rileonar
newbie
Topic Author
Posts: 26
Joined: Wed Oct 12, 2005 11:22 am

MT Web-Proxy and dst-nat

Thu Dec 07, 2006 11:21 am

How can I change dst address of some TCP sessions originated by MT web-proxy?

The web-proxy is configured as transparent (with a parent proxy), and some sessions (but not all) to the parent should have their dst-ip changed.

I tried to create a new output chain using jump action:

> chain=output dst-address=<old-ip-addr> protocol=tcp dst-port=80 action=jump jump-target=testchain

Then dst-nat the traffic put into that chain:

> chain=testchain action=dst-nat to-addresses=<new-ip-addr> to-ports=0-65535

Unfortunately that doesn't work: the NAT rule doesn't catch any traffic (0 bits/packets), so the dst-address is not changed.

Where am I wrong?

Riccardo
 
sergejs
MikroTik Support
Posts: 6697
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Thu Dec 07, 2006 3:31 pm

NAT does not have chain=output, there are 'dstnat' and 'srcnat' chains.
SRC-NAT replaces SRC-address (usually performed on packets that are originated from natted network).
DST-NAT replaces DST-address (usually performed on packets that are destined to the natted network).
As far as I know, user public address will be proxy address, when 'proxy' is enabled.
 
rileonar

Thu Dec 07, 2006 8:22 pm

> NAT does not have chain=output, there are 'dstnat' and 'srcnat' chains.

True, but I can create a new chain, and once created it appears together with SRC-NAT and DST-NAT.

> SRC-NAT replaces SRC-address (usually performed on packets that are originated from natted network).
> DST-NAT replaces DST-address (usually performed on packets that are destined to the natted network).
> As far as I know, user public address will be proxy address, when 'proxy' is enabled.

Correct again, but I don't need to change the SRC address: the proxy address is good.
What I need to do is to ask my "parent proxy" for a DST address different from the original one asked by the internal user connecting to MT proxy.

I'd try to better explain the scenario:

- there is a remote "parent proxy", caching a webserver with virtual hosts on it
- the webserver is reachable BOTH behind a NAT (public address) and through a direct access via DMZ routing (172.x.x.x)
- the parent proxy is only reachable via DMZ routing
- the parent proxy is the main resource to access external websites (the whole internet) and the DMZ webserver via its private address.

So when I need to access a virtualhost on that webserver, the DNS correctly resolves the URL to a public address, but if the MT proxy uses it when communicating with the parent proxy, it answers "Zero sized reply" because it "knows" the local webserver by its local address only.

Then my first raw idea to solve this problem was to change the address in the request that the MT proxy sends to the parent proxy...

Another chance could be to avoid requests to the DMZ webserver being fed to the MT proxy; these should be "DST-NATted" and directly routed to the webserver, bypassing both the MT and parent proxy.

What do you think about both these strategies?

TIA in advance.
Riccardo
 
sergejs

Fri Dec 08, 2006 11:05 am

1) Yes, you can create another chain, but traffic will not reach that chain until an action=jump rule is placed in the default chains (dstnat, srcnat).

2) In case a parent-proxy is used, you can use the direct list and specify which pages to resolve using the parent-proxy and which to resolve directly,
http://www.mikrotik.com/testdocs/ros/2. ... php#7.53.4
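An added example (not from the thread or MikroTik documentation) of how both strategies look in the RouterOS NAT table, with a jump into the user chain placed in dstnat as the support reply requires, and the DMZ bypass rule ordered before the transparent-proxy redirect. All addresses and the proxy port 8080 are constructed placeholders.

```routeros
# Added example, not the thread's own config. Constructed values:
#   203.0.113.10   public (NATted) address of the DMZ webserver
#   172.16.1.10    its private DMZ address
#   192.168.1.0/24 internal user LAN behind the MikroTik
#   8080           local port of the transparent web-proxy (assumed)
/ip firewall nat

# Strategy 2 from the thread: keep DMZ webserver requests out of the proxy
# path. Rewrite the destination to the private DMZ address so the packet
# is routed straight to the server. This rule must sit ABOVE the redirect
# rule: NAT rules are evaluated top-down and the first match wins.
add chain=dstnat src-address=192.168.1.0/24 dst-address=203.0.113.10 protocol=tcp dst-port=80 action=dst-nat to-addresses=172.16.1.10 to-ports=80 comment="DMZ webserver: bypass MT proxy and parent proxy"

# Transparent proxy redirect for all other port-80 traffic from the LAN
add chain=dstnat src-address=192.168.1.0/24 protocol=tcp dst-port=80 action=redirect to-ports=8080 comment="transparent web-proxy"

# Strategy 1 from the thread, corrected: a user-defined chain only sees
# packets that a rule in a built-in chain jumps to it. NAT has no
# chain=output, so the jump lives in dstnat and is matched as narrowly
# as possible (one destination, one protocol, one port) so nothing else
# gets rewritten.
add chain=dstnat dst-address=203.0.113.10 protocol=tcp dst-port=80 action=jump jump-target=testchain
add chain=testchain action=dst-nat to-addresses=172.16.1.10 to-ports=80

# Verify which rule actually handles the traffic: the thread's symptom
# (0 bytes/packets on the user-chain rule) shows up here.
/ip firewall nat print stats
```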