Pezant
just joined
Topic Author
Posts: 15
Joined: Tue Nov 10, 2020 11:17 pm

Port 22 / SFTP/SSH Being Blocked

Tue Nov 10, 2020 11:28 pm

Hi all. I'm having an issue trying to SSH or SFTP out of the network. Any attempt I make usually times out. I've tried disabling all the drop rules and even added a forward rule just for port 22, but nothing seems to make any difference. Any suggestions as to what I should try next? Thanks!

Here are the firewall rules I'm currently using:
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow ssh,webadmin,winbox from VPN" \
    dst-port=22,8888,8291 log=yes log-prefix="VPN ADMIN" protocol=tcp \
    src-address=192.168.1.0/24
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=\
    udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.1.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.1.0/24
add action=dst-nat chain=dstnat dst-address=184.182.220.67 dst-port=80 \
    protocol=tcp to-addresses=192.168.1.12 to-ports=80
add action=dst-nat chain=dstnat dst-address=184.182.220.67 dst-port=443 \
    protocol=tcp to-addresses=192.168.1.12 to-ports=443
add action=dst-nat chain=dstnat dst-address=184.182.220.67 dst-port=86 \
    protocol=tcp to-addresses=192.168.1.12 to-ports=86
add action=dst-nat chain=dstnat dst-address=184.182.220.67 dst-port=8080 \
    protocol=tcp to-addresses=192.168.1.13 to-ports=8080
add action=dst-nat chain=dstnat dst-address=184.182.220.67 dst-port=4443 \
    protocol=tcp to-addresses=192.168.1.13 to-ports=443
add action=accept chain=dstnat
 
erkexzcx
Member Candidate
Posts: 175
Joined: Mon Oct 07, 2019 11:42 pm

Re: Port 22 / SFTP/SSH Being Blocked

Thu Nov 12, 2020 7:17 pm

Can you give us an example or diagram on what are you trying to achieve?
 
Pezant
just joined
Topic Author
Posts: 15
Joined: Tue Nov 10, 2020 11:17 pm

Re: Port 22 / SFTP/SSH Being Blocked

Thu Nov 12, 2020 7:56 pm

Hi. I'm trying to connect to an SFTP site. As I was investigating the issue, however, I discovered that I wasn't able to access any SFTP or SSH server. I was using a couple of free public SFTPs and SSH shells for testing. Normally the server responds with a key to verify identity, but I'm not getting that prompt.

These are the ones I'm using to test.
https://www.sftp.net/public-online-sftp-servers
http://sdf.org/
 
jvanhambelgium
Member
Posts: 393
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Port 22 / SFTP/SSH Being Blocked

Thu Nov 12, 2020 8:50 pm

The first one works just fine for me, I issue sftp demo@test.rebex.net and I see a password prompt etc.

web check test.rebex.net:22 demo/password Also supports SSH, FTP/SSL, FTP, IMAP, POP3 and Time protocols. Read-only.

What you can do is really start LOGGING (add logging on rules) a bit so it might reveal a bit more what is a problem.
 
Pezant
just joined
Topic Author
Posts: 15
Joined: Tue Nov 10, 2020 11:17 pm

Re: Port 22 / SFTP/SSH Being Blocked

Thu Nov 12, 2020 9:00 pm

Thanks for the suggestion. I'll see about enabling logging. I've also tried using Torch and I see it starting to connect but it never actually does. It just shows ethernet protocol 800 and the port it goes out and attempts to go in on.
 
jvanhambelgium
Member
Posts: 393
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Port 22 / SFTP/SSH Being Blocked

Thu Nov 12, 2020 9:05 pm

You only posted parts of the config. Are you using some form of VPN tunnel, and do you route specific traffic into a tunnel?
Do all other regular Internet services work from that same PC you are testing from? (e.g. generic browsing, DNS lookups etc.)

Because:
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.1.0/24

I don't see a generic masq rule for regular Internet/surf traffic? Unless you are using some VPN link?
 
Pezant
just joined
Topic Author
Posts: 15
Joined: Tue Nov 10, 2020 11:17 pm

Re: Port 22 / SFTP/SSH Being Blocked

Thu Nov 12, 2020 9:28 pm

I didn't think the other rules were relevant. I can post the full config. We have a VPN for remote users who need to work from their desktops at the office. I haven't had an issue with any other internet services. It's just this port 22 and it doesn't work on site or over the VPN. :(
/interface bridge
add admin-mac=*Hidden* auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.1.20-192.168.1.239
add name=vpn-pool ranges=192.168.1.240-192.168.1.249
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE dns-server=192.168.1.11 idle-timeout=30m local-address=\
    192.168.1.1 remote-address=vpn-pool session-timeout=8h use-compression=yes
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,passw\
    ord,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=192.168.1.0
add address=*Hidden*/28 interface=ether1 network=184.182.220.64
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.1.11
/ip dns static
add address=192.168.1.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow ssh,webadmin,winbox from VPN" \
    dst-port=22,8888,8291 log=yes log-prefix="VPN ADMIN" protocol=tcp \
    src-address=192.168.1.0/24
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=\
    udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.1.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.1.0/24
add action=dst-nat chain=dstnat dst-address=*Hidden* dst-port=80 \
    protocol=tcp to-addresses=192.168.1.12 to-ports=80
add action=dst-nat chain=dstnat dst-address=*Hidden* dst-port=443 \
    protocol=tcp to-addresses=192.168.1.12 to-ports=443
add action=dst-nat chain=dstnat dst-address=*Hidden* dst-port=86 \
    protocol=tcp to-addresses=192.168.1.12 to-ports=86
add action=dst-nat chain=dstnat dst-address=*Hidden* dst-port=8080 \
    protocol=tcp to-addresses=192.168.1.13 to-ports=8080
add action=dst-nat chain=dstnat dst-address=*Hidden* dst-port=4443 \
    protocol=tcp to-addresses=192.168.1.13 to-ports=443
add action=accept chain=dstnat
/ip route
add distance=1 gateway=*Hidden*
/ip ssh
set forwarding-enabled=both
/system clock
set time-zone-name=America/Phoenix
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Do I need to use a generic masquerade rule if the IPs never change?
 
anav
Forum Guru
Posts: 6171
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port 22 / SFTP/SSH Being Blocked

Thu Nov 12, 2020 9:46 pm

/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 should be bridge.

What is the purpose of this rule at the end of the dstnat chain, looks like an accident that should be removed??
add action=accept chain=dstnat
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
Pezant
just joined
Topic Author
Posts: 15
Joined: Tue Nov 10, 2020 11:17 pm

Re: Port 22 / SFTP/SSH Being Blocked

Thu Nov 12, 2020 9:57 pm

Thanks for the suggestion. I have switched that interface over to bridge and removed the last NAT rule. Honestly I'm not sure how that ended up in there. I'm new to this level of customization in network configuration so I probably copy and pasted a rule I found online. Unfortunately it didn't seem to make a difference. Do I need to restart the router or should these changes be instant? Thanks!
 
jvanhambelgium
Member
Posts: 393
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Port 22 / SFTP/SSH Being Blocked

Thu Nov 12, 2020 9:58 pm

Ah OK, the line below IS your generic masq rule providing "NAT'ed" access for all the internal 192.168.1.0/24 IPs.
The comment was a bit misleading.

>> add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.1.0/24

You have the rules in place in the forward chain to accommodate the return traffic, that looks good.

Add some logging on these rules and see if you hit anything.

>> add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
>> add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
 
Pezant
just joined
Topic Author
Posts: 15
Joined: Tue Nov 10, 2020 11:17 pm

Re: Port 22 / SFTP/SSH Being Blocked

Thu Nov 12, 2020 10:05 pm

The odd thing is that I even disabled those rules and still wasn't able to get out on that port. I just turned on logging.
 
anav
Forum Guru
Posts: 6171
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port 22 / SFTP/SSH Being Blocked

Thu Nov 12, 2020 10:19 pm

Traffic outbound isn't usually blocked by the router, so perhaps it's your ISP??

Hmm wonder if these rules are getting in the way from LAN to Internet for some reason.
add action=accept chain=input comment="allow ssh,webadmin,winbox from VPN" \
dst-port=22,8888,8291 log=yes log-prefix="VPN ADMIN" protocol=tcp \
src-address=192.168.1.0/24

Here is what I would do instead of this rule. Reminder: only admin needs access to the router.

add action=accept chain=input comment="allow admin access" \
in-interface=LAN src-address-list=adminaccess

Firewall address list
add address=ip of admin desktop list=adminaccess
add address=ip of admin laptop list=adminaccess
add address=ip of admin ipad etc. list=adminaccess
add address=ip of admin when coming in on vpn list=adminaccess
 
Pezant
just joined
Topic Author
Posts: 15
Joined: Tue Nov 10, 2020 11:17 pm

Re: Port 22 / SFTP/SSH Being Blocked

Thu Nov 12, 2020 10:34 pm

I always had that thought in the back of my mind about ISP potentially blocking it. No idea why they would though....

Here are the logs of me attempting to connect to that SFTP.

Image
 
Pezant
just joined
Topic Author
Posts: 15
Joined: Tue Nov 10, 2020 11:17 pm

Re: Port 22 / SFTP/SSH Being Blocked

Thu Nov 12, 2020 10:56 pm

I just tried modifying your input rule to how you suggested. That did not seem to help either. :(
 
anav
Forum Guru
Posts: 6171
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port 22 / SFTP/SSH Being Blocked

Thu Nov 12, 2020 11:08 pm

I'm outta ideas LOL
 
Pezant
just joined
Topic Author
Posts: 15
Joined: Tue Nov 10, 2020 11:17 pm

Re: Port 22 / SFTP/SSH Being Blocked

Thu Nov 12, 2020 11:17 pm

Haha. I appreciate the help. I might try calling the ISP and find out if they are blocking that port for some odd reason.
 
Pezant
just joined
Topic Author
Posts: 15
Joined: Tue Nov 10, 2020 11:17 pm

Re: Port 22 / SFTP/SSH Being Blocked

Mon Feb 08, 2021 8:00 pm

Good morning. I was hoping to revisit this issue I am having. I have since called the ISP and verified that port 22 is not being blocked. Any SFTP site works just fine when we plug directly into the modem and bypass the MikroTik so there is a rule somewhere that is causing issues. Thanks!
 
anav
Forum Guru
Posts: 6171
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port 22 / SFTP/SSH Being Blocked

Mon Feb 08, 2021 9:34 pm

No worries, please post your complete config again as it is now.

/export hide-sensitive file=anynameyouwish
 
Pezant
just joined
Topic Author
Posts: 15
Joined: Tue Nov 10, 2020 11:17 pm

Re: Port 22 / SFTP/SSH Being Blocked

Mon Feb 08, 2021 11:35 pm

Here you go.
# feb/08/2021 14:27:39 by RouterOS 6.47.7
# software id = VGFH-V40X
#
# model = RB760iGS
# serial number = ###
/interface bridge
add admin-mac=(Removed) auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.1.20-192.168.1.239
add name=vpn-pool ranges=192.168.1.241-192.168.1.249
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE dns-server=192.168.1.11 idle-timeout=30m local-address=\
    192.168.1.1 remote-address=vpn-pool session-timeout=8h use-compression=yes
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,passw\
    ord,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0
add address=(Gateway IP) interface=ether1 network=(Static IP)
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.1.11
/ip dns static
add address=192.168.1.1 name=router.lan
/ip firewall address-list
add address=192.168.1.240 list=AdminAccess
add address=192.168.1.10 list=AdminAccess
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow ssh,webadmin,winbox from VPN" \
    in-interface=all-ethernet log=yes log-prefix="VPN ADMIN" src-address-list=\
    AdminAccess
# no interface
add action=accept chain=input in-interface=*F00037 src-address-list=AdminAccess
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=\
    udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=forward dst-port=22 log=yes log-prefix=Port22 protocol=\
    tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid log=yes log-prefix=Test_Invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log=yes log-prefix=Test_DSTNAT
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.1.0/24 log-prefix=HairpinNat src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none log=yes log-prefix="WAN Masquerade" out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.1.0/24
add action=dst-nat chain=dstnat dst-address=184.182.220.67 dst-port=80 \
    protocol=tcp to-addresses=192.168.1.12 to-ports=80
add action=dst-nat chain=dstnat dst-address=184.182.220.67 dst-port=443 \
    protocol=tcp to-addresses=192.168.1.12 to-ports=443
add action=dst-nat chain=dstnat dst-address=184.182.220.67 dst-port=86 \
    protocol=tcp to-addresses=192.168.1.12 to-ports=86
add action=dst-nat chain=dstnat dst-address=184.182.220.67 dst-port=8080 \
    protocol=tcp to-addresses=192.168.1.13 to-ports=8080
add action=dst-nat chain=dstnat dst-address=184.182.220.67 dst-port=4443 \
    protocol=tcp to-addresses=192.168.1.13 to-ports=443
add action=accept chain=dstnat disabled=yes
/ip route
add distance=1 gateway=184.182.220.65
/ip ssh
set forwarding-enabled=both
/ppp secret
add name=(Removed) profile=default-encryption remote-address=192.168.1.240
add name=(Removed) profile=default-encryption
add name=(Removed) profile=default-encryption
add name=(Removed) profile=default-encryption
add name=(Removed) profile=default-encryption
add name=(Removed) profile=default-encryption
add name=(Removed) profile=default-encryption
add name=(Removed) profile=default-encryption
add name=(Removed) profile=default-encryption
add name=(Removed) profile=default-encryption
add disabled=yes name=(Removed) profile=default-encryption
add name=(Removed) profile=default-encryption
add name=(Removed) profile=default-encryption
/system clock
set time-zone-name=America/Phoenix
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
2frogs
Long time Member
Posts: 602
Joined: Fri Dec 03, 2010 1:38 am

Re: Port 22 / SFTP/SSH Being Blocked

Mon Feb 08, 2021 11:50 pm

Have you tried with:
/ip ssh
set forwarding-enabled=no
 
Pezant
just joined
Topic Author
Posts: 15
Joined: Tue Nov 10, 2020 11:17 pm

Re: Port 22 / SFTP/SSH Being Blocked

Tue Feb 09, 2021 6:05 pm

>> Have you tried with:
>> /ip ssh
>> set forwarding-enabled=no
Thanks for the suggestion but that did not seem to make a difference.
 
Pezant
just joined
Topic Author
Posts: 15
Joined: Tue Nov 10, 2020 11:17 pm

Re: Port 22 / SFTP/SSH Being Blocked

Thu Feb 11, 2021 5:30 pm

Does anyone else have a suggestion? It looks like the outbound traffic is working as I'm able to see syn sent in the log file, I'm just not getting a return packet from any SFTP connection.
 
anav
Forum Guru
Posts: 6171
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port 22 / SFTP/SSH Being Blocked

Thu Feb 11, 2021 8:09 pm

what is this?????????
# no interface
add action=accept chain=input in-interface=*F00037


This rule bothers me for a number of reasons.
a. you don't need it
b. you put it before the other forward rules and thus it is in the wrong order (outcome thus unknown).
c. if you want a log rule for forward chain traffic USE ACTION = log, not forward.

Recommend this be changed from
add action=accept chain=forward dst-port=22 log=yes log-prefix=Port22 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid [this line to show how out of place your SSH line is located]

TO
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=Test_Invalid [to show new location of rule]
add action=log chain=forward dst-port=22 log=yes log-prefix=Port22 protocol=tcp


Also concur with previous poster, no clue what the purpose of this rule is
/ip ssh
set forwarding-enabled=both

suggest try the above changes with this off first and then on for example.
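Added example (my own Python, not the poster's config and not RouterOS code): a small offline evaluator for the `/export` rule syntax quoted in this thread, covering both the return-traffic point made earlier in the thread and the rule-order and action=log point above. It parses a constructed subset of the forward chain in the order recommended above and reports which rule a packet hits first and which log prefixes fire; the packet fields and the handful of matchers it understands are assumptions, and the chain default of accept is RouterOS behaviour.

```python
"""Offline check of RouterOS `/export` firewall rules: which forward-chain rule
does a packet hit first, and which log prefixes fire on the way? Added example;
the rules below are a constructed subset of the thread's forward chain."""
import re
import shlex

EXPORT = r'''
/ip firewall filter
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid log=yes log-prefix=Test_Invalid
add action=log chain=forward dst-port=22 log=yes log-prefix=Port22 protocol=tcp
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log=yes log-prefix=Test_DSTNAT
'''

def parse_export(text, menu="/ip firewall filter"):
    """Return the `add` lines under `menu` as dicts of matcher -> value."""
    text = re.sub(r"\\\n[ \t]*", "", text)  # join RouterOS line continuations
    rules, current = [], None
    for line in text.splitlines():
        if line.startswith("/"):
            current = line.strip()
        elif current == menu and line.startswith("add "):
            # shlex keeps quoted comments as one token; partition splits key=value
            rules.append(dict(tok.partition("=")[::2] for tok in shlex.split(line[4:])))
    return rules

def _eq_or_negated(want, have):
    """RouterOS matchers accept a leading '!' to negate the comparison."""
    return have != want[1:] if want.startswith("!") else have == want

# Only the matchers used by the rules above (an assumption of this example); any
# other matcher makes the rule non-matching so unknown matchers are never ignored.
MATCHERS = {
    "protocol": lambda want, pkt: pkt.get("protocol") == want,
    "dst-port": lambda want, pkt: str(pkt.get("dst_port")) in want.split(","),
    "connection-state": lambda want, pkt: pkt.get("state") in want.split(","),
    "connection-nat-state": lambda want, pkt: _eq_or_negated(want, pkt.get("nat_state")),
    "in-interface-list": lambda want, pkt: _eq_or_negated(want, pkt.get("in_list")),
}
NOT_MATCHERS = {"action", "chain", "comment", "log", "log-prefix", "disabled"}
NON_TERMINATING = {"log", "passthrough"}  # these actions fall through to the next rule

def first_hit(rules, pkt):
    """Walk the packet's chain in order; return (action, comment, prefixes logged).
    With no terminating match RouterOS falls back to the chain default, accept."""
    logged = []
    for rule in rules:
        if rule.get("chain") != pkt["chain"] or rule.get("disabled") == "yes":
            continue
        if not all(MATCHERS.get(k, lambda w, p: False)(v, pkt)
                   for k, v in rule.items() if k not in NOT_MATCHERS):
            continue
        if rule.get("log") == "yes":
            logged.append(rule.get("log-prefix", ""))
        if rule["action"] in NON_TERMINATING:
            continue
        return rule["action"], rule.get("comment", ""), logged
    return "accept", "(chain default)", logged

# Constructed packets: the LAN host's SYN towards an SFTP server, the server's
# SYN-ACK coming back in on the WAN, and an unsolicited SYN from the Internet.
OUT_SYN = {"chain": "forward", "protocol": "tcp", "dst_port": 22, "state": "new", "in_list": "LAN"}
RETURN_SYNACK = {"chain": "forward", "protocol": "tcp", "dst_port": 51234, "state": "established", "in_list": "WAN"}
WAN_SYN = {"chain": "forward", "protocol": "tcp", "dst_port": 22, "state": "new", "in_list": "WAN"}
RULES = parse_export(EXPORT)

if __name__ == "__main__":
    for name, pkt in (("LAN->WAN SYN", OUT_SYN), ("WAN->LAN SYN-ACK", RETURN_SYNACK), ("WAN->LAN new SYN", WAN_SYN)):
        print(name, first_hit(RULES, pkt))
```

Run against the full export the same way (with the other matchers added as needed) to confirm that the outbound SYN is only logged and the SYN-ACK is accepted by the established rule, which is what the "syn sent, no return" log observation in this thread already suggests: the filter is not where the reply is lost.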
 
Pezant
just joined
Topic Author
Posts: 15
Joined: Tue Nov 10, 2020 11:17 pm

Re: Port 22 / SFTP/SSH Being Blocked

Wed Feb 17, 2021 9:07 pm

Thank you for your suggestions. I have implemented all of them but unfortunately I'm still not able to connect to any SFTP. Here are a couple of the log hits for my filter rule Port22:

Image
 
Pezant
just joined
Topic Author
Posts: 15
Joined: Tue Nov 10, 2020 11:17 pm

Re: Port 22 / SFTP/SSH Being Blocked

Mon Mar 01, 2021 10:03 pm

Any other suggestions? Thanks.
 
2frogs
Long time Member
Posts: 602
Joined: Fri Dec 03, 2010 1:38 am

Re: Port 22 / SFTP/SSH Being Blocked

Tue Mar 02, 2021 12:49 am

Export current configuration, then NetInstall current rOS version and Import your configuration. I have seen random weirdness with devices before. I just had to NetInstall a new hAP AC that was in a boot loop straight out of the box.
