jibanes
newbie
Topic Author
Posts: 30
Joined: Sun Mar 25, 2012 8:13 am

Forward IP to internal

Mon Sep 05, 2022 7:24 pm

This is my setup, very simple home router:

mikrotik rb1000, 4 interfaces, only 2 in use:
ether1: wan interface, hooked up to the cable modem, dhcp negotiated, let's call it 42.42.42.42 for the purpose of this exercise.
ether2: lan interface, hooked up to a switch, 192.168.1.1, /24 CIDR.

cable modem: it doesn't do any filtering, it just de-encapsulates whatever cable modem protocol there is and exposes a public IP address to the mikrotik rb1000's ether1 (not a private IP).

What I would like to do is allow IP address 88.88.88.88 on the public internet to ssh (22/tcp) to a server (192.168.1.178, 22/tcp) on my LAN, as simple as that; that probably means I need to expose 22/tcp on ether1, forward the traffic from ether1's 22/tcp to 192.168.1.178 22/tcp, and ensure that only traffic coming from 88.88.88.88 is allowed to connect to this port.

My configuration:
# sep/05/2022 08:59:48 by RouterOS 6.49.6
# software id = XXXX
#
# model = 1000
# serial number = XXXX
/interface vlan add interface=ether2 name="vlan 10" vlan-id=10
/interface vlan add interface=ether2 name="vlan 20" vlan-id=20
/interface vlan add interface=ether2 name="vlan 30" vlan-id=30
/interface vlan add interface=ether2 name="vlan 40" vlan-id=40
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/system logging action set 3 remote=192.168.1.4
/ip address add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
/ip dhcp-client add disabled=no interface=ether1
/ip firewall filter add action=accept chain=input comment="Necessary for the router to get ntp and upgrades." connection-mark="" connection-state=established,related
/ip firewall filter add action=drop chain=input comment="block all traffic from the internet to ether1" in-interface=ether1
/ip firewall nat add action=masquerade chain=srcnat out-interface=ether1
/system clock set time-zone-name=America/Los_Angeles
/system identity set name=sea-rou-001
/system logging set 1 action=remote
/system logging set 2 action=remote
/system logging set 3 action=remote
/system ntp client set enabled=yes server-dns-names=time.nist.gov

Extremely straightforward isn't it? I like it this way.

I thought things would be as simple as this (see below) but that didn't work for me:
/ip firewall nat add action=dst-nat chain=dstnat dst-port=22 in-interface=ether1 protocol=tcp src-address=88.88.88.88 to-addresses=192.168.1.178 to-ports=22
Maybe this is wrong and I need a filter accept rule as well; I tried that too, but that didn't seem to cut it either.

Note: I've tried to insert dst-nat rules from other posts, but I couldn't get this to work. Hopefully you can help me.
 
mkx
Forum Guru
Posts: 11442
Joined: Thu Mar 03, 2016 10:23 pm

Re: Forward IP to internal

Mon Sep 05, 2022 7:52 pm

Since you don't have any firewall filter rule for chain=forward (and the implicit last, or in your case only, rule is action=accept), simply adding the dst-nat rule you posted should do.

If you add the dst-nat rule, does its counter increment when you try to connect from the remote address? Are you sure that the ISP doesn't filter anything?
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Forward IP to internal

Mon Sep 05, 2022 8:06 pm

It's either a very unique setup or a very incomplete setup.
Since mkx has not stated otherwise, it must be unique and okay and thus past my knowledge; you're in good hands with mkx.

(Personally I barfed when I saw it, but one man's barf is another man's (mkx's) pleasure ;-P )
 
jibanes
newbie
Topic Author
Posts: 30
Joined: Sun Mar 25, 2012 8:13 am

Re: Forward IP to internal

Mon Sep 05, 2022 10:19 pm

I found the problem: the ssh server sees the client as 88.88.88.88, while I would have thought it'd see it as 192.168.1.1 (which is ether2), thereby not allowing the traffic to it (it denies ssh connections where the src is not in 192.168.1.0/24). Is it possible to make the ssh server see the traffic as the router's ether2 IP address?
 
mkx
Forum Guru
Posts: 11442
Joined: Thu Mar 03, 2016 10:23 pm

Re: Forward IP to internal

Tue Sep 06, 2022 3:09 pm

is it possible to make the ssh server see the traffic as the router's ether2's ip address?

Sure ... add an appropriate src-nat rule, e.g.
/ip firewall nat
add action=src-nat chain=srcnat protocol=tcp dst-port=22 dst-address=192.168.1.178 to-addresses=192.168.1.1

This is not what administrators (at least the vast majority of them) want to do; it is more customary to adjust the firewall rule on the (ssh) server.
The reason is that it's confusing for a person who only looks at the (ssh) server logs and sees connections coming from the router. It gets even more confusing if at some time in the future you decide to allow inbound ssh connections from multiple remote IP addresses ... in which case looking at the (ssh) server logs alone doesn't tell you where the connection came from; one has to correlate it with the router logs.

The only real reason for adding a src-nat rule as above is if the (ssh) server doesn't know how to use the NAT device as the gateway for return traffic. That can happen for a few reasons; one is if it is not possible to set the default gateway on such a device. Another is if the device uses a default gateway other than the NAT device and that default gateway doesn't know that it needs to use the NAT device as the next hop (for certain traffic).
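A complete rule set for the setup described in this thread, as an added example (it is not jibanes's export or mkx's reply): the dst-nat rule restricted to 88.88.88.88, explicit forward-chain rules so that what reaches the LAN from ether1 no longer depends on the implicit accept mkx mentions, and the src-nat rule from the reply kept commented out as the last resort it is described as. Interface names and addresses are the ones used in the thread; the existing masquerade and input rules from the export are assumed to stay in place.

```routeros
# Added example, not the thread's own configuration (RouterOS 6 syntax).
# Only 88.88.88.88 is translated; anyone else hitting 22/tcp on ether1 lands in
# the input chain and is dropped by the existing "block all traffic" rule.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=22 \
    src-address=88.88.88.88 action=dst-nat to-addresses=192.168.1.178 to-ports=22 \
    comment="ssh from 88.88.88.88 only -> 192.168.1.178"

# Forward chain: stop relying on the implicit accept. Replies to existing
# connections pass, invalid packets drop, then only connections that were
# actually dst-nat'ed may enter from ether1. LAN-originated traffic (in-interface
# ether2) is not matched by the last drop and still falls through to accept.
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="replies for existing connections"
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1 connection-nat-state=dstnat \
    connection-state=new action=accept comment="only port-forwarded traffic from WAN"
add chain=forward in-interface=ether1 action=drop \
    comment="drop everything else coming in on ether1"

# Optional, and only if 192.168.1.178 cannot route its replies back through
# 192.168.1.1 (mkx's caveat): hide the remote address behind the router's LAN
# address. The server's logs will then show 192.168.1.1 for every forwarded session.
# /ip firewall nat
# add chain=srcnat protocol=tcp dst-address=192.168.1.178 dst-port=22 \
#     action=src-nat to-addresses=192.168.1.1
```

With the forward drop in place, the dst-nat rule's counter and the "only port-forwarded traffic" rule's counter are the two places to look when a connection from 88.88.88.88 does not arrive.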
