bisar
just joined
Topic Author
Posts: 12
Joined: Fri Apr 23, 2021 9:25 am
Location: Bucharest

Cannot SSH from LAN to outside devices - strange

Mon Sep 13, 2021 2:19 pm

Hi guys,

I have a strange problem with the MikroTik router:

I can't make SSH connections to systems outside the network (on the Internet), which is very strange.
With telnet it times out. I checked, and the problem is not on the target system.

When configuring the router, I kept the default firewall rules:

[attached screenshot of the firewall rules; the attachment is not viewable]

What should I do?

Thanks
 
mkx
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: Cannot SSH from LAN to outside devices - strange

Mon Sep 13, 2021 2:40 pm

The screenshot you posted does not tell enough of the story. Post the full config in text: execute /export hide-sensitive file=anynameyouwish inside a terminal window, fetch the resulting file, open it in a text editor and copy-paste the contents here ... inside a [code] [/code] environment. Before copy-pasting, check whether there is still some sensitive information shown (such as WiFi passwords, public IP addresses, ...) and obfuscate that information (don't just leave it out, or else we'll have a blind spot again).
 
bisar
Topic Author

Re: Cannot SSH from LAN to outside devices - strange

Mon Sep 13, 2021 2:53 pm

mkx wrote:
The screenshot you posted does not tell enough of the story. Post the full config in text: execute /export hide-sensitive file=anynameyouwish inside a terminal window, fetch the resulting file, open it in a text editor and copy-paste the contents here ... inside a [code] [/code] environment. Before copy-pasting, check whether there is still some sensitive information shown (such as WiFi passwords, public IP addresses, ...) and obfuscate that information (don't just leave it out, or else we'll have a blind spot again).

Hi mkx,

Here you have the output:
/interface bridge
add admin-mac=08:55:31:9D:BF:74 auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 \
    hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc
/ip pool
add name=dhcp ranges=192.168.2.60-192.168.2.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.2.1/24 comment=defconf interface=bridge network=\
    192.168.2.0
add address=172.16.0.1/30 interface=Cloud network=172.16.0.0
add address=172.18.0.1/30 interface=Plenita network=172.18.0.0
add address=172.19.0.1/30 interface="Mihai Popa - UK" network=172.19.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf gateway=192.168.2.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.2.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.1.0/24 list=IPSECDST
add address=192.168.3.0/24 list=IPSECDST
add address=192.168.32.0/24 list=IPSECDST
add address=192.168.2.0/24 list=IPSECSOURCE
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=SSH dst-port=22 protocol=tcp \
    to-addresses=192.168.2.10 to-ports=22
add action=dst-nat chain=dstnat comment=Wireguard dst-port=41194 protocol=udp \
    to-addresses=192.168.2.10 to-ports=41194
/ip firewall service-port
set irc disabled=yes
set sip disabled=yes
/ip route
add distance=1 dst-address=192.168.1.0/24 gateway=172.18.0.2
add distance=1 dst-address=192.168.3.0/24 gateway=172.16.0.2
add distance=1 dst-address=192.168.32.0/24 gateway=172.19.0.2
/system clock
set time-zone-name=Europe/Bucharest
/system identity
set name=office.bisar.ro
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
rextended
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Cannot SSH from LAN to outside devices - strange  [SOLVED]

Mon Sep 13, 2021 2:58 pm

You destroy all outgoing traffic with this rule:
/ip firewall nat
add action=dst-nat chain=dstnat comment=SSH dst-port=22 protocol=tcp to-addresses=192.168.2.10 to-ports=22
Every SSH connection that transits through the router is redirected to 192.168.2.10.
 
mkx

Re: Cannot SSH from LAN to outside devices - strange

Mon Sep 13, 2021 3:00 pm

The rule identified by @rextended ... you should change it to
add action=dst-nat chain=dstnat comment=SSH dst-port=22 protocol=tcp to-addresses=192.168.2.10 to-ports=22 in-interface-list=WAN
(added the in-interface-list property). Ditto for the WireGuard port-forwarding rule.
 
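Added example, not part of the thread: the posted dst-nat rule next to the corrected one, and how to confirm on the router which rule a LAN-originated SSH session is hitting. It assumes the thread's own layout (192.168.2.10 is the internal SSH/WireGuard host, "WAN" is the interface list containing ether1 and pppoe-out1); the verification commands are standard RouterOS CLI.

```routeros
# Added example (not from the thread). Assumes 192.168.2.10 is the internal
# host and the "WAN" interface list holds ether1 and pppoe-out1.

# --- As posted: the dstnat chain sees every packet the router routes, so this
#     rule matches a LAN client's TCP/22 to an Internet host just as well as an
#     inbound connection from the Internet, and redirects both to 192.168.2.10.
/ip firewall nat
add action=dst-nat chain=dstnat comment=SSH dst-port=22 protocol=tcp \
    to-addresses=192.168.2.10 to-ports=22

# --- Fix in place: only packets that ARRIVE on a WAN interface are matched.
#     (use this OR the "from scratch" block below, not both)
/ip firewall nat
set [ find comment=SSH ] in-interface-list=WAN
set [ find comment=Wireguard ] in-interface-list=WAN

# --- Same rules written from scratch, with the interface match included.
/ip firewall nat
add action=dst-nat chain=dstnat comment=SSH in-interface-list=WAN \
    protocol=tcp dst-port=22 to-addresses=192.168.2.10 to-ports=22
add action=dst-nat chain=dstnat comment=Wireguard in-interface-list=WAN \
    protocol=udp dst-port=41194 to-addresses=192.168.2.10 to-ports=41194

# --- Verification: zero the counters, then open an SSH session from a LAN
#     host to an Internet host. The SSH rule's packet counter must stay at 0.
/ip firewall nat reset-counters-all
/ip firewall nat print stats where comment=SSH

# --- The connection table shows where the LAN session really went: the
#     dst-address of your new session must be the Internet host, not
#     192.168.2.10. (":22" is a loose substring match, good enough here.)
/ip firewall connection print where protocol=tcp dst-address~":22"
```

Note that with PPPoE the public traffic enters on pppoe-out1, which the posted config already places in the WAN list (interface list member), so in-interface-list=WAN matches both the bare ether1 and the PPPoE session.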
bisar
Topic Author

Re: Cannot SSH from LAN to outside devices - strange

Mon Sep 13, 2021 3:04 pm

Thank you very much.
Indeed, that's the issue, somehow I added the dst-nat rule wrong :)
 
rextended

Re: Cannot SSH from LAN to outside devices - strange

Mon Sep 13, 2021 3:06 pm

Do not leave SSH open to the whole world: specify the source address, or at least an address list of trusted source IPs,
or better, use SSH after you are WireGuarded inside... :lol:
 
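Added example, not part of the thread: the two hardening options rextended describes, applied to the SSH forward from this config. The addresses in the "ssh-trusted" list are placeholders from the RFC 5737 documentation ranges and must be replaced with the networks you actually administer from; everything else reuses the thread's own rule comments and the 192.168.2.10 host.

```routeros
# Added example (not from the thread). "ssh-trusted" entries are placeholders.

# --- Option A: keep the port forward, but only for listed source addresses.
#     A TCP/22 packet from any other WAN source is NOT dst-natted, so it falls
#     through to the default "drop all from WAN not DSTNATed" forward rule
#     that is already in the posted config. No extra filter rule is needed.
/ip firewall address-list
add list=ssh-trusted address=198.51.100.0/24 comment="office (placeholder)"
add list=ssh-trusted address=203.0.113.7 comment="temporary, self-expiring" \
    timeout=30d
/ip firewall nat
set [ find comment=SSH ] in-interface-list=WAN src-address-list=ssh-trusted

# --- Option B ("SSH after you are WireGuarded inside"): remove the SSH
#     forward entirely and reach 192.168.2.10 over the WireGuard tunnel.
#     Only UDP/41194 stays exposed, and WireGuard does not reply to packets
#     that fail its handshake authentication, so the port does not even show
#     as open to a scanner.
/ip firewall nat
remove [ find comment=SSH ]
set [ find comment=Wireguard ] in-interface-list=WAN

# --- Check the result of either option
/ip firewall address-list print where list=ssh-trusted
/ip firewall nat print detail
```

With option B the SSH client targets the host's address inside the tunnel (or its LAN address 192.168.2.10, provided the WireGuard peer configuration on that host routes 192.168.2.0/24 through the tunnel; that part is assumed, since the host's WireGuard setup is not in the thread). Key-only authentication, which the next post asks about, is orthogonal: it hardens the login, while these options shrink who can reach the daemon at all.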
bisar
Topic Author

Re: Cannot SSH from LAN to outside devices - strange

Mon Sep 13, 2021 4:53 pm

rextended wrote:
Do not leave SSH open to the whole world: specify the source address, or at least an address list of trusted source IPs,
or better, use SSH after you are WireGuarded inside... :lol:
Hmm, even if you use SSH keys only to connect?
 
rextended

Re: Cannot SSH from LAN to outside devices - strange

Mon Sep 13, 2021 5:16 pm

Yes, the more you think the connection is secure (and open to the entire world),
the more probable it is that the connection gets hacked via the first vulnerability found and not revealed to the world...
