From personal experience (IPv6 over PPPoE), I know how frustrating it is when features you rely on are removed with no notice and no apology. However, there is no justification for abuse at all - it doesn't help things, it just upsets the people who you really don't want to upset. What happens the next time you have a query? Why should they bother replying to somebody who abuses them? As I have found with the IPv6/PPPoE issue, Mikrotik simply ignore any topics in which they have been (mildly in this case) abused.
> ...because you bastards won't give it to us!
That may well be the case, but it wasn't the point I was making.
> Nick, over 50% of all technical support email questions are fixed by a simple upgrade. If people would just use the latest version, we would solve a lot of delays in email responses.
Understood, but given that other products support IPv6/PPPoE, that there is at least one RFC stating how it should work and that it did work (your point on encryption is also understood), I think it is fair to assume that it was a feature of RouterOS. Simply removing it and then writing everything which was said in the thread (I'll not rehash it here) was, in my opinion, out of order.
> again - just so everyone knows, ipv6 over pppoe was NOT a feature. It just so happened it worked.
Anyway, if you want to be paranoid about security, make it disabled by default, but configurable.
We are making a new SSH package right now, where this feature will be integrated, and will be configurable (ie. you will be able to turn it on if you want).
2009-10-13 11:48:19 Opening forwarded connection to localhost:8291
2009-10-13 11:48:19 Forwarded connection refused by server: Administratively prohibited [bla bla]
Hello,
that feature won't be added back as it is a great security risk to your network.
Instead you should create dst-nat rules to forward ports and then you will be
aware that nat for that port+host exists and you have to secure it. That also
gives more power to create different policies using firewall filter, and thus,
results in a more secure and safe network.
/ip firewall filter
add action=accept chain=input comment="change src-address or duplicate for additional subnet to allow local lan admin" disabled=no dst-port=21-23 protocol=tcp src-address=192.168.0.0/16
add action=reject chain=input comment="disable to allow ssh/ftp/telnet from internet" disabled=no dst-port=21-23 protocol=tcp reject-with=icmp-network-unreachable src-address=0.0.0.0/0
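As an added example (not MikroTik's or any poster's own configuration), the dst-nat plus firewall-filter approach the support email describes, applied to the thread's own case of reaching OtherMikrotik's SSH through my-mikrotik instead of with "ssh -L 2222:OtherMikrotik:22". The WAN interface name ether1, the inside address 192.168.88.2 for OtherMikrotik and the admin address 198.51.100.10 are assumptions.

```routeros
# Added example, not from the thread. Assumed: ether1 is the WAN interface,
# 192.168.88.2 is OtherMikrotik, 198.51.100.10 is the admin's public address
# (documentation range, constructed for this example).

# 1. Only the listed admin hosts may use the forwarded port; extend the list
#    rather than the rule when another admin needs access.
/ip firewall address-list
add list=admins address=198.51.100.10 comment="constructed example: admin host"

# 2. Forward TCP/2222 arriving on the WAN side to OtherMikrotik's SSH port.
#    Unlike the old SSH tunnel, this rule is visible in "/ip firewall nat print",
#    which is the email's "you will be aware that nat for that port+host exists".
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=2222 action=dst-nat to-addresses=192.168.88.2 to-ports=22 comment="OtherMikrotik ssh via 2222"

# 3. Secure it. The forward chain sees the translated destination, so accept
#    only the admin list and drop everyone else before any generic accept rule.
/ip firewall filter
add chain=forward protocol=tcp dst-address=192.168.88.2 dst-port=22 src-address-list=admins action=accept comment="admins to OtherMikrotik ssh"
add chain=forward protocol=tcp dst-address=192.168.88.2 dst-port=22 action=drop comment="everyone else to OtherMikrotik ssh"

# 4. From the admin host: ssh -p 2222 admin@my-mikrotik
#    Anything else hitting 2222 is still dst-nat'ed but dropped in forward, and
#    shows up as a drop counter on the last rule.
```

Compared with the tunnel, the exposure is explicit: one NAT rule, one accept rule and one drop rule that can be read and audited in the exported config.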
omg... who's author? O_o
> Mikrotik replied in an email about this issue:
> Dear Mikrotik,
> Hello,
> that feature won't be added back as it is a great security risk to your network. Instead you should create dst-nat rules to forward ports and then you will be aware that nat for that port+host exists and you have to secure it. That also gives more power to create different policies using firewall filter, and thus, results in a more secure and safe network.
That would be fine, disabled for the unaware, enableable for the ones who need it.
> This feature was disabled because it posed a security risk to those who didn't know about it. We are making a new SSH package right now, where this feature will be integrated, and will be configurable (ie. you will be able to turn it on if you want).
Think what you want I suppose. Fact is, it's not going to be added back in.
> omg... who's author? O_o
> Mikrotik replied in an email about this issue:
So SSH port forwarding is planned to be added back in a future version of RouterOS? I wasn't wrong then, I was simply posting exactly what I was told by a Mikrotik support person.
> I removed your posted mails, I have talked to Janis K, he was misinformed.
in that case, you need src-nat, not dst
> It is also valuable to reach equipment behind a NAT that doesn't have a default gateway configured on it (this is for equipment that we did not install, but took over the management of it). In that situation dst-nat won't work. SSH tunnel is the only way.
[admin@MikroTik] > channel 3: open failed: administratively prohibited: bla bla
btw, upgrade to v4 is free for any v3 owners
> And I also hope you will release an ssh package for 3.30 as I want my functionality back without the need to buy a new license.
It's a security risk only if you don't know that this feature exists (it wasn't documented or configurable). We are working on a new SSH package that will have this feature, you will be able to turn it on if you need it.
Hats off to you, I've never ever heard this before! People actually wanting "bugs", lol. Mikrotik, market things a bit better. You probably didn't invent the SSH package, and just about every single install of SSH on any server in the world supports tunneling. Given that, I don't think it's appropriate to call it a bug. Think of all the hard work the ssh team spent trying to implement ssh tunneling that is so widely used today, just for another company to call it a bug...
> almost all Vendors say the sentence about bug and feature in the opposite way -)...
Could you please help me find previous bug versions? I really need this bug for a lot of our routers... Any suggestions for downgrading please?
Thank you
J.
http://66.228.113.58/all_packages-mipsbe-3.24.zip
> please, is there anybody who could tell me where I can download version 3.24 and the right way how to downgrade???
Thanks a lot!!! I downloaded the PPC package as well -)
> http://66.228.113.58/all_packages-mipsbe-3.24.zip
Copy to 'files', then under 'system, packages' hit the downgrade button. Should work.
i just left the filter / nat rules as they were before upgrade...
> the new SSH package is not yet released. Not sure why and how it works for some of you, we will check.
In v3.27 ssh port forwarding functionality is not working (or not allowed in the ssh service), experienced on RB433AH. By ssh port forwarding I mean tunneling a TCP connection through an SSH session to the Mikrotik router. For example (in a terminal on a Linux desktop):
ssh -L 8291:localhost:8291 admin@my-mikrotik;
After that, trying winbox on localhost:8291 will not work and on the ssh console is printed "channel 3: open failed: administratively prohibited: bla bla".
Similar with
ssh -L 2222:OtherMikrotik:22 admin@my-mikrotik;
Ssh port forwarding is working in v3.22 and previous versions (did not try versions between v3.22-v3.27). CHANGELOG_3 does not show any record about changing this feature -> looks like a bug.
This is the exact RouterOS error message!!!
> "bla bla" eats my brain %)
It looks like not. Latest version is 4.6, but we don't have it installed anywhere. I tested it on 4.5 - not working. I tried to find any "config option" to switch on the "ssh port forwarding functionality" (as some people from Mikrotik mentioned above), unsuccessfully. Changelog does not have any info about it (unfortunately, they do not write this type of regression/fix there).
> Anybody has any idea if newer versions of RouterOS have the SSH port forwarding functionality back in place?
Have same feeling.
> I guess Mikrotik engineering staff does not really do any real admin work on live networks.
you need to follow up on MikroTik's announcements
> It is March 2010 and still no official --or unofficial, for that matter-- stance about this.
If you're using a RouterOS version between 3.27 and 5beta you cannot do SSH port forwarding.
> From reading these posts it seems that the versions newer than 3.27 won't allow forwarding of ssh on port 22 to an inside host. I am having trouble trying to do just that. It may be something that I am not getting right. I can post specifics, but would like to know if it is still possible. :?
[admin@Mikrotik] > /system ssh address=<ip> user=<user> password=<password> command=<command>
and
[admin@Mikrotik] > /system ssh address=<ip> user=<user> ssh-key=<dsa key in /certificates> command=<command>
new features go into v5 beta, don't expect it in v4.
> v4.8 - and it's still not there, sigh...
except it isn't a new feature, it is a regression that is fixed as the feature existed in versions prior to 3.27.
> new features go into v5 beta, don't expect it in v4.