RB750G Nat and SSH

Hi All,

I’ve just discovered MikroTik and RouterOS so I am very new to them. My friend highly recommended them. I’ve been a Cisco + Linux guy for a while now so RouterOS feels very nice to use.

I have a very obscure problem with my setup. I am trying to simply create a NAT rule for a host on my LAN for SSH but I am failing for some reason. Here are my details:

What I’m finding is that I have a dst-nat rule set up and if I SSH to my WAN interface (from an external server) it hits the rule but then times out. Now the weird thing is I moved the rule one time to the first position and then it started to work. I thought great, it was a preference thing. So I changed the dst address to another SSH host on my LAN and then it broke again… same symptoms, the rule is being hit but it never establishes the connection.

My current NAT config is as follows:

 0  ;;; Lan Masq
     chain=srcnat action=masquerade src-address=10.1.1.0/24 
     out-interface=pppoe-out1 

 1  ;;; SSH to Deb 
     chain=dstnat action=dst-nat to-addresses=10.1.1.242 to-ports=22 
     protocol=tcp in-interface=pppoe-out1 port=22

and my firewall:

 0   ;;; Added by webbox
     chain=input action=accept protocol=icmp 

 1   ;;; Allow established connections
     chain=input action=accept connection-state=established 
     in-interface=pppoe-out1 

 2   ;;; Added by webbox
     chain=input action=accept connection-state=related 
     in-interface=pppoe-out1 

 3   chain=forward action=accept protocol=tcp in-interface=pppoe-out1 
     dst-port=22 

 4   ;;; Added by webbox
     chain=input action=drop in-interface=pppoe-out1

Any ideas, anyone? I’m using a RouterBOARD 750G with 2.25 firmware and all my packages are 4.5, for what it’s worth.

Cheers

I have an RB750 and have a redirect nat rule to a local server. My syntax is a little different
as I am not using pppoe. Here is my nat rule:

to redirect port 22 from the internet to a local server at 192.168.0.36:

/ip firewall nat add chain=dstnat action=dst-nat protocol=tcp dst-port=22 to-addresses=192.168.0.36 in-interface=ether1

Here are the firewall rules that apply:

8 ;;; From our private LAN
chain=input action=accept src-address=192.168.0.0/24

6 ;;; SSH for secure shell
chain=input action=accept protocol=tcp dst-port=22

Our nat rules are similar. I don’t have the forward rule in my firewall. I just accept port 22.

Wow, ok…

I removed the to-ports and it is working/continuing to work. I’ll keep trying to replicate it; if I specify the to-ports then it breaks straight away :confused:

Good deal. I used the syntax I saw in some of Mikrotik’s examples. It seems logical it would work either way though.

fb

Hi all,

I have a similar problem with an RB3011 (RouterOS 6.40.5).
I’ve several dst nat rules. All of them are doing fine except the rules to forward access to port 22.
When trying to connect from outside using port 22, a timeout occurs.

I’ve added a separate rule forwarding port 222 to 22 for testing purposes. Access to port 222 works fine.

The logs didn’t show any information. It seems that the request is handled by the router board before getting DST-NATed.

> /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; Reverse Proxy
      chain=dstnat action=dst-nat to-addresses=192.168.200.9 protocol=tcp in-interface-list=wan dst-port=80 log=no log-prefix="PROXY" 

 1    ;;; Reverse Proxy
      chain=dstnat action=dst-nat to-addresses=192.168.200.9 protocol=tcp in-interface-list=wan dst-port=443 log=no log-prefix="PROXY" 

 2    ;;; SSH 1
      chain=dstnat action=dst-nat to-addresses=192.168.200.36 protocol=tcp in-interface=uplink1 dst-port=22 log=yes log-prefix="SSH-1" 

 3    ;;; SSH 1
      chain=dstnat action=dst-nat to-addresses=192.168.200.36 to-ports=22 protocol=tcp in-interface=uplink1 dst-port=222 log=yes log-prefix="TMP-SSH-1" 

 4    ;;; SSH 2
      chain=dstnat action=dst-nat to-addresses=192.168.200.13 protocol=tcp in-interface=uplink2 dst-port=22 log=yes log-prefix="SSH-2" 

 5    ;;; SSH 2
      chain=dstnat action=dst-nat to-addresses=192.168.200.13 to-ports=22 protocol=tcp in-interface=uplink2 dst-port=222 log=yes log-prefix="TMP-SSH-2" 

 6    ;;; SMTP
      chain=dstnat action=dst-nat to-addresses=192.168.200.34 protocol=tcp in-interface-list=wan dst-port=25 log=no log-prefix="SMTP" 

 7    ;;; SMTP
      chain=dstnat action=dst-nat to-addresses=192.168.200.34 protocol=tcp in-interface-list=wan dst-port=465 log=yes log-prefix="SMTP" 

 8    ;;; SMTP
      chain=dstnat action=dst-nat to-addresses=192.168.200.34 protocol=tcp in-interface-list=wan dst-port=587 log=no log-prefix="SMTP" 

 9    ;;; IMAP
      chain=dstnat action=dst-nat to-addresses=192.168.200.34 protocol=tcp in-interface-list=wan dst-port=933 log=yes log-prefix="IMAP" 

10    ;;; IMAP
      chain=dstnat action=dst-nat to-addresses=192.168.200.34 protocol=tcp in-interface-list=wan dst-port=143 log=no log-prefix="IMAP" 

11    ;;; WAN uplink1
      chain=srcnat action=masquerade out-interface=uplink1 log=no log-prefix="" 

12    ;;; WAN uplink2
      chain=srcnat action=masquerade out-interface=uplink2 log=no log-prefix=""

> /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; OpenVPN
      chain=input action=accept protocol=tcp dst-port=1194 log=no log-prefix="" 

 1    ;;; accept ICMP
      chain=input action=accept protocol=icmp log=no log-prefix="" 

 2    ;;; accept established,related
      chain=input action=accept connection-state=established,related log=no log-prefix="" 

 3    ;;; drop all from WAN
      chain=input action=drop in-interface-list=wan log=yes log-prefix="WAN DENY" 

 4    ;;; accept established,related
      chain=forward action=accept connection-state=established,related log=no log-prefix="" 

 5    ;;; drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix="WAN DENY INVALID" 

 6    ;;; drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=wan log=yes log-prefix="WAN DENY NOT DSTNAT"