Pezant
November 10, 2020, 9:28pm
1
Hi all. I’m having an issue trying to SSH or SFTP out of the network. Any attempt I make usually times out. I’ve tried disabling all the drop rules and even added a forward rule just for port 22, but nothing seems to make any difference. Any suggestions as to what I should try next? Thanks!
Here are the firewall rules I’m currently using:
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow ssh,webadmin,winbox from VPN" \
dst-port=22,8888,8291 log=yes log-prefix="VPN ADMIN" protocol=tcp \
src-address=192.168.1.0/24
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=\
udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
192.168.1.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.1.0/24
add action=dst-nat chain=dstnat dst-address=184.182.220.67 dst-port=80 \
protocol=tcp to-addresses=192.168.1.12 to-ports=80
add action=dst-nat chain=dstnat dst-address=184.182.220.67 dst-port=443 \
protocol=tcp to-addresses=192.168.1.12 to-ports=443
add action=dst-nat chain=dstnat dst-address=184.182.220.67 dst-port=86 \
protocol=tcp to-addresses=192.168.1.12 to-ports=86
add action=dst-nat chain=dstnat dst-address=184.182.220.67 dst-port=8080 \
protocol=tcp to-addresses=192.168.1.13 to-ports=8080
add action=dst-nat chain=dstnat dst-address=184.182.220.67 dst-port=4443 \
protocol=tcp to-addresses=192.168.1.13 to-ports=443
add action=accept chain=dstnat
Can you give us an example or diagram on what are you trying to achieve?
Pezant
November 12, 2020, 5:56pm
3
Hi. I’m trying to connect to an SFTP site. As I was investigating the issue, I discovered, however, that I wasn’t able to access any SFTP or SSH server. I was using a couple of free public SFTP servers and SSH shells for testing. Normally the server responds with a key to verify its identity, but I’m not getting that prompt.
These are the ones I’m using to test.
https://www.sftp.net/public-online-sftp-servers
http://sdf.org/
The first one works just fine for me. I issue sftp demo@test.rebex.net and I see a password prompt etc.
Web check: test.rebex.net:22, demo/password. Also supports SSH, FTP/SSL, FTP, IMAP, POP3 and Time protocols. Read-only.
What you can do is really start LOGGING (add logging on rules) a bit, so it might reveal a bit more about what the problem is.
Pezant
November 12, 2020, 7:00pm
5
Thanks for the suggestion. I’ll see about enabling logging. I’ve also tried using Torch and I see it starting to connect, but it never actually does. It just shows ethernet protocol 800 and the port it goes out on and attempts to come in on.
You only posted parts of the config. Are you using some form of VPN tunnel, and do you route specific traffic into a tunnel?
Do all other regular Internet services work from that same PC you are testing from? (e.g. generic browsing, DNS lookups etc.)
Because:
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.1.0/24
I don’t see a generic masq rule for regular Internet/surf traffic? Unless you are using some VPN link?
Pezant
November 12, 2020, 7:28pm
7
I didn’t think the other rules were relevant. I can post the full config. We have a VPN for remote users who need to work from their desktops at the office. I haven’t had an issue with any other Internet services. It’s just this port 22, and it doesn’t work on site or over the VPN.
/interface bridge
add admin-mac=*Hidden* auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.1.20-192.168.1.239
add name=vpn-pool ranges=192.168.1.240-192.168.1.249
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE dns-server=192.168.1.11 idle-timeout=30m local-address=\
192.168.1.1 remote-address=vpn-pool session-timeout=8h use-compression=yes
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,passw\
ord,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=192.168.1.0
add address=*Hidden*/28 interface=ether1 network=184.182.220.64
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.1.11
/ip dns static
add address=192.168.1.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow ssh,webadmin,winbox from VPN" \
dst-port=22,8888,8291 log=yes log-prefix="VPN ADMIN" protocol=tcp \
src-address=192.168.1.0/24
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=\
udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
192.168.1.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.1.0/24
add action=dst-nat chain=dstnat dst-address=*Hidden* dst-port=80 \
protocol=tcp to-addresses=192.168.1.12 to-ports=80
add action=dst-nat chain=dstnat dst-address=*Hidden* dst-port=443 \
protocol=tcp to-addresses=192.168.1.12 to-ports=443
add action=dst-nat chain=dstnat dst-address=*Hidden* dst-port=86 \
protocol=tcp to-addresses=192.168.1.12 to-ports=86
add action=dst-nat chain=dstnat dst-address=*Hidden* dst-port=8080 \
protocol=tcp to-addresses=192.168.1.13 to-ports=8080
add action=dst-nat chain=dstnat dst-address=*Hidden* dst-port=4443 \
protocol=tcp to-addresses=192.168.1.13 to-ports=443
add action=accept chain=dstnat
/ip route
add distance=1 gateway=*Hidden*
/ip ssh
set forwarding-enabled=both
/system clock
set time-zone-name=America/Phoenix
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Do I need to use a generic masquerade rule if the IPs never change?
anav
November 12, 2020, 7:46pm
8
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 should be bridge.
What is the purpose of this rule at the end of the dstnat chain, looks like an accident that should be removed??
add action=accept chain=dstnat
Pezant
November 12, 2020, 7:57pm
9
Thanks for the suggestion. I have switched that interface over to bridge and removed the last NAT rule. Honestly, I’m not sure how that ended up in there. I’m new to this level of customization in network configuration, so I probably copied and pasted a rule I found online. Unfortunately it didn’t seem to make a difference. Do I need to restart the router, or should these changes be instant? Thanks!
Ah OK, the line below IS your generic masq rule, providing "NAT’ed" access for all the internal 192.168.1.0/24 IPs.
The comment was a bit misleading.
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.1.0/24
You have the rules in place in the forward chain to accommodate the return traffic; that looks good.
Add some logging on these rules and see if you hit anything.
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
Pezant
November 12, 2020, 8:05pm
11
The odd thing is that I even disabled those rules and still wasn’t able to get out on that port. I’ve just turned on logging.
anav
November 12, 2020, 8:19pm
12
Traffic outbound isn’t usually blocked by the router, so perhaps it’s your ISP??
Hmm, I wonder if these rules are getting in the way from LAN to Internet for some reason.
add action=accept chain=input comment="allow ssh,webadmin,winbox from VPN" \
dst-port=22,8888,8291 log=yes log-prefix="VPN ADMIN" protocol=tcp \
src-address=192.168.1.0/24
Here is what I would do instead of this rule… Reminder: only the admin needs access to the router.
add action=accept chain=input comment="allow admin access" \
in-interface-list=LAN src-address-list=adminaccess
Firewall address list:
add address=ip of admin desktop list=adminaccess
add address=ip of admin laptop list=adminaccess
add address=ip of admin ipad etc. list=adminaccess
add address=ip of admin when coming in on vpn list=adminaccess
Pezant
November 12, 2020, 8:34pm
13
I always had that thought in the back of my mind about ISP potentially blocking it. No idea why they would though…
Here are the logs of me attempting to connect to that SFTP.
Pezant
November 12, 2020, 8:56pm
14
I just tried modifying your input rule to how you suggested. That did not seem to help either.
Pezant
November 12, 2020, 9:17pm
16
Haha. I appreciate the help. I might try calling the ISP and finding out if they are blocking that port for some odd reason.
Pezant
February 8, 2021, 6:00pm
17
Good morning. I was hoping to revisit this issue I am having. I have since called the ISP and verified that port 22 is not being blocked. Any SFTP site works just fine when we plug directly into the modem and bypass the MikroTik, so there is a rule somewhere that is causing issues. Thanks!
anav
February 8, 2021, 7:34pm
18
No worries, please post your complete config again as it is now.
/export hide-sensitive file=anynameyouwish
Pezant
February 8, 2021, 9:35pm
19
Here you go.
# feb/08/2021 14:27:39 by RouterOS 6.47.7
# software id = VGFH-V40X
#
# model = RB760iGS
# serial number = ###
/interface bridge
add admin-mac=(Removed) auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.1.20-192.168.1.239
add name=vpn-pool ranges=192.168.1.241-192.168.1.249
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE dns-server=192.168.1.11 idle-timeout=30m local-address=\
192.168.1.1 remote-address=vpn-pool session-timeout=8h use-compression=yes
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,passw\
ord,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0
add address=(Gateway IP) interface=ether1 network=(Static IP)
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.1.11
/ip dns static
add address=192.168.1.1 name=router.lan
/ip firewall address-list
add address=192.168.1.240 list=AdminAccess
add address=192.168.1.10 list=AdminAccess
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow ssh,webadmin,winbox from VPN" \
in-interface=all-ethernet log=yes log-prefix="VPN ADMIN" src-address-list=\
AdminAccess
# no interface
add action=accept chain=input in-interface=*F00037 src-address-list=AdminAccess
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=\
udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=forward dst-port=22 log=yes log-prefix=Port22 protocol=\
tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid log=yes log-prefix=Test_Invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN log=yes log-prefix=Test_DSTNAT
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
192.168.1.0/24 log-prefix=HairpinNat src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none log=yes log-prefix="WAN Masquerade" out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.1.0/24
add action=dst-nat chain=dstnat dst-address=184.182.220.67 dst-port=80 \
protocol=tcp to-addresses=192.168.1.12 to-ports=80
add action=dst-nat chain=dstnat dst-address=184.182.220.67 dst-port=443 \
protocol=tcp to-addresses=192.168.1.12 to-ports=443
add action=dst-nat chain=dstnat dst-address=184.182.220.67 dst-port=86 \
protocol=tcp to-addresses=192.168.1.12 to-ports=86
add action=dst-nat chain=dstnat dst-address=184.182.220.67 dst-port=8080 \
protocol=tcp to-addresses=192.168.1.13 to-ports=8080
add action=dst-nat chain=dstnat dst-address=184.182.220.67 dst-port=4443 \
protocol=tcp to-addresses=192.168.1.13 to-ports=443
add action=accept chain=dstnat disabled=yes
/ip route
add distance=1 gateway=184.182.220.65
/ip ssh
set forwarding-enabled=both
/ppp secret
add name=(Removed) profile=default-encryption remote-address=192.168.1.240
add name=(Removed) profile=default-encryption
add name=(Removed) profile=default-encryption
add name=(Removed) profile=default-encryption
add name=(Removed) profile=default-encryption
add name=(Removed) profile=default-encryption
add name=(Removed) profile=default-encryption
add name=(Removed) profile=default-encryption
add name=(Removed) profile=default-encryption
add name=(Removed) profile=default-encryption
add disabled=yes name=(Removed) profile=default-encryption
add name=(Removed) profile=default-encryption
add name=(Removed) profile=default-encryption
/system clock
set time-zone-name=America/Phoenix
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
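To make the rule walk explicit, here is an added example (not from the thread or from MikroTik): a small Python first-match evaluator over the forward chain posted above, fed constructed packets for an outbound SYN to port 22 and for an unsolicited inbound one. It shows that no forward rule matches a new LAN-to-WAN TCP/22 connection, so the chain default accepts it, which is consistent with disabling the drop rules having changed nothing; the matcher subset and packet fields are assumptions of this example.

```python
"""First-match walk of a RouterOS filter chain for one packet.

Added illustration, not code from the thread or from MikroTik. Supports only
the matchers used in the forward chain above; packet fields are constructed.
"""
import shlex

# Constructed from the thread's forward chain (comments shortened).
FORWARD_CHAIN = """
add action=accept chain=forward comment="accept in ipsec" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
"""

NON_MATCHERS = {"action", "chain", "comment", "log", "log-prefix", "disabled"}


def parse_rules(text):
    """Turn `add key=value ...` lines into dicts; shlex handles quoted comments."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)
        if tokens and tokens[0] == "add":
            rules.append(dict(tok.split("=", 1) for tok in tokens[1:]))
    return rules


def matcher_hits(key, wanted, packet):
    """Evaluate one matcher; a leading '!' negates, commas mean 'any of these'."""
    actual = packet.get(key)
    negate = wanted.startswith("!")
    wanted = wanted.lstrip("!")
    if key == "ipsec-policy":            # direction,policy is a single value
        hit = actual == wanted
    else:
        hit = actual is not None and actual in wanted.split(",")
    return hit != negate


def first_match(rules, chain, packet):
    """Return (action, comment) of the first enabled rule that matches, or the chain default."""
    for rule in rules:
        if rule.get("chain") != chain or rule.get("disabled") == "yes":
            continue
        matchers = {k: v for k, v in rule.items() if k not in NON_MATCHERS}
        if all(matcher_hits(k, v, packet) for k, v in matchers.items()):
            return rule["action"], rule.get("comment", "")
    return "accept", "chain default (no rule matched)"


# Constructed packets: a LAN host opening SFTP to the Internet, and an
# unsolicited SYN from the Internet that no dst-nat rule rewrote.
OUTBOUND_SSH = {"connection-state": "new", "connection-nat-state": "", "protocol": "tcp",
                "dst-port": "22", "in-interface-list": "LAN", "out-interface-list": "WAN",
                "ipsec-policy": "out,none"}
INBOUND_SSH = dict(OUTBOUND_SSH, **{"in-interface-list": "WAN", "out-interface-list": "LAN",
                                    "ipsec-policy": "in,none"})

if __name__ == "__main__":
    rules = parse_rules(FORWARD_CHAIN)
    for name, pkt in (("LAN -> WAN tcp/22", OUTBOUND_SSH), ("WAN -> LAN tcp/22", INBOUND_SSH)):
        print(name, "=>", first_match(rules, "forward", pkt))
```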
2frogs
February 8, 2021, 9:50pm
20
Have you tried with:
/ip ssh
set forwarding-enabled=no