NAT port forwarding

I am trying to forward incoming requests to port 2222 through to 10.0.0.15:22. I am able to

/system ssh 10.0.0.15

from the router itself. I have set up the nat rule with

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=2222 in-interface=ether1-gateway log=yes \
    log-prefix=SSHNAT protocol=tcp to-addresses=10.0.0.15 to-ports=22
    
/ip firewall filter
add chain=forward action=accept dst-port=22 log=yes log-prefix=SSHFORWARD protocol=tcp

And yet it still doesn’t work. I’m seeing the SSHNAT and SSHFORWARD entries in the log, but it seems that they aren’t reaching the server. I have a similar setup on another router with port 5900 for VNC forwarding and that works great.

What could be eating those connections?

Make sure you have proper masquerade set on the router, and the proper gateway set on the server.

Go to the server, and make sure you can successfully do something like “ping google.com”.

I do have the masquerade on the router:

/ip firewall nat
add action=masquerade chain=srcnat comment="outbound masquerade" log=yes \
    log-prefix=MASKNAT out-interface=ether1-gateway

I’m able to ping internet IP addresses and hostnames from the server itself, and the router as well.

Ok, good, have you checked the server to see if it has its own firewall open for incoming connections from outside connections? The router is on the same network, so it may be allowed, while outside devices may be blocked inside the server.

Yes, the server configuration was the problem. This is a bit of a tricky network, with multiple sites connected by EOIP tunnels, and the gateway on this server was set to a different router. So it was able to ping the world, but it was trying to respond to the SSH through a different router. That router did not know about the NAT’d connection so it couldn’t do anything with it.

I have another machine for which I’m trying to NAT the HTTPS port, and I suspect it is a similar problem.

Is there a way to mark this topic as solved?
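The asymmetric-gateway problem described above can be checked from the router's connection tracking table, and worked around on the router when the server's default gateway cannot be changed. The following is an added example (not configuration from the thread); the LAN-side interface name "bridge-local" is an assumption.

```routeros
# Added example, not from the thread. Assumes the router's LAN-side
# interface toward 10.0.0.15 is called "bridge-local"; adjust as needed.

# 1. Check whether the forwarded connection exists in conntrack and whether
#    the reply direction ever arrives. With the server replying through a
#    different gateway, the entry stays unreplied (SYN sent, no SYN-ACK back).
/ip firewall connection print where protocol="tcp" dst-address~"10.0.0.15:22"

# 2. Forward-chain rules: the return-traffic rule so replies are not caught
#    by a later drop rule, and a rule matching only dst-nat'ed SSH traffic
#    (dst-address is already translated to 10.0.0.15 by the time the packet
#    reaches the forward chain).
/ip firewall filter
add chain=forward action=accept connection-state=established,related \
    comment="allow return traffic"
add chain=forward action=accept connection-nat-state=dstnat protocol=tcp \
    dst-address=10.0.0.15 dst-port=22 comment="allow forwarded SSH"

# 3. Workaround when the server's gateway must stay pointed at the other
#    router: also source-NAT the forwarded flow. The server then sees the
#    connection as coming from this router's LAN address and answers it
#    directly on the LAN, so the other gateway never sees the flow.
#    Trade-off: sshd logs show the router's address instead of the real client.
/ip firewall nat
add chain=srcnat action=masquerade protocol=tcp dst-address=10.0.0.15 \
    dst-port=22 out-interface=bridge-local \
    comment="return path for forwarded SSH via this router"
```

Fixing the server's default gateway, as done in the thread, is the cleaner solution; the srcnat rule is for cases where that is not possible, at the cost of losing the client's source address on the server.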