Since there is no more IP4:s in the world, is it possible to dst-nat based on a dns name?
What i want to do is this:
external ip: 195.67.199.39
www.foo1.com = 195.167.199.39 ==> dst-nat to: 192.168.1.1
www.foo2.com = 195.167.199.39 ==> dst-nat to: 192.168.1.2
www.foo3.com = 195.167.199.39 ==> dst-nat to: 192.168.1.3
Is this possible? How?
/Hannes
maybe using layer 7 on firewall
Cool idea, but usually you would use a http proxy to do that.
A Reverse Proxy as barkas said, provided those webservers aren’t serving HTTPS.
Proxy is not the solution, i want it to forward any traffic aimed at the specified dns name.
Just like using regexp and layer 7 for outgoing traffic. I just dont know if it is possible.
/HW
No, it’s not possible like you’re asking, and when you think about it you’ll see why:
DNS only resolves a hostname to an IP. The IP header only has source/destination IP address fields in the header, nothing about host names at all. Same for TCP and UDP… so there’s nothing to match on in the lower layers, as has been stated.
Now layer 7 - the first time a hostname is mentioned again is in the host headers of the HTTP message - but these cannot even be sent before the TCP 3-way handshake completes. You have to have an established socket before the host header can even be sent, let alone caught by the regex filter in the firewall filter… way too late to do any NAT redirection.
You either need to use a specific IP to a host (or group of hosts if load balancing) dedicated to web traffic, and this host (group) will use host headers to serve the correct page. A reverse proxy can also do this (as earlier suggested).
Finally, a reverse proxy which does SSL offloading can allow similar behavior for HTTPS. It will accept the SSL connection, and proxy it via standard HTTP behind your firewall, so different hosts for different dns names are possible (usually, it requires that you have 1 IP per domain name, with a wildcard cert for that domain, so *.example.com can use a single IP address, *.example.org use another IP, etc…
For specific protocols it would be possible, but not generically.
You would need a tailored regex for each l7 protocol.
I really don’t think L7 filter is useful for nat. How can you change what host the packets are being NATed to after the socket is open and data has begun flowing?
The router can’t say: "Oh wait - you said ‘host: facebook.com’ so I’m going to send you to this other IP… "
It’s too late. The SYN/ACK sequence has already completed. You could have a special host that doesn’t need to do the handshake to send TCP segments to the other host, but the TCP sequence numbers are going to make it nearly impossible to jump in the middle with a proxy and send data like this… (that’s intentional - this behavior is a man-in-the-middle attack)…
You could use L7 matches to change NAT behavior more effectively with UDP since it is connectionless, but web is TCP-based.
OP needs to dedicate an IP address to being “the web server (farm)” and then use name-virtual-host (in Apache terminology) to decide which page to show the caller. The IP can be utilized even more efficiently by using the same IP address, but mapping the ports for email to a different internal server (group). DNS can be mapped to yet another server, etc. So one single IP can map all of the useful services to completely different internal addresses. But it’s at the protocol/port level, so it’s unable to map (using NAT alone) to different servers based on website URL. It takes a proxy to do that.
but
/ip firewall nat add chain=dstnat action=dst-nat in-interface=WAN-INTERFACE src-address-list=BUNCH_OF_IPs
is possible and BUNCH_OF_IPs can be updated doing https://wiki.mikrotik.com/wiki/Use_host_names_in_firewall_rules
In http://forum.mikrotik.com/t/allow-access-based-on-f-q-d-n-instead-ip/111614/1 it is said
/ip firewall address-list add address=wiki.mikrotik.com comment=wiki.mikrotik.com list=host_mikrotik
will work but I cannot find anything about how domains are resolved to IPs in the docs but http://forum.mikrotik.com/t/firewall-address-list-domains-resolution-frequency/155414/1 and http://forum.mikrotik.com/t/access-list-resolving-time-dns-names/135027/1
That’s not what the original question was about, it wanted to use firewall rules instead of reverse proxy, but that’s not possible. Your incomplete dstnat rule would work, if you’d add missing parts, and if you really meant to have dstnat based on source addresses identified by hostnames. But that’s something competely different.
thx a lot of the quick answer 
missing parts are included, reduced the rule to actual question
.
.
I overlooked
=
is not the same as
==>
so I was in
/ip firewall nat add chain=dstnat action=dst-nat in-interface=WAN-INTERFACE src-address-list=LIST.foo1.com to-address=192.168.1.1
/ip firewall nat add chain=dstnat action=dst-nat in-interface=WAN-INTERFACE src-address-list=LIST.foo2.com to-address=192.168.1.2
/ip firewall nat add chain=dstnat action=dst-nat in-interface=WAN-INTERFACE src-address-list=LIST.foo3.com to-address=192.168.1.3
src-address-list?
A list of all external user that use the service?
Based on external user, see different site?
please read this to understand why is not feasible
(Who was the message for? 
)
initially, I read
www.foo1.com ==> 195.167.199.39 ==> dst-nat to: 192.168.1.1
traffic from foo1.com to Route, shall be forwarded to 192.168.1.1, what was wrong as simply as that