farzin
just joined
Topic Author
Posts: 16
Joined: Wed Feb 29, 2012 4:12 pm

mikrotik redirect based on domain to internal ip

Fri Jun 18, 2021 5:48 pm

Hi, I have a MikroTik as gateway/router for 2 Windows VMs, and there is IIS in each Windows VM.
The setup is like this:
valid IPv4 on MikroTik ether1: x.y.z.171
local IP on MikroTik ether2: 192.168.61.1

local IP on Windows VM1: 192.168.61.2, domain: site1.domain.com
local IP on Windows VM2: 192.168.61.3, domain: site2.domain.com

Both these 2 subdomains point to the main valid IP: x.y.z.171,
so pinging site1.domain.com and site2.domain.com from the internet returns this main valid IP.

Inside MikroTik I have set static DNS, so pinging the subdomains from inside returns the local IPs: 192.168.61.2 and 192.168.61.3.

I have forwarded x.y.z.171:80 to 192.168.61.2:80 and it's working fine; IIS on the first VM is returning the pages.
Now I want a redirect so that when the domain is site2.domain.com, MikroTik sends port 80 to the second VM, 192.168.61.3:80.

I have set a layer7 regexp: site2
Then I have mangle rules to mark connections and packets based on this layer7, and they are seeing the requests fine (counters are working correctly).

chain=prerouting action=mark-connection new-connection-mark=site2
passthrough=yes layer7-protocol=site2
connection-mark=no-mark log=no log-prefix="site2"

chain=prerouting action=mark-packet new-packet-mark=site2_packet
passthrough=yes connection-mark=site2 log=no log-prefix="site2"

Up to this point, everything is working. Now I want to redirect requests with this site2 mark to 192.168.61.3, which is not working.

Here is the firewall NAT part:
chain=srcnat action=src-nat to-addresses=x.y.z.171
src-address=192.168.61.0/24 src-address-list="" out-interface=ether1
log=no log-prefix=""

(here I want to route connections with the site2 connection mark or packet mark to 61.3, which is not working :| )
chain=dstnat action=dst-nat to-addresses=192.168.61.3
connection-mark=site2 log=no log-prefix=""

chain=dstnat action=dst-nat to-addresses=192.168.61.3
packet-mark=site2_packet log=yes log-prefix="site2"

chain=dstnat action=dst-nat to-addresses=192.168.61.2 to-ports=80
protocol=tcp dst-address=x.y.z.171 connection-mark=!site2
dst-port=80 log=no log-prefix=""
Last edited by farzin on Fri Jun 18, 2021 6:14 pm, edited 1 time in total.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: mikrotik redirect based on domain to internal ip

Fri Jun 18, 2021 6:08 pm

In mangle you can create lines that distribute traffic with the same destination address. Marking the connection (new-connection) will allow NAT to distribute based on the connection-mark.

You can't determine up front from the external IP which VM will answer you unless you use a different external address or different port.
 
farzin
just joined
Topic Author
Posts: 16
Joined: Wed Feb 29, 2012 4:12 pm

Re: mikrotik redirect based on domain to internal ip

Fri Jun 18, 2021 6:21 pm

In mangle you can create lines that distribute traffic with the same destination address. Marking the connection (new-connection) will allow NAT to distribute based on the connection-mark.

You can't determine up front from the external IP which VM will answer you unless you use a different external address or different port.
I have updated the first post with my mangle rules for connection marks (which are working fine; I'm seeing the site2.domain.com requests based on that layer7 regexp, and the counters are working on mangle).
But my NAT is not redirecting the connections that have that site2 mark to the IP 192.168.61.3.
Port 80 is always forwarded to 192.168.61.2:80.
I am wondering why.

When I activate the connection-mark=!site2 rule in the NAT, the counters start working. So the issue is that at the moment of dst-nat the connection has not got the mangle connection or packet marks yet.
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: mikrotik redirect based on domain to internal ip  [SOLVED]

Fri Jun 18, 2021 7:25 pm

You need a reverse proxy for this.

Simple firewall redirection can't work because the domain is not mentioned in the first packet of the HTTP connection. The client first establishes a TCP connection to the server and only after that sends the HTTP request, which contains the URL. But that is too late to redirect the connection (it is already established).
That's why a reverse proxy is needed: the TCP connection from the client will go only to the proxy, and that will create a new, separate connection to the correct server once it sees what URL the client requested.

That can't be done on MikroTik, but for example a simple Raspberry Pi can handle it. Personally I use NGINX Proxy Manager in a Docker container running on a raspi, which has a nice and simple GUI and makes this task a breeze. It can even automatically request TLS certificates from Let's Encrypt and force your domain to HTTPS so it does not go in plaintext through the Internet.
On my MikroTik, I have a single redirection rule for ports 80 and 443 going to the NGINX.

Alternatively, any HTTP/TCP/SNI proxy will do; there are heaps of them.
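As an added illustration (not code from the thread, nor from NGINX Proxy Manager) of what the reverse proxy described above actually does: it completes the TCP connection with the client itself, reads the HTTP request head, and only then opens a separate connection to the backend selected by the Host header. The backend map reuses the VM addresses and hostnames from the first post; an unknown or missing Host is refused with 421 rather than silently defaulting to VM1.

```python
import asyncio

# Backend map: addresses and hostnames from the first post; the map itself is constructed for this example.
BACKENDS = {"site1.domain.com": ("192.168.61.2", 80),
            "site2.domain.com": ("192.168.61.3", 80)}

def parse_host(head: bytes):
    """Return the Host header (lower-cased, :port stripped) from an HTTP request head, or None."""
    for line in head.split(b"\r\n")[1:]:          # skip the request line ("GET / HTTP/1.1")
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":   # header names are case-insensitive
            host = value.strip().decode("ascii", "replace").lower()
            return host.split(":")[0]                  # drop ":80"; hostnames/IPv4 only
    return None

def pick_backend(head: bytes):
    # Unknown or missing Host -> None, so the proxy refuses instead of defaulting to VM1.
    return BACKENDS.get(parse_host(head) or "")

async def pipe(reader, writer):
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()

async def handle(client_r, client_w):
    # The client's TCP handshake has already completed with the proxy; the Host header arrives only now (why dst-nat was too late).
    try:
        head = await asyncio.wait_for(client_r.readuntil(b"\r\n\r\n"), timeout=10)
    except (asyncio.IncompleteReadError, asyncio.LimitOverrunError, asyncio.TimeoutError):
        client_w.close()
        return
    backend = pick_backend(head)
    if backend is None:
        client_w.write(b"HTTP/1.1 421 Misdirected Request\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
        await client_w.drain()
        client_w.close()
        return
    backend_r, backend_w = await asyncio.open_connection(*backend)
    backend_w.write(head)  # replay the head already consumed, then relay both directions
    await asyncio.gather(pipe(client_r, backend_w), pipe(backend_r, client_w))

async def main():
    server = await asyncio.start_server(handle, "0.0.0.0", 80)  # the router's single :80 dst-nat points here
    await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(main())
```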
 
farzin
just joined
Topic Author
Posts: 16
Joined: Wed Feb 29, 2012 4:12 pm

Re: mikrotik redirect based on domain to internal ip

Fri Jun 18, 2021 8:22 pm

You need a reverse proxy for this.

Simple firewall redirection can't work because the domain is not mentioned in the first packet of the HTTP connection. The client first establishes a TCP connection to the server and only after that sends the HTTP request, which contains the URL. But that is too late to redirect the connection (it is already established).
That's why a reverse proxy is needed: the TCP connection from the client will go only to the proxy, and that will create a new, separate connection to the correct server once it sees what URL the client requested.

That can't be done on MikroTik, but for example a simple Raspberry Pi can handle it. Personally I use NGINX Proxy Manager in a Docker container running on a raspi, which has a nice and simple GUI and makes this task a breeze. It can even automatically request TLS certificates from Let's Encrypt and force your domain to HTTPS so it does not go in plaintext through the Internet.
On my MikroTik, I have a single redirection rule for ports 80 and 443 going to the NGINX.

Alternatively, any HTTP/TCP/SNI proxy will do; there are heaps of them.
Thanks for the info. I thought that as it's not HTTPS and is simple port 80 without SSL, then MikroTik could handle it. But it seems I should use a reverse proxy, and the included reverse proxy of MikroTik cannot do this :( Thanks, I will try the mentioned solution.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: mikrotik redirect based on domain to internal ip

Fri Jun 18, 2021 11:32 pm

but it seems I should use a reverse proxy, and the included reverse proxy of MikroTik cannot do this

That's because ROS includes a normal proxy, not a reverse proxy. While they might both seem similar, they operate differently.
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: mikrotik redirect based on domain to internal ip

Sat Jun 19, 2021 1:46 am

I thought that as it's not HTTPS and is simple port 80 without SSL, then MikroTik could handle it.
I see. Yes, it can handle identifying it (actually, some HTTPS connections can also be identified using the TLS host (SNI)). However, even though the connection is identified, not every action can be performed:

- Blocking it? Sure, go for it. It won't block the first few packets, but who cares, no useful data will pass anyway.
- Queue for making it faster/slower? Absolutely. It also affects only packets after the rule is triggered, but that's fine.
- Redirect/NAT? Nah... That's because after the action, the new destination/server will be missing the first few packets of the connection with the TCP handshake and will be confused:
[image]
