port forwarding with firewall

Hi,

I am trying to log into an MT router, with Winbox, that is on a local area network behind another MT router connected to the public internet with a static IP.

Router A, connected to the public internet with a static IP; LAN address: 192.168.1.1

Router B, connected to Router A on the LAN with static IP: 192.168.1.225

Router A firewall:

/ip firewall address-list
add address=192.168.1.0/24 list=mylan
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="accept port 80 input" dst-port=80 in-interface=ether1-gateway protocol=tcp
add chain=input comment="accept port 22 input" dst-port=22 in-interface=ether1-gateway protocol=tcp
add chain=input comment="default configuration" dst-port=8291 in-interface=ether1-gateway protocol=tcp
add chain=forward comment="default configuration" dst-port=8297 in-interface=ether1-gateway protocol=tcp
add action=drop chain=input comment="rule 1" connection-state=invalid
add action=drop chain=forward comment="rule 2" connection-state=invalid
add chain=input comment="rule 3" src-address-list=mylan
add chain=input comment="rule 4" connection-state=established
add chain=forward comment="rule 6" connection-state=new src-address-list=mylan
add chain=forward comment="rule 7" connection-state=related
add chain=forward comment="rule 8" connection-state=established
add action=drop chain=forward comment="rule 9"
add action=drop chain=input comment="rule 5"
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway to-addresses=0.0.0.0
add action=dst-nat chain=dstnat dst-port=22 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.1 to-ports=22
add action=dst-nat chain=dstnat dst-port=8297 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.225 to-ports=8291
######### end of router A firewall #########

With the firewall filter active, I cannot connect to router B, with Winbox, from the public internet.

With the firewall turned off, I can connect to router B, with Winbox, from the public internet.

My question is:
How can I modify the Router A firewall so that I can connect to router B, with Winbox, from the public internet?

Thanks,

Don James

I am unable to contact router B from the public internet

try changing this

add chain=forward comment="default configuration" dst-port=8297 in-interface=ether1-gateway protocol=tcp

to

add chain=forward comment="default configuration" dst-port=8291 in-interface=ether1-gateway protocol=tcp

I wouldn't leave the SSH service on its default port (22); move it to another unused high port.

Leaving well-known management ports open in the input chain (the router itself) will surely lead to your router suffering brute-force attacks.

I have other MT routers on the local area network. In order to reach them, I have to use a port other than 8291. I have to do port translation:

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=8297 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.225 to-ports=8291

Regards,

Don James

> I have other MT routers on the local area network. In order to reach them, I have to use a port other than 8291. I have to do port translation:
>
> /ip firewall nat
> add action=dst-nat chain=dstnat dst-port=8297 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.225 to-ports=8291
>
> Regards,
>
> Don James

Then you'll have to use a different dst-port in the dst-nat rules, as you already did.

I think you're mixing dst-nat dst-port with filter rules dst-port.

The change I proposed, i.e.

```text
add chain=forward comment="default configuration" dst-port=8291 in-interface=ether1-gateway protocol=tcp
```

Is telling the router:

Let forwarded connections (i.e. those traversing the router) to dst-port tcp/8291 entering by ether1-gateway pass.

dst-nat happens before a single packet enters the forward chain; once dst-nat is done, the dst-port of that connection is 8291, not 8297. That's why you can't connect.

If you wanted to port forward to more routers, you'd keep that single filter rule and just add more dst-nat rules, e.g.

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=8295 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.225 to-ports=8291
add action=dst-nat chain=dstnat dst-port=8296 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.226 to-ports=8291
add action=dst-nat chain=dstnat dst-port=8297 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.227 to-ports=8291
add action=dst-nat chain=dstnat dst-port=8298 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.228 to-ports=8291

without the need to add more filter rules.

Have a look at the Packet Flow Diagram for more info.
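The ordering pukkita describes (dst-nat first, forward filter second) can be checked with this added Python model; it is example code written for this thread, not the thread's own configuration or anything from RouterOS. It parses the rule lines quoted above and shows that a forward rule matching dst-port=8297 never fires after translation, while one matching 8291 does. The constructed packet, the two-stage ordering and the treatment of src-address-list as a plain packet field are simplifying assumptions.

```python
import shlex
# Added example, not from the thread: a minimal model of the RouterOS packet flow for a new
# inbound TCP connection. dstnat runs first, then the forward chain (the NAT target is another
# host, so the input chain is not involved). Rule text is the thread's own syntax.
NAT = """/ip firewall nat
add action=dst-nat chain=dstnat dst-port=8297 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.225 to-ports=8291
"""
FILTER = """/ip firewall filter
add chain=forward comment="default configuration" dst-port={port} in-interface=ether1-gateway protocol=tcp
add action=drop chain=forward comment="rule 2" connection-state=invalid
add chain=forward comment="rule 6" connection-state=new src-address-list=mylan
add chain=forward comment="rule 7" connection-state=related
add chain=forward comment="rule 8" connection-state=established
add action=drop chain=forward comment="rule 9"
"""
# Only the matchers the thread uses are modelled; everything else on a rule is ignored.
MATCH_KEYS = ("protocol", "dst-port", "in-interface", "connection-state", "src-address-list")

def parse_rules(cfg):
    """Turn each 'add k=v ...' line into a dict; shlex keeps quoted comments intact."""
    return [dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
            for line in cfg.splitlines() if line.startswith("add ")]

def matches(rule, pkt):
    return all(pkt.get(k) == v for k, v in rule.items() if k in MATCH_KEYS)

def apply_dstnat(nat_rules, pkt):
    """First matching dstnat rule rewrites the destination address and port."""
    for r in nat_rules:
        if r["chain"] == "dstnat" and matches(r, pkt):
            return {**pkt, "dst-address": r["to-addresses"], "dst-port": r["to-ports"]}
    return pkt

def forward_verdict(filter_rules, pkt):
    """First matching forward rule decides; a rule without action= accepts."""
    for r in filter_rules:
        if r["chain"] == "forward" and matches(r, pkt):
            return r.get("action", "accept")
    return "accept"  # RouterOS default when no rule matches

def simulate(filter_port):
    """Constructed Winbox SYN from the internet to public port 8297, run through both stages."""
    pkt = {"protocol": "tcp", "dst-port": "8297", "in-interface": "ether1-gateway",
           "connection-state": "new"}
    after_nat = apply_dstnat(parse_rules(NAT), pkt)
    verdict = forward_verdict(parse_rules(FILTER.format(port=filter_port)), after_nat)
    return after_nat["dst-port"], verdict
```

`simulate("8297")` returns `("8291", "drop")` because the translated packet falls through to rule 9, while `simulate("8291")` returns `("8291", "accept")`.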

Hi pukkita,

You were exactly right. I finally got it to work. Here’s my firewall configuration:

/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=forward comment="default configuration" disabled=yes dst-port=8295 in-interface=ether1-gateway protocol=tcp
add chain=input comment="accept port 80 input" dst-port=80 in-interface=ether1-gateway protocol=tcp
add chain=input comment="accept port 22 input" dst-port=22 in-interface=ether1-gateway protocol=tcp
add chain=forward comment="default configuration" dst-address=192.168.1.0/24 dst-port=8291 in-interface=ether1-gateway protocol=tcp
add chain=input comment="default configuration" dst-address=192.168.1.0/24 dst-port=8291 in-interface=ether1-gateway protocol=tcp
add action=drop chain=input comment="rule 1" connection-state=invalid
add action=drop chain=forward comment="rule 2" connection-state=invalid
add chain=input comment="rule 3" connection-state=new src-address-list=mylan
add chain=input comment="rule 3" connection-state=new src-address-list=mylan2
add chain=input comment="rule 4" connection-state=established
add chain=forward comment="rule 6" connection-state=new src-address-list=mylan
add chain=forward comment="rule 6" connection-state=new src-address-list=mylan2
add chain=forward comment="rule 7" connection-state=related
add chain=forward comment="rule 8" connection-state=established
add action=drop chain=input comment="rule 5"
add action=drop chain=forward comment="rule 9"
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway to-addresses=0.0.0.0
add action=dst-nat chain=dstnat dst-address=208.180.113.242 dst-port=22 protocol=tcp to-addresses=192.168.1.1 to-ports=22
add action=dst-nat chain=dstnat dst-address=208.180.113.242 dst-port=80 protocol=tcp to-addresses=192.168.1.1 to-ports=80
add action=dst-nat chain=dstnat dst-port=8291 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.1 to-ports=8291
add action=dst-nat chain=dstnat dst-port=8295 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.4 to-ports=8291

Thanks a bunch.

Sincerely,

Don James
Henderson, Texas USA