SSH service not working

Hi there,

I wonder why my router can’t be reached over SSH from external IP addresses.

Does anybody have a clue on this?

# mar/18/2022 08:29:45 by RouterOS 6.48.6
# software id = VSTX-MV85
#
# model = RBD52G-5HacD2HnD
# serial number = C6140C2E3ACE
# NOTE(review): an export omits secrets (wireless PSKs, PPPoE password) but
# this one still carries the serial number, admin/virtual-AP MACs, the public
# WAN address 118.179.232.213, the ISP account name (used as system identity)
# and the ISP check-in URL; redact those before sharing further.
/interface bridge
add admin-mac=48:8F:5A:6C:FD:60 auto-mac=no name=bridge
add name=bridge_jcc
/interface ethernet
set [ find default-name=ether4 ] comment="SMC switch old network"
/interface list
add name=WAN
add name=LAN
# Wireless security profiles. The default profile is wpa2-psk only; <myname>,
# kids, akdom, CANLBOX-URM, "Cabinet Bowen" and jccjuju still allow wpa-psk
# (WPA1), and akguest, kids and CANLBOX-URM still allow the tkip cipher.
# akguest and kids also lack disable-pmkid=yes.
# NOTE(review): WPA1 and TKIP are deprecated; authentication-types=wpa2-psk
# with aes-ccm only and disable-pmkid=yes on every profile is the usual
# hardening unless a specific legacy client needs the old settings.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk disable-pmkid=yes \
    mode=dynamic-keys supplicant-identity=my::NET
add authentication-types=wpa-psk,wpa2-psk disable-pmkid=yes eap-methods="" \
    group-key-update=1h mode=dynamic-keys name=<myname> supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm \
    management-protection=allowed mode=dynamic-keys name=akguest \
    supplicant-identity="" unicast-ciphers=tkip,aes-ccm
add authentication-types=wpa-psk,wpa2-psk,wpa-eap,wpa2-eap eap-methods="" \
    group-ciphers=tkip,aes-ccm mode=dynamic-keys name=kids \
    supplicant-identity="" unicast-ciphers=tkip,aes-ccm
add authentication-types=wpa-psk,wpa2-psk disable-pmkid=yes eap-methods="" \
    mode=dynamic-keys name=akdom supplicant-identity=""
add authentication-types=wpa-psk,wpa2-psk disable-pmkid=yes eap-methods="" \
    group-ciphers=tkip,aes-ccm management-protection=allowed mode=\
    dynamic-keys name=CANLBOX-URM supplicant-identity="" unicast-ciphers=\
    tkip,aes-ccm
add authentication-types=wpa-psk,wpa2-psk disable-pmkid=yes eap-methods="" \
    mode=dynamic-keys name="Cabinet Bowen" supplicant-identity=""
add authentication-types=wpa-psk,wpa2-psk disable-pmkid=yes eap-methods="" \
    mode=dynamic-keys name=jccjuju supplicant-identity=""
# Physical radios (wlan1 2.4 GHz, wlan2 5 GHz) plus one virtual AP per SSID
# and band. WPS is disabled everywhere.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n basic-rates-a/g=\
    6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps basic-rates-b=\
    1Mbps,2Mbps,5.5Mbps,11Mbps channel-width=20/40mhz-Ce country=france \
    disabled=no distance=indoors frequency=auto mode=ap-bridge rate-set=\
    configured security-profile=<myname> ssid=<myname> station-roaming=enabled \
    tx-power=30 tx-power-mode=all-rates-fixed wireless-protocol=802.11 \
    wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-Ceee disabled=no distance=indoors frequency=auto mode=\
    ap-bridge security-profile=<myname> ssid=<myname> station-roaming=enabled \
    wireless-protocol=802.11 wps-mode=disabled
add keepalive-frames=disabled mac-address=4A:8F:5A:6C:FD:69 master-interface=\
    wlan1 multicast-buffering=disabled name=CANLBOX-URM1 security-profile=\
    CANLBOX-URM ssid=CANLBOX-URM wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
add keepalive-frames=disabled mac-address=4A:8F:5A:6C:FD:6A master-interface=\
    wlan2 multicast-buffering=disabled name=CANLBOX-URM2 security-profile=\
    CANLBOX-URM ssid=CANLBOX-URM wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
add keepalive-frames=disabled mac-address=4A:8F:5A:6C:FD:6D master-interface=\
    wlan2 multicast-buffering=disabled name="Cabinet Bowen 2" \
    security-profile="Cabinet Bowen" ssid="Cabinet Bowen" wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=4A:8F:5A:6C:FD:6C \
    master-interface=wlan1 multicast-buffering=disabled name="Cabinet Bowen1" \
    security-profile="Cabinet Bowen" ssid="Cabinet Bowen" wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=4A:8F:5A:6C:FD:68 \
    master-interface=wlan1 multicast-buffering=disabled name=akdom1 \
    security-profile=akdom ssid=akdom wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
add keepalive-frames=disabled mac-address=4A:8F:5A:6C:FD:6B master-interface=\
    wlan2 multicast-buffering=disabled name=akdom2 security-profile=akdom \
    ssid=akdom wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add keepalive-frames=disabled mac-address=4A:8F:5A:6C:FD:64 master-interface=\
    wlan1 multicast-buffering=disabled name=akguest1 security-profile=akguest \
    ssid=akguest station-roaming=enabled wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
add keepalive-frames=disabled mac-address=4A:8F:5A:6C:FD:65 master-interface=\
    wlan2 multicast-buffering=disabled name=akguest2 security-profile=akguest \
    ssid=akguest station-roaming=enabled wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
add keepalive-frames=disabled mac-address=4A:8F:5A:6C:FD:66 master-interface=\
    wlan1 multicast-buffering=disabled name=akkids1 security-profile=kids \
    ssid=akkids station-roaming=enabled wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
add keepalive-frames=disabled mac-address=4A:8F:5A:6C:FD:67 master-interface=\
    wlan2 multicast-buffering=disabled name=akkids2 security-profile=kids \
    ssid=akkids station-roaming=enabled wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=4A:8F:5A:6C:FD:6E \
    master-interface=wlan1 multicast-buffering=disabled name=jccjuju1 \
    security-profile=jccjuju ssid=jccjuju wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
add keepalive-frames=disabled mac-address=4A:8F:5A:6C:FD:6F master-interface=\
    wlan2 multicast-buffering=disabled name=jccjuju2 security-profile=jccjuju \
    ssid=jccjuju wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.254
add name=dhcp_jcc ranges=192.168.1.1-192.168.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=6h name=dhcp
add address-pool=dhcp_jcc disabled=no interface=bridge_jcc lease-time=6h10m \
    name=dhcp_jcc
# on-up=onup runs the /system script "onup" (ISP check-in, see bottom) every
# time the PPPoE session comes up.
/ppp profile
add change-tcp-mss=yes name=mls on-up=onup
# WAN uplink: PPPoE on ether1, PAP only (the ISP dictates the method; the
# exchange stays on the ether1 link to the BNG).
/interface pppoe-client
add add-default-route=yes allow=pap disabled=no interface=ether1 \
    keepalive-timeout=60 name=FTTH profile=mls service-name=MLS use-peer-dns=\
    yes user=clavien417150@mls.nc
/queue tree
add max-limit=1G name=Download parent=bridge
add max-limit=300M name=Upload parent=FTTH
/queue type
add kind=pcq name=DSL-DL pcq-classifier=dst-address
add kind=pcq name=DSL-UL pcq-classifier=src-address
/queue tree
add name=queue1 packet-mark=lan-pqt,lan6-pqt parent=Download queue=DSL-DL
add name=queue2 packet-mark=lan-pqt,lan6-pqt parent=Upload queue=DSL-UL
# User groups. "user" is web-only (no ssh/winbox/api/policy) but keeps
# "sensitive", which lets that group view stored secrets such as wireless
# PSKs through the web UI; drop it if those users do not need that.
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
add name=user policy="read,write,web,sensitive,!local,!telnet,!ssh,!ftp,!reboo\
    t,!policy,!test,!winbox,!password,!sniff,!api,!romon,!dude,!tikapp" skin=\
    user
# Bridge membership. NOTE(review): akguest1/2 and akkids1/2 are on the main
# "bridge" together with the wired ports and the primary SSIDs, so guest and
# kids clients share L2 with every LAN host; only jccjuju1/2 are segregated
# on bridge_jcc (192.168.1.0/24).
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
add bridge=bridge interface=ether4
add bridge=bridge interface=akguest1
add bridge=bridge interface=akguest2
add bridge=bridge interface=akkids1
add bridge=bridge interface=akkids2
add bridge=bridge interface=akdom1
add bridge=bridge interface=CANLBOX-URM1
add bridge=bridge interface=ether5
add bridge=bridge interface="Cabinet Bowen1"
add bridge=bridge interface="Cabinet Bowen 2"
add bridge=bridge_jcc interface=jccjuju1
add bridge=bridge_jcc interface=jccjuju2
# Neighbor discovery (MNDP/CDP/LLDP, which advertises the system identity)
# is limited to LAN interfaces.
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
# Interface lists: bridge + bridge_jcc are LAN, ether1 + FTTH are WAN. The
# firewall below keys on these lists; anything not in LAN is treated as
# untrusted on the input chain.
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=FTTH list=WAN
add interface=bridge_jcc list=LAN
# NOTE(review): address=10.8.0.0/24 gives the router the network address
# itself (10.8.0.0) on bridge; a host address such as 10.8.0.1/24 is the
# usual form — verify this is intended.
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=192.168.1.254/24 interface=bridge_jcc network=192.168.1.0
add address=10.8.0.0/24 interface=bridge network=10.8.0.0
/ip arp
add address=192.168.88.235 interface=bridge mac-address=B8:27:EB:04:86:FB
# DHCP client on ether1 in addition to the PPPoE client on ether1; if the ISP
# ever answers DHCP here a second default route would appear — presumably
# harmless on this link, but worth confirming.
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=192.168.88.3 client-id=1:dc:a6:32:64:63:5a comment=akrp4knife \
    mac-address=DC:A6:32:64:63:5A server=dhcp
add address=192.168.88.250 client-id=1:0:1:6c:d6:3d:4 comment=PC-<myname>-FIX \
    mac-address=00:01:6C:D6:3D:04 server=dhcp
add address=192.168.88.128 client-id=1:2c:59:e5:bc:6:21 comment=\
    PC-<myname>-PORTABLE mac-address=2C:59:E5:BC:06:21 server=dhcp
add address=192.168.88.130 client-id=\
    ff:eb:1d:85:e1:0:1:0:1:28:ab:c3:3a:b8:27:eb:1d:85:e1 comment=akvpn \
    mac-address=B8:27:EB:1D:85:E1 server=dhcp
# The 10.6.0.0/24 and 10.10.10.0/24 networks have no matching pool, server or
# router address above (and 10.6.0.0/24 points at an off-subnet gateway);
# they look like leftovers.
/ip dhcp-server network
add address=10.6.0.0/24 dns-server=192.168.88.1 gateway=192.168.88.1 \
    next-server=192.168.88.1 ntp-server=192.168.88.1 wins-server=192.168.88.1
add address=10.10.10.0/24 dns-server=10.10.10.1 gateway=10.10.10.1
add address=192.168.1.0/24 dns-server=192.168.1.254 gateway=192.168.1.254
add address=192.168.88.0/24 dns-server=192.168.88.1,192.168.88.7 gateway=\
    192.168.88.1
# allow-remote-requests=yes makes the router a resolver for anyone who can
# reach its input port 53; the input chain's "!LAN drop" confines that to the
# LAN, and the DSTNAT rules below send WAN port-53 traffic to 192.168.88.7
# instead of the router.
/ip dns
set allow-remote-requests=yes servers=192.168.88.7
/ip dns static
add address=192.168.88.1 name=router.lan
add address=192.168.88.8 name=aksalt
add address=192.168.88.4 name=akncnc
add address=192.168.88.18 name=aksub
add address=192.168.88.5 name=akngx
add address=192.168.88.121 name=akconverter
add address=192.168.88.148 name=osmcliving
add address=192.168.88.5 name=cloud.<myname>.nc
add address=192.168.88.5 name=muz.<myname>.nc
add address=192.168.88.5 name=webmail.<myname>.nc
add address=192.168.88.2 name=mail.<myname>.nc
add address=192.168.88.5 name=cam.<myname>.nc
add address=192.168.88.5 name=camlive.<myname>.nc
add address=192.168.88.114 name=aknas
add address=192.168.88.117 name=akrp4knife
add address=192.168.1.1 name=akvpnjcc
add address=192.168.88.5 name=git.<myname>.nc
add address=192.168.88.5 name=git.tag.nc
add address=192.168.88.6 name=akweb
add address=192.168.88.5 name=site.tag.nc
add address=192.168.88.5 name=url.tag.nc
add address=192.168.88.7 name=akdns
# Address lists:
#  LAN     - 192.168.88.0/24 and 10.8.0.0/24, used by mangle for queue marks
#            (192.168.1.0/24 on bridge_jcc is not in it, so jcc traffic is
#            not marked/queued — presumably unintended).
#  support - ISP addresses granted unrestricted input below; 202.22.229.166
#            (last entry) is also the only external address permitted in
#            /ip service ssh.
#  bogons  - RFC 1918/5737/6598 etc., dropped as forward destinations to WAN.
/ip firewall address-list
add address=192.168.88.0/24 list=LAN
add address=202.22.224.14 comment="MLS Firewall" list=support
add address=202.22.224.7 comment="Dude server" list=support
add address=169.254.0.0/16 list=bogons
add address=127.0.0.0/8 list=bogons
add address=224.0.0.0/3 list=bogons
add address=100.64.0.0/10 list=bogons
add address=0.0.0.0/8 list=bogons
add address=172.16.0.0/12 list=bogons
add address=192.0.0.0/24 list=bogons
add address=192.0.2.0/24 list=bogons
add address=192.168.0.0/16 list=bogons
add address=198.18.0.0/15 list=bogons
add address=198.51.100.0/24 list=bogons
add address=203.0.113.0/24 list=bogons
add address=10.8.0.0/24 list=LAN
add address=202.22.229.166 list=support
# Input chain, evaluated in order: established/related/untracked -> any
# source in "support" (every port) -> drop invalid -> ICMP -> drop everything
# not arriving on a LAN-list interface.
# Consequences for the SSH question this export was posted for:
#  * from WAN a source must be in "support" to get past the !LAN drop, and
#    must also be in /ip service ssh address= (below) to reach sshd;
#  * the ssh_stage*/ssh_blacklist ladder, the Winbox drop and the FTP rules
#    sit AFTER the !LAN drop, so WAN traffic never reaches them; LAN traffic
#    does, and a LAN host that opens four new SSH connections within a minute
#    is walked stage1 -> stage2 -> stage3 -> ssh_blacklist and then dropped
#    for 1w3d (the blacklist drop is the first of that group).
# NOTE(review): "accept from support" gives those ISP addresses every input
# service; restricting it to the ports they actually need is tighter.
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=accept chain=input comment="accept from support" src-address-list=\
    support
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" \
    in-interface-list=!LAN log=yes
add action=accept chain=input comment="Accept local connection CAPsMAN" \
    dst-address=127.0.0.1
# Forward chain: bogon destinations to WAN dropped, ipsec-policy traffic
# accepted, fasttrack + accept established/related, drop invalid, then drop
# new WAN connections that were not DSTNAT'ed. There is no explicit LAN->WAN
# accept; everything else relies on the chain's default accept, which also
# means bridge and bridge_jcc can reach each other freely.
add action=drop chain=forward comment="drop bogons" dst-address-list=bogons \
    log=yes out-interface-list=WAN
add action=accept chain=forward comment="accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=fasttrack \
    connection-state=established,related
add action=accept chain=forward comment=\
    "accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid \
    log=yes
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Redundant with the !LAN input drop above (ether1 is not in LAN).
add action=drop chain=input comment="Winbox on WAN" dst-port=8291 \
    in-interface=ether1 protocol=tcp
# FTP brute-force rules: inert while /ip service ftp is disabled (below); the
# output-chain content matches can never fire without an FTP server replying.
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 \
    protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=\
    1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output content="530 Login incorrect" \
    protocol=tcp
# SSH connection-rate ladder (counts new TCP connections, not failed logins).
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
/ip firewall mangle
add action=mark-connection chain=forward new-connection-mark=lan-cnx \
    passthrough=yes src-address-list=LAN
add action=mark-packet chain=forward connection-mark=lan-cnx new-packet-mark=\
    lan-pqt passthrough=yes
# NAT. DSTNAT runs before the input chain, so a matching rule here decides
# where inbound WAN traffic goes before the filter above sees it.
#  443/80 tcp -> 192.168.88.5 (akngx, reverse proxy).
#  53 tcp+udp -> 192.168.88.7 (akdns): the internal DNS server is reachable
#    from the Internet. NOTE(review): unless 192.168.88.7 refuses recursion
#    for non-LAN sources this is an open resolver usable for amplification;
#    the "!dstnat" drop in forward does not help because this traffic IS
#    dstnat'ed.
#  22 tcp -> 192.168.88.6 is disabled; if it were enabled, WAN port 22 would
#    go to that host and the router's own sshd would be unreachable from WAN.
#  The final redirect sends remaining port-53 UDP from any interface to the
#  router's resolver (transparent DNS proxy for LAN clients).
/ip firewall nat
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none \
    out-interface-list=WAN
add action=dst-nat chain=dstnat comment="akngx 443" dst-address=\
    118.179.232.213 dst-port=443 protocol=tcp to-addresses=192.168.88.5 \
    to-ports=443
add action=dst-nat chain=dstnat comment="akngx 80" dst-address=\
    118.179.232.213 dst-port=80 port="" protocol=tcp to-addresses=\
    192.168.88.5 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-address=118.179.232.213 \
    dst-port=22 protocol=tcp to-addresses=192.168.88.6 to-ports=22
add action=dst-nat chain=dstnat dst-address=118.179.232.213 dst-port=53 log=\
    yes protocol=udp to-addresses=192.168.88.7 to-ports=53
add action=dst-nat chain=dstnat dst-address=118.179.232.213 dst-port=53 \
    protocol=tcp to-addresses=192.168.88.7 to-ports=53
add action=redirect chain=dstnat comment="Proxy DNS" dst-port=53 \
    in-interface-list=all log-prefix="DNS -->" protocol=udp
/ip firewall service-port
set ftp disabled=yes
# Management services. telnet/ftp/api/api-ssl are disabled; www (plaintext,
# port 4444) and winbox are LAN-only; ssh accepts the LAN plus exactly one
# external address, 202.22.229.166/32. Any other external source is refused
# here even when the firewall lets it in — this, together with the input
# chain above, is why SSH "from external IP addresses" does not work.
# www-ssl is not configured (RouterOS default: disabled), so the web UI on
# 4444 is unencrypted; acceptable only because it is LAN-restricted.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.88.0/24 port=4444
set ssh address=192.168.88.0/24,202.22.229.166/32
set api address=202.22.224.14/32,2407:4a00:0:f00d::cafe/128 disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
# Both IPv6 addresses failed on import ("pool not found") because Poolv6 is
# only created by the DHCPv6 client further down; on a re-import the dhcp-client
# section has to come first.
/ipv6 address
# address pool error: pool not found: Poolv6 (4)
add advertise=no from-pool=Poolv6 interface=ether1
# address pool error: pool not found: Poolv6 (4)
add from-pool=Poolv6 interface=bridge
/ipv6 dhcp-client
add add-default-route=yes interface=FTTH pool-name=Poolv6 request=prefix
# IPv6 "support" entries include two whole /64 ISP prefixes, each granted
# full input access by the v6 filter below.
/ipv6 firewall address-list
add address=2407:4a00:0:f00d::cafe/128 comment="serveur MLS" list=support
add address=2407:4a00:0:173::/64 comment="SAV MLS" list=support
add address=2407:4a00:0:171::/64 comment="RD MLS" list=support
add address=2407:4a00::224:232:7/128 comment="Serveur Dude" list=support
add address=::/128 comment="unspecified address" list=bad_ipv6
add address=::1/128 comment=lo list=bad_ipv6
add address=fec0::/10 comment=site-local list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment=ipv4-mapped list=bad_ipv6
add address=::/96 comment="ipv4 compat" list=bad_ipv6
add address=100::/64 comment="discard only" list=bad_ipv6
add address=2001:db8::/32 comment=documentation list=bad_ipv6
add address=2001:10::/28 comment=ORCHID list=bad_ipv6
add address=3ffe::/16 comment=6bone list=bad_ipv6
add address=::224.0.0.0/100 comment=other list=bad_ipv6
add address=::127.0.0.0/104 comment=other list=bad_ipv6
add address=::/104 comment=other list=bad_ipv6
add address=::255.0.0.0/104 comment=other list=bad_ipv6
# IPv6 filter mirrors the IPv4 one (support accepted before the !LAN drop).
# "accept from support" and "From support" are the same match twice; the
# second one is dead. No IPv6 address is listed in /ip service ssh, so SSH
# over IPv6 is refused by the service regardless of this chain.
/ipv6 firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=accept chain=input comment="accept from support" src-address-list=\
    support
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="From support" src-address-list=support
add action=accept chain=input comment="accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/16
add action=accept chain=input comment="accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="accept all that matches ipsec policy" \
    ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
    "accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=drop chain=forward comment="rfc4890 drop hop-limit=1" hop-limit=\
    equal:1 protocol=icmpv6
add action=accept chain=forward comment="accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="accept HIP" protocol=139
add action=accept chain=forward comment="accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=forward comment="accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment=\
    "accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 firewall mangle
add action=mark-connection chain=forward in-interface-list=LAN \
    new-connection-mark=lan6_cnx passthrough=yes
add action=mark-packet chain=forward connection-mark=lan6_cnx \
    new-packet-mark=lan6-pqt passthrough=yes
/ipv6 nd
set [ find default=yes ] advertise-dns=no mtu=1480
/system clock
set time-zone-autodetect=no
/system clock manual
set time-zone=+11:00
# The identity is the PPPoE account name; the "onup" script re-sets it to the
# same value on every PPPoE up. It is advertised by neighbor discovery on LAN.
/system identity
set name=clavien417150@mls.nc
/system logging
add topics=wireless
add prefix=FW--> topics=firewall
add prefix=DNS--> topics=dns
/system ntp client
set enabled=yes primary-ntp=202.22.224.18
/system package update
set channel=long-term
/system routerboard settings
set auto-upgrade=yes silent-boot=yes
# Unattended daily update windows (packages 03:00, firmware 03:20); both can
# reboot the router. NOTE(review): the scheduler/script policies include
# password, sniff, sensitive and romon, none of which the upgrade scripts use;
# trimming them to what /system package update and /system routerboard
# upgrade actually need is least privilege.
/system scheduler
add interval=1d name=upgrade_os on-event=upgrade_os policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=aug/29/2018 start-time=03:00:00
add interval=1d name=upgrade_rb on-event=upgrade_rb policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=may/01/2020 start-time=03:20:00
# onup: run by the "mls" PPP profile 20 s after each PPPoE up. Sets the
# system identity to the PPPoE username and POSTs name, WAN MAC, uptime,
# version, model, default gateway and delegated IPv6 prefix to
# https://mtk.mls.nc/clientsmtkX.php (ISP check-in); the reply is stored in
# resultat.txt on the router. NOTE(review): the fetch does not set
# check-certificate=, which RouterOS defaults to no, so the server's TLS
# certificate is not validated; the payload is inventory, not credentials.
/system script
add dont-require-permissions=no name=onup owner=*sys policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    delay 20s\r\
    \n:local uptime [/system resource get uptime];\r\
    \n:local macadd [/interface get [find default-name=ether1] mac-address];\r\
    \n:local ver [/system resource get version];\r\
    \n:local name [/interface pppoe-client get number=0 user];\r\
    \n:local wan [/interface pppoe-client get number=0 name];\r\
    \n:local model [/system routerboard get model];\r\
    \n:local gw [/ip route get [find gateway=\$wan distance=0] dst-address];\r\
    \n:local dhcp [/ipv6 dhcp-client get number=0 status];\r\
    \n:if (\$dhcp =\"bound\") do={\r\
    \n:set \$ip6 [/ipv6 pool get [find name=Poolv6] prefix];\r\
    \n} else={\r\
    \n:set \$ip6 \"nov6\";}\r\
    \n/system identity set name=\$name;\r\
    \n:set \$str \"rtrName=\$name&rtrMac=\$macadd&rtrUptime=\$uptime&rtrVersio\
    n=\$ver&rtrModel=\$model&rtrGW=\$gw&rtr6=\$ip6\";\r\
    \n:put \$str;\r\
    \n:do {\r\
    \n:put \"Checking-in\";\r\
    \n/tool fetch mode=https url=https://mtk.mls.nc/clientsmtkX.php keep-resul\
    t=yes dst-path=resultat.txt http-method=post http-data=\$str ;\r\
    \n} on-error={ log warning \"Greeter: Send to server Failed!\" }"
# upgrade_os: check once, wait 3 s, install if a new version is reported.
# If the check has not finished within 3 s the status string will not match
# and the install is simply skipped until the next day (fail-safe).
add dont-require-permissions=no name=upgrade_os owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive source="/system\
    \_package update\r\
    \ncheck-for-updates once\r\
    \n:delay 3s;\r\
    \n:if ( [get status] = \"New version is available\") do={ install }"
# upgrade_rb: flash newer RouterBOOT firmware and reboot.
add dont-require-permissions=no name=upgrade_rb owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive source="/system\
    \_routerboard \r\
    \n:if ([get current-firmware] < [get upgrade-firmware]) do={ \r\
    \n:log info \"Updating firmware\"; \r\
    \nupgrade; \r\
    \n/system reboot;\r\
    \n} else={ \r\
    \n:log info \"No update.\" }"
# enable_rule_mi_box: appends two forward drops for 192.168.88.124/.126. They
# land at the END of the forward chain, after fasttrack/established accept,
# so only NEW connections from those hosts are blocked; existing ones keep
# running until they time out. dont-require-permissions=yes lets it run
# without the caller's policy being checked, and its policy list (reboot,
# password, sniff, sensitive, romon) far exceeds the read,write it needs —
# compare disable_rule_mi_box below, which is scoped to read,write,policy.
add dont-require-permissions=yes name=enable_rule_mi_box owner=<myname> policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip firewall filter add chain=forward src-address=192.168.88.124 action=dro\
    p comment=\"mibox\"\r\
    \n/ip firewall filter add chain=forward src-address=192.168.88.126 action=\
    drop comment=\"mibox\"\r\
    \n"
add dont-require-permissions=no name=disable_rule_mi_box owner=<myname> policy=\
    read,write,policy source=\
    "/ip firewall filter remove [find comment=\"mibox\"]"
/tool graphing interface
add allow-address=192.168.88.0/24 interface=FTTH
add allow-address=192.168.88.0/24 interface=ether1
# MAC-telnet and MAC-winbox answer only on LAN-list interfaces.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Thanks in advance for your help.

The permitted external address for SSH in /ip service does not match either of the addresses in the /ip firewall address-list named support.

Right, thanks, but it is still not working even though I added it:

/ip firewall address-list> print
Flags: X - disabled, D - dynamic

LIST ADDRESS CREATION-TIME TIMEOUT

0 LAN 192.168.88.0/24 jan/02/1970 00:01:17
1 ;;; MLS Firewall
support 202.22.224.14 jan/02/1970 00:01:17
2 ;;; Dude server
support 202.22.224.7 jan/02/1970 00:01:17
3 bogons 169.254.0.0/16 jan/02/1970 00:01:17
4 bogons 127.0.0.0/8 jan/02/1970 00:01:17
5 bogons 224.0.0.0/3 jan/02/1970 00:01:17
6 bogons 100.64.0.0/10 jan/02/1970 00:01:17
7 bogons 0.0.0.0/8 jan/02/1970 00:01:17
8 bogons 172.16.0.0/12 jan/02/1970 00:01:17
9 bogons 192.0.0.0/24 jan/02/1970 00:01:17
10 bogons 192.0.2.0/24 jan/02/1970 00:01:17
11 bogons 192.168.0.0/16 jan/02/1970 00:01:17
12 bogons 198.18.0.0/15 jan/02/1970 00:01:17
13 bogons 198.51.100.0/24 jan/02/1970 00:01:17
14 bogons 203.0.113.0/24 jan/02/1970 00:01:17
15 LAN 10.8.0.0/24 jan/21/2022 14:54:49
16 support 202.22.229.166

Do you have a public IP on the Mikrotik itself?

Many ISPs are resorting to CGNAT to conserve IPv4 addresses, if this is the case the WAN address on the Mikrotik will likely be in the range 100.64.0.0-100.127.255.255 (or less likely 10.x.x.x, 172.16.0.0-172.31.255.255, or 192.168.x.x) and inbound access is not possible.

Yes I do have a public IP like 118.179.232.XXX so it’s not the case you are describing?

OK, does your ISP filter any well-known ports such as SSH?

I don’t think so.

Your router’s SSH server is listening on two other IPs, not one in that /24 scheme. (Line 292 in your config.)


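# Quoted from the export above (/ip firewall filter, input chain): the SSH
# connection-rate ladder. Rules are evaluated top-down: sources already in
# ssh_blacklist are dropped first; each further new port-22 connection
# promotes a source stage1 -> stage2 -> stage3 (1m timeouts each) and the
# next one lands it in ssh_blacklist for 1w3d. In the posted config these
# rules sit after "drop all not coming from LAN", so they only ever act on
# LAN-sourced connections. (Forum rendering had replaced the straight quotes
# with curly ones and dropped the line continuations; restored here.)
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp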

>

I think this is a side issue, but it's possible you've triggered this weak protection mechanism in your testing.

As far as I can tell, what this says is that any single IP making 3 SSH connections inside a minute gets dropped into the blocklist for 10 days.

SSH brute force blocking is best done with tools that analyze SSH server messages to look for active rejection messages, rather than simply count raw TCP connection attempts. I use and recommend fail2ban. If I wanted to do this — and I don't, since I don't expose my RouterOS SSH to the public Internet, for this reason and others — I'd configure logging on the router to [forward to another host](https://wiki.mikrotik.com/wiki/Manual:System/Log) that can run fail2ban, then configure the "jail" there to call back to the router and add rules to the block list when it sees enough active rejections sent to a given IP.

If only there were ways to find out instead of guessing…