Hi all,
I need to configure port forwarding for our SSH JumpHost. I have an ISP “Business Internet” with a Static IP, and the tech layout is as follows:
INTERNET <=> ISP MODEM <=> RB3011 (WAN port is ether1) <=> INTERNAL Network
The changes I made are:
[admin@RB3011] > /ip/firewall/filter/print where comment="Romulus"
Flags: X - disabled, I - invalid; D - dynamic
1 ;;; Romulus
chain=forward action=accept protocol=tcp in-interface=ether1 dst-port=22 log=no log-prefix=""
[admin@RB3011] > /ip/firewall/nat/print where comment="Romulus"
Flags: X - disabled, I - invalid; D - dynamic
1 ;;; Romulus
chain=dstnat action=dst-nat to-addresses=192.168.XXX.XXX to-ports=6022 protocol=tcp in-interface=ether1 dst-port=22 log=no log-prefix=""
THE ISSUE: When I connect to my server:
Host romulus-ext
HostName XXX.XXX.XXX.XXX <== This is our ISP's fixed IP address
User [obfuscated]
Port 22
using the same ssh config entry above,
(1) The connection when I’m NOT INSIDE the office network works fine, and it’s forwarded directly to the Jump Host.
(2) The connection when I’m INSIDE the office network somehow seems to go to RB3011 (I can tell after the yielded SHA256 signature):
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:49BjZTUwqtDHfjNwI+Ip5TB+7I1ylz4f/EZW4WVbxYs.
For the sake of clarity, consider the office network as the network managed entirely by our RB3011.
By the way - I didn’t want to open 22 on the ISP modem. I would have wanted to change it to a more random port, but I need to work with what I can arrange with the ISP.