ohmi
October 1, 2018, 2:37pm
Hello,
I’m looking for some help, I’ve tried various searches and tests without success.
My configuration:
A fiber internet connection with a router provided by my access provider
A Mikrotik router managing my network, which is split into several VLANs:
1 port is used to access the Internet router
1 port is a TRUNK for all VLANs
Other ports are not used
My issue:
I would like to connect to one of my servers hosted in a data center from inside my personal network (i.e. behind the Mikrotik router).
This does not work: locally I receive the message "Permission denied, please try again", but the password is correct.
So I decided to test the SSH connection while bypassing the Mikrotik (connecting the PC directly to the fiber router): the connection succeeded.
It may be important: the SSH port is 3823, not 22.
And yes I have access to the internet from the PC.
I suspect I’m missing a configuration somewhere in the Mikrotik router.
Could anyone help me?
Have you created any dstnat rules for this to-port without appropriate in-interface or dst-address(-type)?
If you suspect a configuration issue, please post your configuration here using /export hide-sensitive in the terminal (or /ip firewall export hide-sensitive if you suspect the firewall).
ohmi
October 1, 2018, 5:40pm
Thanks nescafe2002 for your help.
Please find the exported config below.
I have hidden some internal addresses and ports.
# RouterOS export pasted by the poster; some addresses and ports are redacted as xxx / zzz / pppp.
# The curly quotes around the comment= values below appear to be a copy/paste artifact of the forum;
# a real export uses straight ASCII quotes.
oct/01/2018 03:57:04 by RouterOS 6.38.7
software id = SEVL-FZP4
# Neighbor discovery is disabled on ether1, the WAN uplink (it runs the dhcp-client and is the
# masquerade / "drop all from WAN" interface further down).
/ip neighbor discovery
set ether1 discover=no
# All seven VLANs are tagged sub-interfaces of ether5, the trunk port described in the post.
# NOTE(review): vlan1 uses VLAN ID 1, which is often the untagged/native VLAN on switches -- worth
# confirming the trunk peer really tags it.
/interface vlan
add interface=ether5 name=commun-3 vlan-id=3
add interface=ether5 name=maison-11 vlan-id=11
add interface=ether5 name=nico-10 vlan-id=10
add interface=ether5 name=ohmi-20 vlan-id=20
add interface=ether5 name=vlan1 vlan-id=1
add interface=ether5 name=vlan30 vlan-id=30
add interface=ether5 name=vlan60 vlan-id=60
# Default-config hotspot profile; no /ip hotspot server appears in this export.
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
# One address pool per network: the defconf pool for ether2 plus one pool per VLAN.
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=pool-1 ranges=192.168.100.100-192.168.100.254
add name=pool-11 ranges=192.168.11.100-192.168.11.254
add name=pool-10 ranges=192.168.10.100-192.168.10.254
add name=pool-60 ranges=192.168.60.100-192.168.60.254
add name=pool-20 ranges=192.168.20.100-192.168.20.254
add name=pool-3 ranges=192.168.3.100-192.168.3.254
add name=pool-30 ranges=192.168.30.100-192.168.30.254
# One DHCP server per interface, each bound to its own pool.
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=ether2 name=defconf
add address-pool=pool-1 disabled=no interface=vlan1 lease-time=1w name=lan-1
add address-pool=pool-11 disabled=no interface=maison-11 lease-time=1w name=lan-11
add address-pool=pool-10 disabled=no interface=nico-10 lease-time=1w name=lan-10
add address-pool=pool-60 disabled=no interface=vlan60 lease-time=1w name=lan-60
add address-pool=pool-20 disabled=no interface=ohmi-20 lease-time=1w name=lan-20
add address-pool=pool-3 disabled=no interface=commun-3 lease-time=1w name=lan-3
add address-pool=pool-30 disabled=no interface=vlan30 lease-time=1w name=lan-30
# The router is the .1 gateway of every /24 it serves.
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
add address=192.168.100.1/24 interface=vlan1 network=192.168.100.0
add address=192.168.11.1/24 interface=maison-11 network=192.168.11.0
add address=192.168.10.1/24 interface=nico-10 network=192.168.10.0
add address=192.168.60.1/24 interface=vlan60 network=192.168.60.0
add address=192.168.20.1/24 interface=ohmi-20 network=192.168.20.0
add address=192.168.3.1/24 interface=commun-3 network=192.168.3.0
add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0
# WAN address is obtained by DHCP from the ISP router on ether1.
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
# Static leases: fixed addresses on commun-3 (lan-3) and vlan1 (lan-1).
/ip dhcp-server lease
add address=192.168.3.5 mac-address=00:22:4D:7A:CF:1A server=lan-3
add address=192.168.3.6 mac-address=02:00:00:76:E5:65 server=lan-3
add address=192.168.3.7 mac-address=02:00:00:B3:A5:DD server=lan-3
add address=192.168.3.33 mac-address=02:00:00:B7:4C:6A server=lan-3
add address=192.168.3.131 mac-address=02:00:00:F0:55:9A server=lan-3
add address=192.168.3.103 client-id=1:30:5:5c:78:e1:9d mac-address=30:05:5C:78:E1:9D server=lan-3
add address=192.168.3.8 mac-address=02:00:01:F0:55:9A server=lan-3
add address=192.168.3.9 mac-address=02:00:01:00:00:03 server=lan-3
add address=192.168.100.242 client-id=1:80:2a:a8:8f:7:6 mac-address=80:2A:A8:8F:07:06 server=lan-1
add address=192.168.100.241 client-id=1:80:2a:a8:10:92:d5 mac-address=80:2A:A8:10:92:D5 server=lan-1
add address=192.168.100.243 client-id=1:80:2a:a8:46:b8:8a mac-address=80:2A:A8:46:B8:8A server=lan-1
# The VLAN networks hand out 8.8.8.8 as resolver directly; 192.168.88.0/24 and 192.168.100.0/24
# set no dns-server (presumably clients there end up using the router's own resolver -- confirm).
/ip dhcp-server network
add address=192.168.3.0/24 dns-server=8.8.8.8 gateway=192.168.3.1 netmask=24
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.1 netmask=24
add address=192.168.11.0/24 dns-server=8.8.8.8 gateway=192.168.11.1 netmask=24
add address=192.168.20.0/24 dns-server=8.8.8.8 gateway=192.168.20.1 netmask=24
add address=192.168.30.0/24 dns-server=8.8.8.8 gateway=192.168.30.1 netmask=24
add address=192.168.60.0/24 dns-server=8.8.8.8 gateway=192.168.60.1 netmask=24
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
add address=192.168.100.0/24 gateway=192.168.100.1 netmask=24
# The router answers DNS queries arriving on any interface. The input chain below drops new
# traffic from ether1, so this is not exposed to the WAN, but every VLAN can use it.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
# input chain (traffic to the router itself): only three rules. Anything that does not arrive on
# ether1 -- i.e. every VLAN and ether2 -- falls through to the chain's implicit accept and can
# reach whatever services are enabled under /ip service (the thread shows telnet and the web
# interface in use). There is no final drop rule, so management access is not limited to one
# admin VLAN; restricting input to a management network is the usual hardening here.
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=“defconf: accept established,related” connection-state=established,related
add action=drop chain=input comment=“defconf: drop all from WAN” in-interface=ether1
# forward chain (routed traffic): fasttrack/accept established, drop invalid, and drop (and log)
# new WAN-originated connections that were not dst-nat'ed -- the standard defconf set.
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack” connection-state=established,related
add action=accept chain=forward comment=“defconf: accept established,related” connection-state=established,related
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid
add action=drop chain=forward comment=“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes
# Inter-VLAN isolation covers only maison-11, nico-10 and commun-3: each may only initiate
# towards ether1 (plus maison-11 -> commun-3, accepted before the drop). vlan1, ohmi-20, vlan30,
# vlan60 and ether2 have no such rule, so they can initiate connections into every other network,
# including the "isolated" ones; the replies are then accepted by the established,related rule above.
add action=accept chain=forward in-interface=maison-11 out-interface=commun-3
add action=drop chain=forward in-interface=maison-11 out-interface=!ether1
add action=drop chain=forward in-interface=nico-10 out-interface=!ether1
add action=drop chain=forward in-interface=commun-3 out-interface=!ether1
/ip firewall nat
# Masquerade only on the WAN uplink (defconf).
add action=masquerade chain=srcnat comment=“defconf: masquerade” out-interface=ether1
# dst-nat rules. Only the first one restricts where the traffic may come from (src-address=...).
# The others match on dst-port alone, with no in-interface=ether1 and no dst-address(-type), so
# they also rewrite connections that originate on the LAN and are addressed to an EXTERNAL host
# on that port. The thread traces the SSH failure to the last rule: a LAN client connecting to
# the data-center server on port 3823 was silently redirected to 192.168.zzz.zzzz:22, which is
# why the password was rejected. Adding dst-address-type=local (or in-interface=ether1) to each
# rule limits it to traffic addressed to the router itself.
add action=dst-nat chain=dstnat dst-port=5060 protocol=udp src-address=xxx.xxx.xxx.xxx to-addresses=192.168.zzz.zzz to-ports=pppp
add action=dst-nat chain=dstnat dst-port=1611 protocol=tcp to-addresses=192.168.zzz.zzz to-ports=1611
# Disabled duplicate of the 5060 rule WITHOUT the src-address restriction; leaving it disabled (or
# deleting it) avoids re-enabling it by accident.
add action=dst-nat chain=dstnat disabled=yes dst-port=5060 protocol=udp to-addresses=192.168.zzz.zzz to-ports=5060
# Only the 2611 rule is logged; logging the exposed ports consistently (or dropping log=yes once
# the rule is known to work) keeps the log readable.
add action=dst-nat chain=dstnat dst-port=2611 log=yes protocol=tcp to-addresses=192.168.zzz.zzz to-ports=pppp
add action=dst-nat chain=dstnat dst-port=1605 protocol=tcp to-addresses=192.168.zzz.zzz to-ports=pppp
# External port 3823 -> internal SSH on port 22.
add action=dst-nat chain=dstnat dst-port=3823 protocol=tcp to-addresses=192.168.zzz.zzzz to-ports=22
/system clock
set time-zone-name=Europe/Paris
# MAC-telnet and MAC-Winbox are disabled by default and re-enabled only on ether2, so they are
# not reachable from the trunk VLANs or from ether1.
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2
# Quoted from the export above: the five enabled dst-nat rules (the disabled 5060 duplicate is
# omitted). None of them carries in-interface or dst-address(-type), so besides inbound WAN
# connections they also match LAN-originated connections to external hosts on these ports.
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=5060 protocol=udp src-address=xxx.xxx.xxx.xxx to-addresses=192.168.zzz.zzz to-ports=pppp
add action=dst-nat chain=dstnat dst-port=1611 protocol=tcp to-addresses=192.168.zzz.zzz to-ports=1611
add action=dst-nat chain=dstnat dst-port=2611 log=yes protocol=tcp to-addresses=192.168.zzz.zzz to-ports=pppp
add action=dst-nat chain=dstnat dst-port=1605 protocol=tcp to-addresses=192.168.zzz.zzz to-ports=pppp
add action=dst-nat chain=dstnat dst-port=3823 protocol=tcp to-addresses=192.168.zzz.zzzz to-ports=22
This is exactly what I meant. action=dst-nat chain=dstnat dst-port=3823 means that every connection to port 3823, whether it arrives on ether1 or on ether5, is translated to the internal address.
You should add the following attribute to each of these rules if you only want to redirect traffic addressed to the router itself (either its WAN or its LAN address): dst-address-type=local
E.g.
/ip firewall nat
# dst-address-type=local limits the match to packets whose destination is one of the router's
# own addresses (WAN or LAN side), so LAN traffic to an external host on port 3823 is no longer
# rewritten, while inbound connections to the router's WAN address are still forwarded.
add action=dst-nat chain=dstnat dst-address-type=local dst-port=3823 protocol=tcp to-addresses=192.168.zzz.zzzz to-ports=22
This setting (dst-address-type) can be found in the ‘Extra’ tab in Winbox.
Note: please upgrade your ROS version to 6.40.8 (or 6.40.9 if considered stable enough) because of a RouterOS vulnerability which can be exploited from your internal network: https://blog.mikrotik.com/security/winbox-vulnerability.html
ohmi
October 2, 2018, 8:01am
Perfect, I have access to my server again.
Thanks a lot nescafe2002.
I tried to use the HTTP interface, but it did not work.
I changed value via telnet /ip firewall nat set 6 dst-address-type=local