How to allow an URL for a specific port

Posted: Thu Jul 18, 2019 6:34 pm
by SoporteOP
Hi everyone!

First of all, sorry for my English. We have a Mikrotik RouterBoard RB2011Ui AS-RM with RouterOS v6.42.6

We want to open a port to only allow inbound traffic for a specific URL. I think it could be possible with Mikrotik webproxy, but I'm not sure.

Is it possible? Could you help us?

Thanks in advance.

Re: How to allow an URL for a specific port

Posted: Tue Jul 23, 2019 5:42 pm
by SoporteOP
Good evening,

Any updates about it? Could you help us with this issue?

Thanks in advance.

Re: How to allow an URL for a specific port

Posted: Tue Jul 23, 2019 5:52 pm
by anav
Not quite sure what you mean. A diagram would help.
Did you want to port forward to a specific LAN IP?

More info is required.

Re: How to allow an URL for a specific port

Posted: Tue Jul 23, 2019 7:11 pm
by sindy
When you open a URL using a browser, the browser resolves the FQDN part of the URL to an IP address, then initiates a TCP session to that address and port 80 (plaintext HTTP) or 443 (TLS-encrypted HTTP - HTTPS). Before the TCP connection is established, the URL doesn't appear in the contents of any of the initial three packets (SYN>, <SYN+ACK, ACK>). Once the session is established, the complete URL is available in plaintext in the packets from the client, but for HTTPS, at best the FQDN alone is available in plaintext; the full URL is sent encrypted.

So the maximum you can do is to allow all TCP connections to the port but then forcefully break those which do not match the permitted URL (if using plaintext) or permitted FQDN (if using HTTPS).

Re: How to allow an URL for a specific port

Posted: Tue Jul 23, 2019 9:45 pm
by Sob
If it's only for http (not https), then it might be possible using the poor man's reverse proxy (https://wiki.mikrotik.com/wiki/Multiple_Web_Servers). I've never used it, but the "path" parameter in access list seems to be for this. I don't like the whole thing too much, because it was clearly not made for this, but perhaps for some uses it could be enough.

Re: How to allow an URL for a specific port

Posted: Thu Jul 25, 2019 1:38 pm
by SoporteOP
Good morning,

First of all, thanks for your answers.

What we need is to open the 3000 port in our Mikrotik but not for all the inbound traffic or all the addresses. We need to open it only for a specific URL that we have for a voting platform.

Re: How to allow an URL for a specific port

Posted: Thu Jul 25, 2019 1:47 pm
by Jotne
You can open it for a specific IP, not DNS.
But you can make a script that looks at the DNS and if IP changes, update the rule.
Schedule it to run every 5 min.

Re: How to allow an URL for a specific port

Posted: Thu Jul 25, 2019 2:29 pm
by mkx
"What we need is to open the 3000 port in our Mikrotik but not for all the inbound traffic or all the addresses. We need to open it only for a specific URL that we have for a voting platform."
Port 3000 is not a standard port for any particular protocol. So what protocol is it (kids doing programming these days like to do anything over HTTP)? Does it include some textual representation of the resource requested at an early stage (if the protocol is e.g. HTTP over TLS, then the likely answer is no)? If yes, then the router might be able to break the ongoing connection in case it's not allowed (the server behind the router will notice broken connections, which might affect its performance) because the needed information doesn't appear early enough to filter a new connection before it hits the actual server.