Jump to content
Калькуляторы

Mikrotik + firewall + ssh access

Добрый день.

 

Есть железка RB1100AHx2

с таким конфигом:

# nov/21/2014 09:58:55 by RouterOS 6.7
# software id = UPCL-YIQ0
#
/interface ethernet
set [ find default-name=ether2 ] master-port=ether1
set [ find default-name=ether3 ] master-port=ether1
set [ find default-name=ether4 ] master-port=ether1
set [ find default-name=ether5 ] master-port=ether1
set [ find default-name=ether7 ] master-port=ether6
set [ find default-name=ether8 ] master-port=ether6
set [ find default-name=ether9 ] master-port=ether6
set [ find default-name=ether10 ] master-port=ether6
/interface vrrp
add interface=ether1 name=vrrp0 priority=254
/interface ethernet switch
set 0 name=OfficeSwitch
set 1 name=DMZSwitch
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
/ip pool
add name=DHCP-Pool ranges=192.168.0.100-192.168.0.200
/ip dhcp-server
add add-arp=yes address-pool=DHCP-Pool disabled=no interface=vrrp0 lease-time=1h name=router
/port
set 0 name=serial0
set 1 name=serial1
/interface ethernet switch vlan
add independent-learning=no ports=ether9,ether10 switch=DMZSwitch vlan-id=30
/ip address
add address=192.168.0.2/24 comment=OfficeLAN interface=ether1 network=192.168.0.0
add address=192.168.0.1/32 interface=vrrp0 network=192.168.0.1
add address=1.1.1.2/29 interface=ether6 network=1.1.1.0
/ip dhcp-server lease
add address=192.168.0.180 client-id=VD mac-address=60:A4:4C:A9:CC:C1 server=router
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1h servers=8.8.4.4
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="Allow Ping" protocol=icmp
add chain=forward protocol=icmp
add chain=input comment="Accept established connections" connection-state=established
add chain=forward connection-state=established
add chain=input comment="Accept related connections" connection-state=related
add chain=forward connection-state=related
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add action=drop chain=forward connection-state=invalid
add chain=input comment="Allow UDP" protocol=udp
add chain=forward protocol=udp
add chain=forward comment="Access to Internet from local network" in-interface=vrrp0 src-address=192.168.0.0/24
add chain=input comment="Access to Mikrotik only from our local network" src-address=192.168.0.0/24
add chain=forward dst-address=192.168.0.180 dst-port=3389 protocol=tcp src-port=""
add chain=input src-address=2.2.2.2
add chain=forward src-address=2.2.2.2
add action=drop chain=input comment="All other drop"
add action=drop chain=forward
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether6 to-addresses=1.1.1.2
add action=dst-nat chain=dstnat dst-address=1.1.1.2 protocol=tcp to-addresses=192.168.0.180 to-ports=3389
/ip firewall service-port
set pptp ports=1723
/ip route
add distance=1 gateway=1.1.1.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=50022
set www-ssl disabled=no
/system clock
set time-zone-name=Europe/Kiev
/system identity
set name=router
/system logging
add topics=telephony,debug
/system ntp client
set enabled=yes mode=unicast primary-ntp=62.149.0.30 secondary-ntp=209.87.233.51

 

SSH висит на порту 50022. Из внутренней сети я на него попадаю, а вот с адреса 2.2.2.2 - никак.

Может кто-то сможет подсказать, как решить эту элементарную задачку. Вроде бы все правильно делаю.

Edited by Khuman

Share this post


Link to post
Share on other sites

А в дампе пакеты долетают от 2.2.2.2 до вашего Ether6 при попытке соедениться?

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this