Computer networks
Maria Gross, 2015-07-14 00:32:37

MikroTik. How to set up forwarding to a web server?

The essence of the problem ...
Port forwarding is configured from 77.77.77.1, 77.77.77.2 to 66.66.66.66.
Behind it is the web server 10.10.10.10.
Network equipment: MikroTik Cloud Core 1036-12G-4S.
So. When clients access 66.66.66.66, the web server sees the clients' external IP addresses, and when they access it through 77.77.77.1, 77.77.77.2, the web server shows IP 77.77.77.1, 77.77.77.2.
How to implement port forwarding so that the web server sees the IP addresses of clients coming through 77.77.77.1, 77.77.77.2?
Clients should not see IP 66.66.66.66; hiding it from DDoS.
The graphic scheme is simplified.
[Image: simplified network diagram]

4 answer(s)
lega, 2015-07-14
@lega

If there were web servers (for example, nginx) at the front, then it would be possible to push the client's IP into an HTTP header (this is when proxying).
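
The check the web server side needs when the client's IP arrives in an HTTP header as described above, as an added example that is not part of the original answer: X-Forwarded-For is accepted only when the connection comes from 77.77.77.1 or 77.77.77.2, so a client that reaches the server directly cannot forge its address. The function names, and the assumption that each front proxy appends the peer address it saw to the header, belong to this example.

```python
import ipaddress

# Front proxies from the question; only these peers may supply a forwarded address.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("77.77.77.1/32", "77.77.77.2/32")]


def is_trusted(addr):
    """True if addr parses as an IP that belongs to one of the front proxies."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_header):
    """Return the address to log or rate-limit for one request (hypothetical helper).

    peer_addr  -- source IP of the TCP connection as the web server sees it
    xff_header -- raw X-Forwarded-For value, or None if absent
    """
    # Request that did not come through a front proxy: the header is
    # client-controlled, so ignore it and use the socket address.
    if not is_trusted(peer_addr):
        return peer_addr
    if not xff_header:
        return peer_addr
    # Assumption: each proxy appends the peer it saw, so the rightmost
    # entries are the ones written by our own proxies. Walk right to left.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr  # malformed entry: fall back to the socket address
        if not is_trusted(hop):
            return hop  # first address not written about one of our proxies
    return peer_addr  # chain held only our proxies
```
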

Artem @Jump, 2015-07-14

How to set up forwarding to a web server?

Establish a tunnel between 77.77.77.1, 77.77.77.2 and 66.66.66.66 and then set up port forwarding, just as you did on 66.66.66.66.
In general, this is a rather clumsy protection against DDoS. For these purposes, there is a CDN.

Valery Ryaboshapko, 2015-07-14
@valerium

If by port forwarding from 77.77.77.[12] to 66.66.66.66 you mean NAT, then 66.66.66.66 should already receive the correct source IP, since NAT only replaces the recipient. Accordingly, the second NAT at 66.66.66.66 will once again replace the recipient and the correct sender will arrive at 10.10.10.10.
But there might be a problem. If the route from 77.77.77.[12] passes through a third-party router (for example, between different DCs), then it will almost certainly drop these packets, because it will understand that their sender is fake. It is necessary either to have an agreement with the owner of this router, or not to have this router, for example, to be hosted in one DC, or to bring up a VPN or any other tunnel.
By the way, in the case of a VPN, host 66.66.66.66 is superfluous; it is enough to bring up the VPN from 10.10.10.10 to 77.77.77.1 and 77.77.77.2. True, I don't know if MikroTik can bring up a VPN.

Ivan, 2015-07-14
@LiguidCool

One has to wonder what the difference in configuration is, because in fact the configuration for all MikroTiks should be the same.
