Using ssh tunnel to proxy web surfing while traveling

I've replaced a pfSense 2100 router, which used to be my WAN router, with an RB5009. On the pfSense I was using an ssh tunnel from wherever I was in the world to proxy my web surfing back home to a squid proxy server. Now the pfSense/squid has been moved into my LAN. I thought this would be as simple as redirecting the tunnel to the new IP address.

So far on the RB5009 I've created my user and can log in.

/ip ssh
set forwarding-enabled=both

This should tunnel pretty easily, so I thought. Any suggestions? I don't suspect this requires any new firewall rules.

Well, it's not the router or the OS or the proxy. It's the browser (Mozilla) causing the issues. Using Chrome with the system proxy set, everything works. Using Mozilla I get PR_CONNECTION_RESET_ERROR. Cookies, probably.

I can use the proxy internally from my laptop to the proxy inside the subnet, but when using ssh to the RB5009 I'm thinking the packets from the proxy are not "related" to the forwarded packets.

What would be a sample firewall rule to permit such traffic?

I think I have a valid solution using port forwarding: https://www.pavelp.cz/posts/eng-mikrotik-port-forwarding/

Using applicable variants of the rules below permits me to ssh in from the WAN side and connect directly to the proxy and then I can set my browser proxy settings:

/ip firewall nat
# add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="SSH from outside" dst-port=2222 in-interface-list=WAN protocol=tcp to-addresses=192.168.68.10 to-ports=22
add action=dst-nat chain=dstnat comment="SSH from inside" dst-port=2222 in-interface-list=LAN protocol=tcp to-addresses=192.168.68.10 to-ports=22
add action=masquerade chain=srcnat comment="SSH from inside (snat)" dst-address=192.168.68.10 dst-port=22 protocol=tcp src-address=192.168.68.0/24
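
Because the dst-nat rule above exposes an SSH server to the WAN on port 2222, the account used for the tunnel can be limited to forwarding to the proxy only. The fragment below is an added example, not part of the original posts; it assumes the host at 192.168.68.10 runs OpenSSH, that Squid listens on the same host on its default port 3128, and that the tunnel uses a dedicated account named `tunnel` (a hypothetical name).

```sshconfig
# Added example: sshd_config fragment for the SSH host behind the
# dst-nat rule (assumed to be 192.168.68.10 running OpenSSH).
# "tunnel" is a hypothetical account; 3128 is Squid's default port
# and is an assumption about this setup.

# No root logins and no passwords on a service reachable from the WAN.
PermitRootLogin no
PasswordAuthentication no

Match User tunnel
    # Key-based login only for this account.
    AuthenticationMethods publickey
    # Permit client-side (-L) forwards only, and only to the proxy port.
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:3128
    # No shell, terminal, agent or X11 access; forwarding limits are
    # only meaningful when the account cannot run commands.
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand echo "port forwarding only"
```

With this in place the client connects with `ssh -N -p 2222 -L 3128:127.0.0.1:3128 tunnel@<router WAN address>` and the browser proxy is set to 127.0.0.1:3128. Check the file with `sshd -t` before reloading sshd so a syntax error does not lock out remote access.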