Can't SSH to Linux box after installing mikrotik 750g

Hi, I’m completely new to all of the crazy amount of features this router comes with, and if not for the backup/restore feature I would’ve broken my LAN about 12 times now.

Everything works internally. All my PCs can get to the net.

The problem is I can’t SSH to my linux server outside of my network now. I can from PC-to-Linux in my LAN, but as soon as it’s from another IP it tells me ‘Access Denied’. Now please understand, it’s not a routing/port forwarding problem at all. I get the Login prompt and it even proceeds to ask for my password. But I can’t get in, even with the right password. I KNOW it’s the right password because it’s the exact same one I use to SSH inside my LAN and it works perfectly.

This sounds like an issue with the settings on my linux server, but I never had this problem until I installed this router. And if I put my old router back, I can again connect from an external IP.

Any suggestions at all would be incredibly appreciated. I have been working on this problem all weekend but am nowhere closer to figuring out where the problem even is.

I’ve attached a screenshot of my winbox settings with Firewall->NAT which is where I’m guessing I should be looking.
winbox.png

It sounds to me that you are SSHing to your router and not your server. Have you set up any NAT yet?

I think CBrown is correct. It appears that your Dst-nat rule isn’t quite correct.

Mikrotik firewall rules are based around IP tables, which can take a little bit to get used to. When looking at the winbox interface for a rule, the first three tabs (General, Advanced, Extra) are all dedicated to selecting which packets will be manipulated. The actual rule of what to do with the packets is under action.

So under the General tab
Src. Address: Used to limit the Dnat to only a specific source (IE, only open SQL access to a contractor with a static IP). If you want a connection from anywhere, leave it blank.
Dst. Address: The address the packet comes in with, not the computer we want to send it to. If you have a static WAN IP, then put that here. If you get your WAN IP by DHCP, leave this blank and just use In Interface.
Protocol: you already have the correct TCP selected.
Dst. Port: Port you want forwarded. For SSH, this is 22.
In Interface: The interface the packets come in on. Set this to your WAN interface.

Under the Action tab,
Action: Dst-nat
To Address: The IP of the PC you want the port forwarded to
To Ports: The port you want to forward to. This can be useful if you want to bind a different external port to the internal.


To do this by the command line with a static IP:

/ip firewall nat
add action=dst-nat chain=dstnat comment="Forward SSH to <Server>" disabled=no \
    dst-address=<Static WAN IP> dst-port=22 protocol=tcp \
    to-addresses=<Server's internal IP> to-ports=22

For a DHCP WAN:

/ip firewall nat
add action=dst-nat chain=dstnat comment="Forward SSH to <Server>" disabled=no \
    in-interface=<WAN Interface Name> dst-port=22 protocol=tcp \
    to-addresses=<Server's internal IP> to-ports=22

For more information, you can always check out the Wiki:
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT
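
Added example, not part of the original thread: a small check that reads the SSH identification banner on a port without logging in, to tell whether the router's own SSH service or the Linux server is answering on the WAN side. It assumes RouterOS announces itself as "ROSSSH" and the server runs OpenSSH; the function names and the marker table are made up for this illustration.

```python
import socket

# Assumption: RouterOS's built-in SSH service announces itself as "ROSSSH" and
# the Linux server runs OpenSSH. Adjust the markers to match your own devices.
MARKERS = {"ROSSSH": "router (RouterOS SSH service)", "OpenSSH": "server (OpenSSH)"}


def parse_ident(data: bytes) -> str:
    """Return the SSH identification line (RFC 4253, section 4.2).
    Servers may send other lines before the "SSH-" line, so scan every line."""
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r").decode("ascii", errors="replace")
        if line.startswith("SSH-"):
            return line
    raise ValueError("no SSH identification string received")


def classify(ident: str) -> str:
    """Map 'SSH-<proto>-<software>[ comments]' to the device that likely sent it."""
    parts = ident.split("-", 2)
    software = parts[2] if len(parts) == 3 else ""
    for marker, label in MARKERS.items():
        if software.startswith(marker):
            return label
    return "unknown"


def read_ident(sock: socket.socket, limit: int = 4096) -> str:
    """Read from a connected socket until a complete identification line arrives."""
    buf = b""
    while len(buf) < limit:
        chunk = sock.recv(256)
        if not chunk:
            break
        buf += chunk
        try:
            # Only parse fully received (newline-terminated) lines.
            return parse_ident(buf[: buf.rfind(b"\n") + 1])
        except ValueError:
            continue
    raise ValueError("no SSH identification string received")


def who_answers(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Connect, read the banner without authenticating, and classify the sender."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return classify(read_ident(sock))
```

Run `who_answers()` against your WAN address from outside the LAN: a "router" result means the dst-nat rule did not match and the packet was handled by the router itself, while a timeout points at filtering or a wrong To Address/To Ports.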


@CC_DKP

Sorry for the delay in responding as I’ve been at work all day. But you were absolutely right, it was trying to ssh into the router itself. I felt so retarded that I didn’t realize it initially, but I digress.

I haven’t been able to try all of the suggestions given yet, but I will asap and report back. Yes, it’s definitely a NAT issue, but however I set it up to forward port 22 it didn’t seem to work.

Eventually I just changed the port Linux was listening on so I could connect to both my router and linux server if I wanted to.

So now I can connect to my router fine, it’s just setting up that NAT for linux ssh port.


Thanks again!

Ok, I have it set up exactly how it was explained. Unfortunately, I still can’t get in. The error is simply “Network error: Connection Timed out”.

I’ve attached supout.rif (renamed to supout.txt so I could upload, rename back) and two images of my Firewall window, one is the Filter Values and one is the NAT.

All I want is ssh to work with port 25. I was thinking I needed udp as well so I put that in and forwarded it to the server with 0-65535 ports open.

Any suggestions are greatly appreciated!
supout.txt (305 KB)
NAT.png
filter_rules.png

Export your firewall and paste it here.

/ip firewall export