and /ip service has:
set ssh address="" disabled=no port=22022
MikroTik 2 has the following filters:
add action=jump chain=input disabled=no dst-port=22 jump-target=ssh protocol=tcp
add action=drop chain=ssh comment="Blacklist ssh abusers and drop them" disabled=no src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=ssh connection-state=new disabled=no src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=ssh connection-state=new disabled=no src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=ssh connection-state=new disabled=no src-address-list=ssh_stage1
and /ip service has:
set ssh address="" disabled=no port=22
The ip firewall address-list lists do get created when I ssh to MikroTik 1 port 22022, but when I ssh to MikroTik 1 port 22422, I can log in to MikroTik 2 but no lists have been created on either MikroTik 1 or MikroTik 2.
I'm not too sure on that one because you are doing double NAT.
I used to have the same setup as you and my first router was doing the PCC mangling. If you have the detect and blocking rules on MikroTik2, then if you get an attack it's going to block your access from getting into MikroTik1 from your MikroTik2 WAN interface, because it thinks that the attack is coming from your MikroTik1 because of double NAT, and you will lose internet access until you remove the MikroTik1 IP from the blacklisted addresses.
If you really want to get this to work with double NAT, add twice the amount of rules to MikroTik1 and don't have any rules on MikroTik2.
What you can do is on MikroTik2 go to /ip services and change ssh to port 30, and then on MikroTik1 set up port forwarding to MikroTik2 port 30.
Then add twice the amount of firewall rules, but on the second set of rules change the port to port 30 so that MikroTik1 detects the attacks going to MikroTik2.
If you need to detect attacks from your LAN side also, then add the same rules on MikroTik2 but in the rule change the In-Interface= to your LAN interface (you will also need to add twice the amount of rules: the first bunch of rules to port 22 and the other bunch of rules to port 30).
A question about chains here. I understand that connecting to the second MikroTik happens via DNAT, doesn't it? If a packet arrives at the specified high port, it is DNATted to reach the next MikroTik device. At least that is my setup with an internal SSH server that I can reach from the internet via DNAT. The trouble I have is that when I test the ssh blacklist rules I would expect, after the first connection, my external IP to end up in the ssh_stage1 list for one minute. However, that does not happen.
I know DNAT happens in prerouting. Could that be the reason that the rules
Chain is "forward" (because the packet has been DNATted). For the same reason the port is actually 22 (it has been rewritten by DNAT). Connection state "new" is added because I want to catch just the first packet; the other elements seem self-explanatory.
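As an added example (not from any poster in this thread), here is the same staged blacklist written for the DNAT case discussed above, where the SSH traffic is port-forwarded through MikroTik 1 instead of terminating on it. DNATted packets never enter chain=input, so the rules live in chain=forward and match the post-DNAT port. Assumed values: WAN interface ether1 and an internal SSH target of 192.168.88.10:22; the list names and timeouts are the ones used in the thread.

```routeros
# Added example, not the original poster's config. Assumptions: WAN is ether1,
# the DNAT target is 192.168.88.10 port 22 (the port AFTER DNAT, not the public one).
/ip firewall filter
# 1. Already blacklisted sources are dropped before anything else.
add chain=forward in-interface=ether1 protocol=tcp dst-address=192.168.88.10 dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop blacklisted ssh abusers (DNAT path)"
# 2-4. Escalate one stage per new connection; each stage lasts 1 minute.
add chain=forward in-interface=ether1 protocol=tcp dst-address=192.168.88.10 dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d comment="4th new ssh connection within the windows -> blacklist"
add chain=forward in-interface=ether1 protocol=tcp dst-address=192.168.88.10 dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m
add chain=forward in-interface=ether1 protocol=tcp dst-address=192.168.88.10 dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m
# 5. First new connection from an unknown source starts the ladder.
add chain=forward in-interface=ether1 protocol=tcp dst-address=192.168.88.10 dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="1st new ssh connection -> ssh_stage1"
# Check after one test login from outside: the external IP should appear in ssh_stage1.
/ip firewall address-list print where list~"ssh_"
```

These rules must sit above any generic accept for the forwarded connection (or a broad "accept forward" rule), otherwise the accept wins first and the lists stay empty; the same ordering explains why the original input-chain rules never see DNATted traffic.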