harishpillay
just joined
Topic Author
Posts: 4
Joined: Sun Oct 14, 2018 7:18 pm

Firewall filter rules ordering

Mon Nov 05, 2018 5:57 pm

I am running RouterOS v6.44beta28 (testing) on my Mikrotik and I'm not being successful in port forwarding ssh port 22 from the Internet to an internal system. I've set up the NAT rules as per instructions but I can't reach my internal system on ssh.

I've looked at the IP->Firewall->Filter Rules tab and I need some guidance on how to sequence the filter rules. I can't seem to find a way to order via the WebFig option. Any hints welcome.

I've included Image for your reference.

Thank you.
 
wispvt
Member Candidate
Posts: 109
Joined: Tue May 10, 2011 4:20 pm

Re: Firewall filter rules ordering

Tue Nov 06, 2018 10:40 pm

To change the order of the rule, just click on it and drag it to where you want it placed in the order.
 
harishpillay
just joined
Topic Author
Posts: 4
Joined: Sun Oct 14, 2018 7:18 pm

Re: Firewall filter rules ordering

Wed Nov 07, 2018 7:59 am

To change the order of the rule, just click on it and drag it to where you want it placed in the order.
I am using WebFig only. The browser does not allow that, it seems. I do not want to run a Windows binary (I don't have Windows, nor do I want to run Wine).

Is there a cli mode?

Thanks.
 
ianngrh
newbie
Posts: 26
Joined: Thu Aug 30, 2018 6:53 am

Re: Firewall filter rules ordering

Wed Nov 07, 2018 9:04 am

You can use the "move" command.

For a filter rule:
/ip firewall filter move numbers="[old rule no]" destination="[new rule no]"

For a NAT rule:
/ip firewall nat move numbers="[old rule no]" destination="[new rule no]"

For a mangle rule:
/ip firewall mangle move numbers="[old rule no]" destination="[new rule no]"

Example:
I want to move my filter rule no 3 to become no 1. So I use the command below:
/ip firewall filter move numbers="3" destination="1"
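The same reordering, as an added CLI example that is not part of the original post: it assumes the router's firewall contains a rule commented "final drop" (any existing rule will do), that ether1 is the WAN interface, and it uses the comment "accept dstnat" for the rule it adds; the rest is standard RouterOS syntax. It also shows the comment-based and place-before forms, which are not in the reply above.

```routeros
# Added example, not from the original post. Assumed: a rule commented
# "final drop" exists, ether1 is the WAN interface.

# Rules are evaluated top to bottom and the first terminating match
# (accept/drop/reject) wins, so a rule placed after a broader drop never runs.

# 1. Print the chain first: "numbers=" refers to the positions shown by the
#    most recent print in this terminal session, and they shift after every
#    add, remove or move.
/ip firewall filter print where chain=forward

# 2. Move the rule at position 3 so it is placed before the rule that is
#    currently at position 1 (it ends up at index 1).
/ip firewall filter move numbers=3 destination=1

# 3. When adding a rule, put it in the right place immediately with
#    place-before instead of adding it at the end and moving it afterwards.
/ip firewall filter add chain=forward action=accept connection-state=new \
    connection-nat-state=dstnat in-interface=ether1 comment="accept dstnat" \
    place-before=[find comment="final drop"]

# 4. Safer in scripts: address rules by comment instead of by position.
#    The first rule is moved to sit directly before the second.
/ip firewall filter move [find comment="accept dstnat"] [find comment="final drop"]

# 5. Confirm the new order.
/ip firewall filter print where chain=forward

# /ip firewall nat and /ip firewall mangle accept the same move syntax.
```

Positions are only meaningful in the terminal that printed them, so in scripts and in anything pasted from an export prefer the `[find comment=...]` form.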
 
harishpillay
just joined
Topic Author
Posts: 4
Joined: Sun Oct 14, 2018 7:18 pm

Re: Firewall filter rules ordering

Wed Nov 07, 2018 10:25 am

Thank you. That's all I needed.

I prefer the browser or CLI modes as these are something that one can do without any
dependency of OS on the local machine.

Thank you again.

Harish
 
Steveocee
Forum Guru
Posts: 1120
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Firewall filter rules ordering

Wed Nov 07, 2018 10:51 am

Setting up a NAT rule is not enough. If your firewall is blocking the connection then the NAT rule will not work. You'd be better doing an export of both your firewall filters and NAT table for everyone to see and advise on.
The default config has a rule to drop anything non-dst NAT'd which is very useful for setting up port forwards and not having to create individual firewall accept rules for each port forward.
 
Jotne
Forum Guru
Posts: 3300
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Firewall filter rules ordering

Wed Nov 07, 2018 12:04 pm

On a standard configured MT, you do not need to add firewall rules to forward port 22 from the outside.
Only change the fw if you have rules that explicitly configure port 22 (block).
AFAIK the order of the NAT rules is not important. Maybe the masquerade.

This should work from web if you want to open 22 to server 192.168.88.12:
IP->Firewall->Nat->Add New
Chain: dstnat
Protocol: 6 tcp
Dest Port: 22
In Interface: ether1 (your wan interface)
Action: netmap
To Addresses: 192.168.88.12 (your server IP)
To Port: 22

But, DO NOT OPEN PORT 22 if you do not know what you are doing.
Use another port than 22, e.g. set Dest Port: 45564
Use port knocking
Use an access list (to allow only some to access you)

Why: My MT is hit 2 times every second on port 22 from users/hackers trying to get in to it.
I do not even have it open :)
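The advice in the post above, written out as an added CLI example that is not part of the original post or of the RouterOS default configuration: it assumes ether1 is the WAN interface, 192.168.88.12 is the SSH server, and that the router still carries the v6.4x default firewall whose rule comments begin with "defconf:". The address-list names, the knock ports and the admin address 203.0.113.10 (a documentation address) are invented for the example. It uses action=dst-nat instead of netmap; for a single host both rewrite the destination the same way. It goes further than the post by actually wiring the access list and the port knocking into the forward.

```routeros
# Added example, not from the original post. Assumed: ether1 = WAN,
# 192.168.88.12 = SSH server, default ("defconf:") firewall still present.
# Invented: list names ssh-allowed/knock-1, ports 45564/1234/5678, 203.0.113.10.

# --- Port forward: outside port 45564 -> 192.168.88.12:22 ------------------
# A non-standard outside port keeps the forward out of the port-22 scanning.
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=tcp \
    dst-port=45564 action=dst-nat to-addresses=192.168.88.12 to-ports=22 \
    comment="ssh to internal host"

# --- Why no extra filter rule is needed on a default config ----------------
# The default forward chain ends with a rule that drops new connections from
# the WAN unless they were dst-NATed, so traffic matched by the NAT rule
# above passes and everything else from the WAN is dropped:
#   chain=forward action=drop connection-state=new \
#       connection-nat-state=!dstnat in-interface-list=WAN \
#       comment="defconf: drop all from WAN not DSTNATed"
# Confirm it is still there and still last:
/ip firewall filter print where chain=forward

# --- Access list: only listed sources are dst-NATed at all -----------------
# A source not on the list never matches the NAT rule, so the defconf drop
# rule above disposes of it.
/ip firewall address-list add list=ssh-allowed address=203.0.113.10 \
    comment="admin (documentation address)"
/ip firewall nat set [find comment="ssh to internal host"] \
    src-address-list=ssh-allowed

# --- Port knocking: TCP 1234 then TCP 5678 within 30 s opens the list 1 h --
# add-src-to-address-list does not terminate rule processing, so the knock
# packets themselves still fall through to the default input drop rule.
/ip firewall filter add chain=input action=add-src-to-address-list \
    protocol=tcp dst-port=1234 in-interface=ether1 \
    address-list=knock-1 address-list-timeout=30s comment="knock 1"
/ip firewall filter add chain=input action=add-src-to-address-list \
    protocol=tcp dst-port=5678 in-interface=ether1 \
    src-address-list=knock-1 address-list=ssh-allowed \
    address-list-timeout=1h comment="knock 2"

# --- Ordering: the knock rules must sit above the default input drop, -----
# otherwise the knocks are dropped before they are ever seen.
/ip firewall filter move [find comment="knock 1"] \
    [find comment="defconf: drop all not coming from LAN"]
/ip firewall filter move [find comment="knock 2"] \
    [find comment="defconf: drop all not coming from LAN"]
/ip firewall filter print where chain=input
```

Entries the knock rules create are dynamic and expire with the timeout, while the admin address is a static entry; both end up on the same list the NAT rule checks, so the forward behaves identically for a knocker and for the permanently allowed address.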
 
harishpillay
just joined
Topic Author
Posts: 4
Joined: Sun Oct 14, 2018 7:18 pm

Re: Firewall filter rules ordering

Wed Nov 07, 2018 6:25 pm

Totally agreed that 22 is constantly being abused. All of my servers have ssh listening on multiple other ports. I have on one system port knocking done (http://portknocking.org/), but only from within the LAN.
