Port Forwarding SFTP custom Port

Finally setting up a brand new upgraded 7.1 Router, see my signature, and doing a pretty standard port forward that I had on my Zyxel Router last night (working) but things are just not looking the same and a bit confusing.

Source IP: 5.150.195.195
Source Port: any (it varies so not defined)

Target IP on my Lan: 192.168.1.234
Target port: 22022 on a windows machine and no, nothing has changed on it since yesterday

Protocol is SFTP. It is a backup running from a web server to a Bitvise SFTP server.

  1. I tried setting TCP, but can’t find SFTP in the IP > Firewall > NAT settings.
  2. Not sure if setting srcnat or dstnat or what in the chain. Tried diff variables.

I checked my DNS service (dynamic DNS configured with monitoring and updating software) and renewed the IP address manually on that since it seems the router might be somehow blocking it, but I will look in to that later.

That doesn’t sound right. Port forwarding rule looks like this:

/ip firewall nat
add chain=dstnat dst-address=<your public address> protocol=tcp dst-port=<external port number> action=dst-nat to-addresses=<internal address> to-ports=<internal port>

There is no public address. Or rather, it can be anything.

5.150.* is the web server address

192.* is my local server address

So maybe I am confusing a non stable public IP with some of those above… or below?

Nope, not like that
Remove the DST_ADDRESS 192.x.x.x from the rule, leave protocol & DST-port in there.

Under “Advanced” tab you can set DST-ADDRESS-LIST to for example WAN_IP (if you have a dynamic public IP).

Then go to “Action” tab and select DST-NAT from there, then fill in the TO-ADDRESS with 192.168.1.234
If you leave the “port” blank, exactly the same port is taken as the port 2022, so make sure your backend SFTP is “listening” on 2022 too.
If the SFTP is running on standard 22, then put port 22 in this field here.

… and replace it with your public address (5.150.x.x). That’s if it’s static, otherwise it would require slightly different config.

Edit: I see you mentioned dynamic DNS, so keep Dst. Address empty and use Dst. Address Type → Address Type “local”.

I would only comment if I see the config
/export hide-sensitive file=anynameyouwish

Chances are there are multiple changes required…
and some learning required in moving from Zyxel to MT (I am one of that breed)

# jan/09/2022 08:45:07 by RouterOS 7.1.1
# software id = Y7E5-SEZ7
#
# model = RB1100x4
# serial number = D8580E4D7A72
/interface bridge
add name=bridge1
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.0/24
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=ether13
/interface list member
add interface=ether1 list=WAN
add list=LAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
/ip arp
add address=192.168.1.234 interface=bridge1 mac-address=2C:76:8A:AD:27:86
add address=192.168.1.10 interface=bridge1 mac-address=00:25:90:4B:6B:4B
add address=192.168.1.16 interface=bridge1 mac-address=00:15:5D:01:EA:01
add address=192.168.1.33 interface=bridge1 mac-address=00:15:5D:01:EA:08
add address=192.168.1.35 interface=bridge1 mac-address=00:15:5D:01:EA:09
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=192.168.1.255 client-id=1:8:55:31:c1:67:57 mac-address=\
    08:55:31:C1:67:57 server=dhcp1
/ip dhcp-server network
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=accept chain=dstnat dst-address=192.168.1.234 dst-port=22022 log=\
    yes log-prefix=SFTP-Inleed protocol=tcp src-address=5.150.195.195
/ip service
set telnet disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=Europe/Stockholm
/system identity
set name=mt-ro-homered

Dst-nat rule is wrong: dst-address is selector (much like src-address), you need to set to-addresses instead.

The way dst-nat works: it inspects packet headers and compares values to configured ones. In your case it compares src-address from packet to src-address from rule definition. It also compares values of dst-port and protocol type. So far so good. However: it also compares dst-address from packet to configured value and this is where it fails … because packet’s dst-address at this point is most likely same as router’s WAN IP address. Good alternative [*] is to use in-interface-list=WAN instead. If all configured selector properties of dst-nat rule match, the NAT engine replaces dst-* fields of packet with to-* properties of dst-nat rule (or leaves values intact if they’re not defined). So what you want is to set to-addresses=192.168.1.234 on dst-nat rule and in this case NAT engine would replace dst-address on ingress packet with IP address of your SFTP server.

[*] using in-interface or in-interface-list as selector in dst-nat rule means you can’t use this rule to use SFTP service from inside your LAN by using WAN IP address (e.g. if you have a phone or laptop and you’d want to use service without a change of configuration while device is connected to LAN and while device is somewhere in internet), for that one needs hairpin NAT. In your case this is not the case as one of selectors is WAN IP of SFTP client … and you could mostly get away even with omission of both dst-address and in-interface[-list].

Still no joy:

add action=add-dst-to-address-list address-list=" 192.168.1.234" address-list-timeout=none-dynamic chain=dstnat dst-address-type=local log=yes log-prefix=SFTP-Inleed protocol=tcp src-address=5.150.195.195 to-addresses=192.164.1.234 \
    to-ports=22022

What is this rule supposed to do? You’re over complicating things.

Your NAT rule should be this:

add action=dst-nat chain=dstnat \
    src-address=5.150.195.195 dst-port=22022 protocol=tcp in-interface-list=WAN \
    log=yes log-prefix=SFTP-Inleed \
    to-addresses=192.168.1.234

I’ve arranged the order of properties just to illustrate: first line simply defines the nature of rule (it’s a dst-nat rule), second line of properties are selectors - they determine to which packets this NAT rule applies. The third line contains some logging properties (they don’t affect selection process nor do they affect the way packet might be altered). The last line defines what exactly dst-nat changes on matching packet (in this case dst-address is changed to set value).

N.b. if you decide you want to allow multiple src-addresses, you can add similar rules. But better solution is to (statically) create address list, containing allowed src addresses. Then you’d change the rule above by replacing property src-address with src-address-list=
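To make the selector-versus-rewrite distinction from the explanation above concrete, here is a small added model of how a dstnat rule is evaluated (my own illustration, not RouterOS code or anything posted in this thread). It assumes a placeholder public address 203.0.113.7 for the router’s dynamic WAN IP; the client, server and port values are the ones from the thread. It shows why the original rule (dst-address=192.168.1.234 plus action=accept) never rewrites anything, while the corrected rule does:

```python
from dataclasses import dataclass, replace
from typing import Optional

# Constructed values: WAN_IP is a placeholder for the router's dynamic public IP.
WAN_IP = "203.0.113.7"
INTERFACE_LISTS = {"WAN": {"ether1"}, "LAN": {"bridge1"}}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    in_iface: str

@dataclass(frozen=True)
class DstNatRule:
    action: str                                # "dst-nat" or "accept"
    src_address: Optional[str] = None          # selectors: compared, never written
    dst_address: Optional[str] = None
    dst_port: Optional[int] = None
    protocol: Optional[str] = None
    in_interface_list: Optional[str] = None
    to_addresses: Optional[str] = None         # to-*: written, never compared
    to_ports: Optional[int] = None

def matches(rule: DstNatRule, pkt: Packet) -> bool:
    """Every selector that is defined on the rule must equal the packet header."""
    pairs = [(rule.src_address, pkt.src), (rule.dst_address, pkt.dst),
             (rule.dst_port, pkt.dport), (rule.protocol, pkt.proto)]
    if any(want is not None and want != have for want, have in pairs):
        return False
    if rule.in_interface_list is not None:
        return pkt.in_iface in INTERFACE_LISTS[rule.in_interface_list]
    return True

def apply_dstnat(rules: list, pkt: Packet) -> Packet:
    """First matching rule wins; only action=dst-nat rewrites the dst-* fields."""
    for rule in rules:
        if matches(rule, pkt):
            if rule.action == "dst-nat":
                return replace(pkt, dst=rule.to_addresses or pkt.dst,
                               dport=rule.to_ports or pkt.dport)
            return pkt  # accept: matched, but nothing is rewritten
    return pkt

# The backup client's SYN as it arrives on ether1: dst is the router's WAN IP.
INGRESS = Packet("5.150.195.195", WAN_IP, "tcp", 22022, "ether1")
ORIGINAL = DstNatRule("accept", src_address="5.150.195.195",
                      dst_address="192.168.1.234", dst_port=22022, protocol="tcp")
CORRECTED = DstNatRule("dst-nat", src_address="5.150.195.195", dst_port=22022,
                       protocol="tcp", in_interface_list="WAN",
                       to_addresses="192.168.1.234")
```

With the original rule the packet keeps dst 203.0.113.7 (the selector dst-address=192.168.1.234 can never match an ingress packet), while the corrected rule leaves the selectors alone and rewrites dst to 192.168.1.234.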

(1) This needs to be removed it does nothing
/interface list member
add interface=ether1 list=WAN
add list=LAN
add interface=bridge1 list=LAN

(2) This is misconfigured and needs to be removed
/ip dhcp-server network
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24

(3) Never seen an ip pool configured as such but it must be legit
/ip pool
add name=dhcp ranges=192.168.1.0/24

(4) Your dst nat rule is troubling, but I will let mkx sort it out as he has you on the right track…
My initial read of your first entry was that you didn’t have a public IP address…

As for 1-2-3, that’s the result of the quick set. I suspected some was wrong, but it works and I can’t really do anything about that right now… followed the instructions for 1st setup and have added absolutely zero to that.

4: I have a dynamic public IP, meaning it may change if I reset the fiber modem or if the ISP changes something. My ISP offers fixed IP, but does not recommend its usage. That is why I use an updating software and an external DNS host provider to properly direct calls to my network. It has worked for many years now, all back through my ASUS Router, via an Ubiquiti Edge Router and the last, the Zyxel one. I expect it to work with Mikrotik as well, but Mikrotik seems by far the most complex to set up, both in regards to how the interface looks and works, adding to that the seemingly lacking port forwarding instructions in the manual. Ref: https://help.mikrotik.com/docs/dosearchsite.action?queryString=port+forward&where

Thanks.

Console complained about errors when I typed it all in one line but I set it in the interface instead. The export seems to give the same as you suggested:

add action=dst-nat chain=dstnat dst-port=22022 in-interface-list=WAN log=yes log-prefix=sftp-inleed protocol=tcp src-address=5.150.195.195 to-addresses=192.168.1.234

After some checking I triggered the backup on the webhost and it landed safe and sound on my local server.

Thank you very much for the help… Now I need to wrap my head around that logic…

Coming from Zyxel it’s not too bad, no loopback checkbox and a little less spoon feeding. (used to be a reseller for Zyxel)

The main difference is that only one firewall rule is needed for all port forwardings.
The main place for rule details is in the dst-nat rules…
You have the right info.

You have two choices in Mikrotik for formatting the Dst NAT RULES
TYPICALLY
a. for dynamic firewall rules one uses in-interface=ether1 or in-interface-list=WAN (assuming ether1 is the WAN interface, like standard cable)
b. for static, fixed ip, one uses dst-address=PublicIP of WAN

If you think about it, they say different things but have the same result. The first says for any traffic coming from the WAN side, headed for portxx, send the traffic to lanip blah blah.
The second one says that for any traffic heading to my public IP, headed for portxx, send the traffic to lanip blah blah.
Pretty straightforward !!

Note: You could use the dst-address for dynamic IPs, but then would have to change the rule every time the IP changed.

The in-interface list method, for Dynamic WANIPs, is useless if you ever want users or yourself (FOLKS ON THE LAN behind the router) to access the server via the Public WANIP.
I never understood loopback on the Zyxel until I ran across this need. I was like, pffffft what losers, don’t just use the LANIP directly of the server when within the LAN. Clearly there are many cases where people seem to defy logic. :wink:

So there are work arounds to make the dynamic IP scenario LOOK LIKE the fixed IP scenario, so that the router will accept both internal and external users access to the server.
One can see right away that if you use in-interface-list=WAN one is NOT INCLUDING internal users.
However as noted above I could use the IP address but would have to change the rule every time the IP changed, so how to avoid that is the next format!!

FORMAT
add chain=dstnat action=dst-nat dst-address-list=(applicable firewall address list for your dyndns of choice - most use the IP cloud address on the router itself)
dst-port=xxxx protocol=tcp to-addresses=IPofServer {to ports is not required if the same as dst-port}

What we have done here is to identify the public dynamic IP with a dyndns name which will keep the IP relatively current and thus one can use the format of the fixed IP dst nat rule which would include both internal and external users because they are both pointing at the public IP…

There is one caveat, and that is if the server and the users are in the same subnet we run into something called hairpin NAT. All explained in the article below and more.
Suffice to say one source nat rule fixes this issue, and alternatives are discussed as well.
Enjoy today’s instructional lessons!
https://forum.mikrotik.com/viewtopic.php?t=179343

I should note that the dstnat rules can also have source addresses or source address lists which narrow down access to the server, always a good thing!
Since people can get free dyndns names for their own routers, they can give you their static fixed wanip or dynamic URL to put into the firewall address list!!

Listen I have to start somewhere, ok… :slight_smile: I chose Mikrotik because of its versatility and reputation, been wanting this for a number of years so with some great advantages I expect to be learning as well… small effort well worth it in the long run. Just you wait till I start pestering the PFSense forums when I have the “friedwall” running… should I ever get there.

See above post to start that learning curve. If I can learn it, any idiot can, at least that’s what SOB says :wink:

The backslash (\) characters followed by new-line are “continuation” characters (meaning that the command continues in next line). If you typed the rule in single line but kept the backslashes, then this is why console complained.

@mkx
I know… just typed it without backslashes in one row, still errors.

I did add /ip and /firewall before typing add in a couple of attempts, but still would not work. Maybe cmd syntax changed in 7.1?

Anyhow, it works and I have documented it.

…and verified…

ignore the ipad entries…

Eh … the command was meant to be preceded by /ip firewall nat … in ROS configuration is in a pseudo file system hierarchy and commands have context in tree position … e.g. command add is completely different elsewhere, say in /interface bridge

Anyway, it’s good it’s working for you now … and I’m sure you’ll learn your way around in no time.