ckonsultor
can SSH via dst-nat from LAN but not from WAN

Sun Apr 21, 2024 9:26 pm

In a two-router network, a "demo" router (RouterBOARD 750 r2) sits behind the Internet gateway (RouterBOARD 952Ui-5ac2nD). A PC on the g/w LAN (..88.) can SSH to any host on either router and to the routers themselves. Two instances of WinBox on the PC manage the routers. The link between the routers is statically routed as a 10. subnet.
Static routing uses dst-nat in both routers. Attempts to SSH from the Internet (eth1) result in either a timeout (usually) or a peer reset of the connection (if connecting via VPN). I had assumed that the same firewall rules govern both access paths, so both should work -- but they behave differently. The exported config of the g/w is:
# apr/21/2024 11:45:07 by RouterOS 6.49.10
# software id = 52AR-8NVD
#
# model = RouterBOARD 952Ui-5ac2nD
# serial number = 71AF0xxx
/interface wireless
xxx
/interface bridge
add admin-mac=B8:69:xxx auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=xxx
# NOTE(review): the two "add name=... ranges=" entries below are address-pool syntax;
# in a full export they sit under /ip pool. Presumably a paste/redaction artifact -- confirm.
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=pool10 ranges=10.10.10.10-10.10.10.19
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
# Second DHCP server on the routed inter-router link (ether3), separate from the bridge.
add address-pool=pool10 disabled=no interface=ether3 name=server10
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
# ether3 stays listed as a bridge port but is disabled; it is used as a routed link (see /ip address).
add bridge=bridge comment=defconf disabled=yes interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip firewall connection tracking
# Short SYN timeouts (10s) limit how long half-open TCP entries occupy the tracking table.
set tcp-syn-received-timeout=10s tcp-syn-sent-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
# Fast path disabled; consistent with the fasttrack filter rule below being disabled.
set allow-fast-path=no
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# The inter-router link is a member of LAN, so in-interface-list=LAN/!LAN rules treat it as inside.
add interface=ether3 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
# This router's address on the inter-router link.
add address=10.10.10.1/24 interface=ether3 network=10.10.10.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.88.245 mac-address=1C:6F:xxx server=defconf
add address=192.168.88.239 client-id=1:14:cb:xxx mac-address=\
    14:CB:19:xxx server=defconf
# Static lease for the demo router's link address (10.10.10.10) on server10.
add address=10.10.10.10 client-id=1:b8:69::xxx mac-address=\
    B8:69:F4:xxx server=server10
add address=192.168.88.228 mac-address=B0:A4:xxx server=defconf
add address=192.168.88.249 client-id=1:14::xxx mac-address=\
    14:4F::xxx server=defconf
/ip dhcp-server network
# NOTE(review): the gateway advertised on 10.10.10.0/24 is 10.10.10.10 (the demo router's
# own lease above), not this router's 10.10.10.1 -- confirm this is intended.
add address=10.10.10.0/24 gateway=10.10.10.10 netmask=24
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
# The router answers DNS for remote requesters; whether WAN can reach it is decided by
# the input chain below (non-LAN input is dropped unless the connection was dst-natted).
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
# Rules are evaluated top to bottom, first match wins. dst-nat is applied before filtering,
# so the input/forward chains already see the translated dst-address and dst-port.
# Accepts any dst-natted connection addressed to the router itself from any ethernet port.
# Because it precedes "drop ssh 22 from wan", a WAN connection dst-natted to
# 192.168.88.1:22 (see /ip firewall nat) is accepted here and never reaches that drop rule.
add action=accept chain=input comment="defconf: accept dstnat" \
    connection-nat-state=dstnat in-interface=all-ethernet
add action=drop chain=input comment="drop icmp from eth1" disabled=yes \
    in-interface=ether1 protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="defconf: drop telnet 23 from wan" \
    dst-port=23 in-interface=ether1 protocol=tcp
# Only reached by WAN SSH that was NOT dst-natted (see the accept-dstnat rule above).
add action=drop chain=input comment="defconf: drop ssh 22 from wan" dst-port=\
    22 in-interface=ether1 protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# Disabled: if enabled it would accept every new TCP connection to the router from any ethernet port.
add action=accept chain=input comment="accept tcp" disabled=yes in-interface=\
    all-ethernet protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Catch-all for the input chain: anything to the router that did not arrive on a LAN-list interface.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# NOTE(review): the comment says SSH/22 but the rule matches dst-port=23 (telnet);
# forwarded SSH arriving on ether1 is not dropped by this rule.
add action=drop chain=forward comment="defconf: drop sshy 22 from wan" \
    dst-port=23 in-interface=ether1 protocol=tcp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# Disabled, matching allow-fast-path=no in /ip settings.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment=" accept new " connection-state=new \
    disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# New connections from WAN-list interfaces survive only if a dstnat rule matched them.
# There is no final drop rule in forward, so unmatched traffic (e.g. new connections from
# LAN-list interfaces, which includes ether3) falls through to the chain default.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# NOTE(review): the output chain sees packets originated by this router, so this rule
# has no effect on forwarded or inbound SSH -- confirm what it was meant to allow.
add action=accept chain=output connection-nat-state=dstnat dst-port=22 \
    protocol=tcp
/ip firewall nat
# Source NAT only on WAN egress. Traffic dst-natted to 192.168.55.x below leaves via ether3
# with the original (Internet) source address, so the demo router must route replies back here.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# Port forwards into the demo router's LAN (192.168.55.0/24, reachable via /ip route below).
# NOTE(review): these first three rules have no in-interface and no dst-address match, so
# any TCP packet crossing this router with that dst-port is rewritten -- including LAN
# traffic bound for Internet hosts on that port. Adding dst-address-type=local or
# in-interface-list=WAN would restrict them to traffic actually addressed to this router.
add action=dst-nat chain=dstnat dst-port=xxxxx02 protocol=tcp to-addresses=\
    192.168.55.247 to-ports=xxx2
add action=dst-nat chain=dstnat dst-port=xxxxx03 protocol=tcp to-addresses=\
    192.168.55.247 to-ports=xxx2
add action=dst-nat chain=dstnat dst-port=xxxxx49 protocol=tcp to-addresses=\
    192.168.55.249 to-ports=xxx9
# in-interface=all-ethernet presumably still matches LAN ethernet ports (only wlan excluded),
# which is why this forward also works from the LAN PC; still no dst-address match.
add action=dst-nat chain=dstnat dst-port=xxxxx50 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.55.228 to-ports=22
# Exposes this router's own web service (port 80) on a non-standard port; the input
# accept-dstnat rule admits it from WAN.
add action=dst-nat chain=dstnat dst-port=xxxxx80 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.88.1 to-ports=80
# Exposes this router's own SSH (port 22) on a non-standard port. Admitted by the input
# accept-dstnat rule, so "drop ssh 22 from wan" does not apply to it.
add action=dst-nat chain=dstnat dst-port=xxxxx30 protocol=tcp to-addresses=\
    192.168.88.1 to-ports=22
/ip route
# Static route to the demo router's LAN via its link address on ether3.
add distance=1 dst-address=192.168.55.0/24 gateway=10.10.10.10
/ip service
# SSH service listens on all addresses; exposure is controlled only by the filter/nat rules
# above. Restricting address= to the LAN subnets would limit it at the service as well.
set ssh address=0.0.0.0/0
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=America/New_York
/system identity
set name=MikroTik-gw
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
# Sniffer preset: capture SSH on the bridge (LAN side) only.
set filter-interface=bridge filter-operator-between-entries=and filter-port=\
    ssh
I suspect the problem results from my limited understanding of firewall rules. I hope you can spot something wrong and suggest a fix. Thanks in advance.
 
ckonsultor
Re: can SSH via dst-nat from LAN but not from WAN

Sun May 05, 2024 8:45 pm

Ignore this question; I have removed dst-nat in the demo router and now perform dst-nat in one step in the g/w router.
I will post a new question.
