prisoner267
just joined
Topic Author
Posts: 5
Joined: Sat Jul 24, 2021 8:57 pm

layer 7 port forwarding

Sat Jul 24, 2021 9:01 pm

How can I redirect a sub-domain like "MyNAS.XYZ.com" to my LAN NAS "IP:port" and "MyBlog.XYZ.com" to another machine "IP:Port" in MikroTik using the GUI? I tried googling but only got terminal commands for layer 7 forwarding.
 
andriys
Forum Guru
Posts: 1526
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: layer 7 port forwarding

Sat Jul 24, 2021 10:56 pm

You need a so-called HTTP reverse proxy to do this kind of redirect properly. RouterOS does not have that, so the "L7 hack" is your only option in case you absolutely have to do that on MikroTik itself.
 
Cablenut9
Long time Member
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: layer 7 port forwarding

Sat Jul 24, 2021 10:57 pm

Put your domain in an address list. Then, make the NAT rule so it matches based on that domain address list.
 
andriys
Forum Guru
Posts: 1526
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: layer 7 port forwarding

Sat Jul 24, 2021 11:01 pm

@Cablenut9, I am 99% confident that in OP's case both MyNAS.XYZ.com and MyBlog.XYZ.com point to the same IP address. That's kinda obvious...
 
Cablenut9
Long time Member
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: layer 7 port forwarding

Sat Jul 24, 2021 11:18 pm

I had a similar problem, and the fixes are:
1. Use port knocking to manually choose which thing you connect to.
2. Use source address filters to exclude a certain address from the blog and then connect to the NAS, maybe use IP Cloud DDNS to do this? Or, you can use something like Cloudflare instead.
3. Use source ports to filter with. This could be tricky to do, but is a solid solution.
 
Emil66
Frequent Visitor
Posts: 62
Joined: Tue Aug 28, 2018 2:09 am

Re: layer 7 port forwarding

Sat Jul 24, 2021 11:24 pm

You can match for the SNI host in the firewall by setting the "tls-host" parameter. You can use that to dst-nat towards different backends. Note that this doesn't work for fragmented packets, the QUIC protocol or ESNI. A reverse proxy would be the preferred solution.
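The tls-host matching described in the post above only works when the router can read the server_name extension out of the ClientHello in the packet it is inspecting. The Python below is an added illustration, not RouterOS code and not from any poster: it builds a minimal ClientHello, extracts the SNI the way a packet-level matcher has to, and returns None in exactly the situations the post lists as unmatched: a record that continues in a later TCP segment, and a hello that carries no clear-text name (the ESNI/ECH case). The backend table, its addresses and the lower-casing of the matched name are my own constructed assumptions.

```python
import struct

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type: ClientHello
SNI_EXTENSION = 0x0000    # extension type: server_name

# Constructed backend table: the two internal targets from the thread (addresses are assumptions).
BACKENDS = {
    "mynas.xyz.com": ("192.168.88.10", 5000),
    "myblog.xyz.com": ("192.168.88.20", 8080),
}


def build_client_hello(hostname=None):
    """Construct a minimal ClientHello record as test input (not a real TLS client).

    hostname=None leaves the server_name extension out entirely, which is what a
    matcher sees when the name travels encrypted (ESNI/ECH) instead of in clear text.
    """
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # one host_name entry
        ext_body = struct.pack("!H", len(entry)) + entry             # ServerNameList
        extensions = struct.pack("!HH", SNI_EXTENSION, len(ext_body)) + ext_body
    body = (
        b"\x03\x03"                              # client_version: TLS 1.2
        + b"\x00" * 32                           # random (constant; irrelevant to the parser)
        + b"\x00"                                # session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
        + b"\x01\x00"                            # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(segment):
    """Return the clear-text SNI host from the bytes of one TCP segment, or None.

    None covers everything a packet-level matcher cannot classify: not a handshake
    record, a record whose remainder sits in a later segment, or a ClientHello
    without a server_name extension.
    """
    if len(segment) < 5 or segment[0] != TLS_HANDSHAKE:
        return None
    record_len = struct.unpack("!H", segment[3:5])[0]
    if len(segment) < 5 + record_len:
        return None                      # rest of the record is in another segment
    hs = segment[5:5 + record_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                         # skip client_version and random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                 # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                 # compression_methods
    if pos + 2 > len(body):
        return None
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if end > len(body):
        return None
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        ext = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != SNI_EXTENSION or len(ext) < 5:
            continue
        q = 2                            # skip the 2-byte ServerNameList length
        while q + 3 <= len(ext):
            name_type = ext[q]
            name_len = struct.unpack("!H", ext[q + 1:q + 3])[0]
            name = ext[q + 3:q + 3 + name_len]
            q += 3 + name_len
            if name_type == 0 and len(name) == name_len:
                return name.decode("ascii", errors="replace")
    return None


def pick_backend(segment):
    """The routing decision a tls-host style rule would make for this segment, or None."""
    host = extract_sni(segment)
    return BACKENDS.get(host.lower()) if host else None
```

Run it against `build_client_hello("MyNAS.XYZ.com")` and against the first 40 bytes of that same record to see the difference between a whole ClientHello and one that was split across segments; the second case is the one a packet matcher silently drops into whatever rule comes next, which is why the post recommends a reverse proxy that reassembles the stream.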
 
andriys
Forum Guru
Posts: 1526
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: layer 7 port forwarding

Sat Jul 24, 2021 11:39 pm

@Cablenut9, all your options suggest that you needed this for yourself only. In that case setting up some kind of a VPN would have been a much easier, cleaner and more flexible solution...

@prisoner267, I suspect you already have some web server on your NAS, your other machine, or both. So one thing you can do is to redirect all incoming HTTP/HTTPS connections to one of those boxes, then make that box serve one domain locally and proxy the other domain to the other box.
 
Cablenut9
Long time Member
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: layer 7 port forwarding

Sat Jul 24, 2021 11:44 pm

In that case setting up some kind of a VPN would have been a much easier, cleaner and more flexible solution...
This is hilarious, because all my solutions were originally made for me to differentiate between HTTPS and a Wireguard/SSTP VPN tunnel.
 
andriys
Forum Guru
Posts: 1526
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: layer 7 port forwarding

Sat Jul 24, 2021 11:49 pm

Well, for SSTP that kinda makes sense. But not so much for WireGuard since it only uses UDP as a transport...
 
Cablenut9
Long time Member
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: layer 7 port forwarding

Sat Jul 24, 2021 11:51 pm

But not so much for WireGuard since it only uses UDP as a transport...
QUIC traffic also uses UDP.
 
andriys
Forum Guru
Posts: 1526
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: layer 7 port forwarding

Sat Jul 24, 2021 11:59 pm

And so what? Ports are different. And while for SSTP there are good reasons to keep it running on 443/tcp, are there any equally good reasons to run WireGuard on, say, 443/udp?
 
Cablenut9
Long time Member
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: layer 7 port forwarding

Sun Jul 25, 2021 12:00 am

If you have a restrictive firewall that blocks most traffic, UDP WG on 443 has a higher chance of getting through.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: layer 7 port forwarding

Sun Jul 25, 2021 7:47 pm

Cablenut, you have the worst ISP in history or you are working from the prison library. ;-)
@andriys, you have to understand that, as in extreme sports, Cablenut is an extreme MT configurator due to necessity!!
If he says it works, it's because it works! (I think he rewrote the book on port knocking LOL.)
 
prisoner267
just joined
Topic Author
Posts: 5
Joined: Sat Jul 24, 2021 8:57 pm

Re: layer 7 port forwarding

Mon Jul 26, 2021 1:21 pm

You need a so-called HTTP reverse proxy to do this kind of redirect properly. RouterOS does not have that, so the "L7 hack" is your only option in case you absolutely have to do that on MikroTik itself.
Thanks for your reply. I am new at networking; I was just testing for my home network. Anyway, can you give me a blog link on how to do that? I tried googling "how to do reverse proxy in mikrotik" but I am getting many different ways and I am confused about which way I should go for my situation.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: layer 7 port forwarding

Mon Jul 26, 2021 1:26 pm

Just save yourself some nerves and don't think of doing it on MikroTik. As @andriys already explained, it's a hack and, as with all hacks, it might not work very well. If, OTOH, you go for a proper solution[*], you'll have it done in no time and live happily ever after.

[*] There are tons of proper reverse proxies; some are included in mainstream web servers (such as Apache or nginx), some are stand-alone (such as HAproxy) and some are geared towards containerized environments (such as traefik). Some of them are lightweight enough to be run on a Raspberry Pi.
 
andriys
Forum Guru
Posts: 1526
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: layer 7 port forwarding

Mon Jul 26, 2021 4:46 pm

"how to do reverse proxy in mikrotik"
You can NOT do that on MikroTik itself; there is simply NO reverse HTTP proxy on RouterOS. The L7 hack is NOT a proxy.

Also, a few posts back I wrote the following, and I think this may be the best solution in your situation:
I suspect you already have some web server on your NAS, your other machine, or both. So one thing you can do is to redirect all incoming HTTP/HTTPS connections to one of those boxes, then make that box serve one domain locally and proxy the other domain to the other box.
 
prisoner267
just joined
Topic Author
Posts: 5
Joined: Sat Jul 24, 2021 8:57 pm

Re: layer 7 port forwarding

Wed Jul 28, 2021 9:46 pm

Just save yourself some nerves and don't think of doing it on MikroTik. As @andriys already explained, it's a hack and, as with all hacks, it might not work very well. If, OTOH, you go for a proper solution[*], you'll have it done in no time and live happily ever after.

[*] There are tons of proper reverse proxies; some are included in mainstream web servers (such as Apache or nginx), some are stand-alone (such as HAproxy) and some are geared towards containerized environments (such as traefik). Some of them are lightweight enough to be run on a Raspberry Pi.
Thanks for your suggestion. I installed both nginx reverse proxy manager and traefik; as I have an old Raspberry Pi 2B, nginx didn't work but luckily traefik worked. I googled how I can reverse proxy to another machine with traefik and got some complex solutions which didn't match my traefik Docker container config file. So I am giving my traefik config files; if you could help me that would be awesome. :)

Here is my docker-compose.yml:

version: "3.3"
services:
  traefik:
    image: traefik:v2.0
    restart: always
    container_name: traefik
    ports:
      - "80:80" # <== http
      - "8080:8080" # <== :8080 is where the dashboard runs on
      - "443:443" # <== https
    command:
      - --api.insecure=true # <== Enabling insecure api, NOT RECOMMENDED FOR PRODUCTION
      - --api.dashboard=true # <== Enabling the dashboard to view services, middlewares, routers, etc...
      - --api.debug=true # <== Enabling additional endpoints for debugging and profiling
      - --log.level=DEBUG # <== Setting the level of the logs from traefik
      - --providers.docker=true # <== Enabling docker as the provider for traefik
      - --providers.docker.exposedbydefault=false # <== Don't expose every container to traefik, only expose enabled ones
      - --providers.file.filename=/dynamic.yaml # <== Referring to a dynamic configuration file
      - --providers.docker.network=web # <== Operate on the docker network named web
      - --entrypoints.web.address=:80 # <== Defining an entrypoint for port :80 named web
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock # <== Volume for docker admin
      - ./dynamic.yaml:/dynamic.yaml # <== Volume for dynamic conf file, **ref: line 27
    networks:
      - web # <== Placing traefik on the network named web, to access containers on this network
    labels:
      - "traefik.enable=true" # <== Enable traefik on itself to view dashboard and assign subdomain to view it
      - "traefik.http.routers.api.rule=Host(`Domain`)" # <== Setting the domain for the dashboard
      - "traefik.http.routers.api.service=api@internal" # <== Enabling the api to be a service to access
networks:
  web:
    external: true

This is my dynamic.yaml:

## Setting up the middleware for redirect to https ##
http:
  middlewares:
    redirect:
      redirectScheme:
        scheme: https
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: layer 7 port forwarding

Wed Jul 28, 2021 10:55 pm

I'm sorry, I never did manual configuration of traefik. It's used at my employer's in a Kubernetes installation where Kubernetes itself makes the basic configuration of traefik (or perhaps the Kubernetes admin did it once), while forwarding to backend containers is done automatically when starting those backend containers (it's a kind of magic ;-) ).

IMO the simplest configuration for a "simple" reverse proxy is HAproxy's. I'm mostly using Debian Linux and the default configuration only needs minor additions like this:
# create a HTTP frontend, listening on port 80. It has to capture headers to get the Host header
frontend http_frontend
	bind *:80
	http-request capture req.hdr(Host) len 100

	# ACLs which define which backends should be used
	# -i makes the comparison case-insensitive: browsers send the host name in lower case,
	# so an exact match against the mixed-case spelling would never fire
	acl acl_myNAS req.hdr(Host) -i MyNAS.XYZ.com
	acl acl_myBLOG req.hdr(Host) -i MyBlog.XYZ.com

	# so which backends are used?
	use_backend backend_myNAS if acl_myNAS
	use_backend backend_myBLOG if acl_myBLOG

	# define default backend to be used if none of ACLs catch the call
	default_backend backend_myBLOG

# Backend definitions. servers can be either defined using name, FQDN or IP address
# HAproxy can be load-balancer as well, to use this functionality define multiple servers
#     and set "balance roundrobin" (or any other balance strategy)
backend backend_myNAS
	server myNAS mynas.local.lan:80 check maxconn 10

backend backend_myBLOG
	server myBLOG myblog.local.lan:8080 check maxconn 100

If you'd be terminating SSL on HAproxy, you'd define another frontend, this time bound to *:443, with the same ACLs and additional settings to instruct HAproxy which server certificate to use. It would use the same backends, so myBLOG and myNAS would always serve contents over plain HTTP to HAproxy (that is hidden from the remote user). Or you could configure backends to be used via HTTPS (but IMO that's a waste of resources as long as the backend servers are in a network which you trust or control).
The ACLs used to classify requests to select the correct backend are very flexible. This example makes the distinction based on the host name included in HTTP requests. It is possible to make the distinction also based on the rest of the URL requested etc. It is also possible to alter the URL requested if the document hierarchy on the backend server is not the same as presented through the frontend server. An example would be: www.domain.com/department1/ is served by backend server department1.domain.com/ and www.domain.com/department2/ is served by backend server department.domain.com/ ...

A note: backend servers will of course see the frontend as their (direct) client. However most (if not all) reverse proxies insert an additional HTTP header "X-Forwarded-For" and it's a matter of a minor configuration tweak on the backend servers to add this info to log files.
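The HAproxy frontend above picks a backend from the Host header, and the closing note mentions the X-Forwarded-For header the backend can log. As an added example, not mkx's configuration and not HAproxy code, the Python below makes the same decision over a constructed request head: Host is compared case-insensitively with any port stripped, names that match no ACL fall through to the blog backend exactly as default_backend does, and X-Forwarded-For is appended rather than replaced, so a value the client sent cannot pass for the address this proxy observed. Backend names and ports mirror the example and are placeholders.

```python
# Constructed backend table mirroring the two HAproxy backends above;
# the host names and ports are placeholders, not a real deployment.
BACKENDS = {
    "mynas.xyz.com": ("mynas.local.lan", 80),
    "myblog.xyz.com": ("myblog.local.lan", 8080),
}
DEFAULT_BACKEND = BACKENDS["myblog.xyz.com"]   # same role as default_backend


def parse_request_head(raw):
    """Split the head of an HTTP/1.x request into (request_line, [(name, value), ...])."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def host_only(value):
    """Normalise a Host value: drop :port (also after an IPv6 literal), lower-case, no trailing dot."""
    if value.startswith("[") and "]" in value:
        return value[1:value.index("]")].lower()
    return value.split(":", 1)[0].lower().rstrip(".")


def select_backend(headers):
    """Route by Host the way the acl / use_backend / default_backend chain does."""
    host = next((v for n, v in headers if n.lower() == "host"), "")
    return BACKENDS.get(host_only(host), DEFAULT_BACKEND)


def rewrite_for_backend(raw, client_ip):
    """Return (backend, head bytes to forward) with the client address recorded in X-Forwarded-For."""
    request_line, headers = parse_request_head(raw)
    backend = select_backend(headers)
    out, seen = [], False
    for name, value in headers:
        if name.lower() == "x-forwarded-for":
            # Append, never replace or trust: the incoming value is client-controlled.
            # A backend should rely only on the right-most address, the one this proxy added.
            value, seen = value + ", " + client_ip, True
        out.append("%s: %s" % (name, value))
    if not seen:
        out.append("X-Forwarded-For: " + client_ip)
    return backend, ("\r\n".join([request_line] + out) + "\r\n\r\n").encode("iso-8859-1")


if __name__ == "__main__":
    # Constructed request as a browser would send it for the NAS host name.
    sample = b"GET /photos/ HTTP/1.1\r\nHost: MyNAS.XYZ.com\r\nUser-Agent: test\r\n\r\n"
    backend, head = rewrite_for_backend(sample, "203.0.113.7")
    print(backend)
    print(head.decode("iso-8859-1"))
```

On the backend, the log-file tweak mkx mentions should read the right-most X-Forwarded-For entry only; anything to its left was supplied by the client or by an upstream proxy and is only as trustworthy as that source.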
