Port forward doesn't work: SSH

Hi.

Maybe someone can point me in the right direction.

Problem: I have created a list of allowed IP addresses that can access our server from outside.
Everything is working for port :80. Allowed users can access it and work. The problem is with the SSH connection. Developers can't SSH into the server. They can reach :80, of course.

This works:
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat comment="SM inbound :80" dst-port=80 \
    in-interface=ether1 protocol=tcp src-address-list=AllowedUsers \
    to-addresses=192.168.0.99 to-ports=80

This doesn't work:
add action=dst-nat chain=dstnat comment="inbound SSH from WAN to local host" \
    dst-port=1227 in-interface=ether1 log=yes protocol=tcp src-address-list=\
    AllowedUsers to-addresses=192.168.0.99 to-ports=22

I have tried to make a firewall filter rule allowing port 1227, etc. I have searched the forum for a couple of days. No solution has helped me yet. After every new rule, I always ask them to try the connection.


/ip firewall filter

add action=accept chain=input comment=\
    "Accept established and related packets" connection-state=\
    established,related
add action=accept chain=input comment=\
    "Accept all connections from local network" in-interface=bridge1
add action=accept chain=input comment="Accept OpenVPN" dst-port=1194 \
    protocol=tcp
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=drop chain=input comment="Drop invalid packets" connection-state=\
    invalid
add action=drop chain=input comment=\
    "Drop all packets which are not destined to routes IP address" \
    dst-address-type=!local
add action=drop chain=input comment=\
    "Drop all packets which does not have unicast source IP address" \
    src-address-type=!unicast
add action=drop chain=input comment="Drop all packets from public internet whi\
    ch should not exist in public network" in-interface=ether1 \
    src-address-list=NotPublic
add action=accept chain=forward comment=\
    "Accept established and related packets" connection-state=\
    established,related
add action=accept chain=forward comment="Allow DSTNAT connections to WAN" \
    connection-nat-state=dstnat connection-state=established,related,new
add action=fasttrack-connection chain=forward comment="Fasttrack filter" \
    connection-state=established,related
add action=accept chain=forward comment="accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=drop chain=forward comment="Drop invalid packets" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "Drop new connections from internet which are not dst-natted" \
    connection-nat-state=!dstnat connection-state=new in-interface=ether1
add action=drop chain=forward comment="Drop all packets from public internet w\
    hich should not exist in public network" in-interface=ether1 \
    src-address-list=NotPublic
add action=drop chain=forward comment="Drop all packets from local network to \
    internet which should not exist in public network" dst-address-list=\
    NotPublic in-interface=bridge1
add action=drop chain=forward comment="Drop all packets in local network which\
    \_does not have local network address" in-interface=bridge1 src-address=\
    !192.168.0.0/24

/ip firewall nat

add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat comment="SM inbound :80" dst-port=80 \
    in-interface=ether1 protocol=tcp src-address-list=AllowedUsers \
    to-addresses=192.168.0.99 to-ports=80
add action=dst-nat chain=dstnat comment="inbound SSH from WAN to local host" \
    dst-port=1227 in-interface=ether1 log=yes protocol=tcp src-address-list=\
    AllowedUsers to-addresses=192.168.0.99 to-ports=22
add action=dst-nat chain=dstnat comment="xxxxxx" dst-address=\
    xxx.xxx.xxx.xxx dst-port=3389 log=yes protocol=tcp to-addresses=\
    192.168.0.32 to-ports=3389
add action=dst-nat chain=dstnat comment=xxxxxxx dst-address=xxx.xxx.xxx.xxx \
    dst-port=104 log=yes protocol=tcp to-addresses=192.168.0.30 to-ports=104

Log file; they tried connecting a couple of times:

12:37:14 firewall,info 1 prerouting: in:ether1 out:(unknown 0), src-mac xx.x.x.x.x.x, proto TCP (SYN), s.s.s.s.s.s.ss->Our_outer_IP:1227, len 52 
12:37:14 firewall,info dstnat: in:ether1 out:(unknown 0), src-mac xx.x.x.x.x.x, proto TCP (SYN), s.s.s.s.s.s.ss->Our_outer_IP:1227, len 52 
12:37:14 firewall,info 3 forward: in:ether1 out:bridge1, src-mac xx.x.x.x.x.x, proto TCP (SYN), s.s.s.s.s.s.ss->192.168.0.99:22, NAT s.s.s.s.s.s.ss->(Our_outer_IP:1227->192.168.0.99:22), len 52 
12:37:14 firewall,info 4 postrouting: in:(unknown 0) out:bridge1, src-mac xx.x.x.x.x.x, proto TCP (SYN), s.s.s.s.s.s.ss->192.168.0.99:22, NAT s.s.s.s.s.s.ss->(Our_outer_IP:1227->192.168.0.99:22), len 52 
12:37:30 firewall,info 1 prerouting: in:ether1 out:(unknown 0), src-mac xx.x.x.x.x.x, proto TCP (SYN), s.s.s.s.s.s.ss->Our_outer_IP:1227, len 52 
12:37:30 firewall,info dstnat: in:ether1 out:(unknown 0), src-mac xx.x.x.x.x.x, proto TCP (SYN), s.s.s.s.s.s.ss->Our_outer_IP:1227, len 52 
12:37:30 firewall,info 3 forward: in:ether1 out:bridge1, src-mac xx.x.x.x.x.x, proto TCP (SYN), s.s.s.s.s.s.ss->192.168.0.99:22, NAT s.s.s.s.s.s.ss->(Our_outer_IP:1227->192.168.0.99:22), len 52 
12:37:30 firewall,info 4 postrouting: in:(unknown 0) out:bridge1, src-mac xx.x.x.x.x.x, proto TCP (SYN), s.s.s.s.s.s.ss->192.168.0.99:22, NAT s.s.s.s.s.s.ss->(Our_outer_IP:1227->192.168.0.99:22), len 52 
12:37:31 firewall,info 1 prerouting: in:ether1 out:(unknown 0), src-mac xx.x.x.x.x.x, proto TCP (SYN), s.s.s.s.s.s.ss->Our_outer_IP:1227, NAT (s.s.s.s.s.s.ss->192.168.0.1:50366)->(Our_outer_IP:1227->192.168.0.99:22), len 52 
12:37:31 firewall,info 3 forward: in:ether1 out:bridge1, src-mac xx.x.x.x.x.x, proto TCP (SYN), s.s.s.s.s.s.ss->192.168.0.99:22, NAT (s.s.s.s.s.s.ss->192.168.0.1:50366)->(Our_outer_IP:1227->192.168.0.99:22), len 52 
12:37:31 firewall,info 4 postrouting: in:(unknown 0) out:bridge1, src-mac xx.x.x.x.x.x, proto TCP (SYN), s.s.s.s.s.s.ss->192.168.0.99:22, NAT (s.s.s.s.s.s.ss->192.168.0.1:50366)->(Our_outer_IP:1227->192.168.0.99:22), len 52 
12:37:33 firewall,info 1 prerouting: in:ether1 out:(unknown 0), src-mac xx.x.x.x.x.x, proto TCP (SYN), s.s.s.s.s.s.ss->Our_outer_IP:1227, NAT (s.s.s.s.s.s.ss->192.168.0.1:50366)->(Our_outer_IP:1227->192.168.0.99:22), len 52 
12:37:33 firewall,info 3 forward: in:ether1 out:bridge1, src-mac xx.x.x.x.x.x, proto TCP (SYN), s.s.s.s.s.s.ss->192.168.0.99:22, NAT (s.s.s.s.s.s.ss->192.168.0.1:50366)->(Our_outer_IP:1227->192.168.0.99:22), len 52 
12:37:33 firewall,info 4 postrouting: in:(unknown 0) out:bridge1, src-mac xx.x.x.x.x.x, proto TCP (SYN), s.s.s.s.s.s.ss->192.168.0.99:22, NAT (s.s.s.s.s.s.ss->192.168.0.1:50366)->(Our_outer_IP:1227->192.168.0.99:22), len 52 
12:37:37 firewall,info 1 prerouting: in:ether1 out:(unknown 0), src-mac xx.x.x.x.x.x, proto TCP (SYN), s.s.s.s.s.s.ss->Our_outer_IP:1227, NAT (s.s.s.s.s.s.ss->192.168.0.1:50366)->(Our_outer_IP:1227->192.168.0.99:22), len 52 
12:37:37 firewall,info 3 forward: in:ether1 out:bridge1, src-mac xx.x.x.x.x.x, proto TCP (SYN), s.s.s.s.s.s.ss->192.168.0.99:22, NAT (s.s.s.s.s.s.ss->192.168.0.1:50366)->(Our_outer_IP:1227->192.168.0.99:22), len 52 
12:37:37 firewall,info 4 postrouting: in:(unknown 0) out:bridge1, src-mac xx.x.x.x.x.x, proto TCP (SYN), s.s.s.s.s.s.ss->192.168.0.99:22, NAT (s.s.s.s.s.s.ss->192.168.0.1:50366)->(Our_outer_IP:1227->192.168.0.99:22), len 52 
12:37:45 firewall,info 1 prerouting: in:ether1 out:(unknown 0), src-mac xx.x.x.x.x.x, proto TCP (SYN), s.s.s.s.s.s.ss->Our_outer_IP:1227, len 52 
12:37:45 firewall,info dstnat: in:ether1 out:(unknown 0), src-mac xx.x.x.x.x.x, proto TCP (SYN), s.s.s.s.s.s.ss->Our_outer_IP:1227, len 52 
12:37:45 firewall,info 3 forward: in:ether1 out:bridge1, src-mac xx.x.x.x.x.x, proto TCP (SYN), s.s.s.s.s.s.ss->192.168.0.99:22, NAT s.s.s.s.s.s.ss->(Our_outer_IP:1227->192.168.0.99:22), len 52 
12:37:45 firewall,info 4 postrouting: in:(unknown 0) out:bridge1, src-mac xx.x.x.x.x.x, proto TCP (SYN), s.s.s.s.s.s.ss->192.168.0.99:22, NAT s.s.s.s.s.s.ss->(Our_outer_IP:1227->192.168.0.99:22), len 52
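Added example (written for this page; not part of the original post or of any reply, and not MikroTik code): a small parser for RouterOS firewall log lines in the format above, with the two checks worth running over them before touching the router again. First, does a SYN,ACK from 192.168.0.99:22 ever appear in the forward chain? If the SYNs are delivered and nothing comes back, the router did its job and the server is declining. Second, is the inbound client's source address being rewritten to the router's own LAN address on the way in, which is what the `NAT (...->192.168.0.1:50366)` part of the 12:37:31 lines shows? That second pattern matters beyond connectivity: a server that only ever sees 192.168.0.1 cannot enforce a source-IP allow-list, and its sshd logs stop recording who actually connected. The sample lines are constructed in the thread's format, with RFC 5737 addresses (198.51.100.10 for the developers, 203.0.113.5 for the router's WAN IP) standing in for the redacted ones; the second sample has the server answering.

```python
"""RouterOS firewall log triage for a dst-natted service (added example, not from the
thread or MikroTik): parse the lines, check whether the LAN server ever answers, and
flag inbound connections whose client address was rewritten to the router's LAN IP.
Sample lines are constructed in the thread's format; 198.51.100.10 (developer) and
203.0.113.5 (router WAN IP) are RFC 5737 stand-ins for the redacted addresses."""
from __future__ import annotations

import re
from dataclasses import dataclass

ROUTER_LAN_IP = "192.168.0.1"     # assumption: the router's bridge1 address
SERVER_SSH = "192.168.0.99:22"    # assumption: where WAN port 1227 is forwarded to

EP = r"[^\s(),>-]+"               # one address:port endpoint as RouterOS prints it
LINE_RE = re.compile(
    r"^(?P<time>\S+) firewall,info (?:\S+ )?"                      # optional log-prefix
    r"(?P<chain>prerouting|dstnat|srcnat|input|output|forward|postrouting): "
    r"in:(?P<in>\(unknown \d+\)|\S+) out:(?P<out>\(unknown \d+\)|\S+), "
    r"src-mac \S+, proto (?P<proto>\w+(?: \([^)]*\))?), "
    rf"(?P<src>{EP})->(?P<dst>{EP})(?:, NAT (?P<nat>.+?))?, len \d+\s*$"
)
# NAT field: "src->(dst->dst')" when only the destination was rewritten, or
# "(src->src')->(dst->dst')" when both were; the first pair is always the source.
NAT_RE = re.compile(
    rf"^(?:\((?P<s_from>{EP})->(?P<s_to>{EP})\)|{EP})->\((?P<d_from>{EP})->(?P<d_to>{EP})\)$"
)


@dataclass(frozen=True)
class Entry:
    time: str
    chain: str
    in_if: str
    out_if: str
    proto: str
    src: str
    dst: str
    nat_src: tuple[str, str] | None   # (before, after) if the source was rewritten
    nat_dst: tuple[str, str] | None   # (before, after) if the destination was rewritten


def ip_of(endpoint: str) -> str:
    """'198.51.100.10:50366' -> '198.51.100.10'."""
    return endpoint.rsplit(":", 1)[0]


def parse_line(line: str) -> Entry:
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised firewall log line: {line!r}")
    nat_src = nat_dst = None
    if m["nat"]:
        n = NAT_RE.match(m["nat"])
        if n is None:
            raise ValueError(f"unrecognised NAT field: {m['nat']!r}")
        if n["s_from"]:
            nat_src = (n["s_from"], n["s_to"])
        nat_dst = (n["d_from"], n["d_to"])
    return Entry(m["time"], m["chain"], m["in"], m["out"], m["proto"],
                 m["src"], m["dst"], nat_src, nat_dst)


def parse_log(lines) -> list[Entry]:
    return [parse_line(line) for line in lines if line.strip()]


def reply_summary(entries, server: str = SERVER_SSH) -> tuple[int, int]:
    """(SYNs forwarded to the server, SYN,ACKs forwarded back from it). Deliveries
    with no answer mean the router did its job and the server declined."""
    syn_in = sum(e.chain == "forward" and e.dst == server and e.proto == "TCP (SYN)"
                 for e in entries)
    synack_out = sum(e.chain == "forward" and e.src == server and e.proto == "TCP (SYN,ACK)"
                     for e in entries)
    return syn_in, synack_out


def find_snat_leaks(entries, router_lan_ip: str = ROUTER_LAN_IP) -> list[tuple[str, str, str]]:
    """(time, real client IP, server endpoint) for every forwarded packet in which the
    client's address was replaced by the router's LAN address. The server then sees
    every external client as router_lan_ip: a source-IP allow-list on it cannot work,
    and its auth logs no longer say who really connected."""
    leaks = []
    for e in entries:
        if e.chain != "forward":
            continue
        if e.nat_src and ip_of(e.nat_src[1]) == router_lan_ip:
            leaks.append((e.time, ip_of(e.nat_src[0]), e.dst))      # client -> server
        elif e.nat_dst and ip_of(e.nat_dst[0]) == router_lan_ip:
            leaks.append((e.time, ip_of(e.nat_dst[1]), e.src))      # server -> client reply
    return leaks


# Constructed samples. A: catch-all masquerade in place, server never answers.
SAMPLE_FAILING = [
    "12:37:14 firewall,info dstnat: in:ether1 out:(unknown 0), src-mac aa:44:00:00:00:71, proto TCP (SYN), 198.51.100.10:50366->203.0.113.5:1227, len 52",
    "12:37:14 firewall,info 3 forward: in:ether1 out:bridge1, src-mac aa:44:00:00:00:71, proto TCP (SYN), 198.51.100.10:50366->192.168.0.99:22, NAT 198.51.100.10:50366->(203.0.113.5:1227->192.168.0.99:22), len 52",
    "12:37:31 firewall,info 1 prerouting: in:ether1 out:(unknown 0), src-mac aa:44:00:00:00:71, proto TCP (SYN), 198.51.100.10:50366->203.0.113.5:1227, NAT (198.51.100.10:50366->192.168.0.1:50366)->(203.0.113.5:1227->192.168.0.99:22), len 52",
    "12:37:31 firewall,info 3 forward: in:ether1 out:bridge1, src-mac aa:44:00:00:00:71, proto TCP (SYN), 198.51.100.10:50366->192.168.0.99:22, NAT (198.51.100.10:50366->192.168.0.1:50366)->(203.0.113.5:1227->192.168.0.99:22), len 52",
]
# B: same masquerade, but the server now accepts 192.168.0.1 and answers.
SAMPLE_QUICK_FIX = [
    "14:10:02 firewall,info 3 forward: in:ether1 out:bridge1, src-mac aa:44:00:00:00:71, proto TCP (SYN), 198.51.100.10:16057->192.168.0.99:22, NAT 198.51.100.10:16057->(203.0.113.5:1227->192.168.0.99:22), len 52",
    "14:10:02 firewall,info 5 prerouting: in:bridge1 out:(unknown 0), src-mac 00:1a:4b:e6:86:7a, proto TCP (SYN,ACK), 192.168.0.99:22->192.168.0.1:16057, NAT (192.168.0.99:22->203.0.113.5:1227)->(192.168.0.1:16057->198.51.100.10:16057), len 52",
    "14:10:02 firewall,info 6 forward: in:bridge1 out:ether1, src-mac 00:1a:4b:e6:86:7a, proto TCP (SYN,ACK), 192.168.0.99:22->198.51.100.10:16057, NAT (192.168.0.99:22->203.0.113.5:1227)->(192.168.0.1:16057->198.51.100.10:16057), len 52",
    "14:10:02 firewall,info 3 forward: in:ether1 out:bridge1, src-mac aa:44:00:00:00:71, proto TCP (ACK), 198.51.100.10:16057->192.168.0.99:22, NAT (198.51.100.10:16057->192.168.0.1:16057)->(203.0.113.5:1227->192.168.0.99:22), len 40",
]

if __name__ == "__main__":
    for name, sample in (("failing", SAMPLE_FAILING), ("quick fix", SAMPLE_QUICK_FIX)):
        entries = parse_log(sample)
        print(name, "SYN/SYN,ACK:", reply_summary(entries), "leaks:", find_snat_leaks(entries))
```

Both samples trip `find_snat_leaks`: the quick fix the developers later applied on the server makes the connection work but leaves the real client address invisible to the server, which is exactly why it should not stay.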

Show the command you used to SSH from the WAN side.

It should be something like

ssh ROUTERIP -p 1227

You didn't post the rules that produced the log, so we don't know what you have there. If you don't have it already, add also this, to log responses from the server:

/ip firewall mangle
add chain=prerouting src-address=192.168.0.99 protocol=tcp src-port=22 action=log

And you'll see if the server responds or not.

Basically, as you said:

ssh ROUTERIP -p 1227

Tried the PuTTY software too.

Sorry, man. New to this.

In Firewall mangle I have:

0  D ;;; special dummy rule to show fasttrack counters
      chain=prerouting action=passthrough 
 1  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 
 2  D ;;; special dummy rule to show fasttrack counters
      chain=postrouting action=passthrough 
 3    chain=prerouting action=log protocol=tcp in-interface=ether1 dst-port=22 log-prefix="1" 
 4    chain=postrouting action=log protocol=tcp dst-address=192.168.0.99 dst-port=22 log-prefix="4" 
 5    chain=prerouting action=log protocol=tcp src-address=192.168.0.99 src-port=22 log-prefix="5" 
 6    chain=postrouting action=log protocol=tcp src-address=192.168.0.99 src-port=22 log-prefix="7"

The thing I noted is that your masquerade rule is not complete...
add action=masquerade chain=srcnat
Normally
add action=masquerade chain=srcnat out-interface=ether1 (assuming you have a dynamic WAN IP)

I don't think that is the source of your problems, and the other rules seem OK, including the port translation from 1227 to 22.
One doesn't need special rules on the firewall side, but you must have a rule (and probably the default rule) that allows port forwarding; otherwise the first case would not have worked.

Conclusion: It's the server, LOL. Or the PC firewall on the server.

So you already have the rule (with prefix "5") and it doesn't log anything. In that case, check the server, because the router is sending packets there, but the server doesn't send anything back.

We have a static IP. If I add out-interface=ether1, then everything breaks :)

Yeah, I think so too, that there's something wrong with the server. But it's funny, because the server is ours, but the software running on it doesn't belong to us. So they don't give out any credentials to us. We as a company can't SSH into the server or whatever. It's their policy.


Anyway, thanks guys, I will try to reach them again and again with questions.

The source NAT rule for a static WAN IP should be in the following format:
add action=src-nat chain=srcnat to-addresses=thefixedwanIP out-interface-list=WAN

The only other question I have is how you are attempting to access the server:
from inside the LAN, or only from external internet users??

So the first 2 NAT rules look like this?

0    chain=srcnat action=masquerade log=no log-prefix="" 
1    chain=srcnat action=src-nat to-addresses=StaticWANIP out-interface=ether1 log=no log-prefix=""

So on the server we have a website.
From the LAN side everyone is using it.
From the WAN side only 1 office WAN IP is allowed to access it.

  • from the WAN side, developers for :80 (works) and :22 (which isn't working)

You can delete, or if you feel better just disable, the masquerade rule; it is not required.
So from the LAN side people just use port 22 and the LAN IP of the server??


What are all the mangle rules for??
I would get rid of them (disable temporarily) and see if port forwarding works then.

Actually, I tried to disable the masquerade rule and everything breaks. I can't connect to our server from the LAN. And nobody can connect from outside either.

From the LAN side people only use the website, which is on :80. They use 192.168.0.99 or our inner domain name http://aplicationname
From outside, SSH is used only by the software developers. They said that we can't test it from inside because there's no permission for that.

Those are for testing the SSH connection, to see if packets go to the server or not. Tried to disable all mangle rules; same, can't SSH to the server.

I think I will just put back the old router and ask them to quickly test the connection to it. If they can SSH to the server, then something is wrong with my MikroTik configuration.

Weird, try out-interface=WAN instead of the ether port.

Nope, doesn't work. Tested even out-interface-list, etc.

Well, for any more support you are going to have to post the entire config, less the sensitive bits...



/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=combo1 ] disabled=yes
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] arp=proxy-arp comment=LAN
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add comment="SVC dynamic LAN Pool" name=dhcp ranges=192.168.0.100-192.168.0.254
add comment="VPN Pool" name=VPN_Pool ranges=192.168.11.10-192.168.11.20
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 lease-time=3d name=dhcp1
/ppp profile
add change-tcp-mss=yes interface-list=LAN local-address=192.168.0.1 name=VPN \
    remote-address=dhcp use-encryption=yes
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=combo1
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/interface ovpn-server server
set auth=sha1 certificate=Server cipher=aes256 enabled=yes \
    require-client-certificate=yes
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=VPN
/ip address
add address=192.168.0.1/24 comment=LAN interface=bridge1 network=192.168.0.0
add address=Static_wan_IP/24 comment=WAN interface=ether1 network=xx.xxx.xx.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=62.65.16.7,192.168.0.1 gateway=\
    192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=195.122.12.242,80.232.230.242
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
add address=100.64.0.0/10 comment=RFC6890 list=NotPublic
add address=127.0.0.0/8 comment=RFC6890 list=NotPublic
add address=169.254.0.0/16 comment=RFC6890 list=NotPublic
add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
add address=192.0.0.0/24 comment=RFC6890 list=NotPublic
add address=192.0.2.0/24 comment=RFC6890 list=NotPublic
add address=192.168.0.0/16 comment=RFC6890 list=NotPublic
add address=192.88.99.0/24 comment=RFC3068 list=NotPublic
add address=198.18.0.0/15 comment=RFC6890 list=NotPublic
add address=198.51.100.0/24 comment=RFC6890 list=NotPublic
add address=203.0.113.0/24 comment=RFC6890 list=NotPublic
add address=224.0.0.0/4 comment=RFC4601 list=NotPublic
add address=240.0.0.0/4 comment=RFC6890 list=NotPublic
add address=xxxxxxx comment="xxxxxxxx xxxx" disabled=yes list=\
    AllowedUsers
add address=192.168.0.2-192.168.0.254 list=AllowedLan
add address=xxxx comment=xxxxx list=AllowedUsers
add address=xxxxx comment="xxx xxx xx " list=AllowedUsers
add address=xxxxxx comment="xxx xxx xxx xxx " list=AllowedUsers
add address=xxxxxx comment=xxxxxxxxxxx disabled=yes list=AllowedUsers
/ip firewall filter
add action=log chain=forward disabled=yes dst-address=192.168.0.99 dst-port=22 \
    log-prefix=3 protocol=tcp
add action=log chain=forward disabled=yes log-prefix=6 protocol=tcp \
    src-address=192.168.0.99 src-port=22
add action=accept chain=input comment="Accept established and related packets" \
    connection-state=established,related
add action=accept chain=input comment=\
    "Accept all connections from local network" in-interface=bridge1
add action=accept chain=input comment="Accept OpenVPN" dst-port=1194 protocol=\
    tcp
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=drop chain=input comment="Drop invalid packets" connection-state=\
    invalid
add action=drop chain=input comment=\
    "Drop all packets which are not destined to routes IP address" \
    dst-address-type=!local
add action=drop chain=input comment=\
    "Drop all packets which does not have unicast source IP address" \
    src-address-type=!unicast
add action=drop chain=input comment="Drop all packets from public internet which\
    \_should not exist in public network" in-interface=ether1 src-address-list=\
    NotPublic
add action=accept chain=forward comment=\
    "Accept established and related packets" connection-state=\
    established,related
add action=accept chain=forward comment="Allow DSTNAT connections to WAN" \
    connection-nat-state=dstnat connection-state=established,related,new
add action=fasttrack-connection chain=forward comment="Fasttrack filter" \
    connection-state=established,related
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=\
    in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=\
    out,ipsec
add action=drop chain=forward comment="Drop invalid packets" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "Drop new connections from internet which are not dst-natted" \
    connection-nat-state=!dstnat connection-state=new in-interface=ether1
add action=drop chain=forward comment="Drop all packets from public internet whi\
    ch should not exist in public network" in-interface=ether1 \
    src-address-list=NotPublic
add action=drop chain=forward comment="Drop all packets from local network to in\
    ternet which should not exist in public network" dst-address-list=NotPublic \
    in-interface=bridge1
add action=drop chain=forward comment="Drop all packets in local network which d\
    oes not have local network address" in-interface=bridge1 src-address=\
    !192.168.0.0/24
/ip firewall mangle
add action=log chain=prerouting disabled=yes dst-port=22 in-interface=ether1 \
    log-prefix=1 protocol=tcp
add action=log chain=postrouting disabled=yes dst-address=192.168.0.99 \
    dst-port=22 log-prefix=4 protocol=tcp
add action=log chain=prerouting disabled=yes log-prefix=5 protocol=tcp \
    src-address=192.168.0.99 src-port=22
add action=log chain=postrouting disabled=yes log-prefix=7 protocol=tcp \
    src-address=192.168.0.99 src-port=22
/ip firewall nat
add action=masquerade chain=srcnat
add action=src-nat chain=srcnat disabled=yes out-interface=ether1 to-addresses=\
    Static_wan_IP
add action=dst-nat chain=dstnat comment="xxxx xxxxx xxx" dst-port=80 \
    in-interface=ether1 protocol=tcp src-address-list=AllowedUsers \
    to-addresses=192.168.0.99 to-ports=80
add action=dst-nat chain=dstnat comment="inbound SSH from WAN to local host" \
    dst-port=1227 in-interface=ether1 log=yes protocol=tcp src-address-list=\
    AllowedUsers to-addresses=192.168.0.99 to-ports=22
add action=dst-nat chain=dstnat comment="Remote desktop" dst-address=\
    Static_wan_IP dst-port=3389 log=yes protocol=tcp to-addresses=192.168.0.32 \
    to-ports=3389
add action=dst-nat chain=dstnat comment=Rentgenam dst-address=Static_wan_IP \
    dst-port=104 log=yes protocol=tcp to-addresses=192.168.0.30 to-ports=104
/ip route
add distance=1 gateway=xx.xxx.xx.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=2222
set api disabled=yes
set winbox address=192.168.0.0/24 port=xxxxxx
set api-ssl disabled=yes
/lcd
set color-scheme=dark default-screen=stats-all read-only-mode=yes
/ppp secret
add name=xxxxx profile=VPN service=ovpn
/system clock
set time-zone-name=Europe/Riga
/system logging
add topics=pptp
add disabled=yes topics=dhcp
add disabled=yes topics=ovpn
add topics=ssh
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/ip firewall filter
add action=accept chain=input comment="Accept established and related packets" \
    connection-state=established,related
add action=accept chain=input comment=\
    "Accept all connections from local network" in-interface=bridge1
add action=accept chain=input comment="Accept OpenVPN" dst-port=1194 protocol=\
    tcp
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=drop chain=input comment="Drop invalid packets" connection-state=\
    invalid
add action=drop chain=input comment=\
    "Drop all packets which are not destined to routes IP address" \
    dst-address-type=!local
add action=drop chain=input comment=\
    "Drop all packets which does not have unicast source IP address" \
    src-address-type=!unicast
add action=drop chain=input comment="Drop all packets from public internet which\
    \_should not exist in public network" in-interface=ether1 src-address-list=\
    NotPublic
add action=accept chain=forward comment=\
    "Accept established and related packets" connection-state=\
    established,related
add action=accept chain=forward comment="Allow DSTNAT connections to WAN" \
    connection-nat-state=dstnat connection-state=established,related,new
add action=fasttrack-connection chain=forward comment="Fasttrack filter" \
    connection-state=established,related
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=\
    in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=\
    out,ipsec
add action=drop chain=forward comment="Drop invalid packets" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "Drop new connections from internet which are not dst-natted" \
    connection-nat-state=!dstnat connection-state=new in-interface=ether1
add action=drop chain=forward comment="Drop all packets from public internet whi\
    ch should not exist in public network" in-interface=ether1 \
    src-address-list=NotPublic
add action=drop chain=forward comment="Drop all packets from local network to in\
    ternet which should not exist in public network" dst-address-list=NotPublic \
    in-interface=bridge1
add action=drop chain=forward comment="Drop all packets in local network which d\
    oes not have local network address" in-interface=bridge1 src-address=\
    !192.168.0.0/24

(1) Okay, these rules are garbage and noisy. GET RID OF THEM. I don't use them and in the end I'm not sure what purpose they serve...
add action=drop chain=input comment=\
    "Drop all packets which are not destined to routes IP address" \
    dst-address-type=!local
add action=drop chain=input comment=\
    "Drop all packets which does not have unicast source IP address" \
    src-address-type=!unicast
add action=drop chain=input comment="Drop all packets from public internet which\
    \_should not exist in public network" in-interface=ether1 src-address-list=\
    NotPublic

Just use one rule at the end of the input chain...
add chain=input action=drop comment="Drop All Else"

(2) Your forward chain is messy, for example this...

add action=drop chain=forward comment=\
    "Drop new connections from internet which are not dst-natted" \
    connection-nat-state=!dstnat connection-state=new in-interface=ether1
add action=drop chain=forward comment="Drop all packets from public internet whi\
    ch should not exist in public network" in-interface=ether1 \
    src-address-list=NotPublic
add action=drop chain=forward comment="Drop all packets from local network to in\
    ternet which should not exist in public network" dst-address-list=NotPublic \
    in-interface=bridge1
add action=drop chain=forward comment="Drop all packets in local network which d\
    oes not have local network address" in-interface=bridge1 src-address=\
    !192.168.0.0/24

and this

add action=accept chain=forward comment="Allow DSTNAT connections to WAN" \
    connection-nat-state=dstnat connection-state=established,related,new
add action=fasttrack-connection chain=forward comment="Fasttrack filter" \
    connection-state=established,related




The forward chain should be clear and simple, so moving forward rearrange to this approach:
first rule: the default fasttrack rule (if what you have is not the default, i.e. you have modified it, get rid of it and put the default back in)
second rule: default accept
third rule: default block invalid packets
THEN USER RULES for which traffic to allow
last rule: block all else

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid/malformed packets" \
    connection-state=invalid

USER RULES LIKE:
ALLOW LAN TO WAN
ALLOW admin PC to other subnets or VLANs if you had them
ALLOW users in one subnet to use a shared printer in another subnet, etc.
{important one for port forwarding}
add chain=forward action=accept in-interface-list=WAN \
    connection-nat-state=dstnat

Last rule:
add action=drop chain=forward comment="DROP ALL other FORWARD traffic"

I don't particularly use the NEW setting, because when the filter matches a rule you have allowed (accept), that is the new session; subsequent traffic packets are captured by established or related.

Thanks, man. Cleaned everything up.

Called them. So the problem is that the server only responds to SSH requests from their WAN IP.

How the server sees it: they're connecting to us, and then the router forwards their request to the server. But the server sees the MikroTik IP address 192.168.0.1, so it doesn't send anything back. Hence it fails to respond.
He managed to put the MikroTik IP address (192.168.0.1) in the server, and everything works now.

But he told me that this is not right. This is just a quick fix.

Maybe you have some ideas how to fix this?

This is the log file from the SSH connection to the server, when he added 192.168.0.1 to the server's accepted address list and the connection worked.

14:08:08 firewall,info 3 forward: in:ether1 out:bridge1, src-mac aa:44:00:00:00:71, proto TCP (ACK), Developers_WAN_IP:19237->192.168.0.99:22, NAT (Developers_WAN_IP:19237->192.168.0.1:19237)->(Our_WAN_IP:1227->192.168.0.99:22), len 40 
14:08:08 firewall,info 4 postrouting: in:(unknown 0) out:bridge1, src-mac aa:44:00:00:00:71, proto TCP (ACK), Developers_WAN_IP:19237->192.168.0.99:22, NAT (Developers_WAN_IP:19237->192.168.0.1:19237)->(Our_WAN_IP:1227->192.168.0.99:22), len 40 
14:10:02 firewall,info dstnat: in:ether1 out:(unknown 0), src-mac aa:44:00:00:00:71, proto TCP (SYN), Developers_WAN_IP:16057->Our_WAN_IP:1227, len 52 
14:10:02 firewall,info 3 forward: in:ether1 out:bridge1, src-mac aa:44:00:00:00:71, proto TCP (SYN), Developers_WAN_IP:16057->192.168.0.99:22, NAT Developers_WAN_IP:16057->(Our_WAN_IP:1227->192.168.0.99:22), len 52 
14:10:02 firewall,info 4 postrouting: in:(unknown 0) out:bridge1, src-mac aa:44:00:00:00:71, proto TCP (SYN), Developers_WAN_IP:16057->192.168.0.99:22, NAT Developers_WAN_IP:16057->(Our_WAN_IP:1227->192.168.0.99:22), len 52 
14:10:02 firewall,info 5 prerouting: in:bridge1 out:(unknown 0), src-mac 00:1a:4b:e6:86:7a, proto TCP (SYN,ACK), 192.168.0.99:22->192.168.0.1:16057, NAT (192.168.0.99:22->Our_WAN_IP:1227)->(192.168.0.1:16057->Developers_WAN_IP:16057), len 52 
14:10:02 firewall,info 6 forward: in:bridge1 out:ether1, src-mac 00:1a:4b:e6:86:7a, proto TCP (SYN,ACK), 192.168.0.99:22->Developers_WAN_IP:16057, NAT (192.168.0.99:22->Our_WAN_IP:1227)->(192.168.0.1:16057->Developers_WAN_IP:16057), len 52 
14:10:02 firewall,info 7 postrouting: in:(unknown 0) out:ether1, src-mac 00:1a:4b:e6:86:7a, proto TCP (SYN,ACK), 192.168.0.99:22->Developers_WAN_IP:16057, NAT (192.168.0.99:22->Our_WAN_IP:1227)->(192.168.0.1:16057->Developers_WAN_IP:16057), len 52 
14:10:02 firewall,info 3 forward: in:ether1 out:bridge1, src-mac aa:44:00:00:00:71, proto TCP (ACK), Developers_WAN_IP:16057->192.168.0.99:22, NAT (Developers_WAN_IP:16057->192.168.0.1:16057)->(Our_WAN_IP:1227->192.168.0.99:22), len 40 
14:10:02 firewall,info 4 postrouting: in:(unknown 0) out:bridge1, src-mac aa:44:00:00:00:71, proto TCP (ACK), Developers_WAN_IP:16057->192.168.0.99:22, NAT (Developers_WAN_IP:16057->192.168.0.1:16057)->(Our_WAN_IP:1227->192.168.0.99:22), len 40 
14:10:05 firewall,info 3 forward: in:ether1 out:bridge1, src-mac aa:44:00:00:00:71, proto TCP (ACK,FIN), Developers_WAN_IP:16057->192.168.0.99:22, NAT (Developers_WAN_IP:16057->192.168.0.1:16057)->(Our_WAN_IP:1227->192.168.0.99:22), len 40 
14:10:05 firewall,info 4 postrouting: in:(unknown 0) out:bridge1, src-mac aa:44:00:00:00:71, proto TCP (ACK,FIN), Developers_WAN_IP:16057->192.168.0.99:22, NAT (Developers_WAN_IP:16057->192.168.0.1:16057)->(Our_WAN_IP:1227->192.168.0.99:22), len 40 
14:10:05 firewall,info 5 prerouting: in:bridge1 out:(unknown 0), src-mac 00:1a:4b:e6:86:7a, proto TCP (ACK), 192.168.0.99:22->192.168.0.1:16057, NAT (192.168.0.99:22->Our_WAN_IP:1227)->(192.168.0.1:16057->Developers_WAN_IP:16057), len 40 
14:10:05 firewall,info 6 forward: in:bridge1 out:ether1, src-mac 00:1a:4b:e6:86:7a, proto TCP (ACK), 192.168.0.99:22->Developers_WAN_IP:16057, NAT (192.168.0.99:22->Our_WAN_IP:1227)->(192.168.0.1:16057->Developers_WAN_IP:16057), len 40 
14:10:05 firewall,info 7 postrouting: in:(unknown 0) out:ether1, src-mac 00:1a:4b:e6:86:7a, proto TCP (ACK), 192.168.0.99:22->Developers_WAN_IP:16057, NAT (192.168.0.99:22->Our_WAN_IP:1227)->(192.168.0.1:16057->Developers_WAN_IP:16057), len 40 
14:10:05 firewall,info 5 prerouting: in:bridge1 out:(unknown 0), src-mac 00:1a:4b:e6:86:7a, proto TCP (ACK,FIN), 192.168.0.99:22->192.168.0.1:16057, NAT (192.168.0.99:22->Our_WAN_IP:1227)->(192.168.0.1:16057->Developers_WAN_IP:16057), len 40 
14:10:05 firewall,info 6 forward: in:bridge1 out:ether1, src-mac 00:1a:4b:e6:86:7a, proto TCP (ACK,FIN), 192.168.0.99:22->Developers_WAN_IP:16057, NAT (192.168.0.99:22->Our_WAN_IP:1227)->(192.168.0.1:16057->Developers_WAN_IP:16057), len 40 
14:10:05 firewall,info 7 postrouting: in:(unknown 0) out:ether1, src-mac 00:1a:4b:e6:86:7a, proto TCP (ACK,FIN), 192.168.0.99:22->Developers_WAN_IP:16057, NAT (192.168.0.99:22->Our_WAN_IP:1227)->(192.168.0.1:16057->Developers_WAN_IP:16057), len 40 
14:10:05 firewall,info 3 forward: in:ether1 out:bridge1, src-mac aa:44:00:00:00:71, proto TCP (ACK), Developers_WAN_IP:16057->192.168.0.99:22, NAT (Developers_WAN_IP:16057->192.168.0.1:16057)->(Our_WAN_IP:1227->192.168.0.99:22), len 40 
14:10:05 firewall,info 4 postrouting: in:(unknown 0) out:bridge1, src-mac aa:44:00:00:00:71, proto TCP (ACK), Developers_WAN_IP:16057->192.168.0.99:22, NAT (Developers_WAN_IP:16057->192.168.0.1:16057)->(Our_WAN_IP:1227->192.168.0.99:22), len 40

He gave this info on what he sees from his side:

tcpdump:
13:59:31.577031 IP 192.168.0.1.domain > 192.168.0.99.28420: 40568 3/0/0 CNAME they.comany.eu., CNAME they.comany.eu., A Theyr_WAN_IP (100)

sshd auth:

the connection is from Theyr_WAN_IP, but on dst-srv it sees:

Mar 18 13:59:23 ourcompany sshd[51335]: twist 192.168.0.1 to /bin/echo "You are not welcome to use sshd from 192.168.0.1."
Mar 18 13:59:38 ourcompany sshd[51431]: Connection reset by 127.0.0.1 port 28780 [preauth]

If the ssh server sees MT's IP as the source address, then you have a SRC-NAT rule which interferes. In particular:

/ip firewall nat
add chain=srcnat action=masquerade

It is too greedy and performs masquerade for just any packet passing the router, regardless of origin or destination.

The default rule is

add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

Note the last part about out-interface-list ...

Thanks anav and mkx for the help.

Problem solved.

For those who are interested in the solution:

Problem 1: If you don't know what's in the configuration on the server, better first call or write to support.
Problem 2: I thought that the server allows all connections to the Apache server port :80.

So when I put this rule in NAT:
add action=masquerade chain=srcnat

it's working on port :80 because on the server requests from 127.0.0.1 are allowed. But requests for SSH are allowed only from the developers' IP. So somebody from outside connects to :80 and the server sees that the request comes from 192.168.0.1 (LAN). It's allowed, so the server responds. But it doesn't work on SSH because requests from inner IPs aren't allowed.

When anav told me to change the masquerade rule to only the out interface, it stopped working, because now the server sees the outer IP as the requester. So it denies :80 requests from ME! So in my mind I think that it breaks things... But actually it's fixed, and allowed IPs in the server are welcomed.

Solution:
0 ;;; HAIRPIN
  chain=srcnat action=masquerade src-address=192.168.0.0/24
  dst-address=192.168.0.0/24 log=no log-prefix=""

1 ;;; def masquerade
  chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix=""
  ipsec-policy=out,none

Simple solution, but yeah. Lesson learned.
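To make the two rule sets comparable without a router in hand, here is an added example (written for this page; not from the thread, its posters, or MikroTik) that models the path a forwarded packet takes on RouterOS: dst-nat in prerouting, the routing decision, then the first matching srcnat rule in postrouting, where masquerade substitutes the egress interface's own address. It shows why the developers' sshd saw 192.168.0.1 under the original catch-all masquerade and the real office address under the fixed pair, and why the HAIRPIN rule is still needed for LAN clients reaching a forwarded service through the WAN address (without it the forwarded host answers the LAN client directly, and the client resets a connection it opened to a different address). Only the matchers the thread's rules use are modelled and `ipsec-policy=out,none` is ignored; the addresses 203.0.113.5 (the redacted static WAN IP), 198.51.100.10 (the developers' office IP), the contents of the AllowedUsers list and the server-side SSH allow-list are all assumptions.

```python
"""Where does a forwarded packet's source address end up under the thread's two srcnat
rule sets? Added example, not from the thread or MikroTik. Models dst-nat (prerouting),
routing, then first-match srcnat (postrouting); masquerade rewrites the source to the
egress interface's address. 203.0.113.5 and 198.51.100.10 are RFC 5737 stand-ins."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, replace

WAN_IF, LAN_IF = "ether1", "bridge1"
IFACE_LIST = {"WAN": {WAN_IF}, "LAN": {LAN_IF}}          # /interface list member
IFACE_ADDR = {WAN_IF: "203.0.113.5", LAN_IF: "192.168.0.1"}  # WAN IP assumed
LAN_NET = ipaddress.ip_network("192.168.0.0/24")
SERVER = "192.168.0.99"
ALLOWED_USERS = {"198.51.100.10"}      # address-list AllowedUsers (assumed contents)
SSH_ALLOWLIST = {"198.51.100.10"}      # what the server's own sshd accepts (assumed)

# (in-interface or None, src-address-list or None, dst-port, to-addresses, to-ports)
DSTNAT = [
    (WAN_IF, ALLOWED_USERS, 80,   SERVER,         80),    # "SM inbound :80"
    (WAN_IF, ALLOWED_USERS, 1227, SERVER,         22),    # "inbound SSH from WAN to local host"
    (None,   None,          3389, "192.168.0.32", 3389),  # "Remote desktop": dst-address only
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_if: str


@dataclass(frozen=True)
class SrcNatRule:
    """One 'chain=srcnat action=masquerade' rule; None means that matcher is absent."""
    out_if_list: str | None = None
    src_net: str | None = None
    dst_net: str | None = None
    comment: str = ""


def in_net(addr: str, net: str | None) -> bool:
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def dstnat(p: Packet) -> Packet:
    """Prerouting: the first matching dst-nat rule rewrites destination address and port."""
    if p.dst != IFACE_ADDR[WAN_IF]:
        return p
    for in_if, src_list, dport, to_addr, to_port in DSTNAT:
        if p.dport != dport or (in_if and p.in_if != in_if):
            continue
        if src_list is not None and p.src not in src_list:
            continue
        return replace(p, dst=to_addr, dport=to_port)
    return p


def route(dst: str) -> str:
    """Routing decision: connected LAN prefix via bridge1, default route via ether1."""
    return LAN_IF if ipaddress.ip_address(dst) in LAN_NET else WAN_IF


def srcnat(p: Packet, out_if: str, rules: list[SrcNatRule]) -> str:
    """Postrouting: first matching masquerade rule replaces the source with the
    egress interface's address; with no match the source is left alone."""
    for r in rules:
        if r.out_if_list and out_if not in IFACE_LIST[r.out_if_list]:
            continue
        if not in_net(p.src, r.src_net) or not in_net(p.dst, r.dst_net):
            continue
        return IFACE_ADDR[out_if]
    return p.src


def deliver(p: Packet, rules: list[SrcNatRule]) -> tuple[str, int, str] | None:
    """(destination, port, source address the destination sees), or None when the
    packet is for the router itself (input chain) rather than forwarded."""
    p = dstnat(p)
    if p.dst in IFACE_ADDR.values():
        return None
    return p.dst, p.dport, srcnat(p, route(p.dst), rules)


def ssh_accepted(p: Packet, rules: list[SrcNatRule]) -> bool:
    """Does the server's source-IP allow-list for sshd admit this connection?"""
    d = deliver(p, rules)
    return d is not None and d[:2] == (SERVER, 22) and d[2] in SSH_ALLOWLIST


GREEDY = [SrcNatRule(comment="masquerade with no matchers (the original rule)")]
FIXED = [
    SrcNatRule(src_net="192.168.0.0/24", dst_net="192.168.0.0/24", comment="HAIRPIN"),
    SrcNatRule(out_if_list="WAN", comment="def masquerade"),
]
DEV_SSH = Packet("198.51.100.10", "203.0.113.5", 1227, WAN_IF)   # developer -> WAN IP:1227

if __name__ == "__main__":
    for name, rules in (("greedy", GREEDY), ("fixed", FIXED)):
        print(name, deliver(DEV_SSH, rules), "ssh accepted:", ssh_accepted(DEV_SSH, rules))
```

Two caveats visible in the export. The :80 and :1227 dst-nat rules carry `in-interface=ether1`, so a LAN client addressing the WAN IP on those ports is not forwarded at all; the HAIRPIN rule only comes into play for the 3389 and 104 rules, which match on `dst-address` alone. And the catch-all masquerade was more than a connectivity bug: with it in place every external SSH login would have been recorded by the server as coming from 192.168.0.1, so the `src-address-list=AllowedUsers` on the router's dst-nat rule was the only source-based control actually in effect.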