Tiagoggsouza
just joined
Topic Author
Posts: 7
Joined: Wed Sep 12, 2018 4:07 pm

redirect subdomain(NAT)

Mon Feb 18, 2019 10:32 pm

I would like to redirect (NAT) some UDP ports by subdomain. For example: all connections to subdomain.example.com go to internal IP 192.168.88.50, and all connections to subdomain2.example.com.br go to internal IP 192.168.88.51. Is it possible? I just find examples with a proxy web service for the HTTP protocol.
 
vecernik87
Forum Veteran
Posts: 891
Joined: Fri Nov 10, 2017 8:19 am

Re: redirect subdomain(NAT)

Mon Feb 18, 2019 11:15 pm

Not possible on the router due to the way a TCP connection works:
When the TCP connection is being established, there is not a single mention of domain/subdomain. So during that, the router can't decide whether it should redirect it or not.
Once the TCP connection is up and running, the client sends an HTTP request which contains the requested URL. That is the first time any router/server can figure out what the client wants to see. However, at that time it is too late to do NAT, because the connection is already established. You obviously can't redirect an existing TCP connection.

You could do the workaround with an HTTP proxy server (as you already mentioned), but that would require other HW than just a Mikrotik router.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: redirect subdomain(NAT)

Tue Feb 19, 2019 1:00 am

If it's for udp, unless it's some special service that supports name-based virtual hosting (you could at least use an external proxy server for that), then the only solution is own public IP address for each server. But they may be hard to get these days. It's what IPv6 was supposed to solve years ago, but we all know how it's going.
 
vklpt
newbie
Posts: 36
Joined: Mon Feb 18, 2019 1:13 pm
Location: Izhevsk

Re: redirect subdomain(NAT)  [SOLVED]

Tue Feb 19, 2019 10:15 am

You should try to use content or Layer7 matcher to distinguish those packets in NAT rules.
 
vecernik87
Forum Veteran
Posts: 891
Joined: Fri Nov 10, 2017 8:19 am

Re: redirect subdomain(NAT)

Tue Feb 19, 2019 10:24 am

@sob: good point. I automatically expected he talks about HTTP because the domain is completely irrelevant in ICMP and most other protocols.

@vklpt: Nope. Layer7 communication starts AFTER the L4 is established. And NAT has to occur on the first packet of the connection. Even the definition of the L7 matcher disqualifies your suggestion:
L7 matcher collects the first 10 packets of a connection or the first 2KB of a connection and searches for the pattern in the collected data.
NAT decision occurs only on first packet of the connection. Any subsequent packet will not go through NAT decision and it will just follow rule assigned to that connection.
Content matcher could possibly work if the particular protocol sends a domain within first packet, but that is not the case of any usual protocol known to me...

I guess it really depends on the particular protocol which @Tiagoggsouza wants to redirect.
 
vklpt
newbie
Posts: 36
Joined: Mon Feb 18, 2019 1:13 pm
Location: Izhevsk

Re: redirect subdomain(NAT)

Tue Feb 19, 2019 10:33 am

@sob: good point. I automatically expected he talks about HTTP because the domain is completely irrelevant in ICMP and most other protocols.

@vklpt: Nope. Layer7 communication starts AFTER the L4 is established. And NAT has to occur on the first packet of the connection. Even the definition of the L7 matcher disqualifies your suggestion:
L7 matcher collects the first 10 packets of a connection or the first 2KB of a connection and searches for the pattern in the collected data.
NAT decision occurs only on first packet of the connection. Any subsequent packet will not go through NAT decision and it will just follow rule assigned to that connection.
Bla-bla-bla. It works:
ip firewall layer7-protocol print detail  where name=TEST_DNS 
0 name="TEST_DNS" regexp="vikilpet" 

ip fire mangle print detail where comment=###_TEST_DNS
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; ###_TEST_DNS
      chain=prerouting action=accept layer7-protocol=TEST_DNS protocol=udp in-interface=BRIDGE dst-port=53 log=yes log-prefix="###_TEST_DNS"

log print
12:28:05 firewall,info ###_TEST_DNS prerouting: in:BRIDGE out:(unknown 0), src-mac 4c:1b:8d:e0:0a:1e, proto UDP, 10.
12:28:06 firewall,info ###_TEST_DNS prerouting: in:BRIDGE out:(unknown 0), src-mac 4c:1b:8d:e0:0a:1e, proto UDP, 10.
 
Tiagoggsouza
just joined
Topic Author
Posts: 7
Joined: Wed Sep 12, 2018 4:07 pm

Re: redirect subdomain(NAT)

Tue Feb 19, 2019 5:23 pm

@vklpt - I will try to do it, thanks for helping me. I want to do it for a VoIP connection.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: redirect subdomain(NAT)

Wed Feb 20, 2019 2:02 am

@vklpt: You know that udp dns is a special case, right? The whole request is a single packet, so that packet is also the first packet of the "connection" and sure, you can use L7 on those. But with any more complex protocol where the hostname is not contained in the first packet, it won't work.
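
Added example (not part of any post in this thread): a small Python model of the point argued above, that a name-based NAT rule can only work when the hostname is in the first packet of a flow. The packets are constructed samples, Python's `re` stands in for the router's matcher, and the SIP case assumes the client puts the hostname in its request line; it also shows that a DNS query carries the name as length-prefixed labels, so a pattern with literal dots never matches it.

```python
import re
import struct

def dns_qname(name: str) -> bytes:
    """DNS wire format: length-prefixed labels, no literal dots."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def dns_query(name: str) -> bytes:
    """Minimal A/IN query; ID 0x1234 and flags 0x0100 (RD) are constructed."""
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
    return header + dns_qname(name) + struct.pack("!2H", 1, 1)

def first_match_index(flow, pattern: bytes):
    """Index of the first client packet whose payload matches, else None."""
    for i, payload in enumerate(flow):
        if re.search(pattern, payload):
            return i
    return None

def nat_can_decide(flow, pattern: bytes) -> bool:
    """NAT is decided on packet 0 only; a later match is too late."""
    return first_match_index(flow, pattern) == 0

HOST = "subdomain.example.com"

# Constructed client-to-server payloads, one list per flow.
UDP_DNS = [dns_query(HOST)]
UDP_SIP = [b"REGISTER sip:" + HOST.encode() + b" SIP/2.0\r\n\r\n"]
TCP_HTTP = [b"",   # SYN: no payload
            b"",   # ACK completing the handshake
            b"GET / HTTP/1.1\r\nHost: " + HOST.encode() + b"\r\n\r\n"]

LITERAL = re.escape(HOST.encode())   # hostname as text, dots are dots
WIRE = re.escape(dns_qname(HOST))    # \x09subdomain\x07example\x03com\x00

if __name__ == "__main__":
    flows = (("udp/dns", UDP_DNS), ("udp/sip", UDP_SIP), ("tcp/http", TCP_HTTP))
    for name, flow in flows:
        for label, pat in (("literal", LITERAL), ("wire", WIRE)):
            print(f"{name:9} {label:8} first match at packet "
                  f"{first_match_index(flow, pat)}  "
                  f"NAT-usable={nat_can_decide(flow, pat)}")
```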
 
Tiagoggsouza
just joined
Topic Author
Posts: 7
Joined: Wed Sep 12, 2018 4:07 pm

Re: redirect subdomain(NAT)

Wed Feb 20, 2019 2:51 am

Thanks a lot guys, especially @vklpt. I got it in udp protocol; I don't know why, but with tcp protocol it isn't possible. I will try to use proxy web service for that.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: redirect subdomain(NAT)

Wed Feb 20, 2019 4:13 am

..., I don't know why but with tcp protocol isn't possible, ...
viewtopic.php?p=716187#p715967
 
Tiagoggsouza
just joined
Topic Author
Posts: 7
Joined: Wed Sep 12, 2018 4:07 pm

Re: redirect subdomain(NAT)

Wed Feb 27, 2019 5:40 pm

Thanks a lot, I got the perfect result with layer7 and web proxy for http.
 
anav
Forum Guru
Posts: 22280
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: redirect subdomain(NAT)

Wed Feb 27, 2019 5:51 pm

The big V 1, the magic unicorn 0 :-)