nicolino
just joined
Topic Author
Posts: 12
Joined: Tue Dec 15, 2015 12:49 am

Remote SSH tunneling (ssh -R )

Fri Jan 05, 2018 9:23 pm

Hello world,

I've got a server at work behind a firewall which hosts a number of different services (web, ssh, ftp, etc). Server has access to the internet but it's not accessible from the internet. So I'm trying to SSH from the server to my Mikrotik at home, and open a port remotely so I can access the internal/firewalled services through the SSH tunnel between the mikrotik at home and the server behind the firewall.

I'm perfectly able to establish the SSH connection by running this command on the internal server:

ssh admin@<mikrotik_ip> -R 8080:localhost:80

So above command is trying to connect via ssh to the MK listening on port 22, remotely open port 8080 on the MK and listen locally on port 80, allowing me to access the server's web-server by connecting with a browser to <mikrotik_ip>:8080 from any other internet location. Of course <mikrotik_ip> is the public IP address the MK got on its WAN (ether1).

This is nothing but a classic workaround for such a scenario, and it's known working using a linux server instead of a mikrotik router. I've tested it myself several times on several different Linux distributions, platforms and architectures.

The problem I'm experiencing with the MK as the SSH server is that the connection is established correctly, but when I get the CLI prompt showing the welcome banner, the following warning is shown:

Warning: remote port forwarding failed for listen port 8080

I tried opening port 8080 on the MK's firewall and still not working.

I also enabled forwarding per the manual https://wiki.mikrotik.com/wiki/Manual:IP/SSH but it's still not working.

/ip ssh
set forwarding-enabled=yes

Searched the forum and found tons of examples and other issues related to LOCAL (ssh -L) port forwarding but nothing for REMOTE (ssh -R). I did test the exact same command above, but with the "-L" like this:

ssh admin@<mikrotik_ip> -L 8080:localhost:80

and it works perfectly, i.e. the other way: when I access <localhost>:8080 from the server I get the MK's web GUI.

-------------------------
Here is my platform:

[admin@MikroTik] > system resource print
uptime: 1d12h55m51s
version: 6.35.4 (stable)
build-time: Jun/09/2016 13:12:02
free-memory: 85.2MiB
total-memory: 128.0MiB
cpu: MIPS 74Kc V4.12
cpu-count: 1
cpu-frequency: 600MHz
cpu-load: 4%
free-hdd-space: 99.0MiB
total-hdd-space: 128.0MiB
write-sect-since-reboot: 7859
write-sect-total: 1389949
bad-blocks: 0%
architecture-name: mipsbe
board-name: RB951Ui-2HnD
platform: MikroTik

Server from which I'm running the SSHs is an Ubuntu server 16.04 LTS.

Am I missing anything for REMOTE SSH port forwarding or is it just not supported?

Hope someone could help!

Thank you! :D
Nico
 
Meeker
just joined
Posts: 24
Joined: Tue Jul 11, 2017 10:12 pm
Location: Scotland
Contact:

Re: Remote SSH tunneling (ssh -R )

Fri Feb 15, 2019 1:25 pm

Very disappointing that you haven't got an answer on this. It's probably been superseded by openvpn in terms of Mikrotik development effort but it's still a great and simple way to maintain access to resources behind stateful firewalls. Could you be so kind as to describe whether you got this working and if so how?

thanks,

Paula
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Remote SSH tunneling (ssh -R )

Fri Feb 15, 2019 1:50 pm

I think it's a case of "PEBKAC", wrong usage.

See https://linux.die.net/man/1/ssh and https://wiki.mikrotik.com/wiki/Manual:IP/SSH

Compare
as used: ssh admin@<mikrotik_ip> -R 8080:localhost:80
manual: ssh remoteuser@remotehost -L port:remotehost:remoteport

First: attaches to remote socket / port and forwards to this computer
Second: forwards local port to remote

So "-L" != "-R"
 
jiri
just joined
Posts: 5
Joined: Mon Feb 04, 2019 10:37 am

Re: Remote SSH tunneling (ssh -R )

Mon Mar 04, 2019 7:57 pm


I'm perfectly able to establish the SSH connection by running this command on the internal server:

ssh admin@<mikrotik_ip> -R 8080:localhost:80

Warning: remote port forwarding failed for listen port 8080
I tried opening port 8080 on the MK's firewall and still not working.
Nico

You have to specify ssh bind remote IP address, otherwise ssh accepts only communication from loopback address and does not allow remote connections.
Try:
ssh admin@<mikrotik_ip> -R 0.0.0.0:8080:localhost:80
Jiri
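
Added example, not part of Jiri's post or of RouterOS: a small Python check that reads an ssh command line and reports which interface scope each -R option requests, following the bind_address rules in ssh(1). The function names and the 192.0.2.1 sample address are constructed for illustration. The result is what the client requests; the SSH server's own settings decide what is actually bound.

```python
import shlex

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
WILDCARD = {"", "*", "0.0.0.0", "::"}  # empty or '*' means all interfaces per ssh(1)

def split_spec(spec):
    """Split a forward spec on ':' while keeping [IPv6] fields whole."""
    fields, cur, depth = [], "", 0
    for ch in spec:
        depth += (ch == "[") - (ch == "]")
        if ch == ":" and depth == 0:
            fields.append(cur)
            cur = ""
        else:
            cur += ch
    fields.append(cur)
    return [f.strip("[]") for f in fields]

def classify_remote_forward(spec):
    """Describe the listener that '-R spec' asks the SSH server to open."""
    fields = split_spec(spec)
    if len(fields) == 3:        # port:host:hostport, no bind address given
        bind, (port, host, hostport) = None, fields
    elif len(fields) == 4:      # bind_address:port:host:hostport
        bind, port, host, hostport = fields
    else:
        raise ValueError(f"unsupported -R spec: {spec!r}")
    if bind is None or bind in LOOPBACK:
        scope = "loopback"          # reachable only from the SSH server itself
    elif bind in WILDCARD:
        scope = "all-interfaces"    # reachable from every network the server is on
    else:
        scope = "specific-address"
    return {"listen_port": int(port), "target": f"{host}:{hostport}", "scope": scope}

def audit(cmdline):
    """Return one finding per -R option in an ssh command line."""
    argv = shlex.split(cmdline)
    specs = [argv[i + 1] for i, a in enumerate(argv[:-1]) if a == "-R"]
    specs += [a[2:] for a in argv if a.startswith("-R") and len(a) > 2]
    return [classify_remote_forward(s) for s in specs]

if __name__ == "__main__":
    # Constructed samples: the thread's two commands with 192.0.2.1 as the router.
    for cmd in ("ssh admin@192.0.2.1 -R 8080:localhost:80",
                "ssh admin@192.0.2.1 -R 0.0.0.0:8080:localhost:80"):
        print(cmd, "->", audit(cmd))
```

An "all-interfaces" result on a router with a public WAN address means the forwarded internal service is offered to anything that can reach that address, so it is worth pairing with a firewall rule that limits the source.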
 
chrisarzu
just joined
Posts: 4
Joined: Tue Feb 01, 2022 10:51 pm

Re: Remote SSH tunneling (ssh -R )

Fri Sep 09, 2022 2:29 pm

Hey Nico, were you able to figure this one out?
If I understand correctly, you're trying to run ssh -R from the mikrotik router itself, so you can reverse SSH into it from the remote host?
That's what I'm trying to do, but I'm unable because I don't know how to ssh -R from the mikrotik itself, but it works fine if I do it between 2 linux servers.
I tried using the "command" argument as a last resort but no luck:
/system ssh XXX.XXX.XXX.XXX user=testuser command="ssh -R localhost:7894......"
Is anyone else able to achieve this FROM the mikrotik?
 
tangent
Forum Guru
Posts: 1391
Joined: Thu Jul 01, 2021 3:15 pm
Contact:

Re: Remote SSH tunneling (ssh -R )

Fri Sep 09, 2022 4:05 pm

I tried using the "command" argument

That establishes a listener on the remote host via a different SSH tunnel than the one you used to get to the remote server, so it won't tunnel back through your firewall.

RouterOS does support tunneling, both directions, though it's disabled by default. You have to say "/ip/ssh set forwarding-enabled=both". (Or just "local", or just "remote".) What it can't do is establish those tunnels itself. Those settings apply to incoming SSH connections: you have to originate the tunnel with OpenSSH on another machine.

If you have an ARM-based router, one possibility is to put OpenSSH into a RouterOS container, then arrange for that container to start with the "ssh -R" command you need.

If it were me, I wouldn't involve the router at all. Given a remote system that can accept SSH connections, I'd establish the reverse tunnel via a machine running OpenSSH, rather than the stripped-down SSH implementation in RouterOS. That can even be a Windows 10+ box, ever since Microsoft added OpenSSH to Windows, albeit as an optional component.
