Hi all, I'm using a MikroTik server to provide internet services to my clients through the Hotspot and PPPoE servers that are built into it.
But now I want to add a web server to my network and use my MikroTik server as a firewall for the new web server.
So I want to add the required rules to my firewall and put the basic configuration in place to make my web server more secure.
So the graph of my network will be:
internet======>>Mikrotik=======>>Customers on interface local & Web server on other new interface.

What version of RouterOS?
ROS is on Ver 2.9.51
Regarding the picture, I suppose your webserver should be “web server” [192.168.1.101] on it, not “server” [192.168.0.17].
If yes, go ahead, use your MT device as a firewall, and use the documentation as a helper. It's easy.
Thanks for all,
But I want to tell you that I'm using one static IP for my MikroTik server and I want to host multiple web sites on my web server, so I also want to use NAT to redirect requests to the correct website.
I hope that my idea is delivered to you.
You can only forward port 80 to one computer. Period.
You can set up a host-based web server, such as Apache virtual hosts.
Google it.
Yes, this is not possible in the router. You need to set up Apache “virtual hosts”.
This can be done using a proxy; see the example:
http://wiki.mikrotik.com/wiki/Multiple_Web_Servers
Also if using IIS you can use “host headers” [similar to Apache]
OK, thanks for all,
But I want to ask: how can I tell my MikroTik to redirect that port 80 request to that web server???
Also I want to say that I want to access my new web site from the internet, not from my network only. I mean that I want to let you surf it.
/ip firewall nat add action=dst-nat chain=dstnat comment="" disabled=no dst-port=80 in-interface=wan0 protocol=tcp \
    to-addresses=INTERNAL_IP_HERE to-ports=80
Also, I would like to note that DNS addresses on the DNS server will point to your external IP address, and customers from your local network would not be able to access the webserver using the DNS name (external IP address), while locally they will be able to do that using the server's internal IP address.
And what firewall rules are required to get around that local client access to external IP (hosted internally) limitation? I’ve seen really cheap nat routers that do it automatically (dlink’s?), so I know it’s possible. I just can’t seem to figure it out. Any ideas?
Thanks!
I found the same problem.
My fix was to have 2 DNS servers.
1 internal, where www points to the server's internal 172 address.
1 external, where www points to my external IP. And only people from the outside see this.
It is called ‘split DNS’ and can be configured with 1 DNS server =)
The webserver-on-internal-network problem can be addressed in several ways:
- Add a static DNS entry for it. But beware, I still claim that MT DNS is unreliable for that, and hence …
- You have to source-NAT packets which go to your webserver (chain=srcnat dst-address=webserver-ip action=masquerade out-interface=local).
Yeah, I know, I just wanted to give the general idea.
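
Why the source-NAT rule suggested above makes local access to the external IP work, as an added example that is not part of any post in this thread. It is a toy packet trace, not RouterOS code; all addresses except 192.168.1.101 are constructed, and it assumes the dst-nat rule also matches requests arriving from the LAN (the rule posted above matches only in-interface=wan0).

```python
# Added example: toy model of NAT loopback ("hairpin"). Not RouterOS code.
from collections import namedtuple

Packet = namedtuple("Packet", "src dst")

WAN_IP = "203.0.113.10"      # router's public address (constructed)
ROUTER_LAN = "192.168.1.1"   # router's address on the client LAN (constructed)
CLIENT = "192.168.1.50"      # LAN client (constructed)
SERVER = "192.168.1.101"     # web server behind the router (illustrative)


def reply_seen_by_client(masquerade, server_on_client_lan=True):
    """Follow one request from CLIENT to WAN_IP:80 and return the reply packet.

    Assumption: the dst-nat rule also matches traffic arriving from the LAN.
    """
    request = Packet(CLIENT, WAN_IP)
    # Router, dstnat chain: destination is rewritten to the server; connection
    # tracking remembers the original tuple so replies can be translated back.
    original = request
    request = request._replace(dst=SERVER)
    # Router, srcnat chain: masquerade hides the client behind the router.
    if masquerade:
        request = request._replace(src=ROUTER_LAN)
    # The server answers whatever source address it saw.
    reply = Packet(SERVER, request.src)
    # A reply to a host on the server's own segment is delivered directly and
    # never reaches the router, so nothing reverses the dst-nat.
    bypasses_router = server_on_client_lan and reply.dst == CLIENT
    if not bypasses_router:
        reply = Packet(original.dst, original.src)  # conntrack undoes the NAT
    return reply


def connection_works(masquerade, server_on_client_lan=True):
    """The client's TCP stack only accepts replies from the address it dialled."""
    return reply_seen_by_client(masquerade, server_on_client_lan) == Packet(WAN_IP, CLIENT)


if __name__ == "__main__":
    for masq in (False, True):
        for same_lan in (True, False):
            print(f"masquerade={masq!s:5} server_on_client_lan={same_lan!s:5} "
                  f"works={connection_works(masq, same_lan)}")
```

With the server on its own router interface, as in the original poster's layout, replies always pass back through the router, so the masquerade rule matters only when client and server share a segment.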