ckonsultor
Frequent Visitor
Topic Author
Posts: 61
Joined: Sun Nov 21, 2021 7:57 pm

dstnat to host on LAN times out

Fri Mar 29, 2024 9:03 pm

Set up a dstnat rule (one of many) to forward port XXXX from the WAN to port 22 on a specific host on the wLAN. Using an android phone (with Termux) to ssh to the public IP of the MikroTik-gw. Torch and Packet sniffer on this router can see packet arriving with dst port XXXX. Can't find a packet directed to the host after that. Monitored the bridge looking for the IP and any with dst port 22--nothing. Disabled FastTrack f/w rule. Added rules to three chains in attempt to accept packets. Suggestions solicited.
Thanks in advance.
The export file:
# mar/29/2024 14:13:50 by RouterOS 6.49.10
# software id = 52xxx
#
# model = RouterBOARD 952Ui-///
# serial number = 71AF///
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=/// wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=/// wireless-protocol=\
    802.11 wps-mode=disabled
/interface bridge
add admin-mac=B8:69:F4:1D:6B:C0 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=M/// wpa2-pre-shared-key=xxx
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=pool10 ranges=10.10.10.10-10.10.10.19
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=pool10 disabled=no interface=ether3 name=server10
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf disabled=yes interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether3 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.10.10.1/24 interface=ether3 network=10.10.10.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.88.245 mac-address=1C:6F:65:21:95:8C server=defconf
add address=192.168.88.239 client-id=1:14:cb:19:97:d6:ba mac-address=\
    14:CB:19:97:D6:BA server=defconf
add address=10.10.10.10 client-id=1:b8:69:///:aa mac-address=\
    B8:69:F4:47:5D:AA server=server10
add address=192.168.88.228 mac-address=B0:A4:/// server=defconf
add address=192.168.88.249 client-id=1:14:4f:8a:c7:36:a2 mac-address=\
    14:4F:8A:/// server=defconf
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.10 netmask=24
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept dstnat" \
    connection-nat-state=dstnat in-interface=all-ethernet
add action=accept chain=input comment="accept icmpt" in-interface=\
    all-ethernet protocol=icmp
add action=accept chain=input comment="accept tcp" in-interface=all-ethernet \
    protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment=" accept new " connection-state=new
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=output connection-nat-state=dstnat dst-port=22 \
    protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=YYYY protocol=tcp to-addresses=\
    192.168.55.247 to-ports=2222
add action=dst-nat chain=dstnat dst-port=ZZZZ in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.55.228 to-ports=22
/ip route
add distance=1 dst-address=192.168.55.0/24 gateway=10.10.10.10
/ip service
set ssh address=0.0.0.0/0
/system clock
set time-zone-name=America/New_York
/system identity
set name=MikroTik-gw
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=bridge filter-operator-between-entries=and filter-port=\
    ssh
 
mkx
Forum Guru
Posts: 11746
Joined: Thu Mar 03, 2016 10:23 pm

Re: dstnat to host on LAN times out

Fri Mar 29, 2024 9:15 pm

This doesn't seem quite right to me:
/ip dhcp-server lease
add address=10.10.10.10 client-id=1:b8:69:///:aa mac-address=\
B8:69:F4:47:5D:AA server=server10

/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.10 netmask=24

I'd say that gateway address in /ip dhcp-server network should be 10.10.10.1 ...

As to the failing DST-NAT: I'll guess that the following rule should be triggered:
add action=dst-nat chain=dstnat dst-port=ZZZZ in-interface=all-ethernet \
protocol=tcp to-addresses=192.168.55.228 to-ports=22
I'd avoid using this ... AFAIK it's an interface-list (not interface) and I'm scared of using anything automatic in ROS, most auto things have a tendency to cause trouble.
 
ckonsultor
Frequent Visitor
Topic Author
Posts: 61
Joined: Sun Nov 21, 2021 7:57 pm

Re: dstnat to host on LAN times out

Fri Mar 29, 2024 10:47 pm

thanks for the response. When you say
I'd say that gateway address in /ip dhcp-server network should be 10.10.10.1 ...
does that mean that the "gateway" address is always on the near end of the link in the separate subnet?
I'm not clear on what you refer to when you say
I'd avoid using this ... AFAIK it's an interface-list (not interface)
Do you mean not to use "all ethernet" but to specify a specific single interface? That choice was made from the pull-down menu.
 
ckonsultor
Frequent Visitor
Topic Author
Posts: 61
Joined: Sun Nov 21, 2021 7:57 pm

Re: dstnat to host on LAN times out

Sat Mar 30, 2024 3:13 am

If this change is made on the IP/Route List
I'd say that gateway address in /ip dhcp-server network should be 10.10.10.1 ...
then the 10.10.10 and 192.168.55.x subnets become unreachable. Using the IP at the far end of the link makes them reachable. (ROS 6.49.10)
 
mkx
Forum Guru
Posts: 11746
Joined: Thu Mar 03, 2016 10:23 pm

Re: dstnat to host on LAN times out

Sat Mar 30, 2024 11:57 am

thanks for the response. When you say
I'd say that gateway address in /ip dhcp-server network should be 10.10.10.1 ...
does that mean that the "gateway" address is always on the near end of the link in the separate subnet?
Gateway setting in DHCP setup informs DHCP client (i.e. the far end) about IP address which it should use for communication outside its own subnet. The config you showed implies that 10.10.10.10 is client IP address and thus not very probable address of a gateway.

But then you know the topology of your networks so you should know how devices in different networks are supposed to communicate with each other.

I'm not clear on what you refer to when you say
I'd avoid using this ... AFAIK it's an interface-list (not interface)
Do you mean not to use "all ethernet" but to specify a specific single interface? That choice was made from the pull-down menu.
Yes, I was talking about that. I suggest you read the rest of firewall settings (both NAT and filters) to get an idea about how it all is supposed to work. I guess it'll help you understand the options better.
In particular: even if "all ethernet" really did work as the name implies (and, as I already wrote, I have my doubts about that), do you have any particular reason to exclude other interfaces (e.g. wifi interfaces)? It's fine not to set properties and if a property is not set, the matcher will not check it ... so not setting in-interface means that in-interface won't be a deciding criterion when ROS decides whether a particular rule needs to be executed or not.
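As an added illustration of the point above (not posted by either participant): the dst-nat rule from the export with the in-interface=all-ethernet matcher replaced by the WAN interface list the default firewall already uses, and a sniffer filter on ether3, which is where the export's route for 192.168.55.0/24 via 10.10.10.10 sends the translated packet. ZZZZ is the placeholder port from the export; the sniffer settings are an assumed check, not something from the thread.

```routeros
# Added example, not from the thread. ZZZZ and 192.168.55.228 are taken from
# the export as posted.
/ip firewall nat
# Original rule from the export: in-interface=all-ethernet is an interface
# list, so traffic arriving on anything not in that list never hits the rule.
# add action=dst-nat chain=dstnat dst-port=ZZZZ in-interface=all-ethernet \
#     protocol=tcp to-addresses=192.168.55.228 to-ports=22
#
# Rewritten: match on the WAN interface list (ether1 is its only member in the
# export). Leaving in-interface unset would also work, since an unset property
# is simply not checked by the matcher.
add action=dst-nat chain=dstnat comment="ssh to 192.168.55.228" dst-port=ZZZZ \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.55.228 to-ports=22

# Where to look for the translated packet (assumed check): after dst-nat the
# destination is 192.168.55.228, and the export routes 192.168.55.0/24 via
# 10.10.10.10, which sits on ether3, not on the bridge. A sniffer filtered on
# the bridge therefore never sees it; filter on ether3 instead.
/tool sniffer
set filter-interface=ether3 filter-ip-address=192.168.55.228/32 \
    filter-port=22 filter-operator-between-entries=and
```

If the packet appears on ether3 but no reply comes back, the issue is on the 10.10.10.10 router side (its return route toward 10.10.10.1), not in the MikroTik-gw dst-nat rule.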
 
ckonsultor
Frequent Visitor
Topic Author
Posts: 61
Joined: Sun Nov 21, 2021 7:57 pm

Re: dstnat to host on LAN times out

Sat Mar 30, 2024 4:36 pm

Sorry I didn't mention that the DHCP server on the 10 subnet is in the g/w, which gave 10.10.10.10 to the internal router because that was the lowest number in the range I set in IP/Pool at the g/w.
