.88.12 and 192.168.88.13)

See the link to the Mikrotik manual page, that’s what I need (multiple web servers)
The problem is that the options in the manual (transparent proxy etc.) are not in V6.2 of RouterOs

Faizal

Simply try it without missing options. The following seems to work just fine (just a quick test that I get pages from two different servers). You should at least add access rules to /ip proxy access for real use, to not become an open proxy.
/ip proxy
set enabled=yes max-cache-size=none
/ip dns static
add address=192.168.80.3 name=www.123.com
add address=192.168.84.2 name=www.456.com
/ip firewall nat
add action=redirect chain=dstnat dst-address=192.168.80.80 dst-port=80 \
    protocol=tcp to-ports=8080

Hi, thanks, I tried but no success.
I don't have /ip proxy but /ip webproxy.
In line 7, what's dst-address=192.168.80.80? I have there my public address 213.125.xxx.xxx

Please help.

I have no explanation how I can have “/ip proxy” and you “/ip webproxy”, when we both should have same RouterOS 6.2. We should sort this out first. In fact, the whole wiki example seems a little strange. I have currently access to RouterOS 2.9.51, 3.30, 5.24 and 6.2 and in all of them it’s named “/ip proxy” and none of them has transparent-proxy option you were missing. So where exactly is that example from, I have no idea.

192.168.80.80 is just an address I tested it with. If you put your public address there (to which the hostnames resolve), it’s correct.

Hi Thanks for your help, see attachment I really have V6.2 with web proxy

So what exactly did you do? Did you enable proxy? Did you add firewall rule? Did you add dns entries? Do required hostnames correctly resolve to your public address? What happens when you try to open the web in browser? You can also run /export command and post the output here, that should answer a lot of these questions.

Hi, thanks for your reply, see below my /export
From my internal network I can reach my servers test.xxxx.com , from the internet not
In dns I have an A record for test.xxx.com that points to a public address
This public address is configured on port 1 of my RouterBoard
From the internet I can ping to test.xxx.com and it shows the IP address of port 1


MikroTik RouterOS 6.2 (c) 1999-2013 http://www.mikrotik.com/

[admin@MikroTik] > /export

# jan/06/1970 05:49:59 by RouterOS 6.2
# software id = 2K30-L2JH
#
/interface bridge
add admin-mac=D4:CA:6D:A1:04:84 auto-mac=no l2mtu=1598 name=bridge-local \
    protocol-mode=rstp
/interface ethernet
set 0 name=ether1-gateway
set 5 name=ether6-master-local
set 6 master-port=ether6-master-local name=ether7-slave-local
set 7 master-port=ether6-master-local name=ether8-slave-local
set 8 master-port=ether6-master-local name=ether9-slave-local
set 9 master-port=ether6-master-local name=ether10-slave-local
set 10 name=sfp1-gateway
/ip neighbor discovery
set ether1-gateway discover=no
set sfp1-gateway discover=no
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
    mac-cookie-timeout=3d
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.88.2-192.168.88.126
add name=dhcp_pool2 ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool3 ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool3 disabled=no interface=bridge-local name=dhcp1
/port
set 0 name=serial0
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6-master-local
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=\
    bridge-local network=192.168.88.0
add address=213.125.82.157/28 comment=ziggo interface=ether1-gateway network=\
    213.125.82.144
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no \
    interface=sfp1-gateway
/ip dhcp-server network
add address=192.168.88.0/25 gateway=192.168.88.1
add address=192.168.88.0/24 comment="default configuration" dns-server=\
    192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=212.54.35.25,212.54.40.25
/ip dns static
add address=192.168.88.1 name=router
add address=192.168.88.225 name=test.itwarriors.nl
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=\
    sfp1-gateway
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=\
    invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway
add action=redirect chain=dstnat dst-address=213.125.82.157 dst-port=80 \
    in-interface=ether1-gateway protocol=tcp to-ports=8080
/ip proxy
set enabled=yes parent-proxy=0.0.0.0
/ip route
add distance=1 gateway=213.125.82.145
/lcd interface
set sfp1-gateway interface=sfp1-gateway
set ether1-gateway interface=ether1-gateway
set ether2 interface=ether2
set ether3 interface=ether3
set ether4 interface=ether4
set ether5 interface=ether5
set ether6-master-local interface=ether6-master-local
set ether7-slave-local interface=ether7-slave-local
set ether8-slave-local interface=ether8-slave-local
set ether9-slave-local interface=ether9-slave-local
set ether10-slave-local interface=ether10-slave-local
/system ntp client
set enabled=yes
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=bridge-local
[admin@MikroTik] >
[admin@MikroTik] >

That’s because when LAN clients use your router as DNS server, they get 192.168.88.225 and connect there directly (that’s not a bad thing).

Your problem is firewall, you don’t allow anyone from internet to connect to proxy. Add this and move it before drop rule:
/ip firewall filter
add chain=input protocol=tcp dst-port=8080 action=accept

Also don’t forget to set proxy access as indicated at the end of wiki article!

Btw, your firewall for forward chain is useless, because it accepts just anything except invalid packets. You probably want to add something like this at the end:
/ip firewall filter
add chain=forward in-interface=bridge-local action=accept
add chain=forward action=drop
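
As an added example that is not part of the original posts: once TCP 8080 is accepted on the WAN side, `/ip proxy access` is the only thing deciding which requests the proxy will serve. The sketch below pairs the static DNS entries with an allow-list of the published hostnames and a final deny; the hostnames and internal addresses are the placeholders from the first post, and the comments are illustrative.

```routeros
# Added example, not from the thread. Names and addresses are the
# placeholders from the first post; substitute the real ones.

# The proxy resolves the requested Host through the router's own DNS,
# so each published name maps to the internal server behind it.
/ip dns static
add name=www1.domain.nl address=192.168.88.11
add name=www2.domain.nl address=192.168.88.12
add name=www3.domain.nl address=192.168.88.13

# Weak state: an empty access list. The proxy then fetches any URL for
# anyone who can reach port 8080, which is an open proxy.
#
# Corrected state: allow only the three published hostnames on port 80
# and deny every other request. Rules are evaluated top to bottom, so
# the deny rule must stay last.
/ip proxy access
add action=allow dst-host=www1.domain.nl dst-port=80 comment="published site 1"
add action=allow dst-host=www2.domain.nl dst-port=80 comment="published site 2"
add action=allow dst-host=www3.domain.nl dst-port=80 comment="published site 3"
add action=deny comment="everything else: do not act as an open proxy"

# Review the resulting order before testing from outside.
/ip proxy access print
```

A request from outside for any hostname other than the three listed should then be refused by the proxy instead of being fetched on the requester's behalf.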

Thanks a lot for your help, I think it's working now, the firewall settings were the thing.
Tomorrow I can test it from outside.

Again thanks a lot!