wagnelib
just joined
Topic Author
Posts: 11
Joined: Mon Jul 02, 2018 4:17 pm

SSH Port Forwarding

Tue Jul 03, 2018 11:58 am

Hi,

I would like to forward SSH so that the port 50XX on the outside would map to ip 192.168.100.XX and port 22.

I have tried:
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=5022 protocol=tcp to-addresses=192.168.100.22 to-ports=22

And:
/ip firewall filter
add action=accept chain=input dst-port=5022 protocol=tcp in-interface-list=WAN

But when I try to connect from outside:
ssh name@IP -p 5022

it doesn't go through.

Where is the catch? Thanks.
 
evince
Member
Posts: 353
Joined: Thu Jul 05, 2012 12:11 pm
Location: Harzé - Belgique

Re: SSH Port Forwarding

Tue Jul 03, 2018 12:08 pm

Hello,

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=5022 protocol=tcp to-addresses=192.168.100.22 to-ports=22

You need to specify in-interface (your WAN) or dst-address (your public IP).

Regards,
 
wagnelib
just joined
Topic Author
Posts: 11
Joined: Mon Jul 02, 2018 4:17 pm

Re: SSH Port Forwarding

Tue Jul 03, 2018 12:16 pm

> Hello,
>
> /ip firewall nat
> add action=dst-nat chain=dstnat dst-port=5022 protocol=tcp to-addresses=192.168.100.22 to-ports=22
>
> You need to specify in-interface (your WAN) or dst-address (your public IP).
>
> Regards,

Doesn't help, but the rule is recognized, as the packet counter increases when I try to connect, even without the in-interface.
 
evince
Member
Posts: 353
Joined: Thu Jul 05, 2012 12:11 pm
Location: Harzé - Belgique

Re: SSH Port Forwarding

Tue Jul 03, 2018 12:23 pm

Do you have any forward rule in your firewall filter?

Even if the counter increases, you need to specify dst-address or in-interface.
 
wagnelib
just joined
Topic Author
Posts: 11
Joined: Mon Jul 02, 2018 4:17 pm

Re: SSH Port Forwarding

Tue Jul 03, 2018 12:31 pm

Yes:


/ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked

2 ;;; allow Web config from outside
chain=input action=accept protocol=tcp in-interface-list=WAN dst-port=80 log=no log-prefix=""

3 ;;; enable ssh from outside
chain=input action=accept protocol=tcp dst-port=22 log=no log-prefix=""

4 chain=input action=accept protocol=tcp in-interface-list=WAN dst-port=5022

5 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid

6 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp

7 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN

8 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec

9 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec

10 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related

11 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked

12 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid

13 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix=""
 
evince
Member
Posts: 353
Joined: Thu Jul 05, 2012 12:11 pm
Location: Harzé - Belgique

Re: SSH Port Forwarding

Tue Jul 03, 2018 1:03 pm

OK

3 ;;; enable ssh from outside
chain=input action=accept protocol=tcp dst-port=22 log=no log-prefix=""

should be

3 ;;; enable ssh from outside
chain=forward action=accept protocol=tcp dst-port=22 log=no log-prefix=""

Because input chain is for the router itself, and forward is for peripherals after the router.
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: SSH Port Forwarding

Tue Jul 03, 2018 1:20 pm

Add dst-address-type=local, otherwise your outgoing ssh connections will be translated too.

@below, correct, you don't need dst-address-type for input chain and your forward chain is already allowing dstnat'ed connections.
Last edited by nescafe2002 on Tue Jul 03, 2018 1:42 pm, edited 1 time in total.
 
wagnelib
just joined
Topic Author
Posts: 11
Joined: Mon Jul 02, 2018 4:17 pm

Re: SSH Port Forwarding

Tue Jul 03, 2018 1:39 pm

Actually, this rule is to enable ssh from outside to the router. I have changed the rule for port 5022 to forward but it also doesn't help.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: SSH Port Forwarding

Tue Jul 03, 2018 2:37 pm

And connection from inside to 192.168.100.22:22 of course works, right? And it's open to any source address, not just LAN.

If the counter for dstnat rule increases, then fire up Tools->Torch, select LAN interface, set filter for 192.168.100.22:22 and see if there are packets from router going to server, and if server sends anything back.
 
wagnelib
just joined
Topic Author
Posts: 11
Joined: Mon Jul 02, 2018 4:17 pm

Re: SSH Port Forwarding

Tue Jul 03, 2018 3:20 pm

I can ssh to 192.168.100.22 from the router itself. For the second question I have no idea how to check...

And Torch doesn't show anything.

Correction:
I have set the filter for Src. Address: it shows some connections to my IP outside the network, but just Tx. If I set it for Dst. Address, there is nothing.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: SSH Port Forwarding

Tue Jul 03, 2018 3:39 pm

You can use logging rules instead, e.g.:
/ip firewall mangle
add action=log chain=prerouting dst-port=5022 protocol=tcp log-prefix=step1
add action=log chain=forward dst-port=22 protocol=tcp log-prefix=step2
add action=log chain=postrouting dst-port=22 protocol=tcp log-prefix=step3
You might need some additional limits (e.g. src-address=<where you're testing from>) if you have a lot of other ssh traffic. Put them at the beginning of each chain, try to connect, and you should see all three steps logged. If you do, and you see that the packet was sent to the server in step3, then dstnat is working. Then you can use a similar rule to look for the reply:
/ip firewall mangle
add action=log chain=prerouting src-port=22 protocol=tcp log-prefix=step4
 
wagnelib
just joined
Topic Author
Posts: 11
Joined: Mon Jul 02, 2018 4:17 pm

Re: SSH Port Forwarding

Tue Jul 03, 2018 3:52 pm

Thanks, up to step3 it is ok:
14:49:01 firewall,info step1 prerouting: in:ether1 out:(unknown 0), src-mac 34:e6:d7:0c:57:d8, proto TCP (SYN), 10.35.101.6:43918->10.35.101.28:5022, NAT 10.35.101.6:43918->(10.35.101.28:5022->192.168.100.22:22), len 60 
14:49:01 firewall,info step2 forward: in:ether1 out:bridge1, src-mac 34:e6:d7:0c:57:d8, proto TCP (SYN), 10.35.101.6:43918->192.168.100.22:22, NAT 10.35.101.6:43918->(10.35.101.28:5022->192.168.100.22:22), len 60 
14:49:01 firewall,info step3 postrouting: in:(unknown 0) out:bridge1, src-mac 34:e6:d7:0c:57:d8, proto TCP (SYN), 10.35.101.6:43918->192.168.100.22:22, NAT 10.35.101.6:43918->(10.35.101.28:5022->192.168.100.22:22), len 60 
but no reply (step4)...
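To turn the step-logging method Sob describes above, and the three log lines just posted, into a repeatable check, here is an added Python example (editor's code, not from the thread or from MikroTik). It parses RouterOS firewall log lines of the form shown, groups them per client flow, and reports the first missing step together with what a gap at that point usually means in the RouterOS packet path (mangle prerouting, dst-nat, routing, mangle forward, filter forward, mangle postrouting). The three failing lines are copied from the post above; the step4 reply line in the healthy sample is constructed for illustration, and its exact shape (no NAT field) is an assumption, since the thread contains no real reply line.

```python
import re
from typing import Dict, List, Optional, Tuple

# Shape of a RouterOS firewall log line as shown in the thread; the prefix comes
# from log-prefix=stepN on the mangle log rules.
LOG_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) firewall,info (?P<prefix>\S+) (?P<chain>\w+): "
    r"in:(?P<in>.*?) out:(?P<out>.*?), src-mac (?P<mac>[0-9a-f:]+), "
    r"proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[^\s,]+)->(?P<dst>[^\s,]+)"
    r"(?:, NAT (?P<nat_src>[^\s,]+)->\((?P<nat_orig>[^\s,)]+)->(?P<nat_new>[^\s,)]+)\))?"
    r", len (?P<len>\d+)$"
)

# Lines copied from the thread (client 10.35.101.6 -> router 10.35.101.28:5022).
FAILING_LOG = [
    "14:49:01 firewall,info step1 prerouting: in:ether1 out:(unknown 0), src-mac 34:e6:d7:0c:57:d8, proto TCP (SYN), 10.35.101.6:43918->10.35.101.28:5022, NAT 10.35.101.6:43918->(10.35.101.28:5022->192.168.100.22:22), len 60",
    "14:49:01 firewall,info step2 forward: in:ether1 out:bridge1, src-mac 34:e6:d7:0c:57:d8, proto TCP (SYN), 10.35.101.6:43918->192.168.100.22:22, NAT 10.35.101.6:43918->(10.35.101.28:5022->192.168.100.22:22), len 60",
    "14:49:01 firewall,info step3 postrouting: in:(unknown 0) out:bridge1, src-mac 34:e6:d7:0c:57:d8, proto TCP (SYN), 10.35.101.6:43918->192.168.100.22:22, NAT 10.35.101.6:43918->(10.35.101.28:5022->192.168.100.22:22), len 60",
]
# Constructed reply line for the healthy case (assumed shape; not from the thread).
HEALTHY_LOG = FAILING_LOG + [
    "14:49:01 firewall,info step4 prerouting: in:bridge1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN,ACK), 192.168.100.22:22->10.35.101.6:43918, len 60",
]

# Probe order along the packet path and what the first missing probe indicates.
STEPS = ("step1", "step2", "step3", "step4")
MEANING = {
    "step1": "no SYN reached the router on the WAN side (upstream filtering, wrong public IP or port)",
    "step2": "dst-nat did not rewrite the destination, so the packet went to input instead of forward",
    "step3": "the forward filter dropped the packet after NAT (check the forward chain)",
    "step4": "the server never answered: check sshd, its host firewall and that its default gateway is this router",
}

def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def steps_seen(lines: List[str], client: str) -> Dict[str, Dict[str, str]]:
    """First entry per step that belongs to the client's flow, in either direction."""
    seen: Dict[str, Dict[str, str]] = {}
    for line in lines:
        e = parse_line(line)
        if e and client in (e["src"], e["dst"]):
            seen.setdefault(e["prefix"], e)
    return seen

def diagnose(lines: List[str], client: str) -> Tuple[Optional[str], str]:
    """Return (first missing step or None, explanation)."""
    seen = steps_seen(lines, client)
    for step in STEPS:
        if step not in seen:
            return step, MEANING[step]
    s3 = seen["step3"]
    return None, f"forwarded to {s3['dst']} via {s3['out']} and the server replied"

def nat_mapping(lines: List[str]) -> Optional[Tuple[str, str]]:
    """(original destination, translated destination) from the first NATed entry."""
    for line in lines:
        e = parse_line(line)
        if e and e["nat_new"]:
            return e["nat_orig"], e["nat_new"]
    return None

if __name__ == "__main__":
    client = "10.35.101.6:43918"
    print(nat_mapping(FAILING_LOG))
    print(diagnose(FAILING_LOG, client))
    print(diagnose(HEALTHY_LOG, client))
```

Feed it the output of /log print where topics=firewall (or the lines exported from your syslog collector) and the client socket you are testing from; the step1 entry also gives you the NAT mapping the router actually applied, which is the quickest way to spot a typo in to-addresses or to-ports.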
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: SSH Port Forwarding

Tue Jul 03, 2018 4:22 pm

Then it looks like server's fault for not responding. Try to investigate there, check if ssh daemon logs incoming connection, or even if there's incoming packet (using tcpdump), if a reply is sent back, where it goes (server has this router as default gw, right?), etc...
 
wagnelib
just joined
Topic Author
Posts: 11
Joined: Mon Jul 02, 2018 4:17 pm

Re: SSH Port Forwarding

Tue Jul 03, 2018 4:58 pm

Ok, the problem was in the DHCP configuration. Thanks a lot.

Is there a way how to configure this automatically, i.e. for ports 50xx map to 192.168.100.xx:22?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: SSH Port Forwarding

Tue Jul 03, 2018 5:36 pm

If you'd be good with RouterOS scripting, it should be easy to make a script to generate such rules. I'm not, so it would take me less time if I made them by hand. Although I wouldn't exactly make them by hand, I'd cheat and let a simple one-line php script generate them for me. :)

If you'd like something more evolved, just one magic firewall rule to map part of port number to address, I don't think it's possible.
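The rule set Sob says he would let a one-line script generate can be produced with this added Python example (editor's code, not from the thread or from MikroTik). It prints one dst-nat rule per host for the 50xx to 192.168.100.xx:22 mapping the question asks for, and carries the in-interface-list=WAN and dst-address-type=local matchers from the earlier replies, so only connections arriving from the WAN side to the router's own address are translated. The WAN list name and the 192.168.100.0/24 range are taken from the thread; the comment text and the optional src-address-list name are assumptions.

```python
from typing import Iterable, List, Optional

LAN_PREFIX = "192.168.100."   # subnet used in the thread
PORT_BASE = 5000              # external port 50xx maps to host .xx

def nat_rule(host: int, src_list: Optional[str] = None) -> str:
    """RouterOS CLI line forwarding TCP port 5000+host to 192.168.100.host:22."""
    if not 1 <= host <= 254:
        raise ValueError(f"host octet out of range: {host}")
    parts = [
        "chain=dstnat",
        "action=dst-nat",
        "in-interface-list=WAN",    # only traffic arriving on the WAN side
        "dst-address-type=local",   # only when the router's own address is the target
        "protocol=tcp",
        f"dst-port={PORT_BASE + host}",
    ]
    if src_list:                    # optional allow-list of permitted client addresses (assumed name)
        parts.append(f"src-address-list={src_list}")
    parts += [
        f"to-addresses={LAN_PREFIX}{host}",
        "to-ports=22",
        f'comment="ssh-fwd {LAN_PREFIX}{host}"',
    ]
    return "/ip firewall nat add " + " ".join(parts)

def generate(hosts: Iterable[int], src_list: Optional[str] = None) -> List[str]:
    """One rule per host; RouterOS has no single rule that derives the address from the port."""
    return [nat_rule(h, src_list) for h in hosts]

if __name__ == "__main__":
    # Paste the output into a RouterOS terminal, or save it as a .rsc file and /import it.
    print("\n".join(generate(range(20, 30), src_list="ssh-admins")))
```

Because each rule is explicit, a host that should not be reachable simply gets no rule, and the src-address-list parameter lets you restrict every forwarded port to known client addresses rather than the whole Internet.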
 
wagnelib
just joined
Topic Author
Posts: 11
Joined: Mon Jul 02, 2018 4:17 pm

Re: SSH Port Forwarding

Tue Jul 03, 2018 6:07 pm

Ok, thanks anyway.
 
elismerkaj
just joined
Posts: 2
Joined: Wed Jun 10, 2015 4:15 pm

Re: SSH Port Forwarding

Wed Feb 26, 2020 11:54 am

> Hello,
>
> /ip firewall nat
> add action=dst-nat chain=dstnat dst-port=5022 protocol=tcp to-addresses=192.168.100.22 to-ports=22
>
> You need to specify in-interface (your WAN) or dst-address (your public IP).
>
> Regards,

this works for me thnx
 
leikoilja
just joined
Posts: 6
Joined: Sat May 08, 2021 10:53 am

Re: SSH Port Forwarding

Sat May 08, 2021 12:33 pm

Can someone please help me a bit?
I can't seem to fine-tune the firewall to allow SSH from outside.

My default firewall filter rule
defconf: drop all not coming from LAN
is blocking the incoming SSH connection. When I disable that rule all works fine. I believe it's meant to drop WAN input chain traffic, but I want one exception that allows me to externally connect to port 795, which I port-forward to the router's SSH port 22.
My exception rule looks like
add action=accept chain=input comment="SSH MIkrotik from outside" dst-port=795 in-interface-list=WAN protocol=tcp
But it doesn't help.

All rules:
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="SSH MIkrotik from outside" dst-port=795 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
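The point evince makes earlier in the thread (the input chain is for the router itself, forward is for hosts behind it) and the ordering visible in the step logs (the forward chain already sees the translated 192.168.100.22:22) can be checked with this added Python model of the RouterOS packet path: prerouting dst-nat first, then the routing decision, then the input or forward filter chain, with filter rules matching the header as dst-nat rewrote it. It is the editor's code, not from the thread or from MikroTik, and models only the matchers used in this thread. Run against the two rule sets posted above, it shows why the thread starter's forwarded connection is accepted in the forward chain (the "drop all from WAN not DSTNATed" rule excludes translated connections, and the 5022 rule in the input chain is never consulted), and why the accept rule for port 795 in the post just above never matches: by the time the input chain runs, dst-nat has already rewritten the destination port to 22, so the packet falls through to "drop all not coming from LAN". The dst-nat rule for 795 is not shown in that post and is an assumption here; the public address is taken from the step1 log line.

```python
from dataclasses import dataclass, replace
from typing import Optional, Sequence, Set, Tuple

@dataclass(frozen=True)
class Packet:
    in_list: str            # interface list the packet arrived on: "WAN" or "LAN"
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    conn_state: str = "new"
    nat_state: str = ""     # becomes "dstnat" once a dst-nat rule has fired

@dataclass(frozen=True)
class Rule:
    chain: str
    action: str                       # accept, drop or dst-nat
    comment: str = ""
    in_list: Optional[str] = None     # "WAN", "LAN" or negated, e.g. "!LAN"
    dst_port: Optional[int] = None
    proto: Optional[str] = None
    conn_state: Tuple[str, ...] = ()
    nat_state: Optional[str] = None   # "dstnat" or "!dstnat"
    to_addr: Optional[str] = None
    to_port: Optional[int] = None

def _eq(spec: Optional[str], value: str) -> bool:
    if spec is None:
        return True
    return value != spec[1:] if spec.startswith("!") else value == spec

def matches(rule: Rule, pkt: Packet) -> bool:
    return (_eq(rule.in_list, pkt.in_list)
            and (rule.dst_port is None or rule.dst_port == pkt.dst_port)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (not rule.conn_state or pkt.conn_state in rule.conn_state)
            and _eq(rule.nat_state, pkt.nat_state))

def walk(chain: str, rules: Sequence[Rule], pkt: Packet):
    """First matching rule in the chain wins; dst-nat rewrites the destination."""
    for r in rules:
        if r.chain != chain or not matches(r, pkt):
            continue
        if r.action == "dst-nat":
            return r, replace(pkt, dst_ip=r.to_addr or pkt.dst_ip,
                              dst_port=r.to_port or pkt.dst_port, nat_state="dstnat")
        return r, pkt
    return None, pkt

def deliver(nat: Sequence[Rule], flt: Sequence[Rule], pkt: Packet, router_ips: Set[str]):
    """(chain, verdict, comment of the deciding rule) for one new inbound packet."""
    _, pkt = walk("dstnat", nat, pkt)                       # prerouting dst-nat
    chain = "input" if pkt.dst_ip in router_ips else "forward"  # routing decision
    hit, _ = walk(chain, flt, pkt)                          # filter sees the rewritten header
    return chain, (hit.action if hit else "accept"), (hit.comment if hit else "no match: default accept")

PUBLIC_IP = "10.35.101.28"      # router address seen in the thread's step1 log line
EST = ("established", "related", "untracked")

# Thread starter's final setup (fasttrack/ipsec rules left out: they never match a new SYN).
WAGNELIB_NAT = [Rule("dstnat", "dst-nat", "5022 -> .22:22", in_list="WAN", dst_port=5022,
                     proto="tcp", to_addr="192.168.100.22", to_port=22)]
WAGNELIB_FILTER = [
    Rule("input", "accept", "defconf: accept established,related,untracked", conn_state=EST),
    Rule("input", "accept", "enable ssh from outside", proto="tcp", dst_port=22),
    Rule("input", "accept", "5022 on input", proto="tcp", dst_port=5022, in_list="WAN"),
    Rule("input", "drop", "defconf: drop invalid", conn_state=("invalid",)),
    Rule("input", "drop", "defconf: drop all not coming from LAN", in_list="!LAN"),
    Rule("forward", "accept", "defconf: accept established,related,untracked", conn_state=EST),
    Rule("forward", "drop", "defconf: drop invalid", conn_state=("invalid",)),
    Rule("forward", "drop", "defconf: drop all from WAN not DSTNATed",
         conn_state=("new",), nat_state="!dstnat", in_list="WAN"),
]

# Last post: 795 forwarded to the router's own sshd on 22. The NAT rule is not shown
# there, so this one is an assumption.
LEIKOILJA_NAT = [Rule("dstnat", "dst-nat", "795 -> router:22 (assumed)", in_list="WAN",
                      dst_port=795, proto="tcp", to_addr=PUBLIC_IP, to_port=22)]
LEIKOILJA_FILTER = [
    Rule("input", "accept", "defconf: accept established,related,untracked", conn_state=EST),
    Rule("input", "drop", "defconf: drop invalid", conn_state=("invalid",)),
    Rule("input", "accept", "SSH MIkrotik from outside", in_list="WAN", dst_port=795, proto="tcp"),
    Rule("input", "drop", "defconf: drop all not coming from LAN", in_list="!LAN"),
]
# Matches the port as the input chain actually sees it (22, after dst-nat) and only for
# translated connections, so port 22 is not opened to the WAN directly.
FIXED_RULE = Rule("input", "accept", "ssh via 795 (post-NAT port 22, dstnat only)",
                  in_list="WAN", dst_port=22, proto="tcp", nat_state="dstnat")

def forwarded_ssh_verdict():
    return deliver(WAGNELIB_NAT, WAGNELIB_FILTER, Packet("WAN", PUBLIC_IP, 5022), {PUBLIC_IP})

def router_ssh_verdict(fixed: bool = False, port: int = 795):
    flt = list(LEIKOILJA_FILTER)
    if fixed:
        flt[2] = FIXED_RULE
    return deliver(LEIKOILJA_NAT, flt, Packet("WAN", PUBLIC_IP, port), {PUBLIC_IP})

if __name__ == "__main__":
    print(forwarded_ssh_verdict())                  # forward chain, accepted
    print(router_ssh_verdict())                     # input chain, dropped by "drop all not coming from LAN"
    print(router_ssh_verdict(fixed=True))           # accepted by the corrected rule
    print(router_ssh_verdict(fixed=True, port=22))  # direct port 22 from WAN is still dropped
```

The corrected rule keys on the post-translation port plus connection-nat-state=dstnat, which is the same matcher the default "drop all from WAN not DSTNATed" rule uses in the other direction; the model also confirms that it does not expose port 22 to direct WAN connections. If you would rather not involve NAT at all, moving the service itself with /ip service set ssh port=795 and accepting dst-port=795 in the input chain is the other option, and it is easier to reason about.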
