Good morning to everyone.
I’m using a MikroTik mAP (RBmAP2nD). I’ve tried to set up port forwarding on port 5900 (VNC) and port 22 (SSH), but it doesn’t work.
I’ve tried port 80 and everything works fine, but when I change the port to 5900 or 22 I can’t reach the device I want to control.
I’ve used two different mAP devices with RouterOS 7.11.2, and 6.49.8.
Is there anybody who’s had the same issue and found a solution?
Thank you in advance.
A. Do not expose and redirect these ports, for security reasons. Use a VPN.
B. If you have to redirect these services, then use some other port, e.g. 54322, to redirect to 22 inside … why make crackers’ lives easier?
Thanks for the good advice.
I’ve just tried using port 55900 redirected to 5900 inside.
It still doesn’t work.
The first rule should be enough to redirect all traffic to port 514 of MYPRECIOUSIP, incoming from the interfaces in WAN_LIST, to the internal host 10.1.1.42:
add action=dst-nat chain=dstnat dst-address=MYPRECIOUSIP dst-port=514 in-interface-list=WAN_LIST protocol=udp to-addresses=10.1.1.42
This fools 10.1.1.42 into thinking the traffic originates from the router with IP 10.1.1.254, as it is part of hairpin NAT.
It is not necessary for external traffic, if 10.1.1.42 can reach the Internet anyway:
add action=src-nat chain=srcnat dst-address=10.1.1.42 log=yes src-address=!10.1.1.42 to-addresses=10.1.1.254
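The dst-nat plus hairpin src-nat pattern described in this reply, applied to the VNC forward discussed in the thread and combined with advice B above (a non-default external port), as an added example that is not part of any post here. The internal host 10.10.150.2 is the one the original poster names later in the thread; the external port 55900, the list name vnc_admins and the address 198.51.100.10 are assumptions, and the defconf filter rules are those of a default RouterOS config.

```routeros
# Added example, not from the thread. Placeholders: vnc_admins list,
# 198.51.100.10 (assumed admin source), external port 55900.
/ip firewall address-list
add list=vnc_admins address=198.51.100.10 comment="hosts allowed to reach VNC (assumed)"

/ip firewall nat
# default outbound NAT for the LAN
add chain=srcnat action=masquerade out-interface-list=WAN
# external tcp/55900 on the WAN side -> 10.10.150.2:5900 inside
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp \
    dst-port=55900 to-addresses=10.10.150.2 to-ports=5900
# hairpin NAT: LAN clients that connect via the WAN address get the
# router's address as source, so the server replies through the router
add chain=srcnat action=masquerade src-address=10.10.150.0/24 \
    dst-address=10.10.150.2 protocol=tcp dst-port=5900

/ip firewall filter
# Only new dst-nat'ed connections from WAN survive the defconf
# "drop all from WAN not DSTNATed" rule; restrict those to the admin list.
# Both rules are placed in front of that defconf rule.
add chain=forward action=accept connection-state=new \
    connection-nat-state=dstnat in-interface-list=WAN protocol=tcp \
    dst-address=10.10.150.2 dst-port=5900 src-address-list=vnc_admins \
    comment="VNC forward: allowed admins only" \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"]
add chain=forward action=drop connection-state=new \
    connection-nat-state=dstnat in-interface-list=WAN protocol=tcp \
    dst-address=10.10.150.2 dst-port=5900 \
    comment="VNC forward: drop everyone else" \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"]
```

As the thread points out, this only helps once the upstream ISP router forwards tcp/55900 to the mAP's WAN address and that router itself has a public (non-CGNAT) address.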
Unlike my Polish friend, I am unable to work without facts/evidence… my forte is not crystal balls, chicken bones and ouija boards.
Please post your config:
/export file=anynameyouwish (minus the router serial number and any public WAN IP information).
Good morning,
Here is the exported file.
# 2023-09-12 09:45:54 by RouterOS 7.11.2
# software id = XXXX-XXXX
#
# model = RBmAP2nD
# serial number = XXXXXXXXXXX
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=XXXXXXXXXXXX wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=XXXXXXXX
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=10.10.XXX.TTT-10.10.XXX.SSS
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf disabled=yes interface=pwr-line1
add bridge=bridge comment=defconf interface=wlan1
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=10.10.XXX.ZZZ/24 comment=defconf interface=bridge network=\
10.10.XXX.0
add address=192.168.YYY.WWW/24 interface=ether1 network=192.168.YYY.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=10.10.XXX.0/24 comment=defconf dns-server=10.10.XXX.ZZZ gateway=\
10.10.XXX.ZZZ netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.YYY.QQQ
/ip dns static
add address=10.10.XXX.ZZZ comment=defconf name=XXXXXX
/ip firewall address-list
add address=192.168.YYY.WWW list=WAN
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-list=5900 in-interface-list=WAN \
protocol=tcp to-addresses=10.10.XXX.DDD (device ip) to-ports=5900
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=XXXXXXXXX
/system note
set show-at-login=no
Why do you hide the private IP address structure of the bridge? There is nothing to protect on that side, only the public WAN IP information.
The same with your WAN IP: it’s not public, it’s only a private IP assigned on a subnet of an upstream router…
Do you forward ports from the upstream router to the private WAN IP you are assigned on the ISP router’s LAN subnet?
The format for a static fixed WAN IP is wrong, it should be as below, and you have the wrong text in front of the port number!!!
from:
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-list=5900 in-interface-list=WAN
protocol=tcp to-addresses=10.10.XXX.DDD (device ip) to-ports=5900
TO:
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether1 to-addresses=192.168.YYY.WWW
add action=dst-nat chain=dstnat dst-port=5900 dst-address=192.168.YYY.WWW
protocol=tcp to-addresses=10.10.XXX.DDD
Sorry, it was an oversight caused by the many attempts.
Here is the current configuration with the IPs in clear text.
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=5900 in-interface-list=WAN protocol=\
tcp to-addresses=10.10.150.2 to-ports=5900
add action=src-nat chain=srcnat out-interface-list=WAN protocol=tcp src-port=\
5900 to-addresses=192.168.0.122 to-ports=5900
Why do you have an additional source-nat rule using a source port… what is this for??
Also, you didn’t change your formats to those for a static WAN IP; is your WAN IP fixed or dynamic???
Initially, the setting was just
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=5900 in-interface-list=WAN protocol=tcp to-addresses=10.10.150.2 to-ports=5900
Then I added the additional source-nat because I read about it in the forum. So can I remove the additional source-nat?
I set address acquisition to static in Quick Set. How do I have to change the formats?
Yikes, Quick Set, LOL.
It depends.
Do you have users on the same subnet that need access to the server?
If so, how do they connect to the server, via the LAN IP??
If Quick Set isn’t good, why does it exist?
Devices connecting to the LAN (IP: 10.10.150.x) via WLAN can reach the server without any problem.
But I have to reach the server from the WAN (IP: 192.168.0.x).
Again, the private IP of your WAN, 192.168.0.x, is not a secret, LOL; no point in hiding it.
It’s only a private IP on a subnet of the ISP router’s LAN.
Can you confirm you can forward ports to your router (i.e. that you have access to configure the ISP router)??
Can you confirm that the WAN IP from your ISP is public and not some CGNAT thingy…
If users cannot reach this IP, then you cannot host.
I didn’t hide the IP; I simply tried to say that all devices with addresses like 192.168.0.x can’t connect. Just like I did with the LAN IPs.
But what’s the problem if I want to write it this way? I don’t think I’m being unclear or offending anyone.
I don’t understand what you’re asking. The WAN is actually a LAN, as you understood.
Let me make it clear.
No external users can reach your router (for port forwarding or a VPN server) UNLESS the associated port on the upstream router (presumably the ISP modem/router) is forwarded.
This also assumes the ISP modem router gets a public IP itself.
I recall what I said in the first post:
“I’ve tried on port 80 and everything works fine, but when I change the port on 5900 or 22 I can’t reach the device to control.”
Post your latest config and I will have a look…