MikroTik

Community discussions
https://forum.mikrotik.com/

MT Web-Proxy and dst-nat

https://forum.mikrotik.com/viewtopic.php?t=12598

Page 1 of 1

MT Web-Proxy and dst-nat

Posted: Thu Dec 07, 2006 11:21 am
by rileonar
How can I change dst address of some TCP sessions originated by MT web-proxy?

The web-proxy is configured as transparent (w/parent proxy), and some sessions (but not all) to parent should be changed as dst-ip.

I tried to create a new output chain using jump action:

> chain=output dst-address=<old-ip-addr> protocol=tcp dst-port=80 action=jump jump-target=testchain

Then dst-nat the traffic put into that chain:

> chain=testchain action=dst-nat to-addresses=<new-ip-addr> to-ports=0-65535

Unfortunately that doesn't work: the NAT rule doesn't catch any traffic (0 bits/packets), so the dst-address is not changed.

Where am I wrong?

Riccardo

Posted: Thu Dec 07, 2006 3:31 pm
by sergejs
NAT does not have chain=output, there are 'dstnat' and 'srcnat' chains.
SRC-NAT replaces SRC-address (usually performed on packets that are originated from natted network).
DST-NAT replaces DST-address (usually performed on packets that are destined to the natted network).
As far as I know, user public address will be proxy address, when 'proxy' is enabled.

Posted: Thu Dec 07, 2006 8:22 pm
by rileonar
NAT does not have chain=output, there are 'dstnat' and 'srcnat' chains.
True, but I can create a new chain, and once created it appears together with SRC-NAT and DST-NAT
SRC-NAT replaces SRC-address (usually performed on packets that are originated from natted network).
DST-NAT replaces DST-address (usually performed on packets that are destined to the natted network).
As far as I know, user public address will be proxy address, when 'proxy' is enabled.
Correct again, but I don't need to change SRC address: proxy address is good.
What I need to do is to ask my "parent proxy" for a DST address different from the original one asked by the internal user connecting to MT proxy.

I'd try to better explain the scenario:

- there is a remote "parent proxy", caching a webserver with virtual hosts on it
- the webserver is reachable BOTH behind a NAT (public address) and through a direct access via DMZ routing (172.x.x.x)
- the parent proxy is only reachable via DMZ routing
- the parent proxy is the main resource to access external websites (the whole internet) and the DMZ webserver via its private address.

So when I need to access a virtualhost on that webserver, the DNS correctly resolves the URL with a public address, but if the MT proxy uses it communicating to the parent proxy, it answers "Zero sized reply" because it "knows" the local webserver with local address only.

Then my first raw idea to solve this problem was to change the address into the request that MT proxy send to parent proxy....

Another chance could be to avoid request to DMZ webserver to be feed to MT proxy; these one should be "DST-NATted" and directly routed to the webserver, bypassing both MT and parent proxy.

What do you think about both these strategies?

TIA in advance.
Riccardo

Posted: Fri Dec 08, 2006 11:05 am
by sergejs
1) yes, you can create another chain, but traffic will not reach these chain until action=jump is not placed to the default chains (dstnat, srcnat).

2) In case when parent-proxy is used, you can use direct list and specify, which pages to resolve using parent-proxy and which to resolve directly,
http://www.mikrotik.com/testdocs/ros/2. ... php#7.53.4
All times are UTC+02:00
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/