I am not able to understand firewalling and natting

OK, I come from a Zyxel firewall that I manage with no problems at all.
I am not able, as an example, to forward ssh to an internal computer.
I think I created a firewall pass rule and a NAT rule, but it does not go through.
Also I am not able to connect to the router via ssh from my inside…

I have been searching but did not find any help…

ciao

Perhaps you could paste a bit of config you’ve tried?

hello, yes.
First I set up a firewall rule: chain forward, protocol tcp, dst port 22, accept.
Then I set up a NAT rule: chain dstnat, dst address xx.xx.xx.xx, protocol tcp, dst port 22, action dstnat, dst address xx.xx.xx.xx, to port 22

If I try to ssh to my internal machine I get this log:
dstnat: in:ether1-gateway out:(none), src-mac 88:f0:31:73:7b:64, proto TCP (SYN), 58.218.213.254:40222->xxx.x.xx.xx:22, len 60

forward: in:ether1-gateway out:bridge-local, src-mac 00:19:cb:c4:d3:49, proto TCP (SYN), 192.168.2.100:40227->192.168.192.190:22, NAT 192.168.2.100:40227->(xxx.x.xxx.xx:22->192.168.192.190:22), len 60

no connection is set up.

I tried searching but did not find any help…

Also the router does not answer to ssh from my internal LAN…

??? :confused:

thank you!!

It looks like you have at least 2 LAN segments
192.168.2.x
192.168.192.x

It looks like you’re mapping ssh to host 192.168.192.190

I see some extra src nat is taking place where the ssh request is being src natted to 192.168.2.100

This is probably not what you want. For a basic NAT pinhole, you really only need 2 rules in the NAT configuration:
/ip firewall nat
add chain=srcnat out-interface=ether1-gateway action=masquerade
add chain=dstnat dst-address=xx.xx.xx.xx protocol=tcp dst-port=22 action=dst-nat to-addresses=192.168.192.190

If you also need hairpin support, add one more rule to srcnat chain:
add chain=srcnat src-address=192.168.192.0/24 out-interface=bridge-local action=masquerade

I’m not sure where the 192.168.2.x in your logs comes from…

hello zero, thank you for your reply.
The address 192.168.2.100 is the original address of the computer I am ssh-ing from, which is NATted 1:1 with a public address.
I do not really understand why I see it.
I have an 8 static IP assignment and I am connecting from one public IP to another, where the 2 computers are NATted.

Also I cannot ssh to the MikroTik from my LAN, why?

ciao and thanks!

If you built the dstnat rule poorly, then it’s going to act on packets that it shouldn’t.
In this case, your rule probably just says “all tcp packets whose destination port is 22 → nat them to 192.168.192.190.”

You can either insert a rule before this rule, which says “accept packets whose destination IP is my LAN IP” - to stop NAT from happening on these…

or you could add the criteria dst-address=wan.ip.of.router to the existing rule (I recommend this method)

so in general, since you’re natting to different public IP addresses - you’re going to need a few rules to make it all work right:

/ip firewall nat
add chain=srcnat src-address=192.168.192.190 action=src-nat to-addresses=x.x.x.1
add chain=srcnat src-address=192.168.2.0/24 action=src-nat to-addresses=x.x.x.2
add chain=srcnat src-address=192.168.192.0/24 action=src-nat to-addresses=x.x.x.2
add chain=dstnat dst-address=x.x.x.1 action=dst-nat to-addresses=192.168.192.190

Basically, I assume that x.x.x.2 is the public IP for general purpose outbound Internet for most computers. 192.168.192.190 is special in that it gets its own IP 1:1 - so it gets two rules - a srcnat rule that must come before the other srcnat rules… and a dstnat rule.

If you only want to allow ssh to reach this host from the outside, then create a filter rule
(do --NOT-- use protocol/port to limit the NAT rule - that’s a bad habit - if it’s a 1:1 address, then nat it 1:1 and filter it with filter rules)

/ip firewall filter
add chain=forward in-interface=wan dst-address=192.168.192.190 protocol=tcp dst-port=22 action=accept
add chain=forward in-interface=wan action=drop

Dear Zero, thank you very much for your hints.
I am traveling this week; as soon as I am back I will give it a try.

thank you very much!

ciao

here I am again…
Therefore, if I would like to grant another computer access on port 12000, I should insert the rule
add chain=forward in-interface=wan dst-address=192.168.192.222 protocol=tcp dst-port=12000 action=accept

right? :smiley:

thank you!

Assuming that you have a NAT rule in place that maps some public IP address to host 192.168.192.222, yes, this forward rule is exactly how you permit the traffic in your filter.

I love you zero… :slight_smile:

Sunday I will be back home and will try…

ciao!!

in case you didn’t add the destination NAT rule:
/ip firewall nat add chain=dstnat dst-address=x.x.x.3 action=dst-nat to-addresses=192.168.192.222

See - this creates 1:1 nat for a new public IP address to the new private server address, but the filter rule you gave will limit this server to only tcp:12000

You’ll also want to add:
add chain=srcnat src-address=192.168.192.222 action=src-nat to-addresses=x.x.x.3

but make sure this rule is before the one which matches src-address=192.168.192.0/24
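The two rule-ordering points made in the replies above (a dstnat rule that matches only protocol/port also catches ssh aimed at the router's own LAN address, and a per-host 1:1 src-nat rule must sit before the broader /24 rule) can be checked with a small first-match simulator. This is an added example, not code from the thread or from RouterOS: it models only the address rewrite of the dstnat and srcnat chains, not connection tracking, reply packets or the filter chains. The addresses 203.0.113.1/.2/.3 are constructed stand-ins for x.x.x.1/.2/.3, 192.168.192.1 is an assumed LAN address for the router, and 198.51.100.7 is an assumed external host.

```python
"""First-match simulator for RouterOS-style dstnat/srcnat chains (added example).

Constructed stand-ins: 203.0.113.1/.2/.3 for x.x.x.1/.2/.3 in the thread,
192.168.192.1 as the router's LAN address, 198.51.100.7 as an outside host.
"""
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0
    in_iface: str = ""


def _in(addr, spec):
    # A rule without an address criterion matches any address.
    if spec is None:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule, pkt):
    """True when every criterion present in the rule matches the packet."""
    return (_in(pkt.src, rule.get("src-address"))
            and _in(pkt.dst, rule.get("dst-address"))
            and rule.get("protocol") in (None, pkt.proto)
            and rule.get("dst-port") in (None, pkt.dport)
            and rule.get("in-interface") in (None, pkt.in_iface))


def run_chain(rules, pkt):
    """Rules are tried top to bottom; the first match decides, as on the router."""
    for rule in rules:
        if matches(rule, pkt):
            if rule["action"] == "dst-nat":
                return replace(pkt, dst=rule["to-addresses"])
            if rule["action"] == "src-nat":
                return replace(pkt, src=rule["to-addresses"])
            return pkt  # accept: stop the chain, leave the packet alone
    return pkt


def translate(pkt, dstnat, srcnat):
    """dstnat runs first (prerouting), srcnat afterwards (postrouting)."""
    return run_chain(srcnat, run_chain(dstnat, pkt))


# The port-only rule the original poster described, and the corrected form.
DSTNAT_PORT_ONLY = [
    {"protocol": "tcp", "dst-port": 22, "action": "dst-nat", "to-addresses": "192.168.192.190"},
]
DSTNAT_FIXED = [
    {"dst-address": "203.0.113.1", "action": "dst-nat", "to-addresses": "192.168.192.190"},
    {"dst-address": "203.0.113.3", "action": "dst-nat", "to-addresses": "192.168.192.222"},
]

# Per-host 1:1 rules first, the catch-all /24 rule last ...
SRCNAT_ORDERED = [
    {"src-address": "192.168.192.190", "action": "src-nat", "to-addresses": "203.0.113.1"},
    {"src-address": "192.168.192.222", "action": "src-nat", "to-addresses": "203.0.113.3"},
    {"src-address": "192.168.192.0/24", "action": "src-nat", "to-addresses": "203.0.113.2"},
]
# ... and the same rules with the /24 rule on top, the ordering mistake warned about above.
SRCNAT_MISORDERED = SRCNAT_ORDERED[2:] + SRCNAT_ORDERED[:2]


def lan_ssh_to_router(dstnat):
    """Destination a LAN host's ssh to the router's LAN address ends up with."""
    pkt = Packet("192.168.192.50", "192.168.192.1", dport=22, in_iface="bridge-local")
    return run_chain(dstnat, pkt).dst


def inbound_ssh(dstnat, srcnat, public_ip):
    """Outside host connecting to one of the public addresses on port 22."""
    pkt = Packet("198.51.100.7", public_ip, dport=22, in_iface="ether1-gateway")
    return translate(pkt, dstnat, srcnat)


def outbound_source(srcnat, lan_host):
    """Public address an outbound connection from lan_host is given."""
    pkt = Packet(lan_host, "198.51.100.7", dport=443, in_iface="bridge-local")
    return run_chain(srcnat, pkt).src


if __name__ == "__main__":
    print("LAN -> router:22, port-only dstnat:", lan_ssh_to_router(DSTNAT_PORT_ONLY))
    print("LAN -> router:22, fixed dstnat    :", lan_ssh_to_router(DSTNAT_FIXED))
    print("WAN -> 203.0.113.1:22             :", inbound_ssh(DSTNAT_FIXED, SRCNAT_ORDERED, "203.0.113.1").dst)
    print(".190 outbound, ordered            :", outbound_source(SRCNAT_ORDERED, "192.168.192.190"))
    print(".190 outbound, misordered         :", outbound_source(SRCNAT_MISORDERED, "192.168.192.190"))
```

With the port-only dstnat rule, the LAN host's ssh to 192.168.192.1 is rewritten to 192.168.192.190 before the router ever sees it, which matches the "router does not answer" symptom; with dst-address on the rule it is left alone. With the /24 rule on top, traffic from 192.168.192.190 leaves as 203.0.113.2 instead of its own 1:1 address.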

OK, I have been crashing my head for no reason.
I have been making tons of tests with no result… then a lightning went through my head. :open_mouth:
I was trying to access my network from an ssh session to a computer that had its eth on a DMZ network. I was not going out from the origin. :frowning:
I have been able to get the result I needed very easily once I realized the DMZ issue, what a stupid I am…

thanks anyway! :laughing: