Hi
Just bought a new CRS125 to test it in my client’s company. It looks like everything is okay except for a strange problem with ssh to the router.
I use ethernet ports 2 to 24 as a LAN switch and ethernet 1 as the gateway port to the ISP. The config is very simple: a few filter rules (drop on ssh bruteforce), a few dnat rules, a pptp-client connection, a bridge (ethernet2 as master port + wireless) and a dhcp server. No mangle, no queues, no VLANs or stuff like that in this config.
Exactly the same config (except for the number of ethernet ports, of course) is running great on 17 RB951 and 4 RB450 in my other clients’ companies.
The problem is weird and I can’t find what I am doing wrong:
I can access the router by ssh only from ethernet 2 to 24 and via the pptp tunnel. And I have NO filter rules or any other rules that could cause this.
ip firewall filter print:
0 ;;; default configuration
chain=input action=accept protocol=icmp log=no log-prefix=""
1 ;;; default configuration
chain=input action=accept connection-state=established log=no log-prefix=""
2 ;;; default configuration
chain=input action=accept connection-state=related log=no log-prefix=""
3 chain=input action=drop connection-state=new protocol=tcp src-address-list=blacklist dst-port=22 log=no log-prefix=""
4 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=suspect3 address-list=blacklist address-list-timeout=1m dst-port=22 log=no log-prefix=""
5 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=suspect2 address-list=suspect3 address-list-timeout=1m dst-port=22 log=no log-prefix=""
6 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=suspect1 address-list=suspect2 address-list-timeout=1m dst-port=22 log=no log-prefix=""
7 chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=suspect1 address-list-timeout=1m dst-port=22 log=no log-prefix=""
8 chain=input action=accept protocol=tcp dst-port=22 log=no log-prefix="ssh"
9 ;;; default configuration
chain=input action=drop in-interface=ether1-gateway log=no log-prefix="drop"
10 ;;; default configuration
chain=input action=drop in-interface=sfp1-gateway log=no log-prefix=""
11 ;;; default configuration
chain=forward action=accept connection-state=established log=no log-prefix=""
12 ;;; default configuration
chain=forward action=accept connection-state=related log=no log-prefix=""
13 ;;; default configuration
chain=forward action=drop connection-state=invalid log=no log-prefix=""
ip firewall nat print:
0 ;;; default configuration
chain=srcnat action=masquerade out-interface=ether1-gateway log=no log-prefix=""
1 chain=dstnat action=dst-nat to-addresses=192.168.0.244 to-ports=22 protocol=tcp dst-address=185.15.x.x dst-port=10024 log=no log-prefix=""
2 chain=dstnat action=dst-nat to-addresses=192.168.0.252 to-ports=443 protocol=tcp src-address=95.x.x.x dst-address=185.15.x.x log=no log-prefix=""
3 chain=dstnat action=dst-nat to-addresses=192.168.0.252 to-ports=902 protocol=tcp dst-address=185.15.x.x log=no log-prefix=""
4 chain=dstnat action=dst-nat to-addresses=192.168.0.244 to-ports=5060 protocol=tcp src-address=82.208.x.x dst-address=185.15.x.x dst-port=5060 log=no log-prefix=""
5 chain=dstnat action=dst-nat to-addresses=192.168.0.244 to-ports=5060 protocol=udp src-address=82.208.x.x dst-address=185.15.x.x dst-port=5060 log=no log-prefix=""
6 chain=dstnat action=dst-nat to-addresses=192.168.0.244 to-ports=10000-20000 protocol=tcp src-address=82.208.x.x dst-address=185.15.x.x dst-port=10000-20000 log=no log-prefix=""
7 chain=dstnat action=dst-nat to-addresses=192.168.0.244 to-ports=10000-20000 protocol=udp src-address=82.208.x.x dst-address=185.15.x.x dst-port=10000-20000 log=no log-prefix=""
8 chain=dstnat action=dst-nat to-addresses=192.168.0.2 to-ports=3389 protocol=tcp dst-address=185.15.x.x dst-port=33390 log=no log-prefix=""
9 chain=dstnat action=dst-nat to-addresses=192.168.0.6 to-ports=3389 protocol=tcp dst-address=185.15.x.x dst-port=33391 log=no log-prefix=""
ip address print:
0 ;;; default configuration
192.168.0.254/24 192.168.0.0 bridge-local
1 185.15.x.x/30 185.15.x.x-1 ether1-gateway
2 D 192.168.41.13/32 192.168.41.254 itr
IP route print:
0 A S 0.0.0.0/0 185.15.x.x-1 1
1 ADC 185.15.x.x/30 185.15.x.x+1 ether1-gateway 0
2 ADC 192.168.0.0/24 192.168.0.254 bridge-local 0
3 ADC 192.168.41.254/32 192.168.41.13 itr 0
ip service print
0 X telnet 23
1 X ftp 21
2 X www 80
3 ssh 22
4 X www-ssl 443 none
5 X api 8728
6 X winbox 8291
7 X api-ssl 8729 none
interface ethernet print
0 R ether1-gateway 1500 D4:CA:6D:1E:2E:1D enabled none switch1
1 RS ether2-master-local 1500 D4:CA:6D:1E:2E:1E enabled none switch1
2 RS ether3-slave-local 1500 D4:CA:6D:1E:2E:1F enabled ether2-master-local switch1
3 RS ether4-slave-local 1500 D4:CA:6D:1E:2E:20 enabled ether2-master-local switch1
4 RS ether5-slave-local 1500 D4:CA:6D:1E:2E:21 enabled ether2-master-local switch1
5 RS ether6-slave-local 1500 D4:CA:6D:1E:2E:22 enabled ether2-master-local switch1
6 RS ether7-slave-local 1500 D4:CA:6D:1E:2E:23 enabled ether2-master-local switch1
7 RS ether8-slave-local 1500 D4:CA:6D:1E:2E:24 enabled ether2-master-local switch1
8 RS ether9-slave-local 1500 D4:CA:6D:1E:2E:25 enabled ether2-master-local switch1
9 RS ether10-slave-local 1500 D4:CA:6D:1E:2E:26 enabled ether2-master-local switch1
10 RS ether11-slave-local 1500 D4:CA:6D:1E:2E:27 enabled ether2-master-local switch1
11 RS ether12-slave-local 1500 D4:CA:6D:1E:2E:28 enabled ether2-master-local switch1
12 RS ether13-slave-local 1500 D4:CA:6D:1E:2E:29 enabled ether2-master-local switch1
13 S ether14-slave-local 1500 D4:CA:6D:1E:2E:2A enabled ether2-master-local switch1
14 S ether15-slave-local 1500 D4:CA:6D:1E:2E:2B enabled ether2-master-local switch1
15 RS ether16-slave-local 1500 D4:CA:6D:1E:2E:2C enabled ether2-master-local switch1
16 RS ether17-slave-local 1500 D4:CA:6D:1E:2E:2D enabled ether2-master-local switch1
17 S ether18-slave-local 1500 D4:CA:6D:1E:2E:2E enabled ether2-master-local switch1
18 S ether19-slave-local 1500 D4:CA:6D:1E:2E:2F enabled ether2-master-local switch1
19 S ether20-slave-local 1500 D4:CA:6D:1E:2E:30 enabled ether2-master-local switch1
20 S ether21-slave-local 1500 D4:CA:6D:1E:2E:31 enabled ether2-master-local switch1
21 S ether22-slave-local 1500 D4:CA:6D:1E:2E:32 enabled ether2-master-local switch1
22 S ether23-slave-local 1500 D4:CA:6D:1E:2E:33 enabled ether2-master-local switch1
23 S ether24-slave-local 1500 D4:CA:6D:1E:2E:34 enabled ether2-master-local switch1
24 sfp1-gateway 1500 D4:CA:6D:1E:2E:35 enabled none switch1
system package update print
current-version: 6.19
system routerboard print
routerboard: yes
model: CRS125-24G-1S-2HnD
serial-number: 49C6029BA022
current-firmware: 3.18
upgrade-firmware: 3.18
When I try to connect from the internet, the sniffer shows that I get packets on ether1 to dst-port 22 and that the router answers these packets, but nothing happens.
When I disable firewall filter rules 3,4,5,6,7,8,9 nothing changes. I still see packets coming in on ether1 and still nothing.
Filter rules 8 and 9 aren’t logging anything when I connect from the internet. Rule 8 is logging ssh connections from the LAN and the pptp tunnel (I intentionally did not specify dst-address).
I don’t really believe in Mikrotik ssh bugs, so tell me what I did wrong with this RB.
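Added example (editor's code, not from the post above and not MikroTik's): a small Python model of what filter rules 3 to 8 in the post do to a stream of new SSH connections from one source. It walks the rules in the order printed, treats add-src-to-address-list as a non-terminating action (the packet continues down the chain, as it does in RouterOS) and assumes, as a modelling choice, that re-adding an address that is already on a list refreshes its 1m timeout. The sample connection attempts and the source addresses are constructed. The point it makes visible is the escalation threshold: because the drop on blacklist (rule 3) sits above the rule that adds to blacklist (rule 4), the fourth new connection inside the timeout window is still accepted and only the fifth onward is dropped, until the lists expire.

```python
from dataclasses import dataclass, field

# Every address-list rule in the post uses address-list-timeout=1m.
LIST_TIMEOUT = 60.0


@dataclass
class AddressLists:
    """Dynamic address lists: list name -> {address: expiry timestamp}."""
    lists: dict = field(default_factory=dict)

    def contains(self, name: str, addr: str, now: float) -> bool:
        expiry = self.lists.get(name, {}).get(addr)
        return expiry is not None and expiry > now

    def add(self, name: str, addr: str, now: float) -> None:
        # Modelling assumption: re-adding a listed address refreshes its timeout.
        self.lists.setdefault(name, {})[addr] = now + LIST_TIMEOUT


# Rules 4..7 of the post in evaluation order:
# (list matched by src-address-list, list the source is added to).
# None means the rule has no src-address-list and matches every new SSH connection.
ESCALATION_RULES = [
    ("suspect3", "blacklist"),  # rule 4
    ("suspect2", "suspect3"),   # rule 5
    ("suspect1", "suspect2"),   # rule 6
    (None, "suspect1"),         # rule 7
]


def evaluate_ssh_attempt(lists: AddressLists, src: str, now: float) -> str:
    """Walk filter rules 3..8 for one connection-state=new TCP packet to dst-port 22."""
    # rule 3: drop if the source is already blacklisted
    if lists.contains("blacklist", src, now):
        return "drop"
    # rules 4..7: add-src-to-address-list does not stop rule processing,
    # so every matching rule fires and the packet continues down the chain.
    # Checking the most severe list first keeps one packet from cascading
    # through all four lists at once.
    for match_list, target_list in ESCALATION_RULES:
        if match_list is None or lists.contains(match_list, src, now):
            lists.add(target_list, src, now)
    # rule 8: accept tcp/22 (the rule with log-prefix="ssh")
    return "accept"


def simulate(attempts):
    """attempts: iterable of (time_in_seconds, src_address); returns one verdict per attempt."""
    lists = AddressLists()
    return [evaluate_ssh_attempt(lists, src, t) for t, src in attempts]


# Constructed sample: one source opens five SSH connections within a few seconds,
# an unrelated source connects once, the first source retries while still listed,
# and then comes back after all its list entries have expired.
SAMPLE_ATTEMPTS = [
    (0.0, "203.0.113.10"),
    (1.0, "203.0.113.10"),
    (2.0, "203.0.113.10"),
    (3.0, "203.0.113.10"),
    (4.0, "203.0.113.10"),
    (5.0, "198.51.100.7"),
    (30.0, "203.0.113.10"),
    (65.0, "203.0.113.10"),
]

if __name__ == "__main__":
    for (t, src), verdict in zip(SAMPLE_ATTEMPTS, simulate(SAMPLE_ATTEMPTS)):
        print(f"t={t:5.1f}s  {src:15}  {verdict}")
```

Running it shows accept for the first four attempts from 203.0.113.10, drop for the fifth and for the retry at 30 s, accept for the unrelated source, and accept again at 65 s once the blacklist entry created at 3 s has expired. Changing the threshold means changing the depth of the suspect chain, not the order of the drop rule; moving rule 3 below rule 4 would make the fourth attempt the first dropped one.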