mikrowell
just joined
Topic Author
Posts: 13
Joined: Tue Jun 22, 2021 2:21 pm

ROS6: Transparent forward/rewrite/nat HTTP(S) towards [ISP-proxy.example.tld:8080] possible?

Wed Jan 12, 2022 6:36 pm

My (much slower) WAN2 acts as a backup solution when WAN1 goes down.

The WAN2 ISP only accepts HTTP(S) traffic on their proxy addresses
port 8080.

Without (re)configuring the client web-browsers, traffic will then
of course not flow on WAN2.

Can I transparently forward the HTTP(S) traffic in ROS6 towards ISP-proxy.example.tld on
port 8080 for WAN2, so the workstations don't need to reconfigure their
web-browsers?

Hardware: CCR1036-8G-2S+
firmware: 6.48.4

I already have in place:
 0 A S  ;;; WAN ISP - (primary for 0.0.0.0/0 - check-gateway=ping 1.1.1.1 distance 1)  dst-address=0.0.0.0/0 pref-src=WANIP gateway=1.1.1.1 
gateway-status=1.1.1.1 recursive via WANIP-GW ether2 check-gateway=ping distance=1 scope=30 target-scope=10

 1   S  ;;; WAN ISP - (primary for 0.0.0.0/0 - check-gateway=ping 8.8.8.8 distance 2)   dst-address=0.0.0.0/0 pref-src=WANIP gateway=8.8.8.8 
gateway-status=8.8.8.8 recursive via WANIP-GW ether2 check-gateway=ping distance=2 scope=30 target-scope=10

 2   S  ;;; WAN2 ISP - (secondary for 0.0.0.0/0 - 'NO check-gateway=ping' distance 10) dst-address=0.0.0.0/0 pref-src=10.11.12.1 gateway=10.11.12.13 gateway-status=10.11.12.13 reachable via  ether3 distance=10 scope=30 target-scope=10

 3 A S  dst-address=1.1.1.1/32 pref-src=WANIP gateway=WANIP-GW gateway-status=WANIP-GW reachable via  ether2 distance=1 scope=10 target-scope=10                     

 4 A S  dst-address=8.8.8.8/32 pref-src=WANIP gateway=WANIP-GW gateway-status=WANIP-GW reachable via  ether2 distance=1 scope=10 target-scope=10 
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: ROS6: Transparent forward/rewrite/nat HTTP(S) towards [ISP-proxy.example.tld:8080] possible?

Thu Jan 13, 2022 3:50 am

Maybe, but I wouldn't count on it. The critical part is whether the proxy supports being used as transparent for https. It's technically possible, it can take the target hostname from SNI, to know where to connect. Just test it, use dstnat to redirect traffic there and you'll see. If it works, another part is how to configure the router. Dstnat is in prerouting, but at that point you don't yet know what outgoing interface will be used. You'd probably need some script to enable or disable redirection based on the state of WAN1.
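
One way to switch the redirection on and off with the state of WAN1, as an added example that is not part of the original posts: a Netwatch probe toggles a normally disabled dstnat rule. The comment tag `wan2-proxy-redirect`, the interface list `LAN`, the probe timings and the proxy address 192.0.2.10 are assumptions made for illustration.

```routeros
# Added example, not from the thread. Assumed names and values:
#   wan2-proxy-redirect  comment used to find the rule (hypothetical tag)
#   LAN                  interface list holding the workstation-facing ports
#   192.0.2.10           constructed placeholder for the ISP proxy address

# Redirect rule, created disabled so nothing changes while WAN1 is healthy.
# in-interface-list keeps it away from traffic arriving on the WAN ports,
# dst-address-type=!local keeps it away from the router's own services.
/ip firewall nat
add chain=dstnat in-interface-list=LAN dst-address-type=!local \
    protocol=tcp dst-port=80,443 action=dst-nat \
    to-addresses=192.0.2.10 to-ports=8080 \
    comment=wan2-proxy-redirect disabled=yes

# Probe 1.1.1.1, which the existing /32 route pins to the WAN1 gateway.
# Probe lost      -> WAN1 is considered down -> enable the redirect.
# Probe answering -> WAN1 is back            -> disable the redirect.
/tool netwatch
add host=1.1.1.1 interval=10s timeout=2s comment="WAN1 probe" \
    down-script="/ip firewall nat enable [find comment=wan2-proxy-redirect]" \
    up-script="/ip firewall nat disable [find comment=wan2-proxy-redirect]"
```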
 
mikrowell
just joined
Topic Author
Posts: 13
Joined: Tue Jun 22, 2021 2:21 pm

Re: ROS6: Transparent forward/rewrite/nat HTTP(S) towards [ISP-proxy.example.tld:8080] possible?

Thu Jan 13, 2022 4:15 pm

Would the following rule be sufficient as a test (can activate/test it right now, but I would like to prepare the configuration):
/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=proxy-ipadres/31 to-ports=8080 protocol=tcp out-interface-list=WAN2 dst-port=80,443
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: ROS6: Transparent forward/rewrite/nat HTTP(S) towards [ISP-proxy.example.tld:8080] possible?

Thu Jan 13, 2022 4:30 pm

No, you can't use out-interface-list in the dstnat chain. A quick test, if you don't want to break other things, is to do it for one website, e.g. forum.mikrotik.com (159.148.147.239, check that it resolves to the same address for you):
/ip firewall nat
add chain=dstnat dst-address=159.148.147.239 protocol=tcp dst-port=80,443 action=dst-nat to-addresses=<proxy server> to-ports=8080
