Hmm this is not a paid service, maybe some people are enjoying the weekend LOL
Well you are running into loopback or what is called in MT jargon, hairpin nat.
The easiest thing to do is to place the server you are trying to reach on a different subnet OR put the user trying to reach the server on a different subnet --> solved without any hairpin nat changes.
IF that is not possible or not desired then you have to apply some hairpin nat rules which depend a lot on if your internet connection is dynamic or static.
If creating a new subnet is of no interest, then there are multiple ways to solve your dilemma.
In all cases the first thing you need to do is construct a separate srcnat rule (keep the default one) and it looks like this
add chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=192.168.1.0/24
Then you need to configure the destination-NAT rule depending upon whether or not you have a static WANIP or a DYNAMIC WANIP.
If you have a static/fixed WANIP then no change to your current destination-nat rule is required.
add chain=dstnat action=dst-nat dst-address=fixedwanip protocol=xx dst-port=yyyy to-addresses=LANIP to-ports (only required if translating to a different port).
If you have a dynamic WANIP then you can do it several ways,
(1) one work around is to use the IP Cloud and free ddns service on the router as per steveOC (https://www.bing.com/videos/search?q=yo ... &FORM=VIRE)
We are replacing the static wanip (dst-address) by getting the current wanip. Enable the IP cloud, copy the ddns long winded host name on the router and put it in the firewall address list and name the list "myWANIP". The firewall list will resolve the name to your current wanip.
Then your rule becomes
add chain=dstnat action=dst-nat dst-address-list=myWANIP protocol=xx dst-port=yyyy to-addresses=LANIP
(2) Another gucci method, from *****Sob (didn't know he was italian ;-) is similar in that one in effect pulls the active current wanip and sticks it into a firewall address list, from the current dhcp client settings via a script.
So put this in for the dhcp client advanced script area.
:if ($bound=1) do={
/ip firewall address-list set [/ip firewall address-list find where comment="wan1ip"] address=$"lease-address" disabled=no
} else={
/ip firewall address-list set [/ip firewall address-list find where comment="wan1ip"] disabled=yes
}
Where,
/ip firewall address-list
add comment=wan1ip disabled=yes list=external_wan
and rule becomes
add chain=dstnat action=dst-nat dst-address-list=external_wan protocol=xx dst-port=yyyy to-addresses=LANIP
The advantage over the DDNS method is that updates are instant.
The advantage of the DDNS method is that it is useful when there's NAT 1:1 and the router itself doesn't have a public address, plus it's simple and easy to do!!
(3) Finally there is a third method which does not involve extracting any WANIP or mimicking the static WANIP scenario. This involves frick trucking the router by saying look for the interface that is not local as the source of the incoming traffic.
add chain=dstnat action=dst-nat dst-address-type=local dst-address=!192.168.1.1 \
    protocol=xx dst-port=yyyy to-addresses=LANIP
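
Why the extra srcnat masquerade rule matters, as an added example that is not part of the original post: a small Python model of the packet flow for a client reaching the forwarded port through the WAN address. WAN_IP, SERVER, PORT and the client addresses are constructed values; the subnet and router address are the ones used in the rules above.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")   # LAN subnet used in the rules above
ROUTER_LAN = "192.168.1.1"           # router's LAN address (from rule 3)
WAN_IP = "203.0.113.10"              # constructed WAN address
SERVER = "192.168.1.50"              # constructed LANIP of the server
PORT = 443                           # constructed forwarded port


def router_forward(src, dst, dport, hairpin_rule):
    """dstnat port forward, then the optional LAN-to-LAN masquerade."""
    if dst == WAN_IP and dport == PORT:
        dst = SERVER                                  # dst-nat to LANIP
    if hairpin_rule and ip_address(src) in LAN and ip_address(dst) in LAN:
        src = ROUTER_LAN                              # masquerade
    return src, dst


def client_accepts_reply(client, hairpin_rule):
    """True if the reply reaches the client from the address it connected to."""
    src, dst = router_forward(client, WAN_IP, PORT, hairpin_rule)
    reply_src, reply_dst = dst, src                   # server answers what it saw
    if reply_dst == ROUTER_LAN:
        # Reply returns to the router; connection tracking undoes both NATs.
        reply_src, reply_dst = WAN_IP, client
    elif ip_address(reply_dst) in LAN:
        # Same subnet: server delivers directly, the router never sees the
        # reply, so the source stays SERVER and the client discards it.
        pass
    else:
        # Other subnet or internet: reply is routed, dst-nat is undone.
        reply_src = WAN_IP
    return reply_dst == client and reply_src == WAN_IP


if __name__ == "__main__":
    cases = [
        ("LAN client, no hairpin rule", "192.168.1.20", False),
        ("LAN client, hairpin rule", "192.168.1.20", True),
        ("client moved to other subnet", "192.168.2.20", False),
        ("internet client", "198.51.100.7", False),
    ]
    for label, client, rule in cases:
        ok = client_accepts_reply(client, rule)
        print(f"{label:30} -> {'works' if ok else 'fails'}")
```

The third case is the "different subnet" option from the start of the post: the reply has to be routed, so no hairpin rule is needed.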