Trying to port-forward only one domain

Hello everyone! I am trying to set up port forwarding, but I'm stuck. I'll get straight to the point.
I have an OpenWRT router that is handling a few Dynamic DNS domains (on, and firewall. I have also set up port forwarding, so that all 80 and 443 traffic is redirected to IP, where I am running an Apache2 reverse proxy. This reverse proxy redirects, again, traffic depending on the domain: points to, where Proxmox VE is running, points to, where Nextcloud is running, and so on.

This is great for HTTP and webservers - but as soon as the service changes, I am completely lost.

I am running an MC server on, on port 25565. Now, the issue is that I can't use the reverse proxy for this, so I set OpenWRT to directly forward 25565 to that IP.
Unfortunately, however, this means that any domain will allow access to the server - even, which makes no sense. I only want to point to that port - but I'm missing the knowledge on how to do it.

I'm not asking for a complete solution, but can anyone point me in the right direction?

Thank you so much!

if all your point to the same IP, it becomes kind of hard ....

Yeah well, I only have one public IP available, unfortunately. This is a home network after all. If you are talking about local IPs (OpenWrt --> local server) - then I could definitely change the to point directly to the game server, and it'd be a good solution, but I don't know how to do it - afaik, it's impossible.

EDIT: I was thinking, isn't there a reverse proxy that actually works with protocols other than HTTP, HTTPS and WS? This is extremely easy for web servers; I don't see why it would be impossible with other stuff, given the tech spec of the protocol. Or even just directly proxying traffic without any kind of interpretation.

the problem isn't within your network, it's the traffic coming to the WAN port of your router.

since they're all the same (public) IP, you need to figure out how to separate them in some other way.

Yes, you are totally correct. Looks like it's not something I can solve with OpenWRT then - I'll probably have to look for a reverse proxy of some sort that supports other protocols.

(I was editing my message while you replied, so you could have missed the new part).

what's the actual problem?

it can't just be that all your sub domains resolve to the same IP, it feels like a 1st world problem :slight_smile:
there's got to be something else to it :wink:

you can always analyze the traffic, in real time, to see what's what, but that's probably too much.

I'm sorry, but I don't understand your message. You're probably being ironic, but sometimes text messages can be misleading - sorry if this is not the case, lol.

If you are serious - then yes, all my subdomains are pointing to my home server, which has a single IP. This is not an issue for web-based applications as I can just use Apache2 to send different domains to different servers and directories. The issue arises when I want to redirect TCP/UDP ports, which I'm probably going to solve by switching from Apache2 to HAProxy, squid or even just nginx.
So, in the end, it will work like this:
[multiple domains] -> [one public IP] -> [openwrt] -> [reverse proxy server] -> [multiple other servers].

Update: ok, there's no way of doing this locally. The only possibility is to tunnel the game server through a VPN, that can be for example a cheap VPS. This has the benefit of adding kind of a DDoS protection, but also, then, I'd be relying on yet another server just to access my own stuff, which I'm not particularly fond of.
Either way, nothing that can be done in OpenWRT by itself.


What you are trying to achieve is not possible. The reverse proxy operates on the HTTP/HTTPS protocol level, whereas the IP forwarding operates on the IP level of the OSI layer. The MC server connects and operates on the IP level and it is not designed to work on the HTTP/HTTPS level. In order to enable that, one would need to rewrite the MC server and MC client programs and distribute them among the players.

Cross-posted on reddit...

Since you deleted your tantrum about my cross-post notice, I'll say it here...

Whenever you cross-post, it's considered a courtesy to include the link(s) to the other site(s) you've posted the issue on.

It helps eliminate confusion, and wasting other people's time researching and suggesting things that have already been done.

I'm terribly sorry for what I just said. No excuse for that, I've had a bad day and I let it out here. Took me 1 minute to press the Reply button and rethink my decision. Unfortunately, it was already too late.
Also, I assumed yours was a report of some sort, like scolding me for having posted it in two places, which was maybe not in the rules.
Sorry again.

No worries.

I'll explain why this is not possible and then you can just move on..

A packet comes into your server. You want to know what to do with it. The decision you would like to make is based on which domain name the client looked up before they connected to your server. This is information only the client computer knows.

It works for HTTP because when the HTTP connection comes in, there is an HTTP header the client sends to your server saying "I'm connecting to" or whatever. But at the IP level, in a firewall etc., or even in a generic proxy for a general TCP-based or UDP-based protocol, the information about which hostname the client looked up before it connected to you is simply mind-reading that you can't do.

Hope that helps

HAPROXY will manage all of your incoming requests. But configuring it is a steep learning curve. Make sure you understand how to configure it correctly otherwise you could expose your system to potential hacking.

and it still can't solve this problem, because it can't possibly know what DNS lookup the client computer did before connecting.

HAPROXY will solve the problem of managing various services from a single public IP address regardless of DNS lookup.

The only time HAPROXY doesn't work well is if the traffic header is encrypted and has no SNI written into the header. It's not the end if there is no SNI if you have some control over the client connection but in general if you're dealing with encrypted traffic the header will need to have the SNI included for you to direct encrypted traffic correctly.

He is trying to proxy a Minecraft server.

know nothing about Minecraft so maybe out of my league. But my understanding is he has a dynamic IP and wants to access services hosted at his home from the public side. Even if the Minecraft client doesn't include SNI host headers, he can still configure HAPROXY to manage the connections; it just won't be very elegant. One way would be to have the Minecraft server as the final server on the list as a catchall. There can be only one catchall in the list so it has its limits.

If you have a public domain name registered then you can create a DNS SRV record with the subdomain and a specific port.
And after that you can configure the port forward in OpenWrt.

Never tried but it might work?