leandrosucesso
just joined
Topic Author
Posts: 11
Joined: Mon Jul 25, 2016 9:40 pm
Location: Brazil

Conditional NAT Routing Based on Domain Name for Two Web Applications on Port 80

Tue Oct 10, 2023 3:52 am

Hello everyone!

I have an RB4011iGS+ with RouterOS 7.11.2.

I currently have two physical servers and just one internet connection with 1 IP. On one of the servers, I'm hosting a web application accessible through the domain www.sistema1.com, and on the other, an application accessible via www.sistema2.com.

Right now, I have a NAT rule set up that directs all traffic arriving on port 80 to one of the servers. However, now that I have two web applications, I'm looking for a way to route the traffic dynamically based on the domain the client is trying to access.

In essence, when a client accesses www.sistema1.com, I want the traffic to be directed to server 1. And when a client accesses www.sistema2.com, the traffic should go to server 2, even though both are using port 80.

How can I set up conditional NAT to route traffic correctly based on the domain accessed by the client?

Maybe Layer 7?

Thank you in advance for your assistance!
 
tangent
Forum Guru
Posts: 1661
Joined: Thu Jul 01, 2021 3:15 pm

Re: Conditional NAT Routing Based on Domain Name for Two Web Applications on Port 80

Tue Oct 10, 2023 4:29 am

Direct the single dstnat to a reverse proxy that in turn uses the Host header to direct the traffic to the correct internal server.

You can do this with Apache, nginx, and doubtless a few dozen other ways.
 
llamajaja
Member Candidate
Posts: 275
Joined: Sat Sep 30, 2023 3:11 pm

Re: Conditional NAT Routing Based on Domain Name for Two Web Applications on Port 80

Tue Oct 10, 2023 8:15 pm

What I would do is slightly different; proxy or reverse anything sounds too complex for me and I am a rower LOL. I would not let tangent lead you astray to some tangent solution jajajaja..., and would direct all your domain name centric users (sistema1) to port 11080.
Thus no conflict on entering the router.
The dstnat rule would look like
/ip firewall nat
add chain=dstnat action=dst-nat dst-port=11080 protocol=tcp in-interface-list=WAN \
    to-addresses=local_Server_IP to-ports=80
# or dst-address=WANIP in place of in-interface-list=WAN, depending on whether the WAN IP is dynamic or static
 
tangent
Forum Guru
Posts: 1661
Joined: Thu Jul 01, 2021 3:15 pm

Re: Conditional NAT Routing Based on Domain Name for Two Web Applications on Port 80

Tue Oct 10, 2023 9:51 pm

It's not all that complicated. The Apache config looks something like this:

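# Requires mod_proxy and mod_proxy_http
<VirtualHost *:80>
    ServerName sistema1.example.com
    ProxyPass        / http://192.168.88.2/
    ProxyPassReverse / http://192.168.88.2/
</VirtualHost>
<VirtualHost *:80>
    ServerName sistema2.example.com
    ProxyPass        / http://192.168.88.3/
    ProxyPassReverse / http://192.168.88.3/
</VirtualHost>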

There are many possible refinements to the name-based virtual hosting part on the outside of this config and the reverse proxying inside, but it's about as elementary as it gets.

It isn't even necessary to spin up a third host for the reverse proxy. You could set it up as a sidecar service on either "sistema1" or "sistema2" with the reverse proxy URL being something like "http://localhost:10080". I'd put it on the higher-traffic server to keep latencies low in the main case, since a 2-server setup directs all of the second server's traffic through the first's NIC and doubles it besides. (One copy to pull from sistema2, the other to go out to the Internet host that requested it.)

As I said, essentially the same thing can be done with nginx, though with different syntax. I expect you could also do it with IIS, Traefik, Caddy, and whatever else the cool kids are using these days for container proxying, load balancing, and suchlike.

As to discriminating the NAT based on external port number, that would work, but my read of the OP's question is that he would not want to give out nonstandard port numbers to achieve this.
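
Added example (not part of any post in this thread): the routing decision a reverse proxy makes and a dstnat rule cannot, because the hostname only appears in the HTTP request sent after the TCP connection is already established. Backend addresses follow the Apache config above; the `example.com` hostnames, sample requests and function names are constructed for illustration, and names missing from the table are refused rather than sent to a default server.

```python
# Added example, not from the thread. Backend IPs follow the Apache config
# above; hostnames and sample requests are constructed for illustration.
BACKENDS = {
    "sistema1.example.com": ("192.168.88.2", 80),
    "sistema2.example.com": ("192.168.88.3", 80),
}

class BadRequest(Exception):
    """The request cannot be routed safely; answer 400 and close."""

def host_from_request(raw: bytes) -> str:
    """Return the lower-cased hostname from the Host header of a request head."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("incomplete request head")
    hosts = []
    for line in head.split(b"\r\n")[1:]:      # skip the request line
        name, colon, value = line.partition(b":")
        if colon and name.lower() == b"host":
            hosts.append(value.strip())
    if len(hosts) != 1:                       # missing or duplicated Host
        raise BadRequest("expected exactly one Host header")
    try:
        host = hosts[0].decode("ascii").lower()
    except UnicodeDecodeError:
        raise BadRequest("non-ASCII Host header") from None
    # Drop an optional ":port" suffix and a trailing dot before the lookup.
    return host.partition(":")[0].rstrip(".")

def pick_backend(raw: bytes) -> tuple:
    """Map a request to (ip, port); unknown names are refused, never defaulted."""
    host = host_from_request(raw)
    if host not in BACKENDS:
        raise BadRequest(f"unknown host {host!r}")
    return BACKENDS[host]

# Constructed requests: same public IP and port 80, only the Host header differs.
REQ1 = b"GET / HTTP/1.1\r\nHost: sistema1.example.com\r\n\r\n"
REQ2 = b"GET /login HTTP/1.1\r\nhost: SISTEMA2.example.com:80\r\nAccept: */*\r\n\r\n"
REQ_UNKNOWN = b"GET / HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n"
REQ_TWO_HOSTS = (b"GET / HTTP/1.1\r\nHost: sistema1.example.com\r\n"
                 b"Host: sistema2.example.com\r\n\r\n")

if __name__ == "__main__":
    for req in (REQ1, REQ2, REQ_UNKNOWN, REQ_TWO_HOSTS):
        try:
            print(pick_backend(req))
        except BadRequest as exc:
            print("400:", exc)
```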
 
spippan
Member
Posts: 478
Joined: Wed Nov 12, 2014 1:00 pm

Re: Conditional NAT Routing Based on Domain Name for Two Web Applications on Port 80

Tue Oct 10, 2023 11:19 pm

A little astray ... but you could even set up the nginx/apache rproxy in a container on your MikroTik ;=)
 
llamajaja
Member Candidate
Posts: 275
Joined: Sat Sep 30, 2023 3:11 pm

Re: Conditional NAT Routing Based on Domain Name for Two Web Applications on Port 80

Wed Oct 11, 2023 1:40 am



As to discriminating the NAT based on external port number, that would work, but my read of the OP's question is that he would not want to give out nonstandard port numbers to achieve this.
Hogwash. Why would the OP not want to give out a port that works for a simple way to complete the requirement he stated? NGINX proxy blah blah blah sounds like a bad kung fu movie. It's knowitallconfigsnobbery plain and simple.

To the OP, what you can do is add something to both your dstnat rules, and that is a source address list of allowed users for each server.
/ip firewall nat
add chain=dstnat action=dst-nat dst-port=11080 protocol=tcp in-interface-list=WAN \
    to-addresses=local_Server_IP to-ports=80 src-address-list=ServerX

This is better security for your server, and your users should either have a static IP they can give you or they can acquire free dyndns names (many available) and pass those to you. (MT router resolves domain names.) That way only those authorized should be accessing your server.
 
tangent
Forum Guru
Posts: 1661
Joined: Thu Jul 01, 2021 3:15 pm

Re: Conditional NAT Routing Based on Domain Name for Two Web Applications on Port 80

Wed Oct 11, 2023 1:55 am

Why would the OP not want to give out a port that works for a simple way to complete the requirement he stated?

The stated requirement is "…to route the traffic dynamically based on the domain the client is trying to access." Domain name, not port number.

You're welcome to second-guess the OP. I'll be the first to agree that people often ask for Thing A and should in fact be asking for Thing B. Even so, I choose to answer the question given in this instance. Who knows, he may choose your option. I'm not telling you you're wrong to offer an alternative, but should we not give the OP enough information to choose from the options, one of which is what he said he wanted?

NGINX proxy blah blah blah sounds like a bad kung fu movie. It's knowitallconfigsnobbery plain and simple.

I assure you, there are a lot of real-life nginx ninjas out there, managing what must be millions of instances. This is not esoteric knowledge. You simply don't know how to do it yet.
 
spippan
Member
Posts: 478
Joined: Wed Nov 12, 2014 1:00 pm

Re: Conditional NAT Routing Based on Domain Name for Two Web Applications on Port 80

Wed Oct 11, 2023 1:57 am

NGINX proxy blah blah blah sounds like a bad kung fu movie. It's knowitallconfigsnobbery plain and simple.

I assure you, there are a lot of real-life nginx ninjas out there, managing what must be millions of instances. This is not esoteric knowledge. You simply don't know how to do it yet.

and exactly that kind of simple requirement in perspective to a reverse proxy - the nginx/apache rproxy config is really not that much of a deal
 
Amm0
Forum Guru
Posts: 4366
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Conditional NAT Routing Based on Domain Name for Two Web Applications on Port 80

Wed Oct 11, 2023 2:22 am

RB4011iGS+ with RouterOS 7.11.2
[...] just one internet connection with 1 IP.
[...]
How can I set up conditional NAT to route traffic correctly based on the domain accessed by the client?
[...]
Maybe Layer 7 ?
The general solution for one public IP but many HTTP servers is a reverse proxy server. The 4011 can run containers, so if you ask me that's the best option. In addition to the traditional reverse proxies of Apache & NGINX, there are more nouveau container-friendly options like https://caddyserver.com and Traefik too (viewtopic.php?t=195259&hilit=traefik#p995495)

If you're willing to change the port for your 2nd server, that can work too – just all users would need to use the port in the URL.

Perhaps there is a firewall solution with Layer7 if HTTP, or perhaps tls-host= if HTTPS+certs... but not 100%, and almost certainly that would add more load than any simple reverse proxy container, and involve a few rules to even have a shot of working. Meanwhile, something like a caddyserver.com container can deal with both sites in a standard way, and likely add ACME-based certs to secure it.
 
Amm0
Forum Guru
Posts: 4366
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Conditional NAT Routing Based on Domain Name for Two Web Applications on Port 80

Wed Oct 11, 2023 2:46 am

I assure you, there are a lot of real-life nginx ninjas out there, managing what must be millions of instances. This is not esoteric knowledge. You simply don't know how to do it yet.
While that's true, NGINX is a bit trickier in a container. I do have instructions for NGINX here: viewtopic.php?p=973226&hilit=ngnix#p973226 – it was designed for a slightly more complex reverse proxy that dealt with CORS+REST-API, but the steps are the same.
