Forward SSH from static IP to internal network

vds · May 10, 2021, 9:27pm

Hi All,
I read tons of forum posts and articles, but I still can’t make it work.
I’m trying to reach an internal machine from outside my LAN using my static IP.
This is the NAT rule I added:
/ip firewall nat add action=dst-nat chain=dstnat comment=“Forward SSH for access point on port 2022” dst-address=151.167.8.12 dst-port=2022 protocol=tcp to-addresses=192.168.88.3 to-ports=22

The SSH client times out with this output:

OpenSSH_7.6p1 Ubuntu-4ubuntu0.4, OpenSSL 1.0.2n 7 Dec 2017
debug1: Reading configuration data /home/vds/.ssh/config
debug1: /home/vds/.ssh/config line 27: Applying options for 151.167.8.12
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 151.167.8.12 [151.167.8.12] port 2022.
debug1: connect to address 151.167.8.12 port 2022: Connection timed out
ssh: connect to host 151.167.8.12 port 2022: Connection timed out

How do I fix this?
Thanks,
vds

anav · May 11, 2021, 11:10am

post your config
/export hide-sensitive file=anynameyouwish

I am assuming you mean you are coming in from an external WAN connection (like coffee shop etc.) and wish to connect to your LAN through the public IP address of your Router??

vds · May 11, 2021, 7:46pm

Yes, exactly, this is the configuration:

may/11/2021 21:42:50 by RouterOS 6.48.2

software id = H4NZ-V3MV

model = RB4011iGS+5HacQ2HnD

serial number = D43B0CA7221D

/interface bridge
add admin-mac=48:8F:5A:9E:72:0D auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=
20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto
installation=indoor mode=ap-bridge secondary-channel=auto ssid=
MikroTik-9E7217 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX
disabled=no distance=indoors frequency=auto installation=indoor mode=
ap-bridge ssid=MikroTik-5BA045 wireless-protocol=802.11
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=
dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=
192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.88.3 client-id=
ff:e4:e7:6c:68:0:2:0:0:ab:11:42:ce:4b:46:79:c0:5d:51 mac-address=
DC:A6:32:CC:04:7F server=defconf
add address=192.168.88.2 client-id=
ff:87:e6:51:c7:0:2:0:0:ab:11:e5:e6:1c:f0:cd:a8:7b:76 mac-address=
B8:27:EB:53:D8:1F server=defconf
add address=192.168.88.248 mac-address=AC:ED:5C:A7:6D:09 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=192.168.88.2
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=
“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN
add action=accept chain=forward comment=“defconf: accept in ipsec policy”
ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy”
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade”
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=“Forward SSH to rp02” dst-address=
151.167.8.12 dst-port=2022 log=yes log-prefix=“Forward SSH” protocol=
tcp to-addresses=192.168.88.3 to-ports=22
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.88.0/24
set ssh address=192.168.88.0/24
set www-ssl address=192.168.88.0/24
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Zurich
/system leds
add interface=wlan2 leds=“wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le
d,wlan2_signal4-led,wlan2_signal5-led” type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

anav · May 11, 2021, 8:21pm

a quick look dont see why its not working assuming you have indicated your public IP (hopefully just an example and not the actual)??
Also this has nothing to do with the SSH settings on the router right?

add action=dst-nat chain=dstnat comment=“Forward SSH to rp02” dst-address=
151.167.8.12 dst-port=2022 log=yes log-prefix=“Forward SSH” protocol=
tcp to-addresses=192.168.88.3 to-ports=22

mkx · May 11, 2021, 8:36pm

@vds, I’d like to draw your attention to what @anav already asked: are you actually trying to connect from WAN side of your router? Because your current config won’t do for connecting to public address from LAN side of your router.

vds · May 11, 2021, 8:38pm

Nothing to do with the SSH settings of the router, no.

anav · May 11, 2021, 9:41pm

Just for giggles,
I want you to try this.
Put this in your source nat config in addition to the existing sourcenat rule.

add chain=srcnat action=masquerade source-address=192.168.88.0/24 destination-address=192.168.88.0/24

See if that helps!

vds · May 15, 2021, 12:35pm

@anav So, I was testing it wrong and it was already working from the outside, thank you and @mkx for pointing it out.
Anyway, with your last rule, it works also from inside the LAN, which is what I also wanted, shall I keep the rule or it’s not a good idea?

anav · May 15, 2021, 2:07pm

No the rule should stay if you want inside users to connect via the WANIP of the router.

vds · May 16, 2021, 8:44am

Great, thanks @anav!

anav · May 16, 2021, 12:34pm

I just pass on the information I learned here, if you want to thank somebody thank MKX, who pointed it out to me long ago.
To be truly helpful I would explain why this works, if I could.
It has something to do with
a. router takes shortcuts sometimes in certain cases where the ip address is local on the router and can bypass connection tracking.
b. so when the the router sees the packets coming back from the server responding to the request, instead of sending it through NAT and back to the original destination IP it sees the answer coming back from the same subnet as the request and simply routes the return packet directly to the originator (however, the originator machine is expecting the packet back from the WANIP and rejects the packet coming from the local server IP).
c. so one can either change the subnet the server is on, and for this the router respects the NAT process OR as per the rule that MKX providing,
in this case the source IP from the originator is also changed, what happens after is a mystery to me but it works… as I dont see how the source nat will help, as I get lost in what the router will see on the reply and how it handles the reverse action of the extra source nat rule, and yet ignores the dilemma of what caused the problem in the first place