MikroTik

hello!

We have RB450 which is sitting between I-net and local network and doing traffic shaping, firewalling, port forwarding and some more functions.
We have many units inside our network who has http-access to give the possibility of control.
To give the http-access to these units from outside (I-net) I configured the RB this way:
222.11.123.4 -- public IP of RB
192.168.11.227 -- local IP of a unit

/ip firewall nat>
add action=dst-nat chain=dstnat dst-address=222.11.123.4 dst-port=34227 \
protocol=tcp to-addresses=192.168.11.227 to-ports=80

so when a client hits http://222.11.123.4:34227 in it's browser, it to be asked login/pw then gets access to 192.168.11.227:80 -- the problem is solved. BUT, recently we've updated the firmware of that unit and discovered that from now after successful login the unit trying to redirect the client to https (port 443) !, but, as you can guess, it doesn't work. I tried to add similar NAT rule for port 443, like:

/ip firewall nat>
add action=dst-nat chain=dstnat dst-address=222.11.123.4 dst-port=54227 \
protocol=tcp to-addresses=192.168.11.227 to-ports=443

so when I hit https://222.11.123.4:54227 in my browser it asks for login/password, but after that the browser shows white blank screen and you can wait forever...
Please help me to bypass this obstacle.

Thank you in advance.

is it trying to redirect you to a hostname (instead of ip) or something similiar? Or possibly redirecting you to another port.

is it trying to redirect you to a hostname (instead of ip) or something similiar? Or possibly redirecting you to another port.

I believe it's redirecting to another port.
But anyway, I think the problem is not 80 -> 443 redirection itself.
Inside the local network it is possible to go directly to 443 (https) like:
https://192.168.11.227 and it works. But when I try from outside either
http://222.11.123.4:34227
or
https://222.11.123.4:54227
-- it asks for login/pw and once it entered, the browser shows blank page and then waits forever.

The usual problem in this applications is that those don't take in consideration the possibility of serving their requests in an IP not attached to their interfaces.

Maybe you have some kind of activex inside... maybe it is just the html redirection, anyway, double-check the code of the website which logs you in to find how is it redirecting, and where. Maybe it will be possible to rewrite that html code and serve it elsewhere with the modified 'redirections'.

try running fiddler from MS to see if you can tell what the browser is requesting, maybe its an alternate port you can't see because its an inline control or something.

thanks for reply.

I'm afraid I can't change something like site code, etc, because it is Ubuquity Power Station's firmware, who serves that web-interface to setup and control the unit. In the last version of firmware upgrade they coded that damned redirection.

The usual problem in this applications is that those don't take in consideration the possibility of serving their requests in an IP not attached to their interfaces.

Maybe you have some kind of activex inside... maybe it is just the html redirection, anyway, double-check the code of the website which logs you in to find how is it redirecting, and where. Maybe it will be possible to rewrite that html code and serve it elsewhere with the modified 'redirections'.

I didn't know about such a tool. Will try near days, thanks.

try running fiddler from MS to see if you can tell what the browser is requesting, maybe its an alternate port you can't see because its an inline control or something.