And since "action=dst-nat to-addresses=<router's address>" is equal to "action=redirect" (*), now you understand the whole thing, right? (*) Not completely true. You get bonus point if you find why. Would internal cross vlan/cross subnet traffic just be redirected to the redirec...

I still dont get it. Using A service on the router AKA SSH, has nothing to with destination NAT Thus your SSH server is on the LAN somewhere??? No, I SSH in from the WAN on port 2022 but that gets redirected back to port 22 on the router. SSH runs on port 22, but I want incoming connections on port...

I have no idea what SOB has done there LOL. Boggles my mind, glad you understand it.................... To me the easy fix is to switch the SSH port on the router to 2202 etc... Truth be told, I always change any default port to something different............ be it SSH, winbox etc........ I didn't...

Simpler solution:

Code: Select all

/ip firewall filter
add chain=input protocol=tcp dst-port=22 connection-nat-state=dstnat action=accept

That is a simpler solution, thank you.

Hmm sounds like a twisted pretzel. Why not simply reset your SSH port on the router itself. You could set it directly to 2022?? The only thing you would need to change is some scripts as far as I can read into what your saying! Done! By the way, Its very rare for an ISP router to not be able to red...

AAAAND as soon as I post I get the idea of how to solve my problem.


I created a mangle rule to mark packets arriving on port 2022 with "ssh-in" and added a filter rule to allow inputs on port 22 from packets marked with ssh-in.

I'll leave this here in case anyone ever finds it useful.

Hello, I've just changed ISPs and the new router doesn't allow port forwarding in the same way as my old router. I have my Mikrotik router sitting behind my ISP router and until now I forward the necessary ports to my Mikrotik router and from there, DST-NAT them to where they need to go. On my old r...

I'm confused regarding the vlans of the switching equipment themselves. I get the whole concept of trunk ports, access ports, hybrid ports and currently have my network running from my router itself but I'll soon be expanding it to have at least one more switch. Hypothetical scenario. Router with po...

The reason I said I didn't understand what you meant by IP based vlan, is that a switch (unless it is a layer 3 switch, and those are in a different category) has no concept of IP addresses. The only thing in a managed switch that is aware of ip addresses is the built in "host" that is us...

Horribly explained, dont ask a requirement question based on config changes.
State the requirement in terms of traffic flow required by users...........

Once understood a config plan/design can be formulated.

Thanks chief.

Unless you intend to have all devices in the same vlan, using a dumb switch isn't recommended, because a dumb switch offers no real separation of devices. Also, to use mac or protocol based vlans requires a managed switch above the "smart switch" variety, that are usually vlan aware but n...

I've been running routeros for a few years now and have my network segregated into vlans for lan/security devices (cameras, intruder alarm etc)/guest/home automation through using different physical or virtual (different wlans) interfaces, all running smoothly. I do have one trunk port, connected to...

Posted this on the Scripting Forum but it wasn't approved so I'm guessing because it wasn't strictly Scripting related it should go here instead. I set up a Pi Hole this week as my network DNS resolver. I've also set up some NAT rules to forward anything trying to exit the network on port 53 to be r...