peterda84
just joined
Topic Author
Posts: 5
Joined: Fri Jul 02, 2021 2:02 pm

Can't SSH into Mikrotik network

Sun Jul 04, 2021 10:52 pm

Hi,

I am a Mikrotik newbie, just got a hEX router. My problem is that I cannot SSH from my 192.168.0.0/24 network into a server that I put behind the hEX on 192.168.88.254.
I have tried to modify firewall filter and NAT rules but no success. Could you please help?

Current firewall config is below:

0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 chain=input action=accept src-address=192.168.0.0/24 log=no log-prefix=""

2 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked

3 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid

4 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp

5 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1

6 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN

7 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec

8 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec

9 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related

10 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked

11 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid

12 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN

0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none


Network configuration:
(diagram attached to the original post)
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't SSH into Mikrotik network

Sun Jul 04, 2021 10:57 pm

/export hide-sensitive file=anynameyouwish
 
peterda84
just joined
Topic Author
Posts: 5
Joined: Fri Jul 02, 2021 2:02 pm

Re: Can't SSH into Mikrotik network

Sun Jul 04, 2021 11:54 pm

/export hide-sensitive file=anynameyouwish

# jul/04/2021 17:44:13 by RouterOS 6.48.3
# software id = DQ9L-XBWC
#
# model = RB750Gr3
# serial number = CC210D9C8930
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input src-address=192.168.0.0/24
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/Argentina/Buenos_Aires
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't SSH into Mikrotik network

Mon Jul 05, 2021 3:58 am

(1) Config looks okay.
Would add dns-server here though:
ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 dns-server=192.168.88.1

(2) add action=accept chain=input src-address=192.168.0.0/24
This rule should be removed as it has no purpose.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++

(3) In terms of the issue: if the hEX is set up as a router and you want to access a server, you need port forwarding to work.
a. you have the requisite firewall rule
b. what you are missing is a destination NAT rule
 
tangent
Forum Guru
Posts: 1351
Joined: Thu Jul 01, 2021 3:15 pm

Re: Can't SSH into Mikrotik network

Mon Jul 05, 2021 4:48 pm

(1) Config looks okay,

I'd say it looks confused.

Serious question for the OP, not trying to be mean: double-NAT, really? Why?

If it's just for temporary testing while you're learning RouterOS, then that's fine, but eventually you should be thinking of putting the ISP router into bridge mode and using the MikroTik as the actual router. Then you have a public IP on one side of the MT and one of these two separate 192.168 networks on the private side.

you need port forwarding to work.
a. you have the requisite firewall rule
b. what you are missing is a destination nat rule

That or a routing rule, yes.

peterda84, what anav is saying is that correct "export" output should contain an "/ip firewall nat" section with "add" commands to enable the port-forward you need for this. Here is a port-forwarding guide for RouterOS.

What I'm adding is that the other option you have is to set up explicit routing from 192.168.0.0/24 to 192.168.88.0/24, two completely different networks. This is a more appropriate configuration when there are servers on the other side of the inner router and you're in control of both sides.

Indeed, I think you can't get away without adding some amount of static routing even in the NAT configuration. Enabling NAT port-forwarding on the MT doesn't tell the "CLIENT" computer in your diagram that 192.168.88.0/24 is reachable via the LAN rather than the default route, so it'll do the wrong thing with ARP until you tell it this detail: it'll try to send packets towards the Internet, and your ISP will then drop them, since 192.168.x.y isn't a public IP.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't SSH into Mikrotik network

Mon Jul 05, 2021 8:59 pm

Hi Tangent, my thinking was that a route on the primary router was not necessary because the traffic was coming from the same LAN subnet.
If I enter an IP to get to that is on the same subnet, I shouldn't need a route.
The problem here is that the LAN IP I am reaching is actually the WAN IP of the second router.
In this case the port forwarding should take a request and do the port forwarding, if I understand this right?
 
tangent
Forum Guru
Posts: 1351
Joined: Thu Jul 01, 2021 3:15 pm

Re: Can't SSH into Mikrotik network

Mon Jul 05, 2021 10:29 pm

route on the primary router was not necessary

I'm not suggesting modifying the ISP router's config, but the CLIENT machine's config, in the OP's diagram.

Before he started changing things, he had only the default route plus whatever dynamic routes the OS computed from the assigned IP and netmask, right? Now he's added another subnet (192.168.88.0/24) which matches only the default route in that configuration. Until he adds a static route telling it the "near" side IP of the MT router is the next-hop, it'll do an ARP for the default route's IP (192.168.0.1) and send the packets to that MAC instead of to the MT router.

Through the magic of switched Ethernet, the MT router won't get a copy of those packets, because the switch built into the ISP router "knows" where the MAC belonging to 192.168.0.1 is: it's internal!

Traffic was coming from the same LAN subnet.

That's the problem: OP's got two private subnets now: 192.168.88.0/24 and 192.168.0.0/24.

You'd be right that they're the same subnet if he abused the RFC 1918 assignment and called both /16, but that's not only evil, it's not what the OP said he actually did.

I'm suggesting he doesn't do double-NAT, but use static routing instead, at least until he's got the MT configured well enough that it's ready to replace the routing functions of the ISP router, which presumably can be configured as a bridge, making it take on modem functions only.

port forwarding should take a request and do the port forwarding, if I understand this right?

If you set up what MikroTik calls "dstnat" and the rest of the home networking world calls port forwarding, and you also configure the CLIENT machine to statically route packets toward that MT when the IP is for the subnet on its other side (192.168.88.0/24) then you have a new problem: how do packets know how to get back across that NAT link?

It's possible that the default route from the far side of the network suffices, but I'd have to study the configuration in vivo to work this out, and I don't have two spare MT routers here to set it up to trace things out. It'll depend in part on things like whether this SERVER machine is doing any DHCP or not.

DHCPing with servers isn't always wrong: static DHCP reservations can be quite useful with such, resulting in a static IP but dynamic DNS and routes and such.
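The routed alternative that tangent describes in both of the posts above, written out as an added example (not the thread's or the OP's configuration). The addresses are hypothetical: the hEX's ether1 holds 192.168.0.2 on the ISP LAN, ideally via a DHCP reservation on the ISP router, and the server is 192.168.88.254. Two things change on the hEX relative to the defconf: traffic towards the upstream LAN is excluded from masquerade, and new connections from that LAN to the server are accepted in the forward chain before the defconf rule that drops everything from WAN that was not dst-nat'd:

```routeros
# Added example, not from the thread. Hypothetical addresses:
#   ISP LAN           = 192.168.0.0/24  (hEX ether1 = 192.168.0.2)
#   hEX LAN           = 192.168.88.0/24 (server = 192.168.88.254)

# 1. Do not masquerade traffic whose destination is the upstream LAN.
#    The defconf masquerade rule stays in place for Internet-bound traffic;
#    'accept' in the srcnat chain stops NAT processing for the match.
/ip firewall nat
add chain=srcnat action=accept comment="no NAT towards upstream LAN" \
    dst-address=192.168.0.0/24 out-interface-list=WAN \
    place-before=[find comment="defconf: masquerade"]

# 2. Allow new connections from the upstream LAN to the server's SSH port,
#    inserted before "drop all from WAN not DSTNATed". Widen dst-port or
#    dst-address here if more services or hosts should be reachable.
/ip firewall filter
add chain=forward action=accept comment="upstream LAN -> server SSH" \
    connection-state=new in-interface-list=WAN \
    src-address=192.168.0.0/24 dst-address=192.168.88.254 \
    protocol=tcp dst-port=22 \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"]
```

The hEX needs no route of its own, since 192.168.0.0/24 is a connected route on ether1; the missing piece is on the other side, exactly as tangent says. Each client needs a static route for the far subnet pointing at the hEX (on Linux, for instance, `ip route add 192.168.88.0/24 via 192.168.0.2`), or, if the ISP router's firmware allows static routes, the same route added there once so that every client inherits it. For the return path: the server's lease from the hEX's DHCP sets 192.168.88.1 as its gateway, the hEX delivers the reply directly onto ether1, and no NAT is applied to it because connection tracking decides NAT on a connection's first packet and then replays that decision for the rest of the flow; the srcnat exception above matters for the client-to-server direction, so that the server sees the client's real 192.168.0.x address in its logs and in sshd's access controls instead of the hEX's WAN address. A quick check from the server side is `tcpdump -ni eth0 tcp port 22`: with the routed setup the source address should be the client's, not 192.168.0.2.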
