How to forward all WiFi traffic to WEB server?

marko1303 · Tue Mar 18, 2014 3:48 pm

I need redirect all traffic from WiFi to WEB server. What is the best way to do that?
User IP range is from 192.168.3.100-192.168.3.150.

If some user try to open e.g. http://www.google.hr it must be redirected to http://192.168.3.40

Rudios · Tue Mar 18, 2014 5:49 pm

Try creating a dstnat rule.

ros code

/ip firewall nat
add chain=dstnat action=dst-nat protocol=TCP dst-port=80,443 to-address=192.168.3.40

SurferTim · Tue Mar 18, 2014 7:09 pm

Rudios way will redirect to that ip, but will not translate the page. If the page requested is not on the server, you will get a 404 error. The proxy is the best way. It can redirect any site/page to any page on the server.

marko1303 · Tue Mar 18, 2014 9:45 pm

What I need to set in proxy?

SurferTim · Wed Mar 19, 2014 4:22 am

This should cover it.
http://forum.mikrotik.com/viewtopic.php ... 93#p409593

marko1303 · Wed Mar 19, 2014 10:04 am

It is not working, here is my config.

[admin@MikroTik] > ip proxy expo
# mar/19/2014 07:46:18 by RouterOS [code]6.10

# software id = F6R9-UR4F
#
/ip proxy
set enabled=yes port=3128
/ip proxy access
add action=deny dst-port=80 redirect-to=192.168.1.75 src-address=\
192.168.1.0/24
[/code]

[admin@MikroTik] > ip pr acc ex
# mar/19/2014 07:48:53 by RouterOS 6.10
# software id = F6R9-UR4F
#
/ip proxy access
add action=deny dst-port=80 redirect-to=192.168.1.75 src-address=\
    192.168.1.0/24

/ip firewall nat
add action=masquerade chain=srcnat out-bridge-port=ether2 src-address=\
    192.168.1.0/24
add action=redirect chain=dstnat dst-port=80 protocol=tcp src-address=\
    192.168.1.0/24 to-ports=3128

[admin@MikroTik] > int bridge expo
# mar/19/2014 08:00:03 by RouterOS 6.10
# software id = F6R9-UR4F
#
/interface bridge
add l2mtu=1598 name=bridge1
/interface bridge port
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether2

/ip address
add address=192.168.1.251/24 interface=bridge1 network=\
    192.168.1.0

Rudios · Wed Mar 19, 2014 10:59 am

I think you do not need the proxy access rule.
And if it is needed I suppose the action should be allow rather than deny.

And in the ip firewall nat rule with the action redirect, you also need to redirect to a different IP address. (the IP of the router running proxy)

SurferTim · Wed Mar 19, 2014 12:25 pm

Without the proxy access deny rule, it won't redirect the source ip address request to the new server/page.

I have not tried redirecting a request in a hairpin nat. I use an external server. If the client ip is 192.168.1.75, then this will redirect any http request from that client to xx.xx.xx.xx/payme.html.

/ip proxy access
add action=deny dst-port=80 redirect-to=xx.xx.xx.xx/payme.html src-address=192.168.1.75/32

marko1303 · Wed Mar 19, 2014 4:41 pm

It's work now for http, but not for https. If i try to open http://www.google.com router redirect me to http://192.168.1.75, but if itry to open https://www.google.com browser returns error.

[admin@MikroTik] > ip fir nat ex
# mar/19/2014 14:24:53 by RouterOS 6.10
# software id = F6R9-UR4F
#
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=80,443,8080 protocol=tcp \
    src-address=192.168.1.0/24 to-addresses=192.168.1.251 to-ports=3128

# mar/19/2014 14:26:46 by RouterOS 6.10
# software id = F6R9-UR4F
#
/ip proxy access
add action=deny dst-port=80,443,8080 redirect-to=192.168.1.75:80 src-address
    192.168.1.0/24

SurferTim · Thu Mar 20, 2014 12:16 am

Proxies don't work well with port 443. It's a security thing. Don't redirect port 443. I mean you can, but it won't go to the same port 80 page. You will get an error instead, but it keeps the client from accessing the internet.