klaparp
just joined
Topic Author
Posts: 20
Joined: Fri Feb 28, 2014 12:58 am

Url-based incoming NAT? Possible

Sat May 09, 2015 2:00 pm

Since there are no more IPv4 addresses in the world, is it possible to dst-nat based on a DNS name?

What I want to do is this:

external ip: 195.67.199.39

www.foo1.com = 195.167.199.39 ==> dst-nat to: 192.168.1.1
www.foo2.com = 195.167.199.39 ==> dst-nat to: 192.168.1.2
www.foo3.com = 195.167.199.39 ==> dst-nat to: 192.168.1.3

Is this possible? How?

/Hannes
 
chechito
Forum Guru
Posts: 2551
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Url-based incoming NAT? Possible

Sun May 10, 2015 6:17 am

> klaparp wrote: Since there are no more IPv4 addresses in the world, is it possible to dst-nat based on a DNS name? [...]

Maybe using layer 7 on the firewall.
 
barkas
Member Candidate
Posts: 259
Joined: Sun Sep 25, 2011 10:51 pm

Url-based incoming NAT? Possible

Sun May 10, 2015 11:02 am

Cool idea, but usually you would use a http proxy to do that.
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Url-based incoming NAT? Possible

Sun May 10, 2015 12:31 pm

A Reverse Proxy as barkas said, provided those webservers aren't serving HTTPS.
 
klaparp
just joined
Topic Author
Posts: 20
Joined: Fri Feb 28, 2014 12:58 am

Re: Url-based incoming NAT? Possible

Sun May 10, 2015 1:28 pm

Proxy is not the solution, I want it to forward any traffic aimed at the specified DNS name.
Just like using regexp and layer 7 for outgoing traffic. I just don't know if it is possible.

/HW
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Url-based incoming NAT? Possible

Sun May 10, 2015 3:52 pm

> klaparp wrote: Proxy is not the solution, I want it to forward any traffic aimed at the specified DNS name. Just like using regexp and layer 7 for outgoing traffic. I just don't know if it is possible.
No, it's not possible like you're asking, and when you think about it you'll see why:

DNS only resolves a hostname to an IP. The IP header only has source/destination IP address fields in the header, nothing about host names at all. Same for TCP and UDP.... so there's nothing to match on in the lower layers, as has been stated.

Now layer 7 - the first time a hostname is mentioned again is in the host headers of the HTTP message - but these cannot even be sent before the TCP 3-way handshake completes. You have to have an established socket before the host header can even be sent, let alone caught by the regex filter in the firewall filter..... way too late to do any NAT redirection.

You either need to use a specific IP to a host (or group of hosts if load balancing) dedicated to web traffic, and this host (group) will use host headers to serve the correct page. A reverse proxy can also do this (as earlier suggested).

Finally, a reverse proxy which does SSL offloading can allow similar behavior for HTTPS. It will accept the SSL connection and proxy it via standard HTTP behind your firewall, so different hosts for different DNS names are possible (usually it requires that you have 1 IP per domain name, with a wildcard cert for that domain, so *.example.com can use a single IP address, *.example.org another IP, etc.).
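Added example, written for this page and not taken from the thread or from MikroTik, to make the layering argument above concrete. It reads the hostname from the first application bytes of a connection, which is all a reverse proxy (or an L7 matcher) ever gets to see: a SYN carries no name at all, an HTTP/1.x request carries it in the Host header, and an HTTPS connection carries it unencrypted in the ClientHello's SNI extension (RFC 6066). The SNI part is also the practical caveat to the HTTPS remark: a TLS-terminating, or merely SNI-routing, proxy can serve several names on one IP with a separate certificate for each, so the one-IP-per-domain constraint does not apply with SNI-capable clients. The backend map reuses the addresses from the original post; the HTTP request and the ClientHello bytes are constructed inline.

```python
# Added example (not from the forum thread, not MikroTik code): where a
# hostname first appears in a TCP connection, and how a reverse proxy uses
# it to choose a backend. All sample bytes below are constructed inline.
import struct

# Dispatch table from the original post: hostname -> internal web server.
BACKENDS = {
    "www.foo1.com": "192.168.1.1",
    "www.foo2.com": "192.168.1.2",
    "www.foo3.com": "192.168.1.3",
}


def host_from_http(payload: bytes):
    """Return the Host header of a complete HTTP/1.x request head, or None.

    The header lives in the application payload, i.e. in bytes the client
    only sends after the TCP three-way handshake, so a dst-nat decision
    made on the SYN cannot depend on it.
    """
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None                                   # head not complete yet
    for line in head.split(b"\r\n")[1:]:              # skip the request line
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
            return host.split(":")[0].lower()         # drop an optional :port
    return None


def sni_from_client_hello(payload: bytes):
    """Return the server_name from a TLS ClientHello record, or None.

    SNI (RFC 6066) is sent in cleartext in the first TLS record, which is
    what lets a proxy pick a backend and certificate per hostname while
    serving many names on a single IP address.
    """
    if len(payload) < 5 or payload[0] != 0x16:         # not a handshake record
        return None
    rec_len = struct.unpack("!H", payload[3:5])[0]
    hs = payload[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                   # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    p = 2 + 32                                         # client_version, random
    if len(body) < p + 1:
        return None
    p += 1 + body[p]                                   # session_id
    if len(body) < p + 2:
        return None
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]     # cipher_suites
    if len(body) < p + 1:
        return None
    p += 1 + body[p]                                   # compression_methods
    if len(body) < p + 2:
        return None                                    # no extensions block
    ext_end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
    p += 2
    while p + 4 <= min(ext_end, len(body)):
        ext_type, ext_len = struct.unpack("!HH", body[p:p + 4])
        data = body[p + 4:p + 4 + ext_len]
        p += 4 + ext_len
        if ext_type != 0:                              # 0 = server_name
            continue
        q = 2                                          # skip list length
        while q + 3 <= len(data):
            name_type = data[q]
            name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
            q += 3
            if name_type == 0:                         # host_name
                return data[q:q + name_len].decode("ascii", "replace").lower()
            q += name_len
    return None


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal ClientHello carrying only an SNI extension."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni = struct.pack("!H", len(entry)) + entry
    extensions = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32)                     # version, random
            + b"\x00"                                   # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"        # one cipher suite
            + b"\x01\x00"                               # null compression
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def pick_backend(first_payload: bytes):
    """What a reverse proxy does once the first application bytes arrive.

    Returns (hostname, backend). A bare SYN has no payload, so it yields
    (None, None): at that point there is nothing for NAT to match on.
    """
    name = host_from_http(first_payload) or sni_from_client_hello(first_payload)
    if name is None:
        return None, None
    return name, BACKENDS.get(name)


if __name__ == "__main__":
    for sample in (b"",                                            # a SYN
                   b"GET / HTTP/1.1\r\nHost: www.foo1.com\r\n\r\n",  # HTTP
                   build_client_hello("www.foo3.com")):            # HTTPS
        print(pick_backend(sample))
```

The same lookup is what nginx, HAProxy or the RouterOS web proxy do internally: the router only has to dst-nat port 80/443 to the one proxy host, and the proxy dispatches on the name once the handshake is done.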
 
barkas
Member Candidate
Posts: 259
Joined: Sun Sep 25, 2011 10:51 pm

Re: Url-based incoming NAT? Possible

Sun May 10, 2015 10:39 pm

> ZeroByte wrote: No, it's not possible like you're asking, and when you think about it you'll see why: [...]
For specific protocols it would be possible, but not generically.
You would need a tailored regex for each l7 protocol.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Url-based incoming NAT? Possible

Mon May 11, 2015 4:17 pm

> barkas wrote: For specific protocols it would be possible, but not generically. You would need a tailored regex for each l7 protocol.

I really don't think L7 filter is useful for NAT. How can you change what host the packets are being NATed to after the socket is open and data has begun flowing?
The router can't say: "Oh wait - you said 'host: facebook.com' so I'm going to send you to this other IP.... "

It's too late. The SYN/ACK sequence has already completed. You could have a special host that doesn't need to do the handshake to send TCP segments to the other host, but the TCP sequence numbers are going to make it nearly impossible to jump in the middle with a proxy and send data like this... (that's intentional - this behavior is a man-in-the-middle attack).....

You could use L7 matches to change NAT behavior more effectively with UDP since it is connectionless, but web is TCP-based.

OP needs to dedicate an IP address to being "the web server (farm)" and then use name-virtual-host (in Apache terminology) to decide which page to show the caller. The IP can be utilized even more efficiently by using the same IP address, but mapping the ports for email to a different internal server (group). DNS can be mapped to yet another server, etc. So one single IP can map all of the useful services to completely different internal addresses. But it's at the protocol/port level, so it's unable to map (using NAT alone) to different servers based on website URL. It takes a proxy to do that.
 
PackElend
Member Candidate
Posts: 240
Joined: Tue Sep 29, 2020 6:05 pm

Re: Url-based incoming NAT? Possible

Thu Jul 07, 2022 5:45 pm

But
/ip firewall nat add chain=dstnat action=dst-nat in-interface=WAN-INTERFACE src-address-list=BUNCH_OF_IPs
is possible, and BUNCH_OF_IPs can be updated by doing https://wiki.mikrotik.com/wiki/Use_host ... wall_rules

In viewtopic.php?t=124921 it is said
/ip firewall address-list add address=wiki.mikrotik.com comment=wiki.mikrotik.com list=host_mikrotik
will work, but I cannot find anything in the docs about how domains are resolved to IPs, apart from viewtopic.php?t=182755 and viewtopic.php?t=154294
 
Sob
Forum Guru
Posts: 9049
Joined: Mon Apr 20, 2009 9:11 pm

Re: Url-based incoming NAT? Possible

Thu Jul 07, 2022 6:55 pm

That's not what the original question was about, it wanted to use firewall rules instead of reverse proxy, but that's not possible. Your incomplete dstnat rule would work, if you'd add missing parts, and if you really meant to have dstnat based on source addresses identified by hostnames. But that's something completely different.
 
PackElend
Member Candidate
Posts: 240
Joined: Tue Sep 29, 2020 6:05 pm

Re: Url-based incoming NAT? Possible

Fri Jul 08, 2022 4:57 pm

Thanks a lot for the quick answer :)
> Sob wrote: Your incomplete dstnat rule would work, if you'd add missing parts, and if you really meant to have dstnat based on source addresses identified by hostnames.
The missing parts are included; I reduced the rule to the actual question.

> Sob wrote: That's not what the original question was about, it wanted to use firewall rules instead of reverse proxy, but that's not possible.
I overlooked that = is not the same as ==> in
> external ip: 195.67.199.39
>
> www.foo1.com = 195.167.199.39 ==> dst-nat to: 192.168.1.1
> www.foo2.com = 195.167.199.39 ==> dst-nat to: 192.168.1.2
> www.foo3.com = 195.167.199.39 ==> dst-nat to: 192.168.1.3
so I was at
/ip firewall nat add chain=dstnat action=dst-nat in-interface=WAN-INTERFACE src-address-list=LIST.foo1.com to-addresses=192.168.1.1
/ip firewall nat add chain=dstnat action=dst-nat in-interface=WAN-INTERFACE src-address-list=LIST.foo2.com to-addresses=192.168.1.2
/ip firewall nat add chain=dstnat action=dst-nat in-interface=WAN-INTERFACE src-address-list=LIST.foo3.com to-addresses=192.168.1.3
:shock:
 
rextended
Forum Guru
Posts: 9568
Joined: Tue Feb 25, 2014 12:49 pm
Location: 🇮🇹, my 💔 is in 🇺🇦

Re: Url-based incoming NAT? Possible

Fri Jul 08, 2022 5:47 pm

src-address-list?
A list of all external user that use the service?
Based on external user, see different site?
 
chechito
Forum Guru
Posts: 2551
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Url-based incoming NAT? Possible

Fri Jul 08, 2022 6:34 pm

> ZeroByte wrote: I really don't think L7 filter is useful for nat. How can you change what host the packets are being NATed to after the socket is open and data has begun flowing? [...] But it's at the protocol/port level, so it's unable to map (using NAT alone) to different servers based on website URL. It takes a proxy to do that.

Please read this to understand why it is not feasible.
 
rextended
Forum Guru
Posts: 9568
Joined: Tue Feb 25, 2014 12:49 pm
Location: 🇮🇹, my 💔 is in 🇺🇦

Re: Url-based incoming NAT? Possible

Fri Jul 08, 2022 6:47 pm

(Who was the message for? :?: )
 
PackElend
Member Candidate
Posts: 240
Joined: Tue Sep 29, 2020 6:05 pm

Re: Url-based incoming NAT? Possible

Fri Jul 08, 2022 7:13 pm

> rextended wrote: src-address-list?
Initially, I read
www.foo1.com ==> 195.167.199.39 ==> dst-nat to: 192.168.1.1
as: traffic from foo1.com to the router shall be forwarded to 192.168.1.1, which was wrong, as simple as that.
