I upgraded from 7.16 to 7.20 and now when I SSH out via port 2222 to a remote system the router routes me to a local system that I have on port 2222 that’s portforwarded to. This happens on any port forwarding I have set up, for example if port 443 is forward to an internal system I can’t access sites that are using said port

Also tried to upgrade to 7.21.x and it didn’t fix the issue, not sure what I am missing.

This is my configuration:

```routeros

2026-02-24 09:26:29 by RouterOS 7.21.3

software id = 80TX-VEZY

model = RB5009UPr+S+

/interface bridge
add admin-mac=78:9A:18:D3:33:DA auto-mac=no comment=defconf name=bridge
port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] l2mtu=1514 poe-out=off
set [ find default-name=ether2 ] l2mtu=1514 poe-out=off
set [ find default-name=ether3 ] l2mtu=1514 rx-flow-control=auto
tx-flow-control=auto
set [ find default-name=ether4 ] l2mtu=1514
set [ find default-name=ether5 ] l2mtu=1514
set [ find default-name=ether6 ] l2mtu=1514
set [ find default-name=ether7 ] l2mtu=1514
set [ find default-name=ether8 ] l2mtu=1514
set [ find default-name=sfp-sfpplus1 ] l2mtu=1514
/interface wireguard
add comment=MainConnection disabled=yes listen-port=13231 mtu=1420 name=WG
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi configuration
add channel.band=2ghz-ax .frequency=2300-2483 .width=20mhz country=Canada
datapath.bridge=bridge disabled=no multicast-enhance=disabled name=
CaveManCorner2 security.authentication-types=wpa2-psk,wpa2-eap,wpa3-psk
ssid=CaveManCorner
add channel.band=5ghz-ax .frequency=5150-5875 .width=20/40/80mhz country=
Canada datapath.bridge=bridge disabled=no name=CaveManCorner-5g
security.authentication-types=wpa2-psk,wpa2-eap,wpa3-psk ssid=
CaveManCorner-5g
/interface wifi security
add authentication-types=wpa2-psk disabled=no name=REMOVED
/interface wifi

Redacted

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=150 force=yes name=option150 value="'192.168.254.10'"
/ip pool
add name=default-dhcp ranges=192.168.254.10-192.168.254.248
/snmp community
add addresses=::/0 comment=Basement name=Basement security=authorized
write-access=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10
path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10
path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10
path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10
path-cost=10
add bridge=bridge comment=defconf interface=ether6 internal-path-cost=10
path-cost=10
add bridge=bridge comment=defconf interface=ether7 internal-path-cost=10
path-cost=10
add bridge=bridge comment=defconf interface=ether8 internal-path-cost=10
path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus1 internal-path-cost=
10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=
WAN wan-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
add mac-address=FE:E0:9E:B2:4A:12 name=ovpn-server1
/interface wifi cap
set certificate=request discovery-interfaces=bridge
/interface wifi capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces=bridge
package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=none disabled=no master-configuration=REMOVED radio-mac=
00:00:00:00:00:00
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment=Phone endpoint-address=
192.168.253.30 endpoint-port=13231 interface=WG name=peer4 public-key=
"REMOVED=" responder=yes
/ip address
add address=192.168.254.249/24 comment=defconf interface=bridge network=
192.168.254.0
add address=192.168.1.5/24 interface=*D network=192.168.1.0
add address=192.168.253.2/24 comment=WG interface=WG network=192.168.253.0
/ip cloud
set ddns-update-interval=5m update-time=no
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=1d name=defconf
parent-queue=*FFFFFFFF
/ip dhcp-server lease
REMOVE RESERVED Addresses
/ip dhcp-server network
add address=192.168.254.0/24 comment=defconf dhcp-option=option150
dns-server=8.8.8.8,1.1.1.1 gateway=192.168.254.249
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.254.249 name=router.lan type=A
add address=192.168.254.116 name=taiga.somedomain.com type=A
/ip firewall address-list
add address=taiga.somedomain.com comment="Taiga Server" disabled=yes list=
wlan-ip
add address=192.168.254.116 comment=taiga.somedomain.com disabled=yes list=
wlan-ip
/ip firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=accept chain=input comment="WinBox Access" dst-port=8291 protocol=
tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
in-interface=lo src-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy"
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid

// Disabled as it’s blocking outgoing internet
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
disabled=yes in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=Tomcat dst-port=2240
in-interface-list=WAN log=yes protocol=tcp to-addresses=192.168.254.115
to-ports=22
add action=dst-nat chain=dstnat comment=Sys1SSH disabled=yes dst-port=
2222 in-interface-list=WAN log=yes protocol=tcp to-addresses=
192.168.254.63 to-ports=22
add action=masquerade chain=srcnat disabled=yes src-address=192.168.253.0/24

/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set ssh port=2222
set www-ssl disabled=no port=4443
set www disabled=yes port=8080
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=
33434-33534 protocol=udp
add action=accept chain=input comment=
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=
ipsec-esp
add action=accept chain=input comment=
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=
"defconf: drop everything else not coming from LAN" in-interface-list=
!LAN
add action=accept chain=forward comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1"
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=
ipsec-esp
add action=accept chain=forward comment=
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=
"defconf: drop everything else not coming from LAN" in-interface-list=
!LAN
/ipv6 nd
set [ find default=yes ] advertise-dns=yes
/snmp
set contact=dan@somedomain.com enabled=yes location=homebasement
trap-community=Basement trap-version=3
/system clock
set time-zone-name=America/Toronto
/system identity
set name="Router Basement"
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.nrc.ca comment=time.nrc.ca
/tool e-mail
set certificate-verification=no from=houseMTRouter port=465 server=
lamp.somedomain.com tls=starttls user=dan@somedomain.com
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Please edit your post and use "preformatted text" tag for code and remove serials and other secrets from the config

You should try to disable Detect Internet, and set all list to none:

image366×227 4.94 KB

Your issue really looks like that because of the way you configured Detect Internet, all your LAN interfaces (that includes the bridge) are put in the WAN interface list. As a result, they will be affected by these DSTNAT rules:

(because in-interface-list=WAN will match bridge)

EDIT: of course, once the fix is made, you should also re-enable this important rule:

As you can see, that rule blocked your outgoing traffic precisely because your bridge was wrongly placed in the WAN interface list.

Thank you! setting detect internet to none solved the issue. I had never looked into that setting before, will have read up on it more.

All you need to read is Rule #5 :
The twelve Rules of Mikrotik Club