DistRouter
just joined
Topic Author
Posts: 1
Joined: Thu Feb 14, 2019 4:54 pm

Outgoing SSH traffic is blocked

Thu Feb 14, 2019 5:59 pm

Hey guys,
I'm not able to establish an outgoing SSH connection from any machine connected via my MikroTik router. I have RouterOS v6.39.2 (stable). I just tested an outgoing SSH connection via MikroTik's Terminal and it works. Also, if I connect my desktop to the VPN I can connect to the remote SSH server, no problem. I'm pretty sure that I used to be able to connect previously and have not changed anything at all.
Any pointers on how I can troubleshoot this?

I did search for this issue and have not found anything here, but forgive me in advance if this is a duplicate question.

Thank you!
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: Outgoing SSH traffic is blocked

Fri Feb 15, 2019 11:12 am

Please update your router first, following the steps in this document: https://blog.mikrotik.com/security/winb ... ility.html

Update, change the password, check the config. For your SSH problem, you may be blocking SSH connections in the firewall.

After update, export config ( /export hide-sensitive ) and paste here in code blocks for further review.
 
Steveocee
Forum Guru
Posts: 1120
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Outgoing SSH traffic is blocked

Mon Mar 04, 2019 6:46 pm

How strange.
I have just come across this problem myself. I am port forwarding from a specific remote IP back into my network, and using torch I can see the LAN device trying to get back to it with the dst IP, but it simply isn't available.
 
Steveocee
Forum Guru
Posts: 1120
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Outgoing SSH traffic is blocked

Mon Mar 04, 2019 6:48 pm

*Fixed*
Don't think my problem was related. I have a route policy on site that tells it to send certain devices up a VPN. I managed to go "to" the device down the WAN, and then it was trying to respond back up the VPN, hence firewalls blocking packets from unexpected sources.

Good luck to the OP.
 
kkmgrk4v
just joined
Posts: 1
Joined: Thu Feb 11, 2021 5:52 pm

Re: Outgoing SSH traffic is blocked

Thu Feb 11, 2021 6:03 pm

I now had the same problem: blocked SSH packets.
With deep analysis of log files it was clear that authentication worked well, but afterwards all packets had been dropped.
The problem only appeared with Linux and macOS machines; it worked fine with the Windows 10 built-in ssh.
Even disabling all drop rules in the firewall didn't help.

After upgrading the firmware from 7.1beta2 to the newest 7.1beta4 the problem was solved.
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Outgoing SSH traffic is blocked

Fri Feb 12, 2021 8:29 pm

I now had the same problem: blocked SSH packets.
With deep analysis of log files it was clear that authentication worked well, but afterwards all packets had been dropped.
The problem only appeared with Linux and macOS machines; it worked fine with the Windows 10 built-in ssh.
Even disabling all drop rules in the firewall didn't help.

After upgrading the firmware from 7.1beta2 to the newest 7.1beta4 the problem was solved.
Beta issues should be discussed in beta threads!
 
brennanbabb
just joined
Posts: 1
Joined: Fri Jan 12, 2024 11:06 am

Re: Outgoing SSH traffic is blocked

Fri Jan 12, 2024 11:10 am

Hi guys, as mentioned in this thread, I have the same problem.
I cannot SSH from within my network out to outside SSH servers.
It works via the mobile network but not via my MikroTik.

Any advice or changes would be greatly appreciated
-Brennan

Here is the export
# jan/12/2024 11:03:52 by RouterOS 6.45.9
# software id = FNT7-EZ2A
#
# model = RBD52G-5HacD2HnD
# serial number = 8FDE09E04596
/interface bridge
add comment="\"Lan Bridge\"" name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment="\"WAN Interface\""
set [ find default-name=ether2 ] comment="\"LAN Interface\""
set [ find default-name=ether3 ] comment="\"LAN Interface\""
set [ find default-name=ether4 ] comment="\"LAN Interface\""
set [ find default-name=ether5 ] comment="\"LAN Interface\""
/interface pppoe-client
add add-default-route=yes allow=pap,chap disabled=no interface=ether1 max-mru=1480 max-mtu=1480 mrru=1600 name=pppoe-VOX use-peer-dns=yes user=vox889280@vox.co.za
/interface wireless
set [ find default-name=wlan1 ] country="south africa" disabled=no installation=indoor mode=ap-bridge ssid="Boombastic [2Ghz]"
set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-a/n channel-width=20/40mhz-eC country="south africa" disabled=no frequency=auto frequency-mode=manual-txpower mode=ap-bridge ssid=\
"Boombastic [5Ghz]" wireless-protocol=802.11
add disabled=no keepalive-frames=disabled mac-address=BA:69:F4:2A:65:0E master-interface=wlan1 mode=station multicast-buffering=disabled name="wlan test" ssid="Wlan test" wds-cost-range=0-4294967295 \
wds-default-bridge=bridge wds-default-cost=0 wps-mode=disabled
/interface list
add name=WAN
add name=LAN
add name=only-LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" group-key-update=1h management-protection=allowed mode=dynamic-keys supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.200
add comment="mining pool" name=tftppool ranges=192.168.1.100-192.168.1.120
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp always-broadcast=yes bootp-support=dynamic disabled=no interface=bridge lease-time=22h name=dhcp1
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/snmp community
set [ find default=yes ] addresses=41.193.0.0/16 name=v0xt3l3c0m
/system logging action
add bsd-syslog=yes name=Syslog remote=41.193.20.41 syslog-facility=local6 target=remote
/user group
add name=Web policy=local,telnet,ftp,read,write,test,web,sensitive,!ssh,!reboot,!policy,!winbox,!password,!sniff,!api,!romon,!dude,!tikapp skin=Vox_Support
add name=Customer_superuser policy=local,telnet,reboot,read,write,test,web,!ssh,!ftp,!policy,!winbox,!password,!sniff,!sensitive,!api,!romon,!dude,!tikapp skin=Customer_superuser
#error exporting /interface bridge calea
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add interface=pppoe-VOX list=WAN
add interface=bridge list=LAN
add interface=bridge list=only-LAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
add address=192.168.1.1/24 interface=bridge network=192.168.1.0
/ip arp
add address=192.168.1.83 interface=bridge mac-address=00:72:63:23:A6:C4
add address=192.168.1.84 interface=bridge mac-address=00:72:63:23:A6:C4
/ip cloud
set ddns-enabled=yes
/ip dhcp-server lease
add address=192.168.1.18 client-id=1:c8:69:cd:3c:b6:2 comment="Apple TV 4 MAin Bedroom" mac-address=C8:69:CD:3C:B6:02 server=dhcp1
add address=192.168.1.17 client-id=1:d4:a3:3d:5d:cf:7f comment="Homepod Landing" mac-address=D4:A3:3D:5D:CF:7F server=dhcp1
add address=192.168.1.15 client-id=1:0:1c:2a:2:55:f0 comment="Alarm system link" mac-address=00:1C:2A:02:55:F0 server=dhcp1
add address=192.168.1.52 client-id=1:74:81:14:84:a3:21 comment="Brennan Ipad Air" mac-address=74:81:14:84:A3:21 server=dhcp1
add address=192.168.1.11 client-id=1:2:e0:20:9:53:f4 comment="Wireless N repeater 1\
\n" mac-address=02:E0:20:09:53:F4 server=dhcp1
add address=192.168.1.26 client-id=1:c8:69:cd:36:5:3b comment="appletv Lounge\
\n" mac-address=C8:69:CD:36:05:3B
add address=192.168.1.43 client-id=1:58:55:ca:60:3c:1 comment="Apple TV 2 Living room\
\n" mac-address=58:55:CA:60:3C:01 server=dhcp1
add address=192.168.1.41 client-id=1:e0:b9:4d:49:84:4f comment="360 eye security" mac-address=E0:B9:4D:49:84:4F server=dhcp1
add address=192.168.1.132 client-id=1:b8:27:eb:b9:47:55 comment="Raspberry PI3 -homebridge" mac-address=B8:27:EB:B9:47:55 server=dhcp1
add address=192.168.1.37 comment="sonoff mini kitchen" mac-address=C8:2B:96:60:B9:59 server=dhcp1
add address=192.168.1.38 client-id=1:ce:e8:3c:f2:42:e8 comment="ipad air" mac-address=CE:E8:3C:F2:42:E8 server=dhcp1
add address=192.168.1.69 client-id=1:18:28:61:f0:65:dc comment="Airties lounge" mac-address=18:28:61:F0:65:DC server=dhcp1
add address=192.168.1.63 client-id=1:90:b9:31:3:cb:ea comment="Trentons phone" mac-address=90:B9:31:03:CB:EA server=dhcp1
add address=192.168.1.68 client-id=1:3a:ca:6e:80:b0:72 mac-address=3A:CA:6E:80:B0:72 server=dhcp1
add address=192.168.1.36 client-id=1:0:5:cd:35:95:f5 comment="denon amp" mac-address=00:05:CD:35:95:F5 server=dhcp1
add address=192.168.1.32 comment="sonoff mini 2" mac-address=C4:4F:33:C3:F2:97 server=dhcp1
add address=192.168.1.66 client-id=1:9e:8d:49:e:39:e4 comment="security camera system" mac-address=9E:8D:49:0E:39:E4 server=dhcp1
add address=192.168.1.90 client-id=1:e8:51:77:93:c7:fe comment="Hisense TV" mac-address=E8:51:77:93:C7:FE server=dhcp1
add address=192.168.1.29 comment="Geyser DB switch" mac-address=3C:61:05:82:9D:E2 server=dhcp1
add address=192.168.1.57 comment="Zane Router" mac-address=D8:1F:12:27:68:7C server=dhcp1
add address=192.168.1.54 client-id=1:ec:35:86:2f:41:7c comment="Zane Imac" mac-address=EC:35:86:2F:41:7C server=dhcp1
add address=192.168.1.22 comment="Pool DB Switch" mac-address=70:03:9F:76:D1:B4 server=dhcp1
add address=192.168.1.23 client-id=1:9c:20:7b:7c:11:74 comment="Apple TV guest room" mac-address=9C:20:7B:7C:11:74 server=dhcp1
add address=192.168.1.61 client-id=1:c4:4:15:6f:4c:9d comment="raspberry pi gate" mac-address=C4:04:15:6F:4C:9D server=dhcp1
add address=192.168.1.58 always-broadcast=yes client-id=1:a4:cf:99:65:1d:44 comment="Brennan macbook pro m2" mac-address=A4:CF:99:65:1D:44 server=dhcp1
add address=192.168.1.59 client-id=1:0:45:e2:a6:22:fd comment="robert laptop" mac-address=00:45:E2:A6:22:FD server=dhcp1
add address=192.168.1.79 client-id=1:0:db:df:a1:9b:b8 comment="Zane phil laptop" mac-address=00:DB:DF:A1:9B:B8 server=dhcp1
add address=192.168.1.133 comment=m5stack mac-address=30:C6:F7:24:B4:A8 server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=192.168.1.1
/ip firewall address-list
add address=41.193.20.40/29 comment="Platform Environment" list=SAFE_ZONE
add address=10.0.0.0/8 comment=LAN_10 list=LAN_RANGE
add address=172.16.0.0/12 comment=LAN_172 list=LAN_RANGE
add address=192.168.0.0/16 comment=LAN_192 list=LAN_RANGE
add address=196.41.221.26 comment=GiLA_Environment list=SAFE_ZONE
add address=196.41.221.30 comment=GiLA_Environment list=SAFE_ZONE
add address=smtp.voxtelecom.co.za list=Vox_SMTP
add address=41.193.2.152/29 comment=IRIS list=SAFE_ZONE
add address=41.193.9.240/29 comment="Vox Corporate FW" list=SAFE_ZONE
add address=196.22.238.120/29 comment=90Snakes list=SAFE_ZONE
add address=196.41.30.96/28 comment=90Snakes list=SAFE_ZONE
add address=196.41.0.22 comment=90Snakes list=SAFE_ZONE
add address=209.203.50.219 comment="Platform Environment" list=SAFE_ZONE
add address=209.203.50.218 comment="Platform Environment" list=SAFE_ZONE
add address=196.22.204.80/29 comment=IRIS list=SAFE_ZONE
add address=41.193.52.24/29 comment=IRIS list=SAFE_ZONE
add address=41.193.185.88/29 comment=IRIS list=SAFE_ZONE
add address=41.193.9.136/29 comment=IRIS list=SAFE_ZONE
add address=41.193.14.104/29 comment=IRIS list=SAFE_ZONE
add address=41.193.2.144/29 comment=IRIS list=SAFE_ZONE
add address=196.41.212.2 comment="Vox Corporate FW" list=SAFE_ZONE
add address=196.41.17.10 comment="Vox Corporate FW" list=SAFE_ZONE
add address=209.203.49.80/29 comment=90Snakes list=SAFE_ZONE
add address=10.17.230.242 comment=90Snakes list=SAFE_ZONE
#error exporting /ip firewall calea
/ip firewall filter
add action=drop chain=forward dst-address-list=!Vox_SMTP dst-port=25 protocol=tcp
add action=drop chain=forward dst-address-list=!Vox_SMTP dst-port=25 protocol=udp
add action=fasttrack-connection chain=forward src-address-list=LAN_RANGE
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward src-address-list=LAN_RANGE
add action=accept chain=forward dst-port=2020 protocol=tcp
add action=accept chain=forward comment=homebridge dst-port=8080 protocol=tcp
add action=accept chain=forward dst-port=22 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat src-address-list=LAN_RANGE
add action=dst-nat chain=dstnat dst-address-type="" dst-port=5900 protocol=tcp to-addresses=192.168.1.111 to-ports=5900
add action=dst-nat chain=dstnat dst-port=22 protocol=tcp to-addresses=192.168.1.132 to-ports=22
add action=dst-nat chain=dstnat dst-port=2020 in-interface=pppoe-VOX protocol=tcp to-addresses=192.168.1.132 to-ports=2020
add action=dst-nat chain=dstnat comment="homebridge admin" dst-port=8080 protocol=tcp to-addresses=192.168.1.132 to-ports=8080
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment=homeassitant dst-port=8123 protocol=tcp to-addresses=192.168.1.81 to-ports=8123
/ip service
set telnet port=2323
set ftp port=2101
set www port=8081
set ssh port=2202
/ip smb
set domain=Babb enabled=yes
/ip smb shares
add directory=/disk1 name=share
/ip upnp
set enabled=yes
/ppp secret
add name=vpn
/radius
add address=41.193.20.41 realm=vox-mikrotik service=ppp,login
/snmp
set contact=VoxCore enabled=yes trap-version=2
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name=8FDE09E04596
/system logging
add action=Syslog topics=event,!route
add action=Syslog topics=info,!dhcp,!wireless
add action=Syslog topics=system
add action=Syslog topics=warning
add action=Syslog topics=error
add action=Syslog topics=critical
/system note
set note=4.0
/system ntp client
set enabled=yes primary-ntp=196.4.160.4 secondary-ntp=146.64.58.41 server-dns-names=ntp.voxtelecom.co.za,ntp2.voxtelecom.co.za
/system package update
set channel=long-term
/system scheduler
add interval=10m name=configCheck on-event=configureMe policy=read,write,test start-time=startup
add interval=1m name=periodicIPcheck on-event=pppoeMonitor policy=read,write,policy,test,sensitive start-time=startup
/system script
add dont-require-permissions=no name=configureMe owner=admin policy=read,test source=":local configVersion [/system note get note];\
\n:local serialNo [system routerboard get serial-number];\
\n\
\n:if (\$configVersion = \"0.0\") do={\
\n /tool fetch mode=http address=mikrotik.voxtelecom.co.za port=80 src-path=\"/configureMe/\$serialNo\"\
\n}"
add comment="\"Phone Home\"" dont-require-permissions=no name=pingHome owner=admin policy=read,test source="\
\n :local serialNo [system routerboard get serial-number];\r\
\n :local verROS [/system package update get installed-version];\r\
\n :local upTime [/system resource get uptime];\r\
\n :do {\r\
\n # Run the API call for the Token Ping request\r\
\n /tool fetch mode=https address=mikrotik.voxtelecom.co.za port=443 keep-result=no src-path=\"/ping/token/\$serialNo/\$verROS/\$upTime\" http-header-field=\"vsl_token: gAAAAABlBFT-0w4x65X5pxBn\
-7sCFtgE2EyBLE-MxH4n_5doRli6S5GRyGiSmu0F4PwxBmxveOGrQwsY8Ralt5QIypA6iALBhQ==\"\r\
\n /system scheduler set interval=\"1m\" [find name=\"periodicIPcheck\"]\r\
\n /system script environment remove [find name=\"backOffNumber\"]\r\
\n } on-error={\r\
\n # An error occurred with the call to the API\r\
\n # This will now create a backoff for the Scheduler\r\
\n :global backOffNumber;\r\
\n if (\$backOffNumber > 0) do={\r\
\n :put \"Trigger\";\r\
\n if (\$backOffNumber < 8) do={\r\
\n :set \$backOffNumber (\$backOffNumber + 1);\r\
\n }\r\
\n } else {\r\
\n :set \$backOffNumber 1;\r\
\n }\r\
\n :local scheduleInterval \"\";\r\
\n :set \$scheduleInterval (\$backOffNumber * \$backOffNumber + 1);\r\
\n :set \$scheduleInterval [:tostr \"\$scheduleInterval m\"];\r\
\n /system scheduler set interval=\$scheduleInterval [find name=\"periodicIPcheck\"]\r\
\n };\r\
\n "
add comment="\"Monitor pppoe ip change\"" dont-require-permissions=no name=pppoeMonitor owner=admin policy=read,write,policy,test,sensitive source=":global ipadd\
\n:local thisip [/ip address get [find where interface=pppoe-VOX] address]\
\n:global backOffNumber;\r\
\n if ((\$ipadd != \$thisip) or (\$backOffNumber > 0)) do={\r\
\n \t/system script run pingHome\r\
\n \tset ipadd \$thisip\r\
\n }\r\
\n "
/tool bandwidth-server
set max-sessions=1
/user aaa
set default-group=full use-radius=yes
 
mkx
Forum Guru
Posts: 11593
Joined: Thu Mar 03, 2016 10:23 pm

Re: Outgoing SSH traffic is blocked

Fri Jan 12, 2024 7:51 pm

I can not SSH from within my network out to outside SSH servers

Your firewall is garbage and doesn't offer any protection worth mentioning. And this includes both router itself and (to a lesser degree) LAN behind the router.

The config which breaks ssh is an example for the above claim:
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=22 protocol=tcp to-addresses=192.168.1.132 to-ports=22
This DST-NAT rule grabs every connection with destination port 22 and redirects it to some LAN machine. And that includes internet-bound connections.

Your router is running an awfully old ROS version. If you want to stay on legacy ROS v6, you should upgrade to the latest v6 version (6.49.11 at the moment of posting this). While v7 is newer and brings some new functionality, it requires more flash storage, and the hAP ac2 with its tiny 16MB can get into trouble due to flash storage exhaustion.

I strongly recommend you to netinstall the device, reset config to defaults and then make only minor changes (e.g. configure PPPoE and wireless).
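The corrected form of the port-22 rule, added here as an example alongside the weak rule from Brennan's export (this is not part of mkx's post). It assumes the interface list "WAN" (which the export populates with pppoe-VOX) and the LAN host 192.168.1.132 named in the export; the comment text and the suggested verification step are additions.

```routeros
# Added example, not code from the thread. Assumes the "WAN" interface list
# and the host 192.168.1.132 from the posted export.

# Weak rule as exported: it matches *every* TCP/22 connection the router
# routes, including LAN clients heading out to internet SSH servers, and
# silently sends them to the Raspberry Pi instead.
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=22 protocol=tcp \
    to-addresses=192.168.1.132 to-ports=22

# Corrected rule: only connections that arrive via the WAN interface list
# and are addressed to one of the router's own addresses are forwarded.
# dst-address-type=local copes with the PPPoE address changing, so no
# public IP has to be hard-coded.
/ip firewall nat
add action=dst-nat chain=dstnat in-interface-list=WAN dst-address-type=local \
    dst-port=22 protocol=tcp to-addresses=192.168.1.132 to-ports=22 \
    comment="SSH -> 192.168.1.132 (WAN only)"

# The same in-interface-list=WAN restriction belongs on the 5900, 8080 and
# 8123 DST-NAT rules in the export; the 2020 rule already carries
# in-interface=pppoe-VOX, which is why that one does not break LAN traffic.

# Verify: the rule's packet counter must stay unchanged while a LAN host runs
#   ssh user@<some internet host>
# and should only increment for inbound SSH connections from the internet.
/ip firewall nat print stats where dst-port=22
```

The fix closes the symptom (LAN-originated SSH no longer hijacked), but it does not make the firewall itself adequate: the filter chain in the export still accepts forwarded TCP/22, 2020 and 8080 from anywhere and has no input-chain rules at all, which is the broader point mkx is making about resetting to the default configuration.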
