Khuman Posted November 21, 2014 Posted November 21, 2014 (edited) Добрый день. Есть железка RB1100AHx2 с таким конфигом:
# nov/21/2014 09:58:55 by RouterOS 6.7
# software id = UPCL-YIQ0
#
# RouterOS export: ether2-5 are slaved to ether1 and ether7-10 to ether6,
# the LAN (192.168.0.0/24) is served through vrrp0 on ether1, and ether6
# carries 1.1.1.2/29 with the default route via 1.1.1.1.
# Rules shown without action= use the default action, accept.
/interface ethernet
set [ find default-name=ether2 ] master-port=ether1
set [ find default-name=ether3 ] master-port=ether1
set [ find default-name=ether4 ] master-port=ether1
set [ find default-name=ether5 ] master-port=ether1
set [ find default-name=ether7 ] master-port=ether6
set [ find default-name=ether8 ] master-port=ether6
set [ find default-name=ether9 ] master-port=ether6
set [ find default-name=ether10 ] master-port=ether6
/interface vrrp
add interface=ether1 name=vrrp0 priority=254
/interface ethernet switch
set 0 name=OfficeSwitch
set 1 name=DMZSwitch
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
/ip pool
add name=DHCP-Pool ranges=192.168.0.100-192.168.0.200
/ip dhcp-server
add add-arp=yes address-pool=DHCP-Pool disabled=no interface=vrrp0 lease-time=1h name=router
/port
set 0 name=serial0
set 1 name=serial1
/interface ethernet switch vlan
add independent-learning=no ports=ether9,ether10 switch=DMZSwitch vlan-id=30
/ip address
add address=192.168.0.2/24 comment=OfficeLAN interface=ether1 network=192.168.0.0
add address=192.168.0.1/32 interface=vrrp0 network=192.168.0.1
add address=1.1.1.2/29 interface=ether6 network=1.1.1.0
/ip dhcp-server lease
add address=192.168.0.180 client-id=VD mac-address=60:A4:4C:A9:CC:C1 server=router
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
/ip dns
# NOTE(review): allow-remote-requests=yes makes the router answer DNS queries,
# and the "Allow UDP" input rule below accepts UDP from any source on any
# interface. Together they leave the resolver reachable on ether6 (an open
# resolver, usable for amplification). Limit the UDP/53 accept to the LAN.
set allow-remote-requests=yes cache-max-ttl=1h servers=8.8.4.4
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="Allow Ping" protocol=icmp
add chain=forward protocol=icmp
add chain=input comment="Accept established connections" connection-state=established
add chain=forward connection-state=established
add chain=input comment="Accept related connections" connection-state=related
add chain=forward connection-state=related
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add action=drop chain=forward connection-state=invalid
# NOTE(review): these two rules accept every UDP packet, to the router and
# through it, with no interface, address or port restriction.
add chain=input comment="Allow UDP" protocol=udp
add chain=forward protocol=udp
add chain=forward comment="Access to Internet from local network" in-interface=vrrp0 src-address=192.168.0.0/24
# NOTE(review): unlike the forward rule above, this one matches on source
# address only; adding an in-interface match would tie it to the LAN side.
add chain=input comment="Access to Mikrotik only from our local network" src-address=192.168.0.0/24
# NOTE(review): no src-address here, so RDP on 192.168.0.180 is accepted from
# any source once dst-nat has rewritten the destination. Restrict it to known
# peers (src-address or an address list) or reach it over a VPN instead.
add chain=forward dst-address=192.168.0.180 dst-port=3389 protocol=tcp src-port=""
# These two rules accept all traffic from 2.2.2.2 and sit before the final
# drops, so the filter itself does not block SSH from that host.
# NOTE(review): they are broader than the stated goal; matching protocol=tcp
# dst-port=50022 on the input rule would allow SSH only.
add chain=input src-address=2.2.2.2
add chain=forward src-address=2.2.2.2
add action=drop chain=input comment="All other drop"
add action=drop chain=forward
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether6 to-addresses=1.1.1.2
# NOTE(review): this rule has no dst-port match, so it applies to every TCP
# connection addressed to 1.1.1.2, including SSH on 50022, and rewrites it to
# 192.168.0.180:3389. dst-nat is applied before the input chain, so the
# connection from 2.2.2.2 is forwarded to the RDP host and never reaches the
# router's own SSH service; this is the likely cause of the problem described
# below. Adding dst-port=3389 (and ideally in-interface=ether6) limits the
# translation to RDP.
add action=dst-nat chain=dstnat dst-address=1.1.1.2 protocol=tcp to-addresses=192.168.0.180 to-ports=3389
/ip firewall service-port
set pptp ports=1723
/ip route
add distance=1 gateway=1.1.1.1
/ip service
# NOTE(review): only telnet, ftp, ssh and www-ssl appear here; an export
# presumably lists changed values only, so www, winbox and api are likely at
# their defaults. Confirm which are enabled. The per-service address=
# setting can restrict each one to management networks in addition to the filter.
set telnet disabled=yes
set ftp disabled=yes
set ssh port=50022
set www-ssl disabled=no
/system clock
set time-zone-name=Europe/Kiev
/system identity
set name=router
/system logging
add topics=telephony,debug
/system ntp client
set enabled=yes mode=unicast primary-ntp=62.149.0.30 secondary-ntp=209.87.233.51
SSH висит на порту 50022. Из внутренней сети я на него попадаю, а вот с адреса 2.2.2.2 - никак. Может кто-то сможет подсказать, как решить эту элементарную задачку. Вроде бы все правильно делаю. Edited November 26, 2014 by Khuman Вставить ник Quote
Khuman Posted November 26, 2014 Author Posted November 26, 2014 Что, и никто не может помочь... Вставить ник Quote
a-zazell Posted November 26, 2014 Posted November 26, 2014 А в дампе пакеты долетают от 2.2.2.2 до вашего Ether6 при попытке соединиться? Вставить ник Quote