SSH out via dst-nat

Hello,


I have an issue with SSH going out (tcp 22) to a server outside my network. I use ZeroTier VPN (added to the LAN interface list) and this NAT line:
Chain dstnat, action dst-nat, in interface list LAN, dst port 22 (connect to home server from VPN)

But when I try to connect from the internal network to an SSH server outside my network, this dst-nat rule redirects the connection to the local port.
Any ideas why it goes through the dstnat chain when I expect srcnat? I worked around it by adding the in-interface VPN match, but I would like to understand the reason behind this behaviour.

Best regards,
Filip

Can you post your config and try to explain in simpler terms what you are trying to do? I think you just want to redirect any outbound ssh traffic somewhere? If that’s the case, it’s a destination NAT you need: either redirect back to the MikroTik or dst-nat to another IP. No source NAT is involved unless you are intentionally sending it up a VPN tunnel, but you are not clear about what you are trying to do.

Sure,

I have a small server in my network that is accessible from both inside and outside on port 22.
When I connect from a computer in the same network to another server outside my network on the same port (22), the connection is forwarded to the server in my LAN, because both use port 22 and I have a rule forwarding port 22.

I expected a NAT rule with action dst-nat not to catch any connection from my local network unless it was changed to src-nat. So I guess outbound connections go through both src-nat and dst-nat?
diagram.png

# NOTE(review): this listing was pasted through a forum: straight quotes
# became typographic quotes (e.g. “czech republic”) and long commands were
# wrapped onto continuation lines, so it is not directly importable as-is.
/caps-man channel
add band=2ghz-b/g/n name=channel2
add band=5ghz-a/n/ac name=channel5
/interface bridge
add name=bridge port-cost-mode=short
/interface wireless
# Local radios: AP mode on the bridge, WPS disabled on both (WPS PIN
# negotiation is a known weak point, so leaving it off is the safe choice).
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX
country=“czech republic” disabled=no installation=indoor mode=ap-bridge
ssid=WiFi wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=
20/40/80mhz-XXXX country=“czech republic” disabled=no installation=indoor
mode=ap-bridge ssid=WiFi wireless-protocol=802.11 wps-mode=disabled
/interface ethernet
set [ find default-name=ether2 ] comment=A
set [ find default-name=ether3 ] comment=B
set [ find default-name=ether4 ] comment=C
set [ find default-name=ether5 ] comment=D
/interface wireguard
# WireGuard listener on UDP 13231; the matching input-chain accept is in
# /ip firewall filter further down.
add listen-port=13231 mtu=1420 name=wireguard1
/caps-man datapath
add bridge=bridge name=datapath1
/caps-man security
# CAPsMAN-managed SSID: only wpa2-psk / aes-ccm are listed (no WPA1/TKIP).
add authentication-types=wpa2-psk encryption=aes-ccm name=security1
/caps-man configuration
add channel=channel5 country=“czech republic” datapath=datapath1
installation=indoor mode=ap name=cfg5 security=security1 ssid=WiFi
add channel=channel2 country=“czech republic” datapath=datapath1
installation=indoor mode=ap name=cfg2 security=security1 ssid=WiFi
/interface list
add name=WAN
add name=VPN
# LAN is defined to *include* VPN. Any matcher on in-interface-list=LAN
# (dst-nat, input accept, neighbor discovery, ...) therefore also applies to
# the VPN members (wireguard1, zerotier1 in /interface list member), and
# because the bridge is itself a LAN member, a dstnat rule matching
# in-interface-list=LAN also catches outbound connections from internal
# hosts on the bridge - which is the behaviour described in the thread.
add include=VPN name=LAN
/interface wireless security-profiles
# Default security profile for the local radios: WPA2-PSK, dynamic keys.
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys
supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.20-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=dhcp1
/ip smb users
# Default SMB user is left disabled.
set [ find default=yes ] disabled=yes
/zerotier
set zt1 comment=“ZeroTier Central controller - > https://my.zerotier.com/> "
name=zt1 port=9993
/zerotier interface
# ZeroTier flags as exported: managed addresses/routes accepted, default and
# global routes refused. Network id is redacted (XXX) in the paste.
add allow-default=no allow-global=no allow-managed=yes disabled=no instance=
zt1 name=zerotier1 network=XXX
/caps-man manager
set enabled=yes
/caps-man manager interface
# CAPsMAN only accepts CAPs on the bridge; the default entry forbids all
# other interfaces.
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=b,g,gn
master-configuration=cfg2 name-format=identity
add action=create-dynamic-enabled hw-supported-modes=ac,an
master-configuration=cfg5 name-format=identity
/interface bridge port
add bridge=bridge interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge interface=wlan1 internal-path-cost=10 path-cost=10
add bridge=bridge interface=wlan2 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
# Discovery on LAN means on the VPN members too, since LAN includes VPN.
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
# ether1 is the only WAN member; the bridge is LAN; both tunnels are VPN
# (and therefore also LAN through the include on the LAN list).
add interface=ether1 list=WAN
add interface=bridge list=LAN
add interface=wireguard1 list=VPN
add interface=zerotier1 list=VPN
/interface wireguard peers
# One /32 allowed-address per peer; public keys are redacted (“XXX”) in the
# paste and the commands are wrapped by the forum.
add allowed-address=192.168.85.5/32 interface=
wireguard1 name=peer18 public-key=
“XXX”
add allowed-address=192.168.85.6/32 interface=
wireguard1 name=peer19 public-key=
“XXX”
/ip address
# 192.168.88.0/24 is the LAN (bridge), 192.168.85.0/24 the WireGuard subnet.
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=192.168.85.1/24 interface=wireguard1 network=192.168.85.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
# NOTE(review): the client-id/comment fields of the next two leases look
# mangled by the forum (“> :b:>”, stray quote); MAC addresses are placeholders.
# 192.168.88.5 is the server every dst-nat rule below points at and the
# first DNS server handed out; 192.168.88.11 receives the 8080->80 forward.
add address=192.168.88.6 client-id=1:d8:3a:dd> :b:> 12:55 wlan”
mac-address=DD:DD:DD:DD:DD:DD server=dhcp1
add address=192.168.88.5 client-id=1:d8:3a:dd> :b:> 12:54 lan"
mac-address=3A:3A:3A:3A:3A:3A server=dhcp1
add address=192.168.88.16 client-id=1:84:d8:1b:cf:88:86
mac-address=84:84:84:84:84:84 server=dhcp1
add address=192.168.88.15 client-id=1:28:87:ba:18:45:61
mac-address=61:61:61:61:61:61 server=dhcp1
add address=192.168.88.11 mac-address=C8:C8:C8:C8:C8:C8
server=dhcp1
add address=192.168.88.2 client-id=1:78:9a:18:bf:41:ee comment=
“cap” mac-address=78:9A:18:BF:41:EE server=dhcp1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.5,192.168.88.1 gateway=
192.168.88.1 netmask=24
/ip dns
# The router answers DNS for any client that reaches the input chain. The
# "drop input from !LAN" rule below keeps this off the WAN, but it stays
# reachable from the VPN members because LAN includes VPN.
set allow-remote-requests=yes
/ip firewall filter
# forward chain: fasttrack + accept established/related/untracked, drop invalid.
# NOTE(review): the defconf rule "drop all from WAN not DSTNATed"
# (connection-nat-state=!dstnat connection-state=new in-interface-list=WAN)
# does not appear in this paste. RouterOS accepts packets that match no rule,
# so new forward traffic arriving on ether1 is not dropped by this chain
# unless that rule was simply omitted from the post - confirm on the router.
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related,untracked hw-offload=no
add action=accept chain=forward comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
# Disabled; with no terminating drop after it, it changes nothing either way.
add action=accept chain=forward disabled=yes
in-interface-list=LAN
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
# input chain: the WireGuard listen port is accepted from every interface.
add action=accept chain=input dst-port=13231
protocol=udp
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=accept chain=input comment=ping in-interface-list=LAN protocol=
icmp
# Everything not from a LAN member is dropped. Because LAN includes VPN,
# wireguard1/zerotier1 peers get the same access to router services
# (DNS, management) as wired LAN hosts - verify that is the intent.
add action=drop chain=input in-interface-list=!LAN
/ip firewall nat
# Outbound masquerade on the WAN member (ether1).
add action=masquerade chain=srcnat out-interface-list=WAN
# Hairpin src-nat: any connection leaving through a LAN member (bridge or
# either tunnel) gets the router's address as its source. It is unrestricted,
# so hosts on 192.168.88.0/24 and VPN peers see the router rather than the
# real client in their logs/ACLs. Adding src-address=192.168.88.0/24
# dst-address=192.168.88.0/24 would limit it to the hairpin case - TODO confirm
# that the wider effect is intended.
add action=masquerade chain=srcnat
out-interface-list=LAN
# The 2283 forward has no in-interface-list matcher, so it matches on every
# interface: it is exposed on ether1 (WAN, nothing in the forward chain above
# drops it) and an internal host connecting out to port 2283 is redirected
# to 192.168.88.5 exactly as happened with port 22 before the VPN restriction.
add action=dst-nat chain=dstnat dst-port=2283 protocol=
tcp to-addresses=192.168.88.5 to-ports=2283
# Remaining forwards are limited to in-interface-list=VPN (wireguard1,
# zerotier1), which is the fix described in the thread; traffic from the
# bridge no longer matches them.
add action=dst-nat chain=dstnat dst-port=22
in-interface-list=VPN protocol=tcp to-addresses=192.168.88.5 to-ports=22
add action=dst-nat chain=dstnat dst-port=548
in-interface-list=VPN protocol=tcp to-addresses=192.168.88.5 to-ports=548
# dst-port=8092 is mapped to to-ports=8992 (not 8092) - TODO confirm this is
# deliberate and not a typo.
add action=dst-nat chain=dstnat dst-port=8092
in-interface-list=VPN protocol=tcp to-addresses=192.168.88.5 to-ports=
8992
add action=dst-nat chain=dstnat dst-port=8080
in-interface-list=VPN protocol=tcp to-addresses=192.168.88.11 to-ports=80
add action=dst-nat chain=dstnat dst-port=445
in-interface-list=VPN protocol=tcp to-addresses=192.168.88.5 to-ports=445

SRC-NAT and DST-NAT are very distinct operations. They happen at very different times (dst-nat is applied early in packet processing, before the firewall filter, and src-nat late, after the filter), and both can affect the same packet/connection if there are src-nat and dst-nat rules which match the same packet/connection. Which means that one has to be careful when constructing rules: add appropriate matching criteria so that each rule only applies to the packets that need it.
Which means that a connection going outside should only hit src-nat, and if it does not, then the dst-nat rule is “too greedy”. OTOH a connection directed at the internal server should hit only dst-nat and a specific src-nat (see below); it should not hit the default “masquerade traffic going out” rule …

When looking at your diagram I’m guessing you’ll need hairpin NAT for those SSH connections (so both dst-nat and src-nat for eligible connections).