Port Forwarding traffic is lost

Before I can migrate to my CCR1036 I need to get port forwarding working. I am trying to get port 22 forwarded and the traffic is being lost somehow.

A brief description of my setup: I have 4 VLANs that are all bridged. Ether1 is my WAN, SFP+1/2 are both trunks, and the rest of the ethernet ports are all access ports for one of the VLANs. From a PC on the network I can SSH into the target machine fine.

So onto the configuration, here is my NAT setup:

 0    chain=dstnat action=dst-nat to-addresses=192.168.0.2 to-ports=22 protocol=tcp in-interface=ether1 dst-port=22
      log=yes log-prefix="NAT"

 1    chain=srcnat action=masquerade dst-address=0.0.0.0/0 out-interface=ether1

And here are my firewall rules:

 1    ;;; FastTrack
      chain=forward action=fasttrack-connection connection-state=established,related

 2    ;;; Established, Related
      chain=forward action=accept connection-state=established,related

14    ;;; WAN: Accept all DST-NAT traffic
      chain=forward action=accept connection-state=new connection-nat-state=dstnat in-interface=ether1 log=yes
      log-prefix="WAN: ACCEPT"

I filtered out some of the rules that weren’t related; I will include them if desired. I added a log action to all the drop rules and don’t see them applying to this traffic.

When I look at the logs I see this output:

NAT dstnat: in:ether1 out:(unknown 0), 192.168.100.47:58072->192.168.64.254:22, len 52
WAN: ACCEPT forward: in:ether1 out:vlan10, 192.168.100.47:58072->192.168.0.2:22, NAT 192.168.100.47:58072->(192.168.64.254:22->192.168.0.2:22), len 52
WAN: ACCEPT forward: in:ether1 out:vlan10, 192.168.100.47:58072->192.168.0.2:22, NAT 192.168.100.47:58072->(192.168.64.254:22->192.168.0.2:22), len 52
WAN: ACCEPT forward: in:ether1 out:vlan10, 192.168.100.47:58072->192.168.0.2:22, NAT 192.168.100.47:58072->(192.168.64.254:22->192.168.0.2:22), len 52
WAN: ACCEPT forward: in:ether1 out:vlan10, 192.168.100.47:58072->192.168.0.2:22, NAT 192.168.100.47:58072->(192.168.64.254:22->192.168.0.2:22), len 52
WAN: ACCEPT forward: in:ether1 out:vlan10, 192.168.100.47:58072->192.168.0.2:22, NAT 192.168.100.47:58072->(192.168.64.254:22->192.168.0.2:22), len 52

So I can see that the NAT is working and I think the firewall is letting the traffic through but I can’t establish an SSH connection. As a troubleshooting step, I used ping from winbox and I can ping the target server, but if I use the Telnet(SSH) function from winbox, I can’t establish a connection from the router to the target machine. Not sure what is going on.

Make your command line window as wide as your screen allows, run /tool sniffer quick ip-address=192.168.0.2 port=22 and try the SSH connection again. Can you see the packets towards 192.168.0.2 leave via some interface? Is it the correct one? If yes, can you see any responses from 192.168.0.2:22 come in via that same interface?

Here is the output when I try to SSH from the router:

/tool sniffer quick ip-address=192.168.0.2 port=22
INTERFACE                    TIME    NUM DI SRC-MAC           DST-MAC           VLAN   SRC-ADDRESS
bridge1                    14.753     71 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E 10     192.168.0.1:49074
sfp-sfpplus1               14.753     72 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E 10     192.168.0.1:49074
vlan10                     14.753     73 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E        192.168.0.1:49074
bridge1                    14.753     74 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E 10     192.168.0.1:49074
sfp-sfpplus1               14.753     75 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E 10     192.168.0.1:49074
sfp-sfpplus1               14.784     76 <- 00:1B:21:BC:AC:2E B8:69:F4:C5:EF:E3 10     192.168.0.2:22 (ssh)
bridge1                    14.784     77 <- 00:1B:21:BC:AC:2E B8:69:F4:C5:EF:E3 10     192.168.0.2:22 (ssh)
vlan10                     14.784     78 <- 00:1B:21:BC:AC:2E B8:69:F4:C5:EF:E3        192.168.0.2:22 (ssh)
vlan10                     14.799     79 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E        192.168.0.1:49074
bridge1                    14.799     80 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E 10     192.168.0.1:49074
sfp-sfpplus1               14.799     81 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E 10     192.168.0.1:49074
vlan10                     14.799     82 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E        192.168.0.1:49074
bridge1                    14.799     83 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E 10     192.168.0.1:49074
sfp-sfpplus1               14.799     84 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E 10     192.168.0.1:49074
sfp-sfpplus1               14.801     85 <- 00:1B:21:BC:AC:2E B8:69:F4:C5:EF:E3 10     192.168.0.2:22 (ssh)
bridge1                    14.801     86 <- 00:1B:21:BC:AC:2E B8:69:F4:C5:EF:E3 10     192.168.0.2:22 (ssh)
vlan10                     14.801     87 <- 00:1B:21:BC:AC:2E B8:69:F4:C5:EF:E3        192.168.0.2:22 (ssh)
vlan10                     14.801     88 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E        192.168.0.1:49074
bridge1                    14.801     89 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E 10     192.168.0.1:49074
sfp-sfpplus1               14.801     90 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E 10     192.168.0.1:49074

The address 192.168.0.2 is on sfp-sfpplus1, everything looks good as far as I understand it.

This is the output when trying to SSH from the WAN:

/tool sniffer quick ip-address=192.168.0.2 port=22
INTERFACE                    TIME    NUM DI SRC-MAC           DST-MAC           VLAN   SRC-ADDRESS
vlan10                      81.09      1 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E        192.168.100.47:49398
bridge1                     81.09      2 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E 10     192.168.100.47:49398
sfp-sfpplus1                81.09      3 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E 10     192.168.100.47:49398
vlan10                       82.1      4 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E        192.168.100.47:49398
bridge1                      82.1      5 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E 10     192.168.100.47:49398
sfp-sfpplus1                 82.1      6 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E 10     192.168.100.47:49398
vlan10                     84.107      7 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E        192.168.100.47:49398
bridge1                    84.107      8 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E 10     192.168.100.47:49398
sfp-sfpplus1               84.107      9 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E 10     192.168.100.47:49398
vlan10                     88.121     10 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E        192.168.100.47:49398
bridge1                    88.121     11 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E 10     192.168.100.47:49398
sfp-sfpplus1               88.121     12 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E 10     192.168.100.47:49398
vlan10                     96.125     13 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E        192.168.100.47:49398
bridge1                    96.125     14 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E 10     192.168.100.47:49398
sfp-sfpplus1               96.125     15 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E 10     192.168.100.47:49398

Everything looks correct?

Everything looks correct at the CCR itself - in the dst-nat scenario, the packets to 192.168.0.2 leave the same way (vlan10 → bridge1 → sfp-sfpplus1) as in the case where you ssh from the CCR itself, but unlike in that case, no responses ever come back.

Hence either a route to 192.168.100.47 is missing at 192.168.0.2 (maybe no routes are configured at all, so only the automatically created one to 192.168.0.0/24 exists), or there is a firewall on 192.168.0.2 itself dropping access to port 22 from 192.168.100.47.
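The check described in the two posts above (request packets visible leaving an interface, no replies visible coming back on it) can be automated over a saved capture. The following is an added example, not code from the thread or from MikroTik: it parses the truncated `/tool sniffer quick` layout shown in the posts (interface, time, packet number, direction arrow, MACs, optional VLAN, source address), reports per-interface outbound/inbound counts, flags interfaces that only ever carried one direction, and applies a heuristic of my own for the SYN-retransmit pattern (gaps that roughly double) seen in the WAN capture. The two sample captures are constructed from the lines posted in the thread.

```python
"""Parse RouterOS '/tool sniffer quick' output and flag one-way flows.

Added example, not part of the original thread. Assumes the narrow,
truncated column layout that appears in the posts above; the real sniffer
prints more columns (DST-ADDRESS, protocol, size) when the window is wide.
"""
import re
from collections import defaultdict

# Constructed sample: first lines of the "SSH from the router" capture.
ROUTER_CAPTURE = """\
/tool sniffer quick ip-address=192.168.0.2 port=22
INTERFACE                    TIME    NUM DI SRC-MAC           DST-MAC           VLAN   SRC-ADDRESS
bridge1                    14.753     71 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E 10     192.168.0.1:49074
sfp-sfpplus1               14.753     72 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E 10     192.168.0.1:49074
vlan10                     14.753     73 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E        192.168.0.1:49074
bridge1                    14.753     74 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E 10     192.168.0.1:49074
sfp-sfpplus1               14.753     75 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E 10     192.168.0.1:49074
sfp-sfpplus1               14.784     76 <- 00:1B:21:BC:AC:2E B8:69:F4:C5:EF:E3 10     192.168.0.2:22 (ssh)
bridge1                    14.784     77 <- 00:1B:21:BC:AC:2E B8:69:F4:C5:EF:E3 10     192.168.0.2:22 (ssh)
vlan10                     14.784     78 <- 00:1B:21:BC:AC:2E B8:69:F4:C5:EF:E3        192.168.0.2:22 (ssh)
"""

# Constructed sample: the "SSH from the WAN" capture (dst-nat case).
WAN_CAPTURE = """\
/tool sniffer quick ip-address=192.168.0.2 port=22
INTERFACE                    TIME    NUM DI SRC-MAC           DST-MAC           VLAN   SRC-ADDRESS
vlan10                      81.09      1 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E        192.168.100.47:49398
bridge1                     81.09      2 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E 10     192.168.100.47:49398
sfp-sfpplus1                81.09      3 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E 10     192.168.100.47:49398
vlan10                       82.1      4 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E        192.168.100.47:49398
bridge1                      82.1      5 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E 10     192.168.100.47:49398
sfp-sfpplus1                 82.1      6 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E 10     192.168.100.47:49398
vlan10                     84.107      7 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E        192.168.100.47:49398
bridge1                    84.107      8 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E 10     192.168.100.47:49398
sfp-sfpplus1               84.107      9 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E 10     192.168.100.47:49398
vlan10                     88.121     10 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E        192.168.100.47:49398
bridge1                    88.121     11 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E 10     192.168.100.47:49398
sfp-sfpplus1               88.121     12 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E 10     192.168.100.47:49398
vlan10                     96.125     13 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E        192.168.100.47:49398
bridge1                    96.125     14 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E 10     192.168.100.47:49398
sfp-sfpplus1               96.125     15 -> B8:69:F4:C5:EF:E3 00:1B:21:BC:AC:2E 10     192.168.100.47:49398
"""

MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
# VLAN column is blank for packets seen on the vlan interface itself, so it is optional.
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<time>[\d.]+)\s+(?P<num>\d+)\s+(?P<dir>->|<-)\s+"
    rf"(?P<src_mac>{MAC})\s+(?P<dst_mac>{MAC})\s+(?:(?P<vlan>\d+)\s+)?(?P<src>\S+)"
)


def parse_sniffer(text):
    """Return one dict per packet line; header, command echo and blanks are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        packets.append({
            "iface": d["iface"], "time": float(d["time"]), "num": int(d["num"]),
            "dir": d["dir"], "vlan": int(d["vlan"]) if d["vlan"] else None,
            "src": d["src"],
        })
    return packets


def direction_summary(packets):
    """Map interface -> (outbound count, inbound count)."""
    counts = defaultdict(lambda: [0, 0])
    for p in packets:
        counts[p["iface"]][0 if p["dir"] == "->" else 1] += 1
    return {iface: tuple(c) for iface, c in counts.items()}


def one_way_interfaces(packets):
    """Interfaces that carried packets out but never saw a reply: the symptom in the thread."""
    return sorted(i for i, (out, inc) in direction_summary(packets).items() if out and not inc)


def outbound_intervals(packets, iface, src):
    """Seconds between successive outbound packets of one client socket on one interface."""
    times = sorted(p["time"] for p in packets
                   if p["iface"] == iface and p["dir"] == "->" and p["src"] == src)
    return [round(b - a, 3) for a, b in zip(times, times[1:])]


def looks_like_syn_retransmits(intervals):
    """Heuristic (assumption): gaps that roughly double (1, 2, 4, 8 s) match TCP SYN backoff."""
    if len(intervals) < 2:
        return False
    return all(a > 0 and 1.5 <= b / a <= 2.5 for a, b in zip(intervals, intervals[1:]))


if __name__ == "__main__":
    for name, cap in (("router", ROUTER_CAPTURE), ("wan", WAN_CAPTURE)):
        pk = parse_sniffer(cap)
        print(name, direction_summary(pk), "one-way:", one_way_interfaces(pk))
    print(outbound_intervals(parse_sniffer(WAN_CAPTURE), "sfp-sfpplus1", "192.168.100.47:49398"))
```

Run on the two captures, the router-originated one has replies on every interface, while the WAN-originated one shows only outbound packets on vlan10, bridge1 and sfp-sfpplus1, spaced about 1, 2, 4 and 8 seconds apart, which is what a client retrying its SYN looks like when the far host never answers. That narrows the fault to the target host (routing or a host firewall), not to the dst-nat or the forward chain.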

At the moment, the WAN of the CCR is plugged into the LAN of my current router until I figure out a way to get SSH access working. The target is a VyOS server that may be doing some voodoo magic I am not aware of; I changed the target of the DST-NAT to another system and it works fine to that system. Looks like it is time to set up my bastion system, since the router seems to be doing what it is supposed to and it is just the VyOS server that is causing my issue. I wasn’t going to keep it pointed there permanently anyway.