MrWillGFC
just joined
Topic Author
Posts: 13
Joined: Sat Aug 29, 2020 5:55 pm

SSH on wan from different port

Tue Jul 30, 2024 9:56 pm

Hello,

I've just changed ISPs and the new router doesn't allow port forwarding in the same way as my old router.
I have my Mikrotik router sitting behind my ISP router and until now I forward the necessary ports to my Mikrotik router and from there, DST-NAT them to where they need to go.

On my old router, I could forward port 2022 to 22 to ssh into the Mikrotik itself but on the new one, all I can do is directly forward 2022-2022.
Currently I can't even get the port forwarding to work at all. With it set up, nothing is being forwarded to my Mikrotik router, so I currently just have it as a DMZ.
The issue I have is that if I block port 22 on my WAN then ssh is blocked, even if the incoming connection is on port 2022 and being forwarded or redirected to port 22. If I open port 22 on the WAN port then I can connect from outside via ssh on either 22 or 2022.

What I want to accomplish is to leave the actual ssh port as 22 (I have several scripts that run across my network to enable/disable rules via ssh to allow things like certificate renewals; ports 80 and 443 are usually blocked) and block incoming WAN connections on port 22, but still allow access to the router via port 22 as long as the incoming connection actually began on port 2022. I don't want to leave port 22 open to the WAN port, but blocking it stops the connection that comes in on port 2022 as well, because it's still being redirected to port 22.
 
MrWillGFC
just joined
Topic Author
Posts: 13
Joined: Sat Aug 29, 2020 5:55 pm

Re: SSH on wan from different port

Tue Jul 30, 2024 10:01 pm

AAAAND as soon as I post I get the idea of how to solve my problem.


I created a mangle rule to mark packets arriving on port 2022 with "ssh-in" and added a filter rule to allow inputs on port 22 from packets marked with ssh-in.

I'll leave this here in case anyone ever finds it useful.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: SSH on wan from different port

Tue Jul 30, 2024 10:59 pm

Simpler solution:
/ip firewall filter
add chain=input protocol=tcp dst-port=22 connection-nat-state=dstnat action=accept
 
anav
Forum Guru
Posts: 22312
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: SSH on wan from different port

Tue Jul 30, 2024 11:14 pm

Hmm, sounds like a twisted pretzel.

Why not simply reset your SSH port on the router itself?
You could set it directly to 2022??
The only thing you would need to change is some scripts, as far as I can read into what you're saying! Done!

By the way, it's very rare for an ISP router to not be able to redirect. Did you ask them, look further into the menus????
 
MrWillGFC
just joined
Topic Author
Posts: 13
Joined: Sat Aug 29, 2020 5:55 pm

Re: SSH on wan from different port

Wed Jul 31, 2024 12:34 am

anav wrote:
> Hmm, sounds like a twisted pretzel.
>
> Why not simply reset your SSH port on the router itself?
> You could set it directly to 2022??
> The only thing you would need to change is some scripts, as far as I can read into what you're saying! Done!
>
> By the way, it's very rare for an ISP router to not be able to redirect. Did you ask them, look further into the menus????
You can't even port forward from the web UI!


It's Sky in the UK. I've ordered a different provider because I'm not impressed at all.

Port forwarding can be set up from the Android app. I told them I don't want to do it from a phone and their solution was that you can install Android apps on a PC.

Even when setting up port forwarding, it refuses to work. I've had to put my main router as the DMZ device which isn't the end of the world but I like the ISP router sitting there blocking anything that doesn't need to go to my own router.

I THINK the port forwarding should work, but I think the issue is that because I've changed the Mikrotik router to a reserved address that's different from the initially assigned address, the Sky router is too dumb to realise the IP address has changed and it's still trying to forward the ports to the old address.
The "Port Forwarding" setup in the app isn't an IP thing: you select the device from a drop-down menu and choose which ports to forward. They've literally dumbed down a feature that, by and large, only people who know what they're doing will be using anyway.
DMZ is to an IP address, not a device, and that works straight away, but NOT if the port has been forwarded. Any port that isn't forwarded gets through ok, but any forwarded ports get sent off into the ether.
I've tried to torch the WAN input port on the Mikrotik router thinking it would give me Wireshark like details but it didn't really tell me very much.

The router is also configurable from the app even when I'm not connected to my network, which makes me a little uncomfortable. I know that technically most consumer routers are going to be accessible at all times by the isp for updates etc anyway but I can configure the wifi and port forwarding settings straight from the Sky app without putting in any credentials. I have to be logged into the Sky app of course, but still, I'd prefer to have to at least be on my own network for that to work.


I could change the port and maybe I'm just showing my OCD but I like all my ssh ports to be 22 and just have them redirected when I'm connecting from outside.
Last edited by MrWillGFC on Wed Jul 31, 2024 12:39 am, edited 1 time in total.
 
MrWillGFC
just joined
Topic Author
Posts: 13
Joined: Sat Aug 29, 2020 5:55 pm

Re: SSH on wan from different port

Wed Jul 31, 2024 12:37 am

Sob wrote:
> Simpler solution:
> /ip firewall filter
> add chain=input protocol=tcp dst-port=22 connection-nat-state=dstnat action=accept
That is a simpler solution, thank you.
 
anav
Forum Guru
Posts: 22312
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: SSH on wan from different port

Wed Jul 31, 2024 2:32 am

I have no idea what SOB has done there LOL.
Boggles my mind, glad you understand it....................
To me the easy fix is to switch the SSH port on the router to 2202 etc...
Truth be told, I always change any default port to something different............ be it SSH, winbox etc........
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: SSH on wan from different port

Wed Jul 31, 2024 3:08 am

@anav: Try "complete" example:
/ip firewall nat
add chain=dstnat dst-address-type=local protocol=tcp dst-port=2022 action=redirect to-ports=22
/ip firewall filter
add chain=input protocol=tcp dst-port=22 connection-nat-state=dstnat action=accept
add chain=input protocol=tcp dst-port=22 action=drop
What happens when you connect to port 22 and 2022, will there be any difference? (spoiler alert: yes)
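The two filter rules and the redirect above, expanded into a complete input-chain layout so the ordering is explicit. This is an added example, not Sob's or the original poster's configuration. The interface lists WAN and LAN, the member interfaces, and the LAN subnets behind them are assumptions; the comments mark them as such.

```routeros
# Added example, not from the thread. Assumed: ether1 is the WAN uplink,
# bridge1 carries the LAN VLANs. Adjust the list members to your router.
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=LAN interface=bridge1

# Only connections that arrive from WAN on 2022 are rewritten to the
# router's own port 22. dst-address-type=local limits the rule to
# traffic addressed to the router itself, so it never touches traffic
# that is merely passing through to LAN hosts.
/ip firewall nat
add chain=dstnat in-interface-list=WAN dst-address-type=local protocol=tcp \
    dst-port=2022 action=redirect to-ports=22 \
    comment="WAN 2022 -> router SSH on 22 (assumed WAN list)"

# Input chain. Order matters: the dstnat accept must sit above the
# port-22 drop, and the drop must not sit above the LAN accept, or the
# scripts that ssh to the router on 22 from inside stop working.
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="return traffic for connections already accepted"
add chain=input connection-state=invalid action=drop
add chain=input in-interface-list=LAN protocol=tcp dst-port=22 action=accept \
    comment="LAN reaches SSH on 22 directly (assumed LAN list)"
add chain=input protocol=tcp dst-port=22 connection-nat-state=dstnat action=accept \
    comment="WAN clients that entered on 2022 and were redirected"
add chain=input in-interface-list=WAN protocol=tcp dst-port=22 action=drop \
    comment="bare port 22 from WAN"
add chain=input in-interface-list=WAN action=drop \
    comment="everything else from WAN"

# Check the match: counters on the two port-22 rules separate a client
# that typed -p 2022 (dstnat accept increments) from one that typed
# -p 22 (drop increments).
/ip firewall filter print stats where chain=input
```

The rule with connection-nat-state=dstnat only ever matches a connection whose first packet went through a dstnat rule, and the only dstnat rule that lands on port 22 is the 2022 redirect, so a scanner hitting 22 directly falls through to the drop while a client on 2022 is accepted. On the redirect-versus-dst-nat question raised later in the thread: RouterOS runs on Linux netfilter, and the netfilter REDIRECT target rewrites the destination to the primary address of the interface the packet arrived on, whereas dst-nat with to-addresses pins one fixed address. A connection entering on a different interface therefore ends up with a different destination address under the two variants; whether that matters for a given setup depends on the other input rules, which is an assumption to check on your own router rather than a guarantee. Finally, this is port obscurity, not authentication: the SSH service is still reachable from the Internet on 2022, so key-only login and, where possible, an address-list restriction on the accept rule remain the actual controls.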
 
MrWillGFC
just joined
Topic Author
Posts: 13
Joined: Sat Aug 29, 2020 5:55 pm

Re: SSH on wan from different port

Wed Jul 31, 2024 3:52 am

anav wrote:
> I have no idea what SOB has done there LOL.
> Boggles my mind, glad you understand it....................
> To me the easy fix is to switch the SSH port on the router to 2202 etc...
> Truth be told, I always change any default port to something different............ be it SSH, winbox etc........
I didn't really! I tried it and it worked :D
I kind of get it now, it only allows the WAN connections in on port 22 if they've been dst-natted, and the only way they can become dst-nat to port 22 is by hitting the right port in the first place so it's really no different to any of my other dst-nat forward chain rules.


I probably should have clarified, I already had a filter rule that drops EVERYTHING trying to connect to my router that doesn't originate from my local LAN VLANs. Primarily that was to stop the IoT and guest VLANs from accessing the router, but it was equally effective at dropping everything on the WAN port too, even before my final rule (drop everything from WAN not dst-natted).

I know I can change the default port but I'm lazy. I'd rather do hours of work now to save myself the 3 seconds I'd spend typing -p 2022 for the rest of my life and Sob's solution did just what I wanted - I can block port 22 on the WAN port but still connect on a different port from WAN and port 22 on the LAN
 
anav
Forum Guru
Posts: 22312
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: SSH on wan from different port

Wed Jul 31, 2024 2:42 pm

I still don't get it.
Using a service on the router, AKA SSH, has nothing to do with destination NAT.
Thus your SSH server is on the LAN somewhere???
 
MrWillGFC
just joined
Topic Author
Posts: 13
Joined: Sat Aug 29, 2020 5:55 pm

Re: SSH on wan from different port

Wed Jul 31, 2024 5:34 pm

anav wrote:
> I still don't get it.
> Using a service on the router, AKA SSH, has nothing to do with destination NAT.
> Thus your SSH server is on the LAN somewhere???
No, I SSH in from the WAN on port 2022 but that gets redirected back to port 22 on the router.
SSH runs on port 22, but I want incoming connections on port 22 from anything other than my local lan to be blocked because the bots scanning for open ports are more likely to hit 22 than 2022.

Port redirection on the ISP router means I can connect in on 2022 and the ISP router can redirect that to port 22 on my own router. My new ISP router doesn't allow that, and I still want SSH to be running on port 22 for my internal network, so the solution outlined above by Sob means that if I connect (from the WAN) on port 22 it gets blocked by the filter rule "add chain=input protocol=tcp dst-port=22 action=drop".

If I connect (from the WAN) on port 2022, the router redirects it to port 22 and the preceding filter rule (allow connections from the WAN on port 22 IF they've been dst-nat-ed "add chain=input protocol=tcp dst-port=22 connection-nat-state=dstnat action=accept") lets it through to the SSH service which can then check the certificate.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: SSH on wan from different port

Wed Jul 31, 2024 6:07 pm

@anav: Would this be better for you (x.x.x.x = any of router's own addresses)?
/ip firewall nat
add chain=dstnat dst-address-type=local protocol=tcp dst-port=2022 action=dst-nat to-addresses=x.x.x.x to-ports=22
It's the same thing; both action=dst-nat and action=redirect are forms of dstnat. The difference is that redirect picks to-addresses automatically.
 
anav
Forum Guru
Posts: 22312
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: SSH on wan from different port

Wed Jul 31, 2024 11:27 pm

That I understand, that is dstnat rule in the proper place LOL
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: SSH on wan from different port

Thu Aug 01, 2024 1:37 am

And since "action=dst-nat to-addresses=<router's address>" is equal to "action=redirect" (*), now you understand the whole thing, right?

(*) Not completely true. You get bonus point if you find why.
 
MrWillGFC
just joined
Topic Author
Posts: 13
Joined: Sat Aug 29, 2020 5:55 pm

Re: SSH on wan from different port

Thu Aug 01, 2024 3:17 am

Sob wrote:
> And since "action=dst-nat to-addresses=<router's address>" is equal to "action=redirect" (*), now you understand the whole thing, right?
>
> (*) Not completely true. You get bonus point if you find why.
Would internal cross vlan/cross subnet traffic just be redirected to the redirect port on the original target?
 
anav
Forum Guru
Posts: 22312
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: SSH on wan from different port

Thu Aug 01, 2024 3:56 pm

After sober thought,,,,,,,,,
I disagree with everything as the application is all false.

He is not port forwarding
He is not going to an SSH server to the LAN.

It's a service on the router and the only thing that is valid is the input chain:
add chain=input action=accept dst-port=SSHPORT set on system services protocol=xxx

There is no dstnat etc.........

I better pinch myself to make sure this thread is not a dream.