Cannot port forward through dstnat

r0berts · June 29, 2023, 12:03pm

Thanks, p3rad0x,

My rules are a bit different. I have a setup where I am behind carrier grade NAT and need to SSH into my debian server.

This is an illustration. My static IP is 100.100.100.100/32 and it has a L2TP connection on l2tp client interface l2tp-aa which has 100.100.50.50 as a gateway.

For some time I was able to see incoming ssh connection on my debian server when I connected from my laptop connected to internet via my mobile phone with tcpdump and saw that the tcp connection stopped at handshake (no synack packets making their way back to ssh client) but now I cannot see even that. I am not using IPv6 at all. Interestingly - connection happens well if I change my laptop to LAN wifi. Despite the connection being made to the 100.100.100.100:55552 (so DNAT and SRCNAT work well in that case - which I can see on TCPDUMP)

Where have I gone wrong?

# 2023-06-29 12:41:57 by RouterOS 7.10
# sanitized version of config acquired by /export

add admin-mac=48:8F:5A:17:4B:44 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=3 band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=G-ciems2 \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] antenna-gain=6 band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=G-ciems5 \
    wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] use-peer-dns=no
add apn=wap.isp.co.uk authentication=pap name="ISP internet" use-peer-dns=no user=web
/interface lte
set [ find default-name=lte1 ] allow-roaming=no apn-profiles="ISP internet" band=""
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/interface l2tp-client
add allow=chap,mschap1,mschap2 connect-to=100.100.100.50 disabled=no name=l2tp-aa profile=default user=user1
/routing table
add comment="for incoming connections to external ip via l2tp-aa connection" disabled=no fib name=l2tp-table
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set tcp-syncookies=yes
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
add comment=myconf interface=l2tp-aa list=WAN
/interface lte settings
set external-antenna=auto
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-relay
add dhcp-server=192.168.88.27 interface=ether1 name=dhcp-relay1
/ip dns
set allow-remote-requests=yes servers=192.168.88.27
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting comment="mark incoming new (SSH) connection" dst-port=55552 in-interface=l2tp-aa new-connection-mark=L2TP_CONN passthrough=yes protocol=tcp
add action=mark-routing chain=prerouting comment="mark for returning SSH communication for l2tp routing table" connection-mark=L2TP_CONN new-routing-mark=l2tp-table passthrough=yes
/ip firewall nat
add action=dst-nat chain=dstnat comment="DNAT to the ssh server on LAN" dst-address=100.100.100.100 dst-port=55552 log=yes log-prefix=SSH-DNAT-from-EXT: protocol=tcp to-addresses=192.168.88.18 \
    to-ports=22
add action=src-nat chain=srcnat comment="SNAT for the SSH connection" dst-address=192.168.88.18 log=yes log-prefix=SRCNAT-TRIGGER: protocol=tcp to-addresses=100.100.100.100
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.88.0/24 src-address=192.168.88.0/24
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set sip disabled=yes
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=100.100.50.50 pref-src="" routing-table=l2tp-table scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2244
set www-ssl certificate=*1 disabled=no
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set host-key-size=4096 strong-crypto=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/routing rule
add action=lookup-only-in-table disabled=no dst-address=100.100.100.100/32 routing-mark=l2tp-table table=l2tp-table
add action=lookup-only-in-table disabled=no dst-address=0.0.0.0/0 routing-mark=l2tp-table src-address="" table=l2tp-table
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
/system upgrade upgrade-package-source
add address=159.148.147.204
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no