Hi all, i'm using mikrotik server to provide internet services to my clients by Hotspot and PPPOE servers that are built-in on my mikrotik server.
But, now i want to add a web server to my network and take some benefits of my mikrotik server to act as a firewall to my new web server.
So i want to add the required rules in my firewall and put the basic configuration to let my web server more secured.
So the graph of my network will be:
internet======>>Mikrotik=======>>Customers on interface local & Web server on other new interface.

what version of routeros?

ROS is on Ver 2.9.51

regarding the picture, i suppose your webserver shuld be "web server" [192.168.1.101] on it, not "server" [192.168.0.17].
if yes, go ahead, use your mt device as a firewall, use documentation as helper. it's easy.

Thanks for all,
but i want to tell you that i'm using one static ip for my mikrotik server and i want to host multiple web site on my web server, so i want also to use natting to redirect requests to the correct website.
i hope that my idea is delivered to you.

You can only forward port 80 to one computer. period
you can setup a host based web server. Such has Apache virtual hosts.
Google it.

yes, this is not possible in the router. you need to set up apache "virtual hosts"

This can be done using a proxy, see the example;
http://wiki.mikrotik.com/wiki/Multiple_Web_Servers
Also if using IIS you can use "host headers" [similar to Apache]

ok, thanks for all,
But i want to ask how can i tell my mikrotik to redirect that port 80 request to that web server ???

Also i want to say that i want to access my new web site from the internet, not from my network only, i mean that i want to let you to surf it.

add action=dst-nat chain=dstnat comment="" disabled=no dst-port=80 in-interface=wan0 protocol=tcp \
to-addresses=INTERNAL_IP_HERE to-ports=80

aslo, i would like to note, that dns addresses on dns server will point to your external ip address and customers from your local network would not be able to access webserver using dns name (external ip address) while on local they will able to do that using server internal ip address.

And what firewall rules are required to get around that local client access to external IP (hosted internally) limitation? I've seen really cheap nat routers that do it automatically (dlink's?), so I know it's possible. I just can't seem to figure it out. Any ideas?

Thanks!

I found the same problem.
My fix was to have 2 DNS servers.
1 internal were www pointed to the servers internal 172 address.
1 external where www points to my external ip. And only people from the outside see this.

I found the same problem.
My fix was to have 2 DNS servers.
1 internal were www pointed to the servers internal 172 address.
1 external where www points to my external ip. And only people from the outside see this.

it is called 'split DNS' and can be configured with 1 dns server =)

Webserver on internal network problem can be adressed in several ways:

- add static DNS entry for it. But beware, I still claim, that MT DNS is unreliable for that, and hence ...

- you have to source-nat packets which go to your webserver (chain=srcnat dst-address=webserver-ip action=masquarade out-interface=local

I found the same problem.
My fix was to have 2 DNS servers.
1 internal were www pointed to the servers internal 172 address.
1 external where www points to my external ip. And only people from the outside see this.

it is called 'split DNS' and can be configured with 1 dns server =)

Yeah, I know, i just wanted to give the general idea.