vds
just joined
Topic Author
Posts: 5
Joined: Tue May 11, 2021 12:04 am

Forward SSH from static IP to internal network

Tue May 11, 2021 12:27 am

Hi All,
I read tons of forum posts and articles, but I still can't make it work.
I'm trying to reach an internal machine from outside my LAN using my static IP.
This is the NAT rule I added:
/ip firewall nat add action=dst-nat chain=dstnat comment="Forward SSH for access point on port 2022" dst-address=151.167.8.12 dst-port=2022 protocol=tcp to-addresses=192.168.88.3 to-ports=22

The SSH client times out with this output:

OpenSSH_7.6p1 Ubuntu-4ubuntu0.4, OpenSSL 1.0.2n 7 Dec 2017
debug1: Reading configuration data /home/vds/.ssh/config
debug1: /home/vds/.ssh/config line 27: Applying options for 151.167.8.12
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 151.167.8.12 [151.167.8.12] port 2022.
debug1: connect to address 151.167.8.12 port 2022: Connection timed out
ssh: connect to host 151.167.8.12 port 2022: Connection timed out

How do I fix this?
Thanks,
vds
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Forward SSH from static IP to internal network

Tue May 11, 2021 2:10 pm

post your config
/export hide-sensitive file=anynameyouwish

I am assuming you mean you are coming in from an external WAN connection (like coffee shop etc.) and wish to connect to your LAN through the public IP address of your Router??
 
vds

Re: Forward SSH from static IP to internal network

Tue May 11, 2021 10:46 pm

Yes, exactly, this is the configuration:

# may/11/2021 21:42:50 by RouterOS 6.48.2
# software id = H4NZ-V3MV
#
# model = RB4011iGS+5HacQ2HnD
# serial number = D43B0CA7221D
/interface bridge
add admin-mac=48:8F:5A:9E:72:0D auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
installation=indoor mode=ap-bridge secondary-channel=auto ssid=\
MikroTik-9E7217 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=MikroTik-5BA045 wireless-protocol=802.11
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.88.3 client-id=\
ff:e4:e7:6c:68:0:2:0:0:ab:11:42:ce:4b:46:79:c0:5d:51 mac-address=\
DC:A6:32:CC:04:7F server=defconf
add address=192.168.88.2 client-id=\
ff:87:e6:51:c7:0:2:0:0:ab:11:e5:e6:1c:f0:cd:a8:7b:76 mac-address=\
B8:27:EB:53:D8:1F server=defconf
add address=192.168.88.248 mac-address=AC:ED:5C:A7:6D:09 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=192.168.88.2
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Forward SSH to rp02" dst-address=\
151.167.8.12 dst-port=2022 log=yes log-prefix="Forward SSH" protocol=\
tcp to-addresses=192.168.88.3 to-ports=22
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.88.0/24
set ssh address=192.168.88.0/24
set www-ssl address=192.168.88.0/24
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Zurich
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav

Re: Forward SSH from static IP to internal network

Tue May 11, 2021 11:21 pm

A quick look, don't see why it's not working, assuming you have indicated your public IP (hopefully just an example and not the actual one)??
Also, this has nothing to do with the SSH settings on the router, right?

add action=dst-nat chain=dstnat comment="Forward SSH to rp02" dst-address=\
151.167.8.12 dst-port=2022 log=yes log-prefix="Forward SSH" protocol=\
tcp to-addresses=192.168.88.3 to-ports=22
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Forward SSH from static IP to internal network

Tue May 11, 2021 11:36 pm

@vds, I'd like to draw your attention to what @anav already asked: are you actually trying to connect from WAN side of your router? Because your current config won't do for connecting to public address from LAN side of your router.
 
vds

Re: Forward SSH from static IP to internal network

Tue May 11, 2021 11:38 pm

Nothing to do with the SSH settings of the router, no.
 
anav

Re: Forward SSH from static IP to internal network  [SOLVED]

Wed May 12, 2021 12:41 am

Just for giggles,
I want you to try this.
Put this in your source nat config in addition to the existing sourcenat rule.

add chain=srcnat action=masquerade src-address=192.168.88.0/24 dst-address=192.168.88.0/24 comment="hairpin NAT: LAN clients reaching LAN servers via the WAN IP"

See if that helps!
 
vds

Re: Forward SSH from static IP to internal network

Sat May 15, 2021 3:35 pm

@anav So, I was testing it wrong and it was already working from the outside; thank you and @mkx for pointing it out.
Anyway, with your last rule it also works from inside the LAN, which is what I also wanted. Shall I keep the rule, or is it not a good idea?
 
anav

Re: Forward SSH from static IP to internal network

Sat May 15, 2021 5:07 pm

@anav So, I was testing it wrong and it was already working from the outside; thank you and @mkx for pointing it out.
Anyway, with your last rule it also works from inside the LAN, which is what I also wanted. Shall I keep the rule, or is it not a good idea?
No, the rule should stay if you want inside users to connect via the WANIP of the router.
 
vds

Re: Forward SSH from static IP to internal network

Sun May 16, 2021 11:44 am

Great, thanks @anav!
 
anav

Re: Forward SSH from static IP to internal network

Sun May 16, 2021 3:34 pm

I just pass on the information I learned here; if you want to thank somebody, thank MKX, who pointed it out to me long ago.
To be truly helpful I would explain why this works, if I could.
It has something to do with
a. the router takes shortcuts sometimes, in certain cases where the IP address is local on the router, and can bypass connection tracking.
b. so when the router sees the packets coming back from the server responding to the request, instead of sending them through NAT and back to the original destination IP, it sees the answer coming back from the same subnet as the request and simply routes the return packet directly to the originator (however, the originator machine is expecting the packet back from the WANIP and rejects the packet coming from the local server IP).
c. so one can either change the subnet the server is on, and for this the router respects the NAT process, OR, as per the rule that MKX provided,
in this case the source IP from the originator is also changed; what happens after is a mystery to me, but it works... as I don't see how the source nat will help, as I get lost in what the router will see on the reply and how it handles the reverse action of the extra source nat rule, and yet ignores the dilemma of what caused the problem in the first place.
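The packet flow described in the post above, as an added example that is not part of the thread or of RouterOS: a toy Python model of the router's dstnat and srcnat chains and of the conntrack entry they create. The router, server and WAN addresses are the ones from the thread; the client addresses, the source port 51234 and the helper names (Router, ssh_attempt, server_reply) are made up for the example. It shows why, without the extra rule, the server's reply to a LAN client is delivered over the LAN without passing the router and arrives from 192.168.88.3:22 instead of the expected 151.167.8.12:2022, and why masquerading the source forces the reply back through the router, where conntrack undoes both translations.

```python
# Added example (not from the thread): a toy model of dst-nat plus hairpin
# src-nat on a MikroTik-style router. It only models address rewriting and
# the conntrack lookup, not real TCP or ARP.
from dataclasses import dataclass, replace
from typing import Optional

# Addresses from the thread; client addresses in the tests are made up.
WAN_IP = "151.167.8.12"
ROUTER_LAN_IP = "192.168.88.1"
SERVER_IP = "192.168.88.3"
LAN_PREFIX = "192.168.88."   # crude stand-in for 192.168.88.0/24


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def in_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


class Router:
    """Models the dstnat chain, the optional hairpin srcnat rule and conntrack."""

    def __init__(self, hairpin: bool) -> None:
        self.hairpin = hairpin
        # reply tuple as it would arrive at the router -> packet as the client sent it
        self.conntrack = {}

    def forward(self, original: Packet) -> Packet:
        p = original
        # dstnat rule from the thread: WAN_IP:2022 -> SERVER_IP:22
        if p.dst == WAN_IP and p.dport == 2022:
            p = replace(p, dst=SERVER_IP, dport=22)
        # extra srcnat rule: masquerade only LAN -> LAN traffic
        # (a real masquerade may also change the source port; this model keeps it)
        if self.hairpin and in_lan(original.src) and in_lan(p.dst):
            p = replace(p, src=ROUTER_LAN_IP)
        # conntrack remembers how to undo both translations on the reply
        self.conntrack[(p.dst, p.dport, p.src, p.sport)] = original
        return p

    def reverse(self, reply: Packet) -> Optional[Packet]:
        original = self.conntrack.get((reply.src, reply.sport, reply.dst, reply.dport))
        if original is None:
            return None   # unknown flow: nothing to un-NAT
        return Packet(original.dst, original.dport, original.src, original.sport)


def server_reply(received: Packet) -> Packet:
    """The server answers whatever peer it saw the SYN come from."""
    return Packet(received.dst, received.dport, received.src, received.sport)


def ssh_attempt(client_ip: str, hairpin: bool) -> dict:
    router = Router(hairpin)
    syn = Packet(client_ip, 51234, WAN_IP, 2022)

    # 1. The SYN always reaches the router: the WAN IP is the router's own address.
    at_server = router.forward(syn)
    reply = server_reply(at_server)

    # 2. If the server's peer is on its own subnet, the SYN-ACK is delivered
    #    directly over the LAN and the router (and its conntrack) never sees it.
    if in_lan(reply.dst) and reply.dst != ROUTER_LAN_IP:
        at_client = reply
    else:
        at_client = router.reverse(reply)

    # 3. The client only accepts a reply from the peer it connected to.
    expected = Packet(WAN_IP, 2022, client_ip, 51234)
    return {
        "server_sees_peer": at_server.src,
        "client_receives_from": (f"{at_client.src}:{at_client.sport}"
                                 if at_client else None),
        "established": at_client == expected,
    }


if __name__ == "__main__":
    for client, hairpin in [("203.0.113.7", False),
                            ("192.168.88.20", False),
                            ("192.168.88.20", True)]:
        print(client, "hairpin" if hairpin else "no hairpin", ssh_attempt(client, hairpin))
```

The model also shows the trade-off of keeping the rule: with it, the server sees every hairpinned LAN connection as coming from 192.168.88.1, so sshd logs and any per-client filtering on the server lose the real client address. Because the rule only matches LAN-to-LAN traffic it does not change how connections from the WAN are handled.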
