hobbes1069
newbie
Topic Author
Posts: 29
Joined: Sun Aug 16, 2015 3:43 pm

All port-forwarded SSH connections appear to be coming from the router, not the originating IP

Thu Aug 20, 2015 9:59 pm

Pre-story:

I was going crazy trying to figure out why, when I was setting up port forwarding just like the wiki was showing, I could sometimes remote ssh in and other times the connection was refused, until on a whim I decided to look at my fail2ban log.

I use fail2ban on the only computer I allow external ssh connections to, and I noticed that all the connection attempts were coming from 192.168.0.1, which is the IP assigned to my CRS125, but I'm pretty sure they are break-in attempts from external IPs.

Well no WONDER I had intermittent problems remoting in. The question is why?!?!

RouterOS 6.31
[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0    chain=srcnat action=masquerade out-interface=ether1-master-local log=no
      log-prefix=""

 1    chain=dstnat action=dst-nat to-addresses=192.168.0.2 protocol=tcp
      dst-address=75.64.26.0/23 in-interface=ether1-master-local dst-port=22
      log=yes log-prefix=""
Thanks,
Richard
 
lenart
Frequent Visitor
Posts: 64
Joined: Sat Jun 28, 2014 10:56 am

Re: All port-forwarded SSH connections appear to be coming from the router, not the originating IP

Thu Aug 20, 2015 10:45 pm

Quite simply because you are using port forwarding. Your router is translating the IP address of the host that's trying to connect to your SSH server to its own internal LAN IP address. And since your firewall rule allows connections from any IP on the internet to IP addresses in the range 75.64.26.1 - 75.64.27.254, I see no reason for the firewall on your router to put any restrictions whatsoever on the IP address of the host that's initiating the connection.
 
hobbes1069
newbie
Topic Author

Re: All port-forwarded SSH connections appear to be coming from the router, not the originating IP

Fri Aug 21, 2015 1:37 am

Ok, I guess it's worth breaking this down into two issues:

1. How do I get it to act like a regular stand-alone router so the originating IP gets passed to the internal server?

2. The 75.64.26.0/23 destination setting is my attempt to not have to worry about Comcast changing my IP and not having to use a script to keep it updated. Without this, all my OUTGOING ssh sessions break, although that could be a problem with the RouterOS 6.31 update.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: All port-forwarded SSH connections appear to be coming from the router, not the originating IP

Fri Aug 21, 2015 4:48 pm

Dstnat only changes the destination address and srcnat changes the source address. If you have just those two NAT rules you posted and no others, the source address will be changed only if the packet goes out through ether1-master-local. But from your dstnat rule, ether1-master-local looks more like WAN, so a packet going to LAN would go somewhere else. Unless you have some kind of one-interface setup.

Btw, there's also the very useful dst-address-type=local, which matches any address assigned to the router. That might be a better replacement for dst-address=75.64.26.0/23.
 
hobbes1069
newbie
Topic Author

Re: All port-forwarded SSH connections appear to be coming from the router, not the originating IP

Fri Aug 21, 2015 7:04 pm

Dstnat only changes destination address and srcnat changes source address. If you have just those two NAT rules you posted and no others, source address will be changed only if packet goes out through ether1-master-local. But from your dstnat rule, ether1-master-local looks more like WAN, so packet going to LAN would go somewhere else. Unless you have some kind of one interface setup.

I am using the default setup that came with my CRS125; ether1-master-local is the WAN port and all others are slaves to it. Limiting to an in-interface was one of my attempts to fix the problem, but there's no behavior change as far as I can tell with or without that set.

Btw, there's also very useful dst-address-type=local, which matches any address assigned to router. That might be better replacement for dst-address=75.64.26.0/23.

I specifically want it to match my WAN IP, not the LAN IP. Should that work for my setup?
[admin@MikroTik] > /ip address print 
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                              
 0   192.168.0.1/24     192.168.0.0     ether1-master-local                    
 1 D 75.64.26.33/23     75.64.26.0      ether1-master-local
Again, I'm thinking I might be running into a bug with 6.31... Since it's set up as dstnat I don't know why it would affect outgoing SSH connections, but it did. If I leave the dstnat dst-address blank then all of my OUTGOING SSH connections fail.

Thanks,
Richard
 
hobbes1069
newbie
Topic Author

Re: All port-forwarded SSH connections appear to be coming from the router, not the originating IP

Fri Aug 21, 2015 9:24 pm

Ok, I think I'm starting to understand the problem but don't want to experiment with changing settings until I understand.

My assumption (which may very well be bad) is that QuickSet at least knows what it's doing. I used it to get an IP from my Comcast cable modem and set the internal address to 192.168.0.1.

This added both IPs to ether1-master-local, which sounds like that's part of the problem: my WAN port is switched with all the other ports.

I think I need to set ether2-slave-local as a master port and slave all the other ports to it. The question I have is after I do that, what ensures that outbound traffic from the local network makes it to the internet (WAN port)?

Do the routes take care of that? Do I need to setup a bridge interface?

Thanks,
Richard
 
Sob
Forum Guru

Re: All port-forwarded SSH connections appear to be coming from the router, not the originating IP

Fri Aug 21, 2015 10:11 pm

Let's say your setup is a little unusual. As a quick hotfix, you can add dst-address=!192.168.0.0/24 to the srcnat rule. That way source NAT will be applied only to connections going somewhere else.

But I recommend changing the configuration to something more proper, because right now your internal network is wide open to your ISP. They probably have better things to do than sniffing in your network, but it's still wrong. The usual setup involves two separate WAN and LAN interfaces. Simply remove one port from the switch (it doesn't have to be ether1) and use it as WAN.

Do I need to setup a bridge interface?

No bridge. A bridge does the same thing as a switch. Keep the WAN interface completely separate. It's a router, routing is its life, it will work. :)
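To see why the SSH connection reaches the server from 192.168.0.1, and why both the dst-address=!192.168.0.0/24 hotfix and a dedicated WAN port restore the real source address, here is a small Python model of the dstnat -> routing -> srcnat path (an added example written for this thread, not MikroTik code). It assumes the addresses from Richard's /ip address print, a constructed remote client 203.0.113.7, dst-address-type=local in place of dst-address=75.64.26.0/23, and simplifies routing and masquerade to the parts this thread needs.

```python
import ipaddress

# Constructed model of the CRS125 as QuickSet left it: both addresses on one interface.
SINGLE_IFACE = {"ether1-master-local": ["75.64.26.33/23", "192.168.0.1/24"]}
# After the recommended change: a dedicated WAN port, LAN stays on the switch master.
SPLIT_IFACE = {"ether24-wan": ["75.64.26.33/23"], "ether1-master-local": ["192.168.0.1/24"]}
SSH_SERVER = "192.168.0.2"

def router_addresses(router):
    """All addresses assigned to the router; what dst-address-type=local matches."""
    return {ipaddress.ip_interface(a).ip for addrs in router.values() for a in addrs}

def route(dst, router):
    """Return (out-interface, router address used as source on it).

    A directly connected network wins; otherwise the default route leaves via the
    interface holding the public (WAN) address.
    """
    dst = ipaddress.ip_address(dst)
    for iface, addrs in router.items():
        for a in addrs:
            ifa = ipaddress.ip_interface(a)
            if dst in ifa.network:
                return iface, str(ifa.ip)
    for iface, addrs in router.items():
        for a in addrs:
            ifa = ipaddress.ip_interface(a)
            if not ifa.ip.is_private:
                return iface, str(ifa.ip)
    raise ValueError("no route to %s" % dst)

def forward(pkt, router, masq_out_iface, masq_dst_exclude=None):
    """Push one packet through dstnat -> routing -> srcnat and return the rewritten packet."""
    pkt = dict(pkt)
    # dstnat: chain=dstnat protocol=tcp dst-port=22 dst-address-type=local to-addresses=SSH_SERVER
    if pkt["dport"] == 22 and ipaddress.ip_address(pkt["dst"]) in router_addresses(router):
        pkt["dst"] = SSH_SERVER
    out_iface, out_addr = route(pkt["dst"], router)
    # srcnat: chain=srcnat action=masquerade out-interface=masq_out_iface,
    # optionally with dst-address=!masq_dst_exclude (the hotfix from this post)
    excluded = masq_dst_exclude is not None and \
        ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(masq_dst_exclude)
    if out_iface == masq_out_iface and not excluded:
        pkt["src"] = out_addr  # masquerade uses the router's address on the out-interface
    pkt["out_iface"] = out_iface
    return pkt

# Constructed inbound SSH connection from a remote client to the WAN address.
INBOUND_SSH = {"src": "203.0.113.7", "dst": "75.64.26.33", "dport": 22}
```

With the single-interface layout the forwarded packet leaves on the same interface the masquerade rule matches, so its source becomes 192.168.0.1, which is exactly what fail2ban logged; with the exclusion or a separate WAN port the original 203.0.113.7 survives.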
 
hobbes1069
newbie
Topic Author

Re: All port-forwarded SSH connections appear to be coming from the router, not the originating IP

Sat Aug 22, 2015 12:39 am

Ok, that makes me feel a bit better.

Now, if I keep ether1 as master then I have to change ether2 to none and then have 3-24 master off of ether2. Is there a shorthand way of doing this through the CLI?

Or I can move the WAN connection to port 24 like I was planning on before I found out it defaulted to port 1...

Thanks,
Richard
 
hobbes1069
newbie
Topic Author

Re: All port-forwarded SSH connections appear to be coming from the router, not the originating IP

Sun Aug 23, 2015 10:58 pm

Ok, just got back from a 3 day canoe trip so I could implement your suggestion.

I went ahead and made port 24 "ether24-wan" so I didn't have to change the master port. Swapped the DNS client to that interface and changed the Firewall NAT masquerade to that interface, and now everything seems to be working properly!

Including incoming connections showing as from their originating IP!

Thanks!
Richard