Hi everyone
I use RouterOS v3.24 and I have somewhat specific problem.
I have one static public IP and two servers on local network. Each server is responsible for one or more domains and is hosting web (http and https), mail and ftp servicess.
One server is production and other is for testing purposes (that is why I need two separate servers, no testing on production machine), later in the future there will be two production servers.

Now, way I'm going with this is reverse proxy. But I'm stuck now at the begining and I do not know how to start mooving.
I started reading this: http://wiki.mikrotik.com/wiki/Multiple_Web_Servers
But the problems are:
At the moment I start web proxy, sniffers start using it to access internet using my IP
After about 30 seconds I have had 3 connections on proxy (once before, fresh after start with mikrotik i forget to stop web proxy for few days and my IP is present on many open proxy lists even thou it is not open for more than one year)

I need to redirect HTTP, HTTPS, SMTP, POP3, IMAP and FTP requests, and that much is not explained on wiki. Perhaps I will find something else that needs to be redirected, but for now this is it.

Is there a solution other than two public interfaces?



PS Upgrading from 3.24 to 4.1, do I need to buy new licence?

Regards
kzendra

is there a reason for needing the testing server to be publicly accessible? if not, then simply keep it on your LAN only

if they must both be publicly accessible, then a simple way to do it is to assign your public to you MT, and nat (by dns name) to the private of the appropriate box

Well, my future employment might depend on that one, so i would like them both to be accessible.

Could you explain in detail how to do this:

if they must both be publicly accessible, then a simple way to do it is to assign your public to you MT, and nat (by dns name) to the private of the appropriate box

I did not spend much time with mikrotik...

example:

ether1 is you uplink to your ISP
ether2 is connected to your servers with switch

add public ip to ether1
create private network on ether2 (either static or dhcp)
each server will now have a private

in ip/firewall/nat, add a dst nat for www.server1.com, action=dst-nat, to private ip of server1
also add dst nat for www.server2.com, action=dst-nat, to private ip of server2

your dns should already be pointing to the public ip assigned to ether1

Well, the problem is that when I add NAT rule, there is no place where i can write www.domain1.com or www.domain2.com
I can enter dst. address ant that field expects IP..
There is no field in which I can enter domain name...

This field expects your public IP address, not your domain address. However, the link you provided only deal with web browsing, not mail and ftp services. What you are asking for is not possible with only one public IP address. You can of course use non standard ports for everything except SMTP, but that are not plausible.

RouterOS cannot act as a Reverse FTP Proxy Server, and cannot be used as an SMTP frontend for your domains. You need to add dst-nat in RouterOS to one of your servers that will handle SMTP and FTP requests. That means that only one server can respond to SMTP or FTP requests for your domains at the same time. You can of course setup one server to handle SMTP and the other to handle FTP, but you cannot setup both of your servers to respond to both services at the same time for their respective domains.

That was the answer I was afraid off.
In that case, I will need to replace routerOS with some OS that will support reverse proxy...

Regards
kzendra

No other operating system supports reverse proxy for SMTP, POP3, IMAP and FTP, only HTTP and HTTPS is supported.

Hmmm, that is not good


Two public IP's are out of the question. I'll think of something else.

TNX

You can take a look at Nginx HTTP server, maybe it has some of the features you are looking for.

http://wiki.nginx.org/Main

Can u get a dynamic ip?

if so, setup a Dynamic DNS with one the these scripts: http://wiki.mikrotik.com/wiki/Scripts

and portforward the required protocols from this IP to your testing box...( will need to modify the scripts slightly to add the new IP to an address list which u can then use in the NAT rules)

Use the Public IP for the production box and the dynamic IP for the testing

It's impossible to get two public IP's at this location...

Can you got public ip's from somewhere else? ie your office?

You could then create 2x pptp tunnels from your office to the remote location and just port forward all the traffic down these two pptp tunnels?

EDIT: latency will go throught the roof but it should still work

We have HTTP(S), SMTP, POP3, FTP, ie everything in my office
Mah, never mind, if it gets that much important, i'll rent a server somewhere...

What I'd do is:

Connect ether1 to internet. Here you'll have your public IP.

Connect ProdServer to ether2 and make sure it is full available to internet, as it was your only server.

Make sure everything is working for ProdServer.


Add TestServer, to ether3, or ether2 with a switch, or whatever. (I'd prefer connecting to ether3).

Set up your test server and make sure it can connect to internet if you need your server accessing internet.

Now: set up your Mikrotik as a PPTP or OpenVPN server using your TestServer IP range as pool for PPTP clients.
Bridge the PPTP interface with the TestServer Ethernet and... et voilà!

You can access your test server, your production server, and also, your testserver is protected from the internet dangers.


PPTP Guide: http://wiki.mikrotik.com/wiki/PPTPServer
OpenVPN: http://wiki.mikrotik.com/wiki/OpenVPN