Nova
newbie
Topic Author
Posts: 25
Joined: Mon Aug 04, 2014 3:44 pm
Location: Spain // Germany

Port forwarding question

Wed Oct 08, 2014 3:35 pm

Hello,

I would like to know, if this scenario is possible:

Server 1 runs a web application in Port 443. Let's say OWA
Server 2 runs another web application also in port 443. Let's say RDweb or something else.

Now we want to access both with only one public IP.

Can we set rules in the router like this?

https://www.url1.de:443 -> Forward to Server1:443
https://www.url1.de:444 -> Forward to Server2:443

Is it possible? If not I would like to know why not.

Thanks
My first language is not English, sorry for any mistakes.
 
Deantwo
Member
Posts: 313
Joined: Tue Sep 30, 2014 4:07 pm

Re: Port forwarding question

Wed Oct 08, 2014 3:58 pm

I haven't tried it, and I don't know if port numbers work like that in an URL.
But reading this: http://wiki.mikrotik.com/wiki/Forwardin ... nternal_IP

This should work:
{
    :local WanIp x.x.x.x
    :local Server1Ip x.x.x.x
    # Server1Port and Server2Port are the ports opened on the WAN address
    :local Server1Port 443
    :local Server2Ip x.x.x.x
    :local Server2Port 444
    # AppPort is the port both internal servers listen on
    :local AppPort 443
    # WAN:443 -> Server1:443
    /ip firewall nat add chain=dstnat dst-address=$WanIp protocol=tcp dst-port=$Server1Port \
        action=dst-nat to-addresses=$Server1Ip to-ports=$AppPort
    # WAN:444 -> Server2:443
    /ip firewall nat add chain=dstnat dst-address=$WanIp protocol=tcp dst-port=$Server2Port \
        action=dst-nat to-addresses=$Server2Ip to-ports=$AppPort
}
Last edited by Deantwo on Wed Jun 29, 2016 3:19 am, edited 1 time in total.
I wish my FTP was FTL.
 
Rudios
Forum Veteran
Posts: 966
Joined: Mon Mar 11, 2013 12:58 pm
Location: The Netherlands

Re: Port forwarding question

Thu Oct 09, 2014 8:36 am

Deantwo wrote:
> I haven't tried it, and I don't know if port numbers work like that in an URL.
> But reading this: http://wiki.mikrotik.com/wiki/Forwardin ... nternal_IP
>
> This should work:
>
> {
>     :local WanIp x.x.x.x
>     :local Server1Ip x.x.x.x
>     :local Server1Port 443
>     :local Server2Ip x.x.x.x
>     :local Server2Port 444
>     :local AppPort 443
>     /ip firewall nat add chain=dstnat dst-address=$WanIp protocol=tcp dst-port=$Server1Port \
>         action=dst-nat to-addresses=$Server1Ip to-ports=$AppPort
>     /ip firewall nat add chain=dstnat dst-address=$WanIp protocol=tcp dst-port=$Server2Port \
>         action=dst-nat to-addresses=$Server2Ip to-ports=$AppPort
> }

This should be your solution.
Forward the desired (unique) ports from your WAN interface to the designated ports of the inside servers (these can be the same).
Don't forget about firewall filter rules!
Testing setup with: 2 x RB750UP | 2 x RB750GL | 1 x RB951G-2HnD | 1 x RB2011UiAS-IN
 
Nova
newbie
Topic Author
Posts: 25
Joined: Mon Aug 04, 2014 3:44 pm
Location: Spain // Germany

Re: Port forwarding question

Thu Oct 09, 2014 10:05 am

Thank you very much for the answers. We will try it.

Still have some questions,
Would it be possible to do forwarding based on the source URL?

https://www.url1.de/Path1 -> Forward to Server1:443
https://www.url1.de/Path2 -> Forward to Server2:443

Or if not, do forwarding based on the subdomain?

https://www.subdomain1.url1.de/Path1 -> Forward to Server1:443
https://www.subdomain2.url1.de/Path2 -> Forward to Server2:443

Thanks
My first language is not English, sorry for any mistakes.
 
Deantwo
Member
Posts: 313
Joined: Tue Sep 30, 2014 4:07 pm

Re: Port forwarding question

Thu Oct 09, 2014 10:19 am

It is not really my area, so I am not sure.

But according to this:
http://en.wikipedia.org/wiki/Uniform_re ... tor#Syntax

You can at least specify a port in the URL, I did not even know that.

And according to this:
http://support.simpledns.com/kb/a35/can ... other.aspx

You can't add a port number to a DNS entry.

So either you need two public IP addresses.
Or maybe have a web-server that simply redirects to the other two servers depending on the path in the URL. (I think?)
I wish my FTP was FTL.
 
lcm
Trainer
Posts: 57
Joined: Wed Apr 28, 2010 11:56 pm
Location: Brazil

Re: Port forwarding question

Thu Oct 09, 2014 11:45 pm

Nova,

To do what you want, you need a layer 7 application. Firewall (filter, nat, mangle) works on layer 3 (OSI model), so on layer 3 you can play with source address, destination address, source port, destination port and others, something like this:

dstAddress:200.200.200.200 on port 443 redirect to 10.10.10.10 on port 443
dstAddress:200.200.200.200 on port 444 redirect to 10.10.10.11 on port 443

To deal with the URL, you need a layer 7 app like Apache with mod_proxy to do what you want.

You can also play with MikroTik L7 rules on the firewall, or even use the "content" option on MikroTik firewall rules, but, I think, it will not be the perfect solution.
Greets from Brazil.

Luiz Claudio Martins Maia
 
flipk12
newbie
Posts: 35
Joined: Mon Oct 06, 2014 5:49 pm
Location: Asturias/Spain

Re: Port forwarding question

Fri Oct 10, 2014 12:26 am

Nova wrote:
> Thank you very much for the answers. We will try it.
>
> Still have some questions,
> Would it be possible to do forwarding based on the source URL?
>
> https://www.url1.de/Path1 -> Forward to Server1:443
> https://www.url1.de/Path2 -> Forward to Server2:443
>
> Or if not, do forwarding based on the subdomain?
>
> https://www.subdomain1.url1.de/Path1 -> Forward to Server1:443
> https://www.subdomain2.url1.de/Path2 -> Forward to Server2:443
>
> Thanks

Yes, you can do it with a reverse proxy.
One ip, one port, all the servers that you want behind the proxy.
Look at this: http://wiki.mikrotik.com/wiki/Multiple_Web_Servers
 
Sob
Forum Guru
Posts: 5461
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port forwarding question

Sun Oct 12, 2014 4:18 am

No, you can't. It works only for http, not https. Some other reverse proxy can support https, but not the one in RouterOS. It's not meant for this at all; even the fact that it works like a reverse proxy is more just a lucky hack than a planned feature.

If you really need it, you need another machine to run a proxy (e.g. nginx), forward the tcp/443 port to it from the router, and then you can configure it as you want; any condition is possible: domains, paths, ...
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
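
The setup described in the last post, as an added example that is not part of the original thread: the router forwards tcp/443 to a separate proxy machine, and nginx terminates TLS there and picks the backend by host name or by path. The host names and paths are taken from Nova's question and the backend addresses 10.10.10.10 and 10.10.10.11 from lcm's post; the certificate paths are placeholder assumptions.

```nginx
# Added example, not from the thread. These blocks go inside the http { } context.
# The router needs a single dst-nat rule that sends tcp/443 on the WAN address
# to the proxy machine; nginx then chooses the backend.

# Refuse TLS handshakes for host names not listed below (nginx 1.19.4 or later).
server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;
}

# Variant A: choose the backend by subdomain.
server {
    listen 443 ssl;
    server_name www.subdomain1.url1.de;
    ssl_certificate     /etc/nginx/tls/subdomain1.crt;  # placeholder path
    ssl_certificate_key /etc/nginx/tls/subdomain1.key;  # placeholder path
    location / {
        proxy_pass https://10.10.10.10:443;             # Server1
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
server {
    listen 443 ssl;
    server_name www.subdomain2.url1.de;
    ssl_certificate     /etc/nginx/tls/subdomain2.crt;  # placeholder path
    ssl_certificate_key /etc/nginx/tls/subdomain2.key;  # placeholder path
    location / {
        proxy_pass https://10.10.10.11:443;             # Server2
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# Variant B: one host name, choose the backend by path.
server {
    listen 443 ssl;
    server_name www.url1.de;
    ssl_certificate     /etc/nginx/tls/url1.crt;        # placeholder path
    ssl_certificate_key /etc/nginx/tls/url1.key;        # placeholder path
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location /Path1 { proxy_pass https://10.10.10.10:443; }  # Server1
    location /Path2 { proxy_pass https://10.10.10.11:443; }  # Server2
    location /      { return 404; }                          # nothing else is forwarded
}
```

nginx does not verify the backend certificate unless proxy_ssl_verify is turned on, so the hop from the proxy to Server1 and Server2 should stay on a trusted internal segment or have verification configured. With the proxy in place, neither internal server needs its own dst-nat rule on the WAN address.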
