I have set up a simple NAT rule to allow me to connect to a server from outside. I can currently ssh to my server from the router itself, as well as from inside the network, but I am unable to connect from outside the network (the connection times out). The other NAT rules work just fine, so is ssh a snowflake, or do I need to tweak something else? Also, what steps should I take to diagnose this?
# sep/28/2014 22:33:34 by RouterOS 5.26
# software id = HFLJ-B1QM
# Ethernet ports: name the gateway and WAN ports, and attach ether7-9 to
# ether6-master-local through master-port so the four ports act as one group.
/interface ethernet
set 0 name=sfp1-gateway
set 6 name=ether6-master-local
set 7 master-port=ether6-master-local name=ether7-slave-local
set 8 master-port=ether6-master-local name=ether8-slave-local
set 9 master-port=ether6-master-local name=ether9-slave-local
set 10 name=ether10-WAN
# Two bridges are defined. Every bridge port added later in this export joins
# FiberOp-bridge; no port is added to bridge-local.
/interface bridge
add admin-mac=D4:CA:6D:6F:6D:F3 auto-mac=no name=bridge-local protocol-mode=rstp
add l2mtu=1598 name=FiberOp-bridge protocol-mode=rstp
# VLAN 35 on ether10-WAN. The DHCP client and the general masquerade rule in
# this export both use FiberOp-VLAN, so it is the outside-facing interface.
/interface vlan
add interface=ether10-WAN l2mtu=1594 name=FiberOp-VLAN vlan-id=35
# WPA2-PSK profile used by the access point. No pre-shared key appears in this
# listing.
/interface wireless security-profiles
add authentication-types=wpa2-psk eap-methods=passthrough management-protection=allowed mode=dynamic-keys name=THA-WPA2 supplicant-identity=""
# First wireless interface: access point (ap-bridge) on 2437 MHz using the
# THA-WPA2 profile.
/interface wireless
set 0 band=2ghz-b/g/n channel-width=20/40mhz-ht-above country=canada disabled=no distance=indoors frequency=2437 ht-rxchains=0,1 ht-txchains=0,1 l2mtu=2290 mode=ap-bridge security-profile=THA-WPA2 ssid=THX1138 wireless-protocol=802.11
# DHCP lease range for the LAN. The dst-nat targets in this export
# (192.168.0.100 and 192.168.0.233) lie outside this range, so they are
# presumably addressed statically - verify their gateway settings by hand.
/ip pool
add name=InternalPool ranges=192.168.0.105-192.168.0.200
# DHCP server on the LAN bridge; add-arp=yes also creates ARP entries for
# the leases it hands out.
/ip dhcp-server
add add-arp=yes address-pool=InternalPool disabled=no interface=FiberOp-bridge name=FiberOp-DHCP
# LAN side: ether2-5, the ether6 group and wlan1 all join FiberOp-bridge.
/interface bridge port
add bridge=FiberOp-bridge interface=ether2
add bridge=FiberOp-bridge interface=ether3
add bridge=FiberOp-bridge interface=ether4
add bridge=FiberOp-bridge interface=ether5
add bridge=FiberOp-bridge interface=ether6-master-local
add bridge=FiberOp-bridge interface=wlan1
# The router's LAN address; it is also the gateway and DNS server that the
# DHCP network entry below advertises.
/ip address
add address=192.168.0.1/24 interface=FiberOp-bridge
# The outside address is obtained by DHCP on FiberOp-VLAN; DNS and NTP servers
# offered by the upstream are ignored.
/ip dhcp-client
add disabled=no interface=FiberOp-VLAN use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
# The router answers DNS queries itself and forwards to 8.8.8.8 / 8.8.4.4.
# NOTE(review): with allow-remote-requests=yes the resolver answers anything
# that can reach the router. The input-chain drops on sfp1-gateway and
# FiberOp-VLAN are what keep it off the outside; confirm they cover every
# outside-facing interface (ether10-WAN itself has no drop rule).
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
# Input chain: traffic addressed to the router itself. Rules without an
# action= use the default action, accept. ICMP and established/related
# connections are accepted; everything else arriving on sfp1-gateway or
# FiberOp-VLAN is dropped. Traffic arriving on other interfaces matches no
# drop rule and is therefore accepted.
# This listing has no chain=forward rules, so the router does not filter
# forwarded traffic, including connections redirected by the dst-nat rules
# below. The input-chain drops do not apply to those connections.
/ip firewall filter
add chain=input comment="Accept Ping" protocol=icmp
add chain=input comment="Accept Established" connection-state=established
add chain=input comment="Accept Related" connection-state=related
add action=drop chain=input in-interface=sfp1-gateway
add action=drop chain=input in-interface=FiberOp-VLAN
# Source NAT: the first rule is hairpin NAT for TCP 80 only (LAN clients
# leaving via FiberOp-bridge); the second masquerades LAN traffic leaving via
# FiberOp-VLAN.
# Destination NAT: TCP 80 and 5900 go to 192.168.0.100, TCP 22 goes to
# 192.168.0.233. dst-address is the author's placeholder for the external IP;
# because that address comes from a DHCP client, the rules stop matching if
# the lease changes.
# NOTE(review): the SSH rule has the same shape as the working HTTP and VNC
# rules; the only difference is the target host. Things to confirm:
#   - the rule's packet counter increases during an outside attempt;
#   - 192.168.0.233 uses 192.168.0.1 as its default gateway, and its host
#     firewall / sshd access rules accept sources outside 192.168.0.0/24;
#   - inbound TCP 22 is not filtered upstream of this router.
# SSH from the router or the LAN arrives from a 192.168.0.0/24 source, so a
# successful test from there exercises none of these.
# NOTE(review): none of the dst-nat rules restricts the source, so ports 80,
# 5900 and 22 are offered to any outside address. For the remote-access
# services (VNC, SSH) consider a src-address / src-address-list match on the
# rule, or reaching them through a VPN instead of a forwarded port.
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT HTTP" dst-port=80 out-interface=FiberOp-bridge protocol=tcp src-address=192.168.0.0/24
add action=masquerade chain=srcnat out-interface=FiberOp-VLAN src-address=192.168.0.0/24
add action=dst-nat chain=dstnat comment="NAT HTTP" dst-address=this.is.external.ip dst-port=80 protocol=tcp to-addresses=192.168.0.100 to-ports=80
add action=dst-nat chain=dstnat comment="NAT VNC" dst-address=this.is.external.ip dst-port=5900 protocol=tcp to-addresses=192.168.0.100 to-ports=5900
add action=dst-nat chain=dstnat comment="NAT SSH" dst-address=this.is.external.ip dst-port=22 protocol=tcp to-addresses=192.168.0.233 to-ports=22
# Neighbor discovery is switched off on the outside-facing interfaces and on
# the wireless interface, so the router does not announce itself there.
/ip neighbor discovery
set sfp1-gateway disabled=yes
set ether10-WAN disabled=yes
set wlan1 disabled=yes
set FiberOp-VLAN disabled=yes
# Router management services: telnet and ftp are disabled; the web interface
# (moved to port 8080), ssh and winbox only accept clients from
# 192.168.0.0/24.
# NOTE(review): services not listed here (for example api) keep whatever
# state they already had, which this export does not show - verify on the
# device.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.0.0/24 port=8080
set ssh address=192.168.0.0/24
set winbox address=192.168.0.0/24
# Time zone and NTP client (two fixed upstream servers).
/system clock
set time-zone-name=America/Halifax
/system ntp client
set enabled=yes primary-ntp=142.4.200.228 secondary-ntp=198.245.49.187
# The router also serves NTP. No rule in this export limits it by source;
# reachability from outside depends on the input-chain drops on the
# outside-facing interfaces.
/system ntp server
set enabled=yes
# MAC server (layer-2 management access) is enabled on each LAN port, on
# wlan1 and on bridge-local.
# NOTE(review): this access works at layer 2, so the /ip firewall filter
# rules and the address= limits under /ip service presumably do not apply to
# it - confirm. With wlan1 listed, any associated wireless client can reach
# the login prompt; remove the interfaces that do not need it.
# NOTE(review): unlike the mac-winbox section below, nothing here disables a
# default entry; check on the device whether one is still active.
/tool mac-server
add disabled=no interface=ether2
add disabled=no interface=ether3
add disabled=no interface=ether4
add disabled=no interface=ether5
add disabled=no interface=ether6-master-local
add disabled=no interface=ether7-slave-local
add disabled=no interface=ether8-slave-local
add disabled=no interface=ether9-slave-local
add disabled=no interface=wlan1
add disabled=no interface=bridge-local
# MAC-Winbox: the default entry is disabled and the same interface list is
# added explicitly.
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=wlan1
add interface=bridge-local
# Packet sniffer set to capture both directions. A capture on FiberOp-VLAN
# filtered to TCP 22 during an outside attempt would show whether the SYN
# reaches the router at all.
/tool sniffer
set filter-direction=any