Pezant
just joined
Topic Author
Posts: 21
Joined: Tue Nov 10, 2020 11:17 pm

Port 22 / SFTP/SSH Being Blocked

Tue Nov 10, 2020 11:28 pm

Hi all. I'm having an issue trying to SSH or SFTP out of the network. Any attempt I try to make usually times out. I've tried disabling all the drop rules and even added a forward rule just for port 22, but nothing seems to be making any difference. Any suggestions as to what I should try next? Thanks!

Here are the firewall rules I'm currently using:
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow ssh,webadmin,winbox from VPN" \
    dst-port=22,8888,8291 log=yes log-prefix="VPN ADMIN" protocol=tcp \
    src-address=192.168.1.0/24
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=\
    udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.1.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.1.0/24
add action=dst-nat chain=dstnat dst-address=184.182.220.67 dst-port=80 \
    protocol=tcp to-addresses=192.168.1.12 to-ports=80
add action=dst-nat chain=dstnat dst-address=184.182.220.67 dst-port=443 \
    protocol=tcp to-addresses=192.168.1.12 to-ports=443
add action=dst-nat chain=dstnat dst-address=184.182.220.67 dst-port=86 \
    protocol=tcp to-addresses=192.168.1.12 to-ports=86
add action=dst-nat chain=dstnat dst-address=184.182.220.67 dst-port=8080 \
    protocol=tcp to-addresses=192.168.1.13 to-ports=8080
add action=dst-nat chain=dstnat dst-address=184.182.220.67 dst-port=4443 \
    protocol=tcp to-addresses=192.168.1.13 to-ports=443
add action=accept chain=dstnat
 
erkexzcx
Member Candidate
Posts: 263
Joined: Mon Oct 07, 2019 11:42 pm

Re: Port 22 / SFTP/SSH Being Blocked

Thu Nov 12, 2020 7:17 pm

Can you give us an example or diagram on what are you trying to achieve?
 
Pezant
just joined
Topic Author
Posts: 21
Joined: Tue Nov 10, 2020 11:17 pm

Re: Port 22 / SFTP/SSH Being Blocked

Thu Nov 12, 2020 7:56 pm

Hi. I'm trying to connect to an SFTP site. As I was investigating the issue I discovered, however, that I wasn't able to access any SFTP or SSH server. I was using a couple of free public SFTPs and SSH shells for testing. Normally the server responds with a key to verify identity, but I'm not getting that prompt.

These are the ones I'm using to test.
https://www.sftp.net/public-online-sftp-servers
http://sdf.org/
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Port 22 / SFTP/SSH Being Blocked

Thu Nov 12, 2020 8:50 pm

The first one works just fine for me, I issue sftp demo@test.rebex.net and I see a password prompt etc.

web check test.rebex.net:22 demo/password Also supports SSH, FTP/SSL, FTP, IMAP, POP3 and Time protocols. Read-only.

What you can do is really start LOGGING (add logging on rules) a bit, so it might reveal a bit more about what the problem is.
 
Pezant
just joined
Topic Author
Posts: 21
Joined: Tue Nov 10, 2020 11:17 pm

Re: Port 22 / SFTP/SSH Being Blocked

Thu Nov 12, 2020 9:00 pm

Thanks for the suggestion. I'll see about enabling logging. I've also tried using Torch and I see it starting to connect but it never actually does. It just shows ethernet protocol 800 and the port it goes out and attempts to go in on.
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Port 22 / SFTP/SSH Being Blocked

Thu Nov 12, 2020 9:05 pm

You only posted parts of the config. Are you using some form of VPN tunnel, and do you route specific traffic into a tunnel?
Do all other regular Internet services work from that same PC you are testing from? (e.g. generic browsing, DNS lookups etc.)

Because:
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.1.0/24

I don't see a generic masquerade rule for regular Internet/surf traffic? Unless you are using some VPN link?
 
Pezant
just joined
Topic Author
Posts: 21
Joined: Tue Nov 10, 2020 11:17 pm

Re: Port 22 / SFTP/SSH Being Blocked

Thu Nov 12, 2020 9:28 pm

I didn't think the other rules were relevant. I can post the full config. We have a VPN for remote users who need to work from their desktops at the office. I haven't had an issue with any other internet services. It's just this port 22 and it doesn't work on site or over the VPN. :(
/interface bridge
add admin-mac=*Hidden* auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.1.20-192.168.1.239
add name=vpn-pool ranges=192.168.1.240-192.168.1.249
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE dns-server=192.168.1.11 idle-timeout=30m local-address=\
    192.168.1.1 remote-address=vpn-pool session-timeout=8h use-compression=yes
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,passw\
    ord,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=192.168.1.0
add address=*Hidden*/28 interface=ether1 network=184.182.220.64
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.1.11
/ip dns static
add address=192.168.1.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow ssh,webadmin,winbox from VPN" \
    dst-port=22,8888,8291 log=yes log-prefix="VPN ADMIN" protocol=tcp \
    src-address=192.168.1.0/24
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=\
    udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.1.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.1.0/24
add action=dst-nat chain=dstnat dst-address=*Hidden* dst-port=80 \
    protocol=tcp to-addresses=192.168.1.12 to-ports=80
add action=dst-nat chain=dstnat dst-address=*Hidden* dst-port=443 \
    protocol=tcp to-addresses=192.168.1.12 to-ports=443
add action=dst-nat chain=dstnat dst-address=*Hidden* dst-port=86 \
    protocol=tcp to-addresses=192.168.1.12 to-ports=86
add action=dst-nat chain=dstnat dst-address=*Hidden* dst-port=8080 \
    protocol=tcp to-addresses=192.168.1.13 to-ports=8080
add action=dst-nat chain=dstnat dst-address=*Hidden* dst-port=4443 \
    protocol=tcp to-addresses=192.168.1.13 to-ports=443
add action=accept chain=dstnat
/ip route
add distance=1 gateway=*Hidden*
/ip ssh
set forwarding-enabled=both
/system clock
set time-zone-name=America/Phoenix
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Do I need to use a generic masquerade rule if the IPs never change?
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port 22 / SFTP/SSH Being Blocked

Thu Nov 12, 2020 9:46 pm

/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 should be bridge.

What is the purpose of this rule at the end of the dstnat chain, looks like an accident that should be removed??
add action=accept chain=dstnat
 
Pezant
just joined
Topic Author
Posts: 21
Joined: Tue Nov 10, 2020 11:17 pm

Re: Port 22 / SFTP/SSH Being Blocked

Thu Nov 12, 2020 9:57 pm

Thanks for the suggestion. I have switched that interface over to bridge and removed the last NAT rule. Honestly I'm not sure how that ended up in there. I'm new to this level of customization in network configuration, so I probably copied and pasted a rule I found online. Unfortunately it didn't seem to make a difference. Do I need to restart the router, or should these changes be instant? Thanks!
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Port 22 / SFTP/SSH Being Blocked

Thu Nov 12, 2020 9:58 pm

Ah OK, the line below IS your generic masq rule providing "NAT'ed" access for all the internal 192.168.1.0/24 IPs.
The comment was a bit misleading.

>> add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.1.0/24

You have the rules in place in the forward chain to accommodate the return traffic; that looks good.


Add some logging on these rules and see if you hit anything.

>> add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
>> add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
 
Pezant
just joined
Topic Author
Posts: 21
Joined: Tue Nov 10, 2020 11:17 pm

Re: Port 22 / SFTP/SSH Being Blocked

Thu Nov 12, 2020 10:05 pm

The odd thing is that I even disabled those rules and still wasn't able to get out on that port. I just turned on logging.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port 22 / SFTP/SSH Being Blocked

Thu Nov 12, 2020 10:19 pm

Traffic outbound isn't usually blocked by the router, so perhaps it's your ISP??

Hmm wonder if these rules are getting in the way from LAN to Internet for some reason.
add action=accept chain=input comment="allow ssh,webadmin,winbox from VPN" \
dst-port=22,8888,8291 log=yes log-prefix="VPN ADMIN" protocol=tcp \
src-address=192.168.1.0/24

Here is what I would do instead of this rule. Reminder: only admin needs access to the router.

add action=accept chain=input comment="allow admin access" \
in-interface=LAN src-address-list=adminaccess

Firewall address list
add address=ip of admin desktop list=adminaccess
add address=ip of admin laptop list=adminaccess
add address=ip of admin ipad etc. list=adminaccess
add address=ip of admin when coming in on vpn list=adminaccess
 
Pezant
just joined
Topic Author
Posts: 21
Joined: Tue Nov 10, 2020 11:17 pm

Re: Port 22 / SFTP/SSH Being Blocked

Thu Nov 12, 2020 10:34 pm

I always had that thought in the back of my mind about ISP potentially blocking it. No idea why they would though....

Here are the logs of me attempting to connect to that SFTP.

[image: screenshot of the log entries]
 
Pezant
just joined
Topic Author
Posts: 21
Joined: Tue Nov 10, 2020 11:17 pm

Re: Port 22 / SFTP/SSH Being Blocked

Thu Nov 12, 2020 10:56 pm

I just tried modifying your input rule to how you suggested. That did not seem to help either. :(
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port 22 / SFTP/SSH Being Blocked

Thu Nov 12, 2020 11:08 pm

I'm outta ideas LOL
 
Pezant
just joined
Topic Author
Posts: 21
Joined: Tue Nov 10, 2020 11:17 pm

Re: Port 22 / SFTP/SSH Being Blocked

Thu Nov 12, 2020 11:17 pm

Haha. I appreciate the help. I might try calling the ISP and find out if they are blocking that port for some odd reason.
 
Pezant
just joined
Topic Author
Posts: 21
Joined: Tue Nov 10, 2020 11:17 pm

Re: Port 22 / SFTP/SSH Being Blocked

Mon Feb 08, 2021 8:00 pm

Good morning. I was hoping to revisit this issue I am having. I have since called the ISP and verified that port 22 is not being blocked. Any SFTP site works just fine when we plug directly into the modem and bypass the MikroTik so there is a rule somewhere that is causing issues. Thanks!
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port 22 / SFTP/SSH Being Blocked

Mon Feb 08, 2021 9:34 pm

No worries, please post your complete config again as it is now.

/export hide-sensitive file=anynameyouwish
 
Pezant
just joined
Topic Author
Posts: 21
Joined: Tue Nov 10, 2020 11:17 pm

Re: Port 22 / SFTP/SSH Being Blocked

Mon Feb 08, 2021 11:35 pm

Here you go.
# feb/08/2021 14:27:39 by RouterOS 6.47.7
# software id = VGFH-V40X
#
# model = RB760iGS
# serial number = ###
/interface bridge
add admin-mac=(Removed) auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.1.20-192.168.1.239
add name=vpn-pool ranges=192.168.1.241-192.168.1.249
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE dns-server=192.168.1.11 idle-timeout=30m local-address=\
    192.168.1.1 remote-address=vpn-pool session-timeout=8h use-compression=yes
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,passw\
    ord,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0
add address=(Gateway IP) interface=ether1 network=(Static IP)
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.1.11
/ip dns static
add address=192.168.1.1 name=router.lan
/ip firewall address-list
add address=192.168.1.240 list=AdminAccess
add address=192.168.1.10 list=AdminAccess
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow ssh,webadmin,winbox from VPN" \
    in-interface=all-ethernet log=yes log-prefix="VPN ADMIN" src-address-list=\
    AdminAccess
# no interface
add action=accept chain=input in-interface=*F00037 src-address-list=AdminAccess
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=\
    udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=forward dst-port=22 log=yes log-prefix=Port22 protocol=\
    tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid log=yes log-prefix=Test_Invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log=yes log-prefix=Test_DSTNAT
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.1.0/24 log-prefix=HairpinNat src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none log=yes log-prefix="WAN Masquerade" out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.1.0/24
add action=dst-nat chain=dstnat dst-address=184.182.220.67 dst-port=80 \
    protocol=tcp to-addresses=192.168.1.12 to-ports=80
add action=dst-nat chain=dstnat dst-address=184.182.220.67 dst-port=443 \
    protocol=tcp to-addresses=192.168.1.12 to-ports=443
add action=dst-nat chain=dstnat dst-address=184.182.220.67 dst-port=86 \
    protocol=tcp to-addresses=192.168.1.12 to-ports=86
add action=dst-nat chain=dstnat dst-address=184.182.220.67 dst-port=8080 \
    protocol=tcp to-addresses=192.168.1.13 to-ports=8080
add action=dst-nat chain=dstnat dst-address=184.182.220.67 dst-port=4443 \
    protocol=tcp to-addresses=192.168.1.13 to-ports=443
add action=accept chain=dstnat disabled=yes
/ip route
add distance=1 gateway=184.182.220.65
/ip ssh
set forwarding-enabled=both
/ppp secret
add name=(Removed) profile=default-encryption remote-address=192.168.1.240
add name=(Removed) profile=default-encryption
add name=(Removed) profile=default-encryption
add name=(Removed) profile=default-encryption
add name=(Removed) profile=default-encryption
add name=(Removed) profile=default-encryption
add name=(Removed) profile=default-encryption
add name=(Removed) profile=default-encryption
add name=(Removed) profile=default-encryption
add name=(Removed) profile=default-encryption
add disabled=yes name=(Removed) profile=default-encryption
add name=(Removed) profile=default-encryption
add name=(Removed) profile=default-encryption
/system clock
set time-zone-name=America/Phoenix
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
2frogs
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: Port 22 / SFTP/SSH Being Blocked

Mon Feb 08, 2021 11:50 pm

Have you tried with:
/ip ssh
set forwarding-enabled=no
 
Pezant
just joined
Topic Author
Posts: 21
Joined: Tue Nov 10, 2020 11:17 pm

Re: Port 22 / SFTP/SSH Being Blocked

Tue Feb 09, 2021 6:05 pm

> Have you tried with:
> /ip ssh
> set forwarding-enabled=no
Thanks for the suggestion but that did not seem to make a difference.
 
Pezant
just joined
Topic Author
Posts: 21
Joined: Tue Nov 10, 2020 11:17 pm

Re: Port 22 / SFTP/SSH Being Blocked

Thu Feb 11, 2021 5:30 pm

Does anyone else have a suggestion? It looks like the outbound traffic is working, as I'm able to see SYN sent in the log file; I'm just not getting a return packet from any SFTP connection.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port 22 / SFTP/SSH Being Blocked

Thu Feb 11, 2021 8:09 pm

what is this?????????
# no interface
add action=accept chain=input in-interface=*F00037


This rule bothers me for a number of reasons.
a. you don't need it
b. you put it before the other forward rules and thus it is in the wrong order (outcome thus unknown).
c. if you want a log rule for forward chain traffic USE ACTION = log, not forward.

Recommend this be changed from
add action=accept chain=forward dst-port=22 log=yes log-prefix=Port22 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid [this line to show how out of place your SSH line is located]

TO
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=Test_Invalid [to show new location of rule]
add action=log chain=forward dst-port=22 log=yes log-prefix=Port22 protocol=tcp


Also concur with previous poster, no clue what the purpose of this rule is
/ip ssh
set forwarding-enabled=both

Suggest trying the above changes with this off first and then on, for example.
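To make the checks raised in this thread repeatable, here is a small linter for a RouterOS export (an added example, not code from the thread, from anav, or from MikroTik). It flags the points discussed so far: an address bound to a bridge member port instead of the bridge, the stray accept in the dstnat chain, the rule referencing the removed *F00037 interface, an accept rule used only for logging, custom rules placed before a chain's established/related accept, and the /ip ssh forwarding-enabled setting. The sample export is a constructed, trimmed copy of the one posted above; the check names and messages are this example's own.

```python
# Lints a RouterOS '/export' for the mistakes the replies above point out.
# Added example, not code from the thread or from MikroTik; the checks, their
# messages and the sample export below are this example's own.
import shlex

# Constructed sample: a trimmed copy of the export posted earlier in the thread.
SAMPLE_EXPORT = r"""# feb/08/2021 by RouterOS 6.47.7 (trimmed)
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=192.168.1.0
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# no interface
add action=accept chain=input in-interface=*F00037 src-address-list=AdminAccess
add action=accept chain=forward dst-port=22 log=yes log-prefix=Port22 protocol=\
    tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
/ip firewall nat
add action=accept chain=dstnat
/ip ssh
set forwarding-enabled=both
"""


def join_continuations(text: str) -> list:
    # Re-join lines RouterOS wrapped with a trailing backslash. Only the
    # backslash is dropped, so 'passw\' + 'ord' comes back as 'password'.
    out, pending = [], ""
    for raw in text.splitlines():
        line = pending + (raw.lstrip() if pending else raw)
        if line.rstrip().endswith("\\"):
            pending = line.rstrip()[:-1]
            continue
        pending = ""
        out.append(line)
    if pending:
        out.append(pending)
    return out


def parse_export(text: str) -> list:
    # -> [{'section': '/ip firewall filter', 'props': {'action': 'accept', ...}}]
    entries, section = [], ""
    for line in join_continuations(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue                 # blank lines and export comments
        if line.startswith("/"):
            section = line           # menu path for the lines that follow
            continue
        pairs = (t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
        entries.append({"section": section, "props": dict(pairs)})
    return entries


def lint(text: str) -> list:
    # One finding string per hit, in the order the checks run.
    entries, out = parse_export(text), []
    bridge_ports = {e["props"].get("interface") for e in entries
                    if e["section"] == "/interface bridge port"}
    scoped = {"src-address", "src-address-list", "in-interface",
              "in-interface-list", "connection-state"}   # real policy matchers
    for e in entries:
        sec, p = e["section"], e["props"]
        if sec == "/ip address" and p.get("interface") in bridge_ports:
            out.append(f"address {p['address']} is on bridge member {p['interface']}; move it to the bridge")
        elif sec == "/ip ssh" and p.get("forwarding-enabled", "no") != "no":
            out.append(f"ssh forwarding-enabled={p['forwarding-enabled']}: governs tunnels through the "
                       "router's own sshd, not transit port 22; set no unless needed")
        elif sec == "/ip firewall filter":
            if p.get("in-interface", "").startswith("*"):
                out.append(f"filter rule references removed interface {p['in-interface']}")
            if p.get("action") == "accept" and p.get("log") == "yes" and not scoped & set(p):
                out.append(f"{p.get('chain')}: accept rule with log=yes is really a log rule; use action=log")
        elif sec == "/ip firewall nat":
            if (p.get("chain") == "dstnat" and p.get("action") == "accept" and p.get("disabled") != "yes"
                    and not set(p) - {"action", "chain", "comment", "disabled", "log", "log-prefix"}):
                out.append("catch-all accept in dstnat with no match criteria; remove it")
    # Ordering: nothing custom should run before a chain's established/related
    # accept, and that accept must be enabled to do its job.
    for chain in ("input", "forward"):
        rules = [e["props"] for e in entries if e["section"] == "/ip firewall filter"
                 and e["props"].get("chain") == chain and e["props"].get("disabled") != "yes"]
        est = next((i for i, r in enumerate(rules) if "established" in r.get("connection-state", "")), None)
        if est is None:
            out.append(f"{chain}: no enabled accept for established,related; return traffic falls to the default action")
            continue
        for r in rules[:est]:
            if "dst-port" in r or r.get("log") == "yes":
                name = r.get("comment") or r.get("log-prefix") or "unnamed"
                out.append(f"{chain}: rule '{name}' runs before the established,related accept")
    return out
```

Feed it the output of `/export hide-sensitive` from the router; on the full export posted above it reports the same items the replies raise, and a config with nothing to flag returns an empty list.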
 
Pezant
just joined
Topic Author
Posts: 21
Joined: Tue Nov 10, 2020 11:17 pm

Re: Port 22 / SFTP/SSH Being Blocked

Wed Feb 17, 2021 9:07 pm

Thank you for your suggestions. I have implemented all of them but unfortunately I'm still not able to connect to any SFTP. Here are a couple of the log hits for my filter rule Port22:

[image: screenshot of the Port22 log hits]
 
Pezant
just joined
Topic Author
Posts: 21
Joined: Tue Nov 10, 2020 11:17 pm

Re: Port 22 / SFTP/SSH Being Blocked

Mon Mar 01, 2021 10:03 pm

Any other suggestions? Thanks.
 
2frogs
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: Port 22 / SFTP/SSH Being Blocked

Tue Mar 02, 2021 12:49 am

Export current configuration, then NetInstall current rOS version and Import your configuration. I have seen random weirdness with devices before. I just had to NetInstall a new hAP AC that was in a boot loop straight out of the box.
 
Pezant
just joined
Topic Author
Posts: 21
Joined: Tue Nov 10, 2020 11:17 pm

Re: Port 22 / SFTP/SSH Being Blocked

Wed Mar 03, 2021 5:13 pm

> Export current configuration, then NetInstall current rOS version and Import your configuration. I have seen random weirdness with devices before. I just had to NetInstall a new hAP AC that was in a boot loop straight out of the box.
Thank you for the suggestion. I'm going to give this a shot.
 
Pezant
just joined
Topic Author
Posts: 21
Joined: Tue Nov 10, 2020 11:17 pm

Re: Port 22 / SFTP/SSH Being Blocked

Sat Mar 13, 2021 8:56 pm

I just finished trying to netinstall and unfortunately it did not make any difference. I decided to try using the initial config to see if I could connect to an SFTP site with as few rules as possible, and again even that failed. Here's the export of the basic config I was using. I even disabled all the firewall rules.
# mar/13/2021 11:52:56 by RouterOS 6.48.1
# software id = VGFH-V40X
#
# model = RB760iGS
# serial number = AE380A68C25D
/interface bridge
add admin-mac=74:4D:28:A6:5B:AD auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/Phoenix
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Does anyone have any suggestions as to which of these rules would be causing this? Thanks.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port 22 / SFTP/SSH Being Blocked

Sat Mar 13, 2021 9:05 pm

The only thing I can think of is something on the server or PC, or the FTP software application, that is blocking the port, like a software firewall or something?
 
Pezant
just joined
Topic Author
Posts: 21
Joined: Tue Nov 10, 2020 11:17 pm

Re: Port 22 / SFTP/SSH Being Blocked

Sat Mar 13, 2021 9:27 pm

> The only thing I can think of is something on the server or PC, or the FTP software application, that is blocking the port, like a software firewall or something?
I don't believe that's the case because I can connect to any SFTP if I put my laptop on my hotspot. Also it works if I'm connected directly to the modem. I'm starting to wonder if it's an issue with bridging our modem to the Routerboard.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port 22 / SFTP/SSH Being Blocked

Sat Mar 13, 2021 9:46 pm

> > The only thing I can think of is something on the server or PC, or the FTP software application, that is blocking the port, like a software firewall or something?
> I don't believe that's the case because I can connect to any SFTP if I put my laptop on my hotspot. Also it works if I'm connected directly to the modem. I'm starting to wonder if it's an issue with bridging our modem to the Routerboard.
So you can connect your PC directly to the modem, do you get a public IP or a private IP address?
 
Pezant
just joined
Topic Author
Posts: 21
Joined: Tue Nov 10, 2020 11:17 pm

Re: Port 22 / SFTP/SSH Being Blocked

Sat Mar 13, 2021 10:46 pm

> > > The only thing I can think of is something on the server or PC, or the FTP software application, that is blocking the port, like a software firewall or something?
> > I don't believe that's the case because I can connect to any SFTP if I put my laptop on my hotspot. Also it works if I'm connected directly to the modem. I'm starting to wonder if it's an issue with bridging our modem to the Routerboard.
> So you can connect your PC directly to the modem, do you get a public IP or a private IP address?
Public IP address.
 
Pezant
just joined
Topic Author
Posts: 21
Joined: Tue Nov 10, 2020 11:17 pm

Re: Port 22 / SFTP/SSH Being Blocked

Mon Mar 15, 2021 8:50 pm

Any other suggestions? I'm about ready to buy a new router at this point. :(
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Port 22 / SFTP/SSH Being Blocked

Mon Mar 15, 2021 9:47 pm

> Any other suggestions? I'm about ready to buy a new router at this point. :(

Why does your config contain lines like

add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked disabled=yes

To me, this looks like these rules are not active, and they need to be in order to work. (e.g. allowing established/related packets back in on the WAN side)
 
Pezant
just joined
Topic Author
Posts: 21
Joined: Tue Nov 10, 2020 11:17 pm

Re: Port 22 / SFTP/SSH Being Blocked

Mon Mar 15, 2021 10:08 pm

> > Any other suggestions? I'm about ready to buy a new router at this point. :(
> Why does your config contain lines like
>
> add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked disabled=yes
>
> To me, this looks like these rules are not active, and they need to be in order to work. (e.g. allowing established/related packets back in on the WAN side)
I disabled them to see if it made any difference. I also tried using the default configuration and I was still having the same issue.
