
I have a MikroTik router set up at the entrance of our office network. I'm looking to configure it for specific domain-based port forwarding. The task seems to be rather common, but I am stuck. Here's what I need to achieve:

  • Requests to office1.example.com:443 should be redirected to Server1 on port 443.
  • Similarly, requests to office2.example.com:443 should be redirected to Server2 on port 443.

How can I set up these domain-specific port forwarding rules on the MikroTik router?

Any guidance or steps to follow would be greatly appreciated.

2 Answers

  • Requests to office1.example.com:443 should be redirected to Server1 on port 443.
  • Similarly, requests to office2.example.com:443 should be redirected to Server2 on port 443.

How can I set up these domain-specific port forwarding rules on the MikroTik router?

You can't. Port forwarding doesn't work that way. IP headers do not contain any information about domain names, only IP addresses.

TLS contains a Server Name Indication. That can't be done at L3 level, which is where your firewall operates. Furthermore, with encrypted SNI, the TLS connection has to be terminated to know the SNI hostname sent. You need a reverse proxy server that can terminate (and proxy) TLS connections to the destination based on the SNI.

vidarlo
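To make the point above concrete, here is an added Python example (not part of the answer): it pulls the server_name out of a raw TLS ClientHello, which is the only place the hostname travels, and uses it to pick a backend, i.e. the decision an SNI-aware reverse proxy in front of the router would make. The backend addresses are placeholders, and build_client_hello constructs the test input.

```python
# Backends an SNI-aware proxy would route to; hostnames from the question, addresses are placeholders.
ROUTES = {"office1.example.com": ("<Server1-IP>", 443),
          "office2.example.com": ("<Server2-IP>", 443)}

def extract_sni(data: bytes):
    """Return the server_name from a TLS ClientHello record, or None."""
    # Record header: type(1)=0x16 handshake, version(2), length(2)
    if len(data) < 5 or data[0] != 0x16:
        return None
    hs = data[5:5 + int.from_bytes(data[3:5], "big")]
    # Handshake header: type(1)=0x01 ClientHello, length(3); reject truncated records
    if len(hs) < 4 or hs[0] != 0x01 or int.from_bytes(hs[1:4], "big") != len(hs) - 4:
        return None
    try:
        pos = 4 + 2 + 32                                   # skip version + random
        pos += 1 + hs[pos]                                 # session_id
        pos += 2 + int.from_bytes(hs[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + hs[pos]                                 # compression_methods
        ext_end = pos + 2 + int.from_bytes(hs[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= ext_end:                          # extension: type(2) len(2) data
            etype = int.from_bytes(hs[pos:pos + 2], "big")
            elen = int.from_bytes(hs[pos + 2:pos + 4], "big")
            ext, pos = hs[pos + 4:pos + 4 + elen], pos + 4 + elen
            if etype != 0:                                 # extension 0 = server_name
                continue
            q = 2                                          # skip server_name_list length
            while q + 3 <= len(ext):                       # entry: name_type(1) len(2) name
                ntype, nlen = ext[q], int.from_bytes(ext[q + 1:q + 3], "big")
                name, q = ext[q + 3:q + 3 + nlen], q + 3 + nlen
                if ntype == 0 and len(name) == nlen:
                    return name.decode("ascii")
    except (IndexError, UnicodeDecodeError):
        return None
    return None

def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello with only a server_name extension."""
    name = hostname.encode("ascii")
    entry = b"\x00" + len(name).to_bytes(2, "big") + name
    sni_list = len(entry).to_bytes(2, "big") + entry
    ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + len(ext).to_bytes(2, "big") + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

def route(client_hello: bytes):  # backend for this connection, or None (ECH would hide the name)
    sni = extract_sni(client_hello)
    return ROUTES.get(sni) if sni else None
```

Note that everything the parser reads sits inside the TCP payload, which a dst-nat rule never inspects; a proxy has to accept the connection first and only then can it choose Server1 or Server2.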

At first you have to create address list entries for your domains

/ip firewall filter add chain=forward protocol=tcp dst-address=<Server1-IP> dst-port=443 action=accept

And then create NAT rules via:

/ip firewall nat add chain=dstnat protocol=tcp dst-address-list=office1.example.com dst-port=443 action=dst-nat to-addresses=<Server1-IP> to-ports=443

Replace the information and if it works repeat for another domain too. Please double check the syntax to prevent errors.

AmirD12
  • The IP address of the domain is resolved when the rule is added. If the IP address changes, then the firewall rules need to be reapplied. – Tero Kilkanen Dec 07 '23 at 07:48
  • Thank you for your answer. However, the first command does not work – Mikrotik does not accept it because of two 'address' parameters in a single command. But even if I overcome this with separate commands, the traffic is not redirected as expected, I see the ERR_CONNECTION_TIMED_OUT in my browser. – Dmitry Nikolaev Dec 12 '23 at 06:56
  • @DmitryNikolaev I edited my command, please check it again – AmirD12 Dec 12 '23 at 09:31