pentorion
just joined
Topic Author
Posts: 14
Joined: Fri Aug 26, 2022 10:03 pm

SSH to Mikrotik router from WAN

Sat Jan 07, 2023 1:46 am

I'm trying to establish an SSH connection with my MikroTik router from outside my home network.
Mikrotik router is behind my modem and it acquires an IP from it. In the modem I port forwarded a specific port to port 22 and Mikrotik's IP (acquired from the modem) as the LAN Host.
I asked my ISP to remove CG-NAT.
In Mikrotik router I set a NAT rule:
action: dst-nat
to-addresses: (the IP of the Mikrotik acquired by modem)
to-ports: 22
chain: dstnat
Protocol: 6 (TCP)
dst. port: 22
In. Interface list: WAN

With these settings I can't connect through SSH with my Mikrotik router. What else should I do?
Also, when I scan my public port with an online port scanner it's shown as "filtered" but when I scan it I can see the packet counter in the NAT rule to increase by 2.
Does that mean that the packets from WAN successfully reach their destination? If so, why doesn't it work?
 
bpwl
Forum Guru
Posts: 2993
Joined: Mon Apr 08, 2019 1:16 am

Re: SSH to Mikrotik router from WAN

Sat Jan 07, 2023 2:54 am

Be careful .... most external attacks are on port 22 (SSH), but OK, you do a port mapping in the ISP modem.

Therefore there is this default "drop" firewall rule: rejecting all initiated "input" attempts not coming from LAN (interface list members).
You have to make an accept exception rule, before this general rule.
The default NAT masquerade rule for the WAN (interface list members) will be enough
/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
Last edited by bpwl on Sat Jan 07, 2023 3:15 am, edited 1 time in total.
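A concrete form of the exception rule bpwl describes, added here as an example and not posted in the thread. It assumes the RouterOS default configuration (interface lists WAN and LAN, the rule commented "defconf: drop all not coming from LAN"), that the modem forwards its external port to tcp/22 on the router, and uses 203.0.113.10 as a placeholder for the administrator's public address. Note that the dst-nat rule from the first post is not needed when the target is the router itself: a packet addressed to the router's own address on port 22 is handled in the input chain, so the defconf drop is the only thing in the way.

```routeros
# Added example, not from the thread. Assumes the RouterOS default firewall
# (interface lists WAN/LAN, rule "defconf: drop all not coming from LAN") and
# uses 203.0.113.10 as a placeholder for the administrator's public address.

# Allow-list of sources permitted to reach the router's SSH service.
/ip firewall address-list
add list=ssh-allowed address=203.0.113.10 comment="admin public IP (placeholder)"

# The exception rule: input chain, explicit protocol and port, restricted to
# the allow-list, and placed ahead of the default drop so it is evaluated first.
/ip firewall filter
add chain=input action=accept protocol=tcp dst-port=22 in-interface-list=WAN \
    src-address-list=ssh-allowed comment="accept SSH from allow-list" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# Everything else aimed at tcp/22 on WAN would fall through to the defconf
# drop anyway; this rule only makes those hits visible in the log.
add chain=input action=drop protocol=tcp dst-port=22 in-interface-list=WAN \
    log=yes log-prefix="ssh-wan-drop" comment="drop other SSH attempts" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# Belt and braces: bind the service itself to the same source and require
# strong ciphers. The service restriction still holds if someone disables
# the filter rule, as happened in this thread.
/ip service set ssh address=203.0.113.10/32 port=22
/ip ssh set strong-crypto=yes

# Check the order: both new rules must print above the defconf drop.
/ip firewall filter print where chain=input
```

If the administrator's address is dynamic, put a DDNS name in the address list instead of a fixed IP (RouterOS resolves list entries periodically), or use the knock or VPN approaches discussed further down. The OP's dst-nat rule (to-addresses set to the router's own WAN address) can simply be disabled; it translates nothing.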
 
pentorion
just joined
Topic Author
Posts: 14
Joined: Fri Aug 26, 2022 10:03 pm

Re: SSH to Mikrotik router from WAN

Sat Jan 07, 2023 3:11 am

Be careful .... most external attacks are on port 22 (SSH)

Therefore there is this default firewall rule:
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes

Oh, that's why... I disabled that rule and it worked. But I suppose it is not safe enough. Is there a safer way?
 
bpwl
Forum Guru
Posts: 2993
Joined: Mon Apr 08, 2019 1:16 am

Re: SSH to Mikrotik router from WAN

Sat Jan 07, 2023 3:16 am

You have to make an accept exception rule, before this general rule.
This must be very specific, explicit port number, even source IP address (range) or other filter.
 
pentorion
just joined
Topic Author
Posts: 14
Joined: Fri Aug 26, 2022 10:03 pm

Re: SSH to Mikrotik router from WAN

Sat Jan 07, 2023 3:24 am

You have to make an accept exception rule, before this general rule.
This must be very specific, explicit port number, even source IP address (range) or other filter.

There is nothing specific except the public (WAN) port, which of course is not 22 but just a random one. Is this port filtering safe enough?
Oh, can I use a MAC address?
 
erlinden
Forum Guru
Posts: 1958
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: SSH to Mikrotik router from WAN

Sat Jan 07, 2023 11:33 am

By disabling the rule every port on your router is open from the internet. That's absolutely terrible from a security perspective. What is the purpose for this forward in the first place? Do you want to be able to perform admin on the MT?

As mentioned, if (and you really don't!) you want to have SSH available from WAN, you want to only have port 22 available. You might want to add a source address to make this service only available from a specific IP. Safer would be introducing port knocking; search on this forum how that works.

But my only accept rule on the input chain from WAN is VPN (besides the default rules). Everything I have to do on the MT or internal network is through this tunnel.

TLDR
Don't open ports on your MT, use VPN. Any doubts...read the above.
 
pentorion
just joined
Topic Author
Posts: 14
Joined: Fri Aug 26, 2022 10:03 pm

Re: SSH to Mikrotik router from WAN

Sat Jan 07, 2023 12:41 pm

By disabling the rule every port on your router is open from the internet. That's absolutely terrible from a security perspective. What is the purpose for this forward in the first place? Do you want to be able to perform admin on the MT?

As mentioned, if (and you really don't!) you want to have SSH available from WAN, you want to only have port 22 available. You might want to add a source address to make this service only available from a specific IP. Safer would be introducing port knocking; search on this forum how that works.

But my only accept rule on the input chain from WAN is VPN (besides the default rules). Everything I have to do on the MT or internal network is through this tunnel.

TLDR
Don't open ports on your MT, use VPN. Any doubts...read the above.

Ok, got it. I'll try to configure the VPN.
Is SSHing with public/private keys safe enough?
Is HTTPS equally unsafe as SSH?
 
bpwl
Forum Guru
Posts: 2993
Joined: Mon Apr 08, 2019 1:16 am

Re: SSH to Mikrotik router from WAN

Sat Jan 07, 2023 1:14 pm

I second @erlinden in this. Use a VPN if you can, it has better username/password/certificate protection, and even then you can use secured SSH in the VPN tunnel.
HTTPS is also encrypted, but ports 21, 22, 80 and 443 are very high on the scan lists of attacking bots.
(Nobody wants to harm you specifically? But with those ports open the bots try within seconds.)
My ISP is blocking 443 just for this reason. I have to explicitly request 443; they advise against this. And I closed the port again, too much unwanted traffic on my line.

Countries have known IP ranges. So one step is to limit the source address to e.g. your own country only. (http://www.ip2country.net/ip2country/ip ... _list.html)
IP source is spoofed with VPN (like NordVPN), but HTTP can be spoofed also with anonymous proxies.

Just try to be smarter than the intruder('s bot). E.g. any access attempt to public port 22 should put that IP in your blacklist.

Shodan knows your port is open, and tells everyone who wants to know open ports .... (https://www.shodan.io/)
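The two ideas above, erlinden's port knocking and bpwl's "any attempt on port 22 goes on the blacklist", fit together in one rule set. This is an added example, not configuration posted by either of them. It assumes the default firewall (interface list WAN, the rule commented "defconf: drop all not coming from LAN"); the knock ports 7000, 3000 and 9000 and all timeouts are placeholders.

```routeros
# Added example, not from the thread. Assumes the default firewall with the
# "defconf: drop all not coming from LAN" rule and the interface list WAN.
# Knock ports 7000, 3000, 9000 are placeholders; choose your own and keep the
# sequence non-monotonic so a linear port sweep cannot complete it by accident.

/ip firewall filter
# Sources already on the blacklist are dropped before anything else is looked at.
add chain=input action=drop in-interface-list=WAN src-address-list=ssh-blacklist \
    comment="drop blacklisted sources" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# Knock stage 1: a SYN to 7000 marks the source for 15 seconds.
add chain=input action=add-src-to-address-list address-list=knock-1 \
    address-list-timeout=15s protocol=tcp dst-port=7000 in-interface-list=WAN \
    comment="knock 1" place-before=[find comment="defconf: drop all not coming from LAN"]

# Stage 2 counts only if stage 1 was hit first.
add chain=input action=add-src-to-address-list address-list=knock-2 \
    address-list-timeout=15s protocol=tcp dst-port=3000 in-interface-list=WAN \
    src-address-list=knock-1 comment="knock 2" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# Stage 3 opens SSH for that source for 10 minutes.
add chain=input action=add-src-to-address-list address-list=ssh-knocked \
    address-list-timeout=10m protocol=tcp dst-port=9000 in-interface-list=WAN \
    src-address-list=knock-2 comment="knock 3" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# SSH is accepted only from sources that completed the sequence.
add chain=input action=accept protocol=tcp dst-port=22 in-interface-list=WAN \
    src-address-list=ssh-knocked comment="accept SSH after knock" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# Any other touch of tcp/22 from WAN blacklists the source for a day.
# add-src-to-address-list does not terminate rule processing, so the packet
# continues down the chain and is discarded by the defconf drop.
add chain=input action=add-src-to-address-list address-list=ssh-blacklist \
    address-list-timeout=1d protocol=tcp dst-port=22 in-interface-list=WAN \
    comment="blacklist unknocked SSH attempts" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# The knock packets themselves also fall through to the defconf drop, so the
# knock ports still look "filtered" to a scanner.
```

From the client the knock is three connection attempts in order, then the login, for example `nc -z -w1 router.example.net 7000; nc -z -w1 router.example.net 3000; nc -z -w1 router.example.net 9000; ssh admin@router.example.net`. Two caveats for the OP's topology: the modem in front of the MikroTik only forwards the ports you tell it to, so the knock ports must be forwarded as well, and an established session survives the 10-minute window (the defconf "accept established,related" rule keeps it) while a new connection needs a fresh knock. Because the accept rule sits above the blacklist rule, a correctly knocked source is never blacklisted. bpwl's country restriction slots in as an extra `src-address-list` match on the accept rule, populated from the published country ranges.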
 
pentorion
just joined
Topic Author
Posts: 14
Joined: Fri Aug 26, 2022 10:03 pm

Re: SSH to Mikrotik router from WAN

Sat Jan 07, 2023 1:39 pm

I second @erlinden in this. Use a VPN if you can, it has better username/password/certificate protection, and even then you can use secured SSH in the VPN tunnel.
HTTPS is also encrypted, but ports 21, 22, 80 and 443 are very high on the scan lists of attacking bots.
(Nobody wants to harm you specifically? But with those ports open the bots try within seconds.)
My ISP is blocking 443 just for this reason. I have to explicitly request 443; they advise against this. And I closed the port again, too much unwanted traffic on my line.

Countries have known IP ranges. So one step is to limit the source address to e.g. your own country only. (http://www.ip2country.net/ip2country/ip ... _list.html)
IP source is spoofed with VPN (like NordVPN), but HTTP can be spoofed also with anonymous proxies.

Just try to be smarter than the intruder('s bot). E.g. any access attempt to public port 22 should put that IP in your blacklist.

Shodan knows your port is open, and tells everyone who wants to know open ports .... (https://www.shodan.io/)

I'm convinced, I'll try VPN.
If there is already a post on this forum about setting up the VPN, please post it. Thank you both for your time and knowledge. RouterOS is a big school.
 
bpwl
Forum Guru
Posts: 2993
Joined: Mon Apr 08, 2019 1:16 am

Re: SSH to Mikrotik router from WAN

Sat Jan 07, 2023 2:16 pm

See tutorials, like https://www.youtube.com/watch?v=QWLY5vdKV4c

It's "matching VPN client and server" when eg the client is on your laptop/tablet/smartphone/smartwatch/car/ ..... . The server side on MKT is in the PPP menu.
But there is also Wireguard, Zerotier etc now.
I use a mAP Lite as travel companion, which creates the tunnel for my above client devices.
 
pentorion
just joined
Topic Author
Posts: 14
Joined: Fri Aug 26, 2022 10:03 pm

Re: SSH to Mikrotik router from WAN

Sat Jan 07, 2023 2:54 pm

See tutorials, like https://www.youtube.com/watch?v=QWLY5vdKV4c

It's "matching VPN client and server" when eg the client is on your laptop/tablet/smartphone/smartwatch/car/ ..... . The server side on MKT is in the PPP menu.
But there is also Wireguard, Zerotier etc now.
I use a mAP Lite as travel companion, which creates the tunnel for my above client devices.

I have some questions though: why does the VPN service have a different IP address from the local IP address of the MikroTik, and what is the role of the VPN address? I suppose the only public address I need to get to my router is the one of my modem (acquired by DDNS), right?
 
bpwl
Forum Guru
Posts: 2993
Joined: Mon Apr 08, 2019 1:16 am

Re: SSH to Mikrotik router from WAN

Sat Jan 07, 2023 5:58 pm

IP addresses of VPN can be very confusing in a LAN to LAN connection. It is simple in a single client to LAN connection.

If the VPN makes a tunnel with a routed connection (LAN to LAN) , then that inner VPN network and remote LAN, are in a different subnet range than the local LAN (or routing would not work)

The outer IP address of the VPN is in the WAN world (in the "connect to" field), while the inner IP address (the one of the VPN interfaces) is normally in the LAN world.

To complicate it even more. There is one global WAN world, but both sides of the VPN tunnel can have their own LAN world, so you can even have NAT between those LAN worlds if routing rules cannot be setup.

It can get as strange looking as this (VPN hub/server, allowing roaming mAP Lite devices (.184, .185) and their LAN clients to connect to another complex LAN environment (192.168.0.0/16), a complex LAN that has no path to those mAP devices' LAN, but finds its way back through multiple masquerade).

Sorry for this complicated example, but it's just one of my setups.

The proxy is not really needed but speeds up communication. The incoming connection from the complex LAN is redundant ('MT DDNS' and 'no-ip DDNS').
(attachment: Klembord-2.jpg)
The inner LAN can be just one LAN (no routing or NAT) when using L2 connections (EoIP, MPLS/VPLS, BCP, L2TP, VXLAN, Zerotier, ....)
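The single-client-to-LAN case bpwl calls simple, worked through with WireGuard (mentioned earlier in the thread) as an added example rather than bpwl's own configuration. It shows the outer/inner address split in practice: the only thing on the WAN address is one UDP port, and the tunnel interface gets an address in its own subnet, distinct from the LAN, with SSH accepted solely from inside that tunnel. Assumptions: RouterOS v7, the default firewall (interface lists WAN/LAN, rule "defconf: drop all not coming from LAN"), LAN 192.168.88.0/24, tunnel subnet 10.99.0.0/24, UDP listen port 13231, and "<client-public-key>" as a placeholder for the key generated on the client.

```routeros
# Added example, not from the thread. RouterOS v7 WireGuard server on the
# router, with SSH reachable only through the tunnel. Assumptions: default
# firewall (lists WAN/LAN, "defconf: drop all not coming from LAN"), LAN
# 192.168.88.0/24, tunnel subnet 10.99.0.0/24 (must differ from the LAN),
# UDP listen port 13231; "<client-public-key>" is a placeholder.

# Outer side: the only thing exposed on the WAN address is one UDP port.
/interface wireguard
add name=wg-admin listen-port=13231 comment="admin VPN"
# Show the router's public key; the client puts it in its [Peer] section.
/interface wireguard print

# Inner side: the router's tunnel address, in a subnet distinct from the LAN.
/ip address
add address=10.99.0.1/24 interface=wg-admin

# One peer per client device, each pinned to its own tunnel address.
/interface wireguard peers
add interface=wg-admin public-key="<client-public-key>" \
    allowed-address=10.99.0.2/32 comment="admin laptop"

/ip firewall filter
# Accept WireGuard on WAN. WireGuard does not answer packets that fail
# authentication, so to a scanner the port looks the same as a closed one.
add chain=input action=accept protocol=udp dst-port=13231 in-interface-list=WAN \
    comment="WireGuard" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
# SSH only from inside the tunnel (wg-admin is not in the LAN list, so the
# defconf drop would otherwise reject it).
add chain=input action=accept in-interface=wg-admin protocol=tcp dst-port=22 \
    comment="SSH over VPN only" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# Bind the service to the tunnel and LAN ranges so it is unreachable on the
# WAN address even if a filter rule is disabled by mistake.
/ip service set ssh address=10.99.0.0/24,192.168.88.0/24
```

On the client, the WireGuard profile uses Address 10.99.0.2/32, the router's public key, Endpoint set to the DDNS name and port 13231, and AllowedIPs 10.99.0.0/24 plus 192.168.88.0/24; the admin session is then `ssh admin@10.99.0.1`. In the OP's double-NAT layout the modem must forward UDP 13231 to the router's modem-side address, and that modem-side address is the "outer" one bpwl refers to, while 10.99.0.1 is the "inner" one. Nothing on tcp/22 is reachable from the internet at all.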
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: SSH to Mikrotik router from WAN

Sat Jan 07, 2023 6:51 pm

The problem is that the approach, at least in the first posts, was wrong.
If you are going to SSH to the router itself, that has nothing to do with port forwarding; it's only an input chain process connecting to a service the router provides.

However, if you meant connecting to an SSH server on the LAN subnets, then that would require port forwarding and, as bpwl says, it can be a security risk if not done correctly.

Another reason I asked MT to provide Zero Tunnel Cloudflare for all MT devices, not just ARM devices (via complex containers), because most posters are running a server, and by using Zerotier to connect to a LAN device this could be done without exposing the WAN IP and is much more secure. But MT doesn't think that's of significant enough value; pooh pooh on such backwards thinking. Shame. :-(
 
hiyaksu
just joined
Posts: 2
Joined: Thu Nov 23, 2023 4:06 pm

Re: SSH to Mikrotik router from WAN

Thu Nov 23, 2023 4:27 pm

By disabling the rule every port on your router is open from the internet.

Oh, really? Your statement is a little bit pedantic, don't you think?
Starting Nmap 7.80 ( https://nmap.org ) at 2023-11-23 17:02 MSK
...
Not shown: 2996 closed ports
PORT     STATE    SERVICE
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
1723/tcp open     pptp
2000/tcp open     cisco-sccp
I got this output with none of the firewall rules enabled in MikroTik RouterOS 6.49.1.
Too much panic about safety.

Moreover, I cannot forward port 22 to my local PC from the external IP address via port 22211, with SSH forwarding enabled for "both" and, again, with the firewall disabled. I just get: "... port 22211: Connection refused". Too much security, although it is not in vain.
 
hiyaksu
just joined
Posts: 2
Joined: Thu Nov 23, 2023 4:06 pm

Re: SSH to Mikrotik router from WAN

Fri Nov 24, 2023 4:20 pm

By disabling the rule every port on your router is open from the internet.

Oh, really? Your statement is a little bit pedantic, don't you think?
Starting Nmap 7.80 ( https://nmap.org ) at 2023-11-23 17:02 MSK
...
Not shown: 2996 closed ports
PORT     STATE    SERVICE
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
1723/tcp open     pptp
2000/tcp open     cisco-sccp
I got this output with none of the firewall rules enabled in MikroTik RouterOS 6.49.1.
Too much panic about safety.

Moreover, I cannot forward port 22 to my local PC from the external IP address via port 22211, with SSH forwarding enabled for "both" and, again, with the firewall disabled. I just get: "... port 22211: Connection refused". Too much security, although it is not in vain.

Huh, I have successfully forwarded SSH!
(For a note: the "dst-nat" rule will work only from OUTSIDE the subnetwork.)

Nevertheless, erlinden, a lot of panic.
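The second case anav distinguishes (SSH to a server on the LAN, which is a dstnat plus forward-chain matter) and the observation just above that a plain dst-nat rule only works from outside the subnet, worked through as one added example; this is not configuration from either poster. It forwards external tcp/22211 to a LAN host and adds the two extra rules ("hairpin NAT") that make the same public port work from inside the LAN. Assumptions: the default firewall, LAN 192.168.88.0/24, SSH server 192.168.88.10, the administrator's public address 203.0.113.10 as a placeholder, and a possibly dynamic WAN address on the router.

```routeros
# Added example, not from the thread. Forwards external tcp/22211 on the
# router's WAN address to an SSH server on the LAN and adds the hairpin rules
# so the same public port also works from inside the LAN. Assumptions: default
# firewall, LAN 192.168.88.0/24, SSH host 192.168.88.10, admin source
# 203.0.113.10 (placeholder); the router's WAN address may be dynamic.

/ip firewall address-list
add list=ssh-allowed address=203.0.113.10 comment="admin public IP (placeholder)"

/ip firewall nat
# From the internet: dstnat on the WAN interface list, only for tcp/22211.
add chain=dstnat action=dst-nat protocol=tcp dst-port=22211 in-interface-list=WAN \
    to-addresses=192.168.88.10 to-ports=22 comment="SSH to LAN host"

# From inside the LAN the packet arrives on a LAN interface, so the rule above
# never matches. Match the router's own (possibly dynamic) address instead.
add chain=dstnat action=dst-nat protocol=tcp dst-port=22211 \
    src-address=192.168.88.0/24 dst-address-type=local \
    to-addresses=192.168.88.10 to-ports=22 comment="hairpin SSH"

# Hairpin masquerade: without it the server answers the LAN client directly,
# the client sees a reply from an address it never contacted, and the
# connection stalls. srcnat runs after dstnat, so it sees the translated dst.
add chain=srcnat action=masquerade protocol=tcp \
    src-address=192.168.88.0/24 dst-address=192.168.88.10 dst-port=22 \
    comment="hairpin masquerade"

/ip firewall filter
# The forward chain, not input, decides whether a forwarded connection is
# allowed. Restrict it to the allow-list and drop the rest explicitly; the
# defconf "drop all from WAN not DSTNATed" rule already covers other LAN hosts.
add chain=forward action=accept protocol=tcp dst-address=192.168.88.10 dst-port=22 \
    connection-state=new connection-nat-state=dstnat in-interface-list=WAN \
    src-address-list=ssh-allowed comment="forward SSH from allow-list" \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"]
add chain=forward action=drop protocol=tcp dst-address=192.168.88.10 dst-port=22 \
    connection-state=new connection-nat-state=dstnat in-interface-list=WAN \
    comment="drop forwarded SSH from everyone else" \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"]
```

Test from outside with `ssh -p 22211 user@<public address>` and from a LAN client with `ssh -p 22211 user@<router WAN address>`; the NAT rule counters show which of the two dstnat rules matched. In the OP's layout the router's WAN address is the one the modem handed out, so from inside the LAN that is the address to use; whether the modem itself hairpins its own public address is up to the modem. Without the `src-address-list` restriction on the forward rule, the LAN host's SSH is as exposed as the router's would be, so the knock or VPN approaches earlier in the thread apply here just as much.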
