Subject was a long time ago, but I just managed to fix this, so perhaps it will help anyone out. I did this on a RouterOS 5.9 L4 system, running on x86.
I first was able to create a Layer-7 mangle, but for some reason, the NAT did not see these packet markings, probably because we already have the connection and try to re-nat:
/ip firewall layer7-protocol
add comment="http://www.myfirstsite.com/" name=http_myfirstsite_com \
regexp="http/(0\\.9|1\\.0|1\\.1).*host: www\\.myfirstsite\\.com"
add comment="http://www.mysecondsite.com/" name=http_mysecondsite_com \
regexp="http/(0\\.9|1\\.0|1\\.1).*host: www\\.mysecondsite\\.com"
So that did not work!
After trying endlessly, I finally switched to the Web Proxy in reverse. This works very well, but there is a little trick to it.
Situation:
* 2 web servers in our LAN: 192.168.0.10, 192.168.0.20
* 1 WAN IP: 159.148.147.196
* Internet DNS: http://www.myfirstsite.com and http://www.mysecondsite.com are set to 159.148.147.196.
* http://www.myfirstsite.com should arrive at tcp:80 of 192.168.0.10
* http://www.mysecondsite.com should arrive at tcp:80 of 192.168.0.20
# First create the proxy, direct on port 80 (=transparent, no nat needed)
# We use the 5000 connections maximum (unfortunately, but will discuss solution later)
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 \
cache-on-disk=no enabled=yes max-cache-size=none max-client-connections=\
5000 max-fresh-time=3d max-server-connections=5000 parent-proxy=0.0.0.0 \
parent-proxy-port=0 port=80 serialize-connections=no src-address=0.0.0.0
# We then add Access entries, with dst-host set to the host in the internet url:
# In this example: www.myfirstsite.com and www.mysecondsite.com, both
# on the same WAN IP.
/ip proxy access
add action=allow disabled=no dst-host=www.myfirstsite.com dst-port=80 \
src-address=0.0.0.0/0
add action=allow disabled=no dst-host=www.mysecondsite.com dst-port=80 \
src-address=0.0.0.0/0
add action=deny comment="Default deny" disabled=no redirect-to=\
"www.vandale.nl/opzoeken\?pattern=verboden&lang=nn"
# The trick is with dst-host above. The router will resolve these to find the correct IP's.
# But on the internet, both point to my single WAN IP 159.148.147.196, so that won't
# go to our internal web servers.
# Also, we cannot use the internal IP's for dst-host, or the entries would not be matched
# to any requests by the Web Proxy.
# The solution is to make sure the router DNS-resolves www.myfirstsite.com and
# www.mysecondsite.com to the internal IP's, not the WAN IP. Well, that is easy enough:
/ip dns static
add address=192.168.0.10 disabled=no name=www.myfirstsite.com ttl=1d
add address=192.168.0.20 disabled=no name=www.mysecondsite.com ttl=1d
One note: Changing the DNS entries later requires flushing the DNS cache on the router.
Please note that we have no NAT setup for tcp:80 here! The WebProxy will receive the http request from the internet (WAN) and mediate to the internal IP's all by itself.
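To make the three configuration steps above easier to reason about, here is an added Python model of the decision the transparent proxy makes per request. It is not code from the post and not RouterOS code (the proxy is a MikroTik binary); it assumes what the post describes: /ip proxy access rules are evaluated top to bottom with first match winning, dst-host is compared against the Host header of the request, and the allowed name is then resolved through the router's own DNS. The rule list, the static DNS table and the sample requests are constructed from the values in the post. It also shows two failure modes the post discusses: without the static entries the name resolves to the WAN IP 159.148.147.196 (so the request would come back to the proxy instead of reaching a server), and a request for any other host hits the "Default deny" rule, which is what keeps a WAN-facing proxy on port 80 from acting as an open forward proxy.

```python
"""Model of the Host-header dispatch performed by the transparent RouterOS web
proxy in the setup above.  Added example, not RouterOS code; it only models the
decision the proxy makes, using constructed copies of the post's configuration."""
from __future__ import annotations
import ipaddress

PROXY_PORT = 80

# Constructed from "/ip proxy access": evaluated top to bottom, first match wins.
ACCESS_RULES = [
    {"action": "allow", "dst-host": "www.myfirstsite.com", "dst-port": 80},
    {"action": "allow", "dst-host": "www.mysecondsite.com", "dst-port": 80},
    {"action": "deny", "dst-host": None, "dst-port": None},   # "Default deny"
]

# Constructed from "/ip dns static": public names -> internal servers.
STATIC_DNS = {
    "www.myfirstsite.com": "192.168.0.10",
    "www.mysecondsite.com": "192.168.0.20",
}

# What the public Internet resolves the same names to (the single WAN IP).
WAN_IP = "159.148.147.196"
PUBLIC_DNS = {name: WAN_IP for name in STATIC_DNS}


def parse_host(request: bytes) -> tuple[str, int] | None:
    """Return (host, port) from the Host header of an HTTP/1.x request, or None."""
    head, _, _ = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not lines or not lines[0]:
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            if ":" in host:                       # "host:port" form
                host, _, port = host.rpartition(":")
                return host, int(port) if port.isdigit() else PROXY_PORT
            return host, PROXY_PORT
    return None


def match_rule(host: str, port: int) -> dict:
    """First access rule whose dst-host / dst-port (when set) match the request."""
    for rule in ACCESS_RULES:
        if rule["dst-host"] is not None and rule["dst-host"] != host:
            continue
        if rule["dst-port"] is not None and rule["dst-port"] != port:
            continue
        return rule
    return {"action": "deny"}   # unreachable with the default-deny rule present


def dispatch(request: bytes, resolver: dict[str, str]) -> tuple[str, str, int]:
    """Return ("forward", backend_ip, port) or ("deny", reason, 0).

    `resolver` is the name table the router consults: STATIC_DNS models the
    post's fix, PUBLIC_DNS models the situation before the static entries."""
    parsed = parse_host(request)
    if parsed is None:
        return ("deny", "no Host header", 0)
    host, port = parsed
    if match_rule(host, port)["action"] != "allow":
        return ("deny", f"no allow rule for {host}:{port}", 0)
    backend = resolver.get(host)
    if backend is None:
        return ("deny", f"{host} does not resolve", 0)
    return ("forward", backend, port)


def would_loop(backend_ip: str, wan_ip: str = WAN_IP) -> bool:
    """True when the resolved backend is the router's own WAN address, i.e. the
    proxy would hand the request back to itself instead of to a server."""
    return ipaddress.ip_address(backend_ip) == ipaddress.ip_address(wan_ip)


# Constructed sample requests, as an Internet browser would send them.
REQ_FIRST = b"GET / HTTP/1.1\r\nHost: www.myfirstsite.com\r\n\r\n"
REQ_SECOND = b"GET /index.html HTTP/1.1\r\nHost: www.mysecondsite.com:80\r\n\r\n"
REQ_OTHER = b"GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n"   # not one of our sites
REQ_BY_IP = b"GET / HTTP/1.1\r\nHost: 192.168.0.10\r\n\r\n"      # raw IP instead of name
REQ_NOHOST = b"GET / HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for req in (REQ_FIRST, REQ_SECOND, REQ_OTHER, REQ_BY_IP, REQ_NOHOST):
        print(req.split(b"\r\n")[1] or b"(no Host)", "->", dispatch(req, STATIC_DNS))
    before_fix = dispatch(REQ_FIRST, PUBLIC_DNS)
    print("without static DNS:", before_fix, "loops back to proxy:", would_loop(before_fix[1]))
```

Running the block prints one line per sample request; only the two configured names are forwarded, each to its internal server, and everything else is denied by the last rule. The last line reproduces the post's reason for the static DNS entries: with the public answer the backend is the WAN IP itself.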
We are still testing, so let me know if you run into any problems; perhaps we already have a fix then. If you have any other comments or opinions, feel free to e-mail me at
niels.bos@live.com ; I love to hear feedback and always appreciate a chance to learn from your experiences:)
Final thoughts:
About the 5000 connection maximum... if you need even more concurrent connections, you would need multiple RouterOS installations and set up some kind of connection load-balancing to have each router handle part of the connections. By that approach, 2 RouterOS installations would allow 10K connections, 3 15K and so on.
If you need such volumes, have a look at running RouterOS x86 on a free baremetal VMWare ESXi hypervisor. This allows you to add as many new RouterOS Virtual Machines as required (hardware permitting).
We run our server VM's on this hypervisor as well, with the virtual switches and virtual ethernet adapters in ESXi and RouterOS routing everything between them. You can have complex multiple virtual networks inside the server with all routing managed by RouterOS. Try it out... you'll love it!
Cheers,
Niels