This seems pretty simplistic, but I'm coming from a PIX, and I'm just not able to wrap my head around it.

I've got a new RB750G sitting behind a cable modem. I want to accept SSH on a non-standard port and forward this to port 22 of a device on my local LAN. So far, I haven't tweaked much of anything except to configure things for my internal IP range. The default 3 filter rules are still in place. I've run port scans and this seems like it leaves things fairly tightly locked down.

I have successfully opened a hole to allow SSH to the RB, but I can't seem to open a hole for port 12345 and pass this to 192.168.0.30 port 12345. I've tried a couple of different firewall filter/firewall nat rules and none of them seem to work. I'm assuming that I am confused on the packet path. Seems like:

add chain=forward action=accept protocol=tcp dst-port=12345
add chain=dstnat action=dst-nat to-addresses=192.168.0.30 to-ports=22 protocol=tcp in-interface=ether1-gateway dst-port=12345

would work, but when I try and connect it never even hits the filter rule for some reason. I've searched and read, and it all seems to make sense, but when I try and translate for my particular case it doesn't seem to work.

I've tried most of the combinations that I could think of, like changing the dst-port to 22 in case the NAT was taking place before the filtering and changing the chain.

Watching the activity graphs last night in Winbox it almost seemed to be getting around the filter rules entirely and seemed to be hitting the dst-nat rule while also incrementing the "chain=input action=drop in-interface=ether1-gateway" rule. I have made sure that the accept rules I am adding are above this final drop, but I don't think that I have managed to hit any of the rules yet.

Here are the specs you requested:

Flags: X - disabled, I - invalid, D - dynamic
 0   address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=ether2-local-master actual-interface=ether2-local-master
 1 D address=67./22 network=67.172.212.0 broadcast=67.172.215.255 interface=ether1-gateway actual-interface=ether1-gateway

Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 0 ADS dst-address=0.0.0.0/0 gateway=67.172.212.1 gateway-status=67.172.212.1 reachable ether1-gateway distance=1 scope=30 target-scope=10
 1 ADC dst-address=67.172.212.0/22 pref-src=67. gateway=ether1-gateway gateway-status=ether1-gateway reachable distance=0 scope=10
 2 ADC dst-address=192.168.0.0/24 pref-src=192.168.0.1 gateway=ether2-local-master gateway-status=ether2-local-master reachable distance=0 scope=10

Flags: D - dynamic, X - disabled, R - running, S - slave

Set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
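For reference, an added example (not the poster's configuration) of how the dstnat and forward chains fit together on RouterOS for this kind of port forward, written to keep the filter as tight as the default rules. It uses the interface names and addresses quoted in the thread; the comments, rule order and the `print stats` check are assumptions added here.

```routeros
# Added example, not from the thread. Interface names and addresses are the
# ones in the post (ether1-gateway, 192.168.0.30); external port 12345 and
# internal port 22 follow the poster's intent.

# 1. Translation happens in the dstnat (prerouting) chain, before any filter
#    chain sees the packet. A connection arriving on ether1-gateway:12345
#    is rewritten here to 192.168.0.30:22.
/ip firewall nat
add chain=dstnat in-interface=ether1-gateway protocol=tcp dst-port=12345 \
    action=dst-nat to-addresses=192.168.0.30 to-ports=22 \
    comment="ssh to lan host on a non-standard external port"

# 2. Because the translated packet is routed to a LAN host, it traverses the
#    forward chain, never input: the default "chain=input ... drop" rule does
#    not apply to it. If the forward chain carries its own drop for traffic
#    from the internet, the accept must match the post-NAT destination
#    (192.168.0.30 port 22, not port 12345) and sit above that drop.
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="replies to connections already allowed"
add chain=forward in-interface=ether1-gateway action=drop \
    comment="default-drop-forward"
# place-before pins the accept above the drop regardless of add order
add chain=forward in-interface=ether1-gateway protocol=tcp \
    dst-address=192.168.0.30 dst-port=22 action=accept \
    place-before=[find comment="default-drop-forward"] \
    comment="only the forwarded ssh port reaches the lan host"

# 3. Check while connecting from outside: the dstnat rule and the forward
#    accept should increment; the input-chain drop should stay flat.
/ip firewall nat print stats
/ip firewall filter print stats
```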