Ixo
just joined
Topic Author
Posts: 22
Joined: Fri Dec 07, 2012 9:43 pm

Get RouterOS to act as DNS Server?

Fri May 05, 2017 3:03 pm

Hi All,

I wish to achieve some functionality.

I got the domain (for example, domain.eu), then at the registrar I created an A record to point *.domain.eu at my external static IP, which for argument's sake is 195.0.0.1.
The local network is 172.16.0.0/22 and the router IP is 172.16.0.1. I also have a separate web server, 172.16.0.2 (Apache, Debian).

I wish to create the following functionality:
If I type:
- domain.eu in the browser it would reach 195.0.0.1:80 displaying device web admin console (external access)
- web.domain.eu then the connection will be redirected to the webserver 172.16.0.2 displaying a website

So far I tried:
1. Enabled WebProxy
2. Added NAT Rule to redirect port 80 to 8080 from Internet interface (ether1)
3. Added Accept rule for port 8080
4. Inside WebProxy I created Access rule to deny if web.domain.eu and redirect to web.domain.eu:8000
5. Added NAT rule to redirect 8000 to 80 on 172.16.0.2

Which kind of works... the issue I have is that when I go to http://web.domain.eu in my browser I get http://web.domain.eu:8000/index.php
I know this is totally expected and I understand why it works that way. I am only wondering if there is a different way to achieve my goal.

I want http://domain.eu to display external WebOS page and http://web.domain.eu to display website hosted on my webserver.
 
idlemind
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: Get RouterOS to act as DNS Server?

Fri May 05, 2017 8:29 pm

MikroTik can't do what you want. The only way I see you getting what you want is by implementing a product capable of inspecting HTTP host headers. You can probably do it in Apache with virtual hosts but I think Nginx would be a better fit. First things first. Don't use HTTP. Just don't. Get a Let's Encrypt certificate with both names, domain.eu and web.domain.eu. Then set up Nginx to listen on 443 of a server (or Raspberry Pi if that's your thing). Have it use that certificate and use its load balancer features to establish a session with the local router or the local Apache server. For both of those you should turn on SSL, but you could get away with a long-term self-signed cert to avoid needing to update the Let's Encrypt certificates a bunch.

In the firewall you would NAT 80 and 443 to the Nginx box and have both domains resolve to your single public IP. Make sure to have Nginx redirect all HTTP sessions to HTTPS.

An alternative to load balancing is to use IPv6 from your ISP; then you don't need NAT, just allow the ports through the firewall.

Also the WebProxy is probably just kicking this up. I think that's just for local caching.
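
The setup described in the reply above, sketched as an Nginx configuration. This is an added example, not part of the original posts; the certificate paths, the pinned backend certificate files and the name `router.lan` are assumptions, and the hostnames and addresses are the thread's placeholders.

```nginx
# Added example; goes in a file included from the http {} context.
# Hostnames/addresses are the thread's placeholders; file paths are assumed.
ssl_certificate     /etc/letsencrypt/live/domain.eu/fullchain.pem;  # covers both names
ssl_certificate_key /etc/letsencrypt/live/domain.eu/privkey.pem;

# Port 80 serves no content: known names are redirected, anything else is dropped.
server {
    listen 80 default_server;
    return 444;
}
server {
    listen 80;
    server_name domain.eu web.domain.eu;
    return 301 https://$host$request_uri;
}

# Requests on 443 whose Host matches neither name are closed without an
# HTTP response, so requests to the bare IP never reach the admin console.
server {
    listen 443 ssl default_server;
    return 444;
}

# domain.eu -> router web admin console on 172.16.0.1
server {
    listen 443 ssl;
    server_name domain.eu;
    location / {
        proxy_pass https://172.16.0.1;
        proxy_set_header Host $host;
        # Pin the router's long-lived self-signed certificate; nginx does
        # not verify upstream certificates unless told to.
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/pinned/router.pem;
        proxy_ssl_name router.lan;  # assumed: must match the name in that cert
    }
}

# web.domain.eu -> Apache on 172.16.0.2
server {
    listen 443 ssl;
    server_name web.domain.eu;
    location / {
        proxy_pass https://172.16.0.2;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

The Apache backend is proxied over TLS without pinning here to keep the example short; the same three `proxy_ssl_*` lines apply to it.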
 
Ixo
just joined
Topic Author
Posts: 22
Joined: Fri Dec 07, 2012 9:43 pm

Re: Get RouterOS to act as DNS Server?

Mon May 08, 2017 6:59 pm

I thought RouterOS would not have such a thing. At the moment I have this done using WebProxy and it works for what I need. However, thank you for your post; it has lots of valuable information and I think you are absolutely right that WebProxy is not really the best solution here. I will check "Let's Encrypt" and NGINX and let you know here how it went.
 
idlemind
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: Get RouterOS to act as DNS Server?

Mon May 08, 2017 7:04 pm

Sounds good. Very intriguing that you got it to work with the WebProxy module, but not overly surprising; the deny and redirect-to is the key, I suppose. Either way, an HTTPS-aware proxy is probably the best answer. You really don't want to be logging into WebFig over HTTP.

Let us know if you end up sticking with WebProxy and NAT or if you switch to Nginx load balancing and HTTPS.