lapsio
Member
Topic Author
Posts: 472
Joined: Wed Feb 24, 2016 5:19 pm

tls-host doesn't work in dstnat chain?

Sat Aug 25, 2018 10:01 pm

I tried to kind of replicate nginx functionality using dstnat to different machines based on tls-host (mostly to split OpenVPN on port 443 from HTTPS); however, to my surprise, this feature doesn't seem to work in the dstnat chain. It works in the prerouting chain though, and according to:

https://wiki.mikrotik.com/wiki/Manual:Packet_Flow

prerouting occurs before dstnat. Unfortunately it doesn't seem to be true, because even when I use a mark-packet or mark-connection action in the prerouting chain it doesn't seem to be noticed by the dstnat chain. Is this normal behavior?

Furthermore, the tls-host option is not mentioned in the NAT documentation: https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT so I'm a bit confused.
MTCNA, MTCRE, MTCINE
lapsio
Member
Topic Author
Posts: 472
Joined: Wed Feb 24, 2016 5:19 pm

Re: tls-host doesn't work in dstnat chain?  [SOLVED]

Sat Aug 25, 2018 10:33 pm

Okay, it's pretty obvious. The NAT decision is taken before the 3-way handshake is finished, as the handshake is typically performed by the actual host, and tls-host, layer-7-protocol, content and many other matchers can only be determined after the handshake is finished because they are based on the content of the connection's packets. So it's probably impossible to perform NAT based on connection data, as it'd require the router to behave like a full proxy.
MTCNA, MTCRE, MTCINE
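As an added illustration of the point made in the post above (this is example code, not code from the thread or from RouterOS): a small SNI extractor that only finds a hostname once a TLS ClientHello payload exists. A bare TCP SYN, the only packet present when the dstnat decision is taken, has no payload at all, so a tls-host style matcher has nothing to read there. The ClientHello builder constructs sample data; the hostname is a placeholder.

```python
import os
import struct

def u16(b: bytes, i: int) -> int:
    return struct.unpack("!H", b[i:i + 2])[0]

def extract_sni(tcp_payload: bytes):
    """Return the server_name from a TLS ClientHello payload, else None."""
    # TLS record header: content_type(1) = 0x16 handshake, version(2), length(2)
    if len(tcp_payload) < 5 or tcp_payload[0] != 0x16:
        return None
    hs = tcp_payload[5:5 + u16(tcp_payload, 3)]
    # Handshake header: msg_type(1) = 0x01 ClientHello, length(3), then body
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    try:
        p = 4 + 2 + 32                  # skip client_version and random
        p += 1 + hs[p]                  # session_id
        p += 2 + u16(hs, p)             # cipher_suites
        p += 1 + hs[p]                  # compression_methods
        end = p + 2 + u16(hs, p)        # end of the extensions block
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = u16(hs, p), u16(hs, p + 2)
            p += 4
            if ext_type == 0 and hs[p + 2] == 0:   # server_name ext, host_name entry
                return hs[p + 5:p + 5 + u16(hs, p + 3)].decode("ascii")
            p += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                            # truncated or malformed hello
    return None

def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal ClientHello carrying an SNI extension (sample data only)."""
    name = hostname.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"     # version, random, no session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"          # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    print(extract_sni(b""))                                    # a SYN has no payload -> None
    print(extract_sni(build_client_hello("vpn.example.net")))  # 'vpn.example.net'
```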