MikroTik RB1000, 4 interfaces, only 2 in use:
ether1: WAN interface, hooked up to the cable modem, DHCP negotiated; let's call it 42.42.42.42 for the purpose of this exercise.
ether2: LAN interface, hooked up to a switch, 192.168.1.1, /24 CIDR.
Cable modem: it doesn't do any filtering, it just de-encapsulates whatever cable modem protocol there is and exposes a public IP address to the RB1000's ether1 (not a private IP).
What I would like to do is allow IP address 88.88.88.88 on the public internet to SSH (22/tcp) to a server (192.168.1.178, 22/tcp) on my LAN, as simple as that; that probably means I need to expose 22/tcp on ether1, forward the traffic from ether1's 22/tcp to 192.168.1.178 22/tcp, and ensure that only traffic coming from 88.88.88.88 is allowed to connect to this port.
My configuration:
# sep/05/2022 08:59:48 by RouterOS 6.49.6
# software id = XXXX
#
# model = 1000
# serial number = XXXX
/interface vlan add interface=ether2 name="vlan 10" vlan-id=10
/interface vlan add interface=ether2 name="vlan 20" vlan-id=20
/interface vlan add interface=ether2 name="vlan 30" vlan-id=30
/interface vlan add interface=ether2 name="vlan 40" vlan-id=40
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/system logging action set 3 remote=192.168.1.4
/ip address add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
/ip dhcp-client add disabled=no interface=ether1
/ip firewall filter add action=accept chain=input comment="Necessary for the router to get ntp and upgrades." connection-mark="" connection-state=established,related
/ip firewall filter add action=drop chain=input comment="block all traffic from the internet to ether1" in-interface=ether1
/ip firewall nat add action=masquerade chain=srcnat out-interface=ether1
/system clock set time-zone-name=America/Los_Angeles
/system identity set name=sea-rou-001
/system logging set 1 action=remote
/system logging set 2 action=remote
/system logging set 3 action=remote
/system ntp client set enabled=yes server-dns-names=time.nist.gov
Extremely straightforward, isn't it? I like it this way.
I thought things would be as simple as this (see below), but that didn't work for me:
/ip firewall nat add action=dst-nat chain=dstnat dst-port=22 in-interface=ether1 protocol=tcp src-address=88.88.88.88 to-addresses=192.168.1.178 to-ports=22
Maybe this is wrong and I need a filter accept rule as well; I tried that too, but that didn't seem to cut it either.
Note: I've tried to insert dst-nat rules from other posts, but I couldn't get this to work. Hopefully you can help me.
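As an added example (not the poster's configuration, and not an official MikroTik snippet), here is a complete RouterOS 6 rule set for the scenario described above: a dst-nat rule restricted to the one permitted source, plus explicit forward-chain rules so that only the translated SSH session is forwarded from ether1 and every other new inbound connection into the LAN is dropped. The addresses, interface names and the `ssh-fwd` log prefix are taken from the post or chosen for this example; adjust them to the real network.

```routeros
# Added example, not the poster's config: forward 22/tcp from ether1 to
# 192.168.1.178, accepting only source 88.88.88.88.

# 1. Destination NAT for the single permitted source. Packets that do not match
#    src-address=88.88.88.88 are never translated, so they hit the router itself
#    (input chain) and are dropped by the existing "block all traffic" rule.
/ip firewall nat add chain=dstnat action=dst-nat in-interface=ether1 protocol=tcp dst-port=22 src-address=88.88.88.88 to-addresses=192.168.1.178 to-ports=22 comment="ssh from 88.88.88.88 -> 192.168.1.178"

# 2. Filter rules live in the FORWARD chain: dst-nat'ed traffic passes through the
#    router rather than to it, so the input-chain drop rule does not apply to it.
#    Order matters; the drop rule must come last.
/ip firewall filter add chain=forward action=accept connection-state=established,related comment="replies for existing connections"
/ip firewall filter add chain=forward action=accept in-interface=ether1 protocol=tcp src-address=88.88.88.88 dst-address=192.168.1.178 dst-port=22 connection-nat-state=dstnat log=yes log-prefix="ssh-fwd" comment="accept the translated ssh session and log each new one"
/ip firewall filter add chain=forward action=drop in-interface=ether1 connection-state=new comment="drop every other new connection from the internet into the lan"

# 3. Verification while 88.88.88.88 attempts a connection:
#    - a log entry prefixed ssh-fwd shows the packet reached the forward chain
#    - a connection entry shows the NAT translation was applied
/log print where message~"ssh-fwd"
/ip firewall connection print where dst-address~"192.168.1.178"
```

Two checks worth making alongside the rules: the server at 192.168.1.178 must use 192.168.1.1 as its default gateway, because the forwarded packets keep 88.88.88.88 as their source and the replies have to come back through the router to be un-translated; and if the `ssh-fwd` log line never appears even though the connection attempt is being made, the packet is not arriving on ether1 with destination port 22 at all, which points at the modem or the path upstream rather than at the NAT rule.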