First post to the forum, so be gentle with a noob. I have been using dd-wrt for many years, and have tried to migrate over to Mikrotik step by step. It has been a learning experience, to say the least. I expect my issue is a simple fix, but I have not been able to get it resolved after much searching.
I would like to enable remote ssh access with a DSA key pair. I have been able to get it working correctly when accessing from the LAN side. So I can successfully log in by ssh into 192.168.88.1 while I am on the .88 network.
When I try to gain ssh access over the WAN port (to give me access to the LAN) I have not been able to. I have been using a test setup with a double NAT, with the RB951G-2HnD WAN port (ether1-gateway) connected to my LAN, creating a new NAT’ed network with the Mikrotik.
So basically you have the public IP at some dynamic address.
Asus router running dd-wrt with NAT creating 192.168.168.0/26, gateway at .1
Mikrotik router with WAN via DHCP at 192.168.168.36
Mikrotik NAT creating 192.168.88.0/26, gateway at .1
So as long as I am connected by Mikrotik wifi to the .88.x network, I can log in via ssh key pair to 192.168.88.1, no issues.
When I am connected by Asus wifi to the .168.x network, I cannot access ssh at the 192.168.168.36 address.
I have the following setup in IP-Firewall-NAT:
Chain: dstnat
Protocol: tcp
Dst port: 22
In. Interface: ether1-gateway
Action: dst-nat
To addresses: 192.168.88.1
To ports: 22
Ultimately, I would like to run port 443 on the WAN side and forward to 22 on the LAN side, but for now I am just trying to get it working.
What am I missing? I have tried multiple different settings in the firewall rule.
You don't need to NAT traffic from the .168 network. NATing is only useful if you need to access a device other than the router from a different network.
The problem might be in the firewall filter, which by default blocks all communication originating from outside (WAN) into the router.
Try to disable all rules in firewall->filter or post an export of the firewall. You can do it via this command:
ip firewall export file=firewall
It will create a file called firewall.rsc, which you can find in the menu under the “Files” button. Simply drag and drop it to your PC and post the content of that file here.
Thanks, that makes some sense. Now I need to figure out how to port forward WAN-443 to 88.1-22. Or as a stepping stone open 22 up wide open and make sure the firewall is the issue.
Okay, I managed to get it working from the WAN side with the following adjustment.
This just opens port 22, however. But it does confirm the firewall rule did restore performance.
How would I adjust the rule to take port 443 and forward it to 22? I would rather use that port to host ssh on the WAN side.
I also noticed that I have to use the -i switch in the ssh command to force the key pair. If I don't, I get a prompt for the user's password, which does not function as key auth is in use. Is there a way to force the Mikrotik to key auth and not provide a non-working password prompt?
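
One way to do the WAN 443 to router port 22 forwarding asked about above, as an added example that is not part of the original thread. It assumes the WAN interface name ether1-gateway from the first post and an input chain that drops new WAN connections; the address list name ssh-admin and the 203.0.113.0/24 range are placeholders.

```routeros
# Added example (not from the thread). Interface name taken from the post;
# list name "ssh-admin" and 203.0.113.0/24 are placeholders.

# 1. Translate WAN tcp/443 to the router's own SSH service on tcp/22.
#    action=redirect targets the router itself, so no to-addresses is used
#    (the dst-nat rule to 192.168.88.1 from the first post is not needed).
/ip firewall nat add chain=dstnat in-interface=ether1-gateway protocol=tcp \
    dst-port=443 action=redirect to-ports=22 comment="WAN 443 -> router ssh"

# 2. dstnat is applied before the input filter, so the filter rule has to
#    match the translated port 22, not 443. Limit it to known admin sources
#    instead of opening SSH to every WAN address.
/ip firewall address-list add list=ssh-admin address=203.0.113.0/24 \
    comment="placeholder admin range"
/ip firewall filter add chain=input in-interface=ether1-gateway protocol=tcp \
    dst-port=22 src-address-list=ssh-admin action=accept \
    comment="allow redirected ssh from admin list"

# 3. A new filter rule is appended at the end of the chain. List the rules
#    and move the accept rule above the one that drops WAN input, otherwise
#    the drop matches first and the redirect appears not to work.
/ip firewall filter print where chain=input
```

Because the filter matches the translated port, a direct connection to WAN port 22 from the same address list is accepted as well, so keep that list narrow.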