Only a few protocols support redirects explicitly ... in the way that instructs client to create new connection to provided address or server name (one example is HTTP). Others don't suppirt it. However, it is possible to kind-of proxy connection and you can use NAT on router for that. You would need to perform both DST-NAT and SRC-NAT to make it work.
Let's say IP address is WAN IP address, actual server is behind NAT and having IP address 192.168.42.42. Currently you have DST-BAT configured on router, something like this:
/ip firewall nat
add chain=dstnat action=dst-nat dst-address=159.159.159.159 protocol=tcp dst-port=8787 to-addresses=192.168.42.42
But you want instead to send connections to new WAN address of 166.166.166.166 ... One thing is to change
to-addresses in the NAT rule to the new IP address. The other thing, equally important, is to add SRC-NAT rule simikar to this one:
add chain=srcnat action=src-nat dst-address=166.166.166.166 protocol=tcp dst-port=8787 to-addresses=159.159.159.159
The reason for needed src-nat hides in packet flow:
- client A.B.C.D starts connection towards 159.159.159.159:8787
- forward packet arrives at router which finds DST-NAT rule matching packet. Dst-address gets rewritten with 166.166.166.166, src-address remains A.B.C.D
- router looks at routing tables and finds egress interface (which is WAN interface) and sends it away
- forward packet arrives at router serving IP address 166.166.166.166. It does whatever necessary to deliver packet to app server, for simplicity sake let's say it simply routes it through
- app server receives forward packet, processes it and composes return packet. Return packet's dst-address is copied from forward packet's src-address (A.B.C.D) and src-address is set to its own IP address (166.166.166.166). Sends it to its gateway.
- router serving 166.166.166.166 receives packet. Looks at dst-address (A.B.C.D) and sends it towards destination
- client A.B.C.D receives packet. Looks at src-address (to match packet to connection), which is 166.166.166.166 ... and sees an unknown address - forward packet was sent to 159.159.159.159.
Due to that it discards packet and connection thus fails to establish.
Now, if router 159.159.159.159 performs src-nat as a part of step #2, then packet flow changes to:
- client A.B.C.D starts connection towards 159.159.159.159:8787
- forward packet arrives at router which finds DST-NAT rule matching packet. Dst-address gets rewritten with 166.166.166.166, src-address remains A.B.C.D.
Router also performs SRC-NAT, hence src-address is set to 159.159.159.159.
- router looks at routing tables and finds egress interface (which is WAN interface) and sends it away
- forward packet arrives at router serving IP address 166.166.166.166. It does whatever necessary to deliver packet to app server, for simplicity sake let's say it simply routes it through
- app server receives forward packet, processes it and composes return packet. Return packet's dst-address is copied from forward packet's src-address (159.159.159.159) and src-address is set to its own IP address (166.166.166.166). Sends it to its gateway.
- router serving 166.166.166.166 receives packet. Looks at dst-address (159.159.159.159) and sends it towards appropriate router
- router 159.159.159.159 receives packet, performs connection tracking magic and finds out that packet belongs to a SRC-NAT-ed connection. So router un-does SRC-NAT replacing dst-address with A.B.C.D.
Router re-evaluates connection tracking and finds out that packet belongs to DST-NATed connection, so it un-does DST-NAT by replacing src-address with 159.159.159.159.
- now router consults routing tables and sends packet to client at A.B.C.D
- client A.B.C.D receives packet. Looks at src-address (to match packet to connection), which is 159.159.159.159 ... and processes return packet as it belongs to a known ongoing connection.