Can't access hosts via certain ports from a computer connected to an hEX-S

I am working on a computer connected to an hEX-S and trying to connect to other (remote) machines by SSH, HTTP and RDP.

The hEX-S seems to be blocking certain (outbound) ports.

Connecting by RDP to a computer at an address like foo-rdp.my_dyndns.tld:3389 works great.
I can also access a website on the remote host when a port is not specified, i.e. https://foo-website.mydyndns.tld . . . or if I redundantly specify the HTTPS port, i.e. https://foo-website.mydyndns.tld:443

HOWEVER, connecting by SSH and/or HTTPS does not work.
For example, these do not work:

  • foo-ssh.mydyndns.tld:2200
  • foo-webmin.mydyndns.tld:10000

The remote host in question is accessible from various machines (at different locations) not connected to a MikroTik router. Moreover (thinking that the ISP might be blocking some ports) I took the hEX-S out of the loop and connected directly to the modem. When the hEX-S is eliminated, I can connect on any ports . . .

Where do I start looking? Is this a firewall issue on the hEX-S (nothing is obvious there)? Something else?

After years’ basic networking experience with other routers and then DD-WRT, I am new to RouterOS and configured this (my first RouterOS setup) for my Mom’s home in January . . . with some (no longer available) help. BTW, from other locations I can successfully connect to the hEX-S and machines behind it, just not the other way around.

Thanks in advance!

The problem is certainly the hEX-S. Without looking at your config, it’s very difficult to guess what might have gone wrong.
As soon as you mentioned “I can successfully connect to the hEX-S and machines behind it, just not the other way around.”, it started to sound like a dst-nat issue.
If you set up port forwarding using dst-nat without specifying the in-interface, then you are applying dst-nat to all your outgoing traffic.
For example, if you have something like

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=22 protocol=tcp to-addresses=192.168.1.10 to-ports=22

then your hEX-S will also change the destination IP address of any outgoing SSH traffic to 192.168.1.10, and then obviously it won’t work.

The correct implementation is

add action=dst-nat chain=dstnat dst-port=22 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.10 to-ports=22

which would only apply to incoming traffic.

Thank you solar77 for your quick response.

Your assessment makes a lot of sense.

Some follow up questions:

  1. If I use webfig (all Linux machines here, so no WinBox), do I simply switch to the webfig terminal to paste the code you have proposed? (obviously taking a backup of the router configuration first)

  2. Is uploading detailed configuration information to the forum actually encouraged? Your response seems to indicate this would be OK.

  2a. Is there a good way to post a RouterOS configuration to the forum which does not expose sensitive information? For example, does a supout.rif file expose a MikroTik VPN address (i.e. foo-ID.sn.mynetname.net)? Or, worse, does it expose passwords and/or other sensitive stuff? Is there a better / preferred way?

  3. I have attached a screenshot of the hEX-S’ firewall (it’s very basic to start). This would almost certainly give a more complete picture of my problem. Looking at the “chain” column, I don’t see any entry with dstnat, so this is likely the problem.

  4. Per my original post, I need to connect to a number of remote services, not just SSH. Is there a reasonably secure way to create a “catch-all” rule that would allow SSH, HTTP(S), VNC and other traffic through without specifying each port? This may be important as (for example) I have different SSH ports open on other routers in the case where multiple machines are “exposed” to SSH connections.

  5. Any idea (from the screenshot, maybe) why RDP and basic HTTP (with no specified port) is working?

Thanks so much for any further possible help. RouterOS seems really powerful, but as many others have pointed out, the initial learning curve is quite steep.
hEX-S firewall.initial config.2020-10-09.png

I had two minor "AHA"s

  1. I was able to add your code to the terminal window (updating with port numbers specific to my implementation). Unfortunately, the terminal window does not seem to allow pasting in any way. What a pain. (Am I missing something re: pasting into the terminal window?!)

  2. This did not result in the firewall rules visibly changing, then I found the “NAT” tab in firewall. Screenshot attached (including an edited version of your suggestion).
    hEX-S firewall.NAT.initial config.2020-10-09.png

Alas, I still cannot SSH to another remote host on port 2200.

Thanks in advance for any further insights.

Post the complete config:
/export file=sensitive file=anynameyouwish

What do you mean “no Winbox”? Winbox runs just fine on Linux and was designed to work with WINE straight out the box: https://techsoftcenter.com/how-to-run-winbox-mikrotik-on-linux-mint-ubuntu-etc/

As the other member suggested, post your config.

Hi DarkNate:

Thanks for pointing out WinBox works well under WINE. In my experience many newer Windows programs often don’t work so nicely under WINE, so your comments are promising. It’s nice that MikroTik thought of this when designing WinBox. I’ll give it a shot after reading the linked article.

That said, with a couple particular (limited, even maybe?) use cases (such as connecting to a MikroTik device using MAC address – maybe particularly useful for initial setup and/or after resetting misbehaving wAPs ?) is there much reason to use WinBox over webfig? It seems that webfig is a pretty first-class interface to MikroTik devices (although everyone writing articles seems to prefer WinBox).

Thank you Anav for pointing out this existed! A subsequent search uncovered what seems to be the correct syntax when my first attempt was not properly redacted . . .

For other newbie visitors, I think you may have meant something more like:

/export hide-sensitive file=my-Security-Redacted-filename

“hide-sensitive” being the key to redacting the configuration file

I have attached my redacted hEX-S configuration file.

Being able to upload a complete yet (in particular) security-redacted configuration is a CLEAR win for MikroTik/RouterOS over consumer-grade routers. I anticipate this new “skill” just completely validated my decision to try out MikroTik. [ I further presume this will be super useful to copy “adapted” configurations to similar networking environments without having to configure a new setup on a setting-by-setting basis. This looks better than what I have been able to achieve with saved DD-WRT configuration files. ]

Thank you in advance for anyone who has some time to point me in the right way on my configuration.
2020-10-09.Redacted_hEX-S_Configuration.rsc (9.58 KB)

Modify the lines:

/ip firewall nat
add action=dst-nat chain=dstnat comment="RBG-Server: SSH" dst-port=2200 \
    protocol=tcp to-addresses=192.168.1.100 to-ports=2200
add action=dst-nat chain=dstnat comment="RBG-Server: Webmin" dst-port=10000 \
    protocol=tcp to-addresses=192.168.1.100

to:

/ip firewall nat
add action=dst-nat chain=dstnat comment="RBG-Server: SSH" dst-port=2200 \
    protocol=tcp to-addresses=192.168.1.100 to-ports=2200 out-interface-list=WAN 
add action=dst-nat chain=dstnat comment="RBG-Server: Webmin" dst-port=10000 \
    protocol=tcp to-addresses=192.168.1.100 out-interface-list=WAN

My apologies for the wrong syntax! Glad you found the right one!!

Recommend one bridge and use VLANs to separate subnets.
As for groupings, the better ways to accomplish this and also support firewall rules are
interface lists and address group lists.

Rule of thumb: if you have a whole single subnet or part of a subnet, use IP addresses.
If you have a group of interfaces, use an interface list.
If you have one or more specific IP addresses, use IP addresses.

Obviously since one can put subnets into address lists there is lots of flexibility but I tend to keep address lists to when I have individual IPs in the mix.

Just a heads up the best ref for vlans is
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

I will look at your config soon, just need to go shopping first… Not sure I agree with the poster above me, I wouldn’t jump on it yet.
Change your config to a single bridge and read the ref first.

It’s almost like a hairpin nat. The forward rule matches packets going to ports 2200 or 10000 even going “out” from LAN to internet.
It’s a “wrong” config as presented in one of the MUM events.
I have “used” this approach until I learned this is not the best and more specific is better.

Comments:

  1. USE only one bridge!
  2. USE interface lists or address lists or my preference is vlans to separate subnets.
    ++++++++++++++++++++++++++++++++++++++++
    The above are suggestions but not necessary.

(3) The below is a problem, as quite clearly you can’t have both using the same address!!
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=192.168.1.0
add address=192.168.1.1/24 interface=Bridge-LAN_Ethernet+wAP-Ports network=192.168.1.0

I think clearly you meant this for the first one to be…
add address=192.168.2.1/24 interface=Bridge_for_Guest-WiFi network=192.168.2.0

(4) Potentially Missing an entry for interface lists? (depends you may have excluded it due to winbox access control etc…)
/interface list member
add comment=defconf interface=Bridge-LAN_Ethernet+wAP-Ports list=LAN
add interface=Bridge_for_Guest-WiFi network list=LAN ??
add comment=defconf interface=ether1 list=WAN

So whats left.

(5) Destination NAT rules. Missing part of the rules for all, and that is: where is it coming from??
If dynamic you can detail the Fixed IP (destination address), if dynamic you detail the in-interface-list=WAN typically.

For example, the first rule:
add action=dst-nat chain=dstnat comment="RBG-Server: SSH" dst-port=2200 protocol=tcp to-addresses=192.168.1.100 to-ports=2200

Could be…
add action=dst-nat chain=dstnat comment="RBG-Server: SSH" dst-address=xx.xxx.xx.xx dst-port=2200 protocol=tcp to-addresses=192.168.1.100 (fixed WANIP address; note: to-ports is not required if identical to dst-port, as you did with the rest of the rules oddly enough)
OR
add action=dst-nat chain=dstnat comment="RBG-Server: SSH" dst-port=2200 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.100 (dynamic WANIP address)

(6) You have a duplicate in that you tried to define using port 2200 twice??? Get rid of one of them. In other words, you cannot forward the same port to two different IP addresses on the LAN.

(7) Lastly sourcenat if you have a dynamic WANIP that looks fine.

As for the one created for VPN, I am not knowledgeable enough to know if this is required, appropriate or correct. ☹
?add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
?

By the way, your port forwarding rules… could be encapsulated in two rules LOL.

add action=dst-nat chain=dstnat dst-port=2200,5900,10000 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.100

add action=dst-nat chain=dstnat dst-port=2210,3389,5910,10010 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.110


If for some reason you needed to access port 2200 on a different device, you have two options: change the port number on one of the devices/servers such that you don’t duplicate 2200, OR use port translation. In other words, you come at the router, externally, with a different port as follows.

add action=dst-nat chain=dstnat dst-port=22000 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.100 to-ports=2200

In this way the router will be able to track an external WANIP request coming in on port 22000, is supposed to go to IP 192.168.1.1 on port 2200.
The router should then be able to route the return traffic properly.
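As an added example (not from this thread, MikroTik or any poster), a small Python audit of a RouterOS `/export` that applies solar77’s point (a dstnat rule with no in-interface, in-interface-list or dst-address also rewrites LAN-originated traffic) and Anav’s item (6) (the same port forwarded to two hosts). The export text is constructed here from the rules quoted above; the parser only reads the `/ip firewall nat` section and assumes the standard trailing-backslash line continuations.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample export modelled on the rules quoted in this thread (not the
# poster's .rsc): rules 1-2 lack an ingress match, rule 3 is correct, and
# tcp/2200 is forwarded to two different hosts.
SAMPLE_EXPORT = """\
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment="RBG-Server: SSH" dst-port=2200 \\
    protocol=tcp to-addresses=192.168.1.100 to-ports=2200
add action=dst-nat chain=dstnat comment="RBG-Server: Webmin" dst-port=10000 \\
    protocol=tcp to-addresses=192.168.1.100
add action=dst-nat chain=dstnat comment="Second host" dst-port=2200 \\
    in-interface-list=WAN protocol=tcp to-addresses=192.168.1.110
"""
# Any one of these limits a dstnat rule to traffic arriving from the WAN side.
INGRESS_KEYS = ("in-interface", "in-interface-list", "dst-address")


def parse_nat_rules(export_text):
    """Return the 'add' rules of the /ip firewall nat section as dicts."""
    joined = re.sub(r"\\\n\s*", " ", export_text)  # re-join '\' continuations
    rules, section = [], None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif section == "/ip firewall nat" and line.startswith("add "):
            # shlex keeps quoted values such as comment="RBG-Server: SSH" whole
            rules.append(dict(tok.split("=", 1) for tok in shlex.split(line)[1:]))
    return rules


def audit_dstnat(rules):
    """Flag dst-nat rules that also catch LAN-originated traffic, and duplicate forwards."""
    findings, targets = [], defaultdict(set)
    for i, r in enumerate(rules):
        if r.get("action") != "dst-nat" or r.get("chain") != "dstnat":
            continue
        if not any(k in r for k in INGRESS_KEYS):
            findings.append(("no-ingress-match", r.get("comment", f"rule {i}")))
        for port in r.get("dst-port", "").split(","):
            targets[(r.get("protocol"), port)].add(r.get("to-addresses"))
    for (proto, port), hosts in targets.items():
        if len(hosts) > 1:
            findings.append(("duplicate-forward", f"{proto}/{port} -> {sorted(hosts)}"))
    return findings
```

Running `audit_dstnat(parse_nat_rules(SAMPLE_EXPORT))` reports the SSH and Webmin rules as having no ingress match and tcp/2200 as forwarded to both 192.168.1.100 and 192.168.1.110; point it at the output of `/export hide-sensitive` to check a real router.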

Thank you grno!

This looked so promising (and seemed to make sense).
However, adding the “out-interface-list=WAN” via WebFig I get the error:
“Couldn’t change NAT Rule <> - outgoing interface matching not possible in input and prerouting chains (6)”

Also (curious, does anyone know) what is the logic in naming “Out. Interface” and “Out. Interface List” so similarly ? The first shows physical ports, bridges, etc., the second shows stuff which seems to be a conceptual step “up” (LAN, WAN, etc.)

No problem. Your incorrect syntax at the very least pointed me in the direction of a useable search term!

🙂

I am visiting my Mom again and decided to take another stab at this while my kids are playing with grandma! 🙂


I re-read the comment by @solar77 and realized that @gnro’s advice was likely a minor typo and should have read “in-interface-list=WAN”.

I updated my configuration thusly and I now have bidirectional access of machines on these ports.

Thanks to all who helped.

This solved my immediate “pain” . . . my next step will be to consider using a single bridge and VLANs and other best practices described in this thread! Looks like I have a lot of reading ahead!

All doable, Gluck! Will be here when you need help!!

Thanks!

I am starting to read about (your suggestions regarding) using a single bridge and VLANs. It seems a bit counterintuitive to me at first, but the “Router-Switch-AP (all in one)” post seems exactly on point with a very common usage case for me and my clients.

Curious: although it’s probably moot with the relatively small amounts of data we push, wouldn’t separating out guest users with multiple bridges (which occur at the hardware level) be faster than segmenting with VLANs (which occur at the software level, right?) ?

Question above me, in that I have always thought bridges were software driven entities not hardware.
I like to keep it simple, one bridge is enough, just like one woman is enough!!