Community discussions

MikroTik App
  4. RouterOS
  5. General

SSH into LAN over external IP from a L2TP tunnel

Post Reply
 
User avatar
r0berts
newbie
Topic Author
Posts: 49
Joined: Mon Jul 30, 2018 3:29 pm

SSH into LAN over external IP from a L2TP tunnel

Tue Jun 27, 2023 3:08 pm

Hi all,

I need to ssh into my home debian server (IP 192.168.89.200) that is behind a Mikrotik Chateau lte router. I have successfully set up a L2TP client connection to an ISP giving me an interface lt2tp-client with address (let's refer to it as) X.Y.Z.Z. This L2TP tunnel is needed so that I can have a fixed IP address because my LTE connection is behind CGNAT, therefore dynamic-dns wouldn't work. I have set up DNAT port forwarding on Chateau to my debian server so that:

- packets with dst address X.Y.Z.Z destined for port 55533
- get forwarded to 192.168.89.200 to port 22

The connection works one way because I can see packets coming into the debian server with tcpdump:
Code: Select all
 tcpdump  -i enp3s0 -n 'port 22'
However connection back is not made. Client keeps sending SYN packets, but never receives SYNACK [S.}, therefore never sends ACK [.] and tcp connection never happens. I tested with local clients - the three-way handshake sequence works and I get login prompt immediately. When I try to connect from internet to address X.Y.Z.Z - handshake does not happen; ssh client times out.

I think this is probably to do with the fact that I do not want normal LAN traffic to go through the L2TP link and packets sent back travel through default route via lte1 interface and probably never make it back. But at this point it gets too confusing for me. Should I put in a firewall filter rule, a route, or a source nat rule? How can I make this work?

The problem should not have to do with my firewall rules as I disabled all but the defconf ones and that makes no difference to tcpdump. Packets to X.Y.Z.Z:55533 keep arriving to 192.168.89.200:22 with all rules enabled or not.

I added a schematic picture of the setup showing that normal traffic (N) should continue going over the main connection and the L2TP tunnel only used for SSH:

Image

Many thanks for your help!
Top
 
wiseroute
Member
Member
Posts: 425
Joined: Sun Feb 05, 2023 11:06 am

Re: SSH into LAN over external IP from a L2TP tunnel

Tue Jun 27, 2023 3:52 pm

hello ruberts,
The connection works one way because I can see packets coming into the debian server with tcpdump:
ok. assuming that your tcpdump out was correct - which is your debian server sees your home client ssh connection - now all you have to do is routing back your server reply via that l2tp tunnel.

you need a new routing table other than main.

MT wiki help page has very nice detailed examples on how to do pcc for your ssh.

https://wiki.mikrotik.com/wiki/ECMP_loa ... masquerade

don't overlook at the load balancing topic - but just read how to do connection marking to route back to the tunnel.

feel free to read it first 👍🏻
Top
 
User avatar
r0berts
newbie
Topic Author
Posts: 49
Joined: Mon Jul 30, 2018 3:29 pm

Re: SSH into LAN over external IP from a L2TP tunnel

Tue Jun 27, 2023 4:08 pm

Great, that makes sense, just what I needed. I will read during the day and try in the evening. I will write results up more properly
Top
 
User avatar
r0berts
newbie
Topic Author
Posts: 49
Joined: Mon Jul 30, 2018 3:29 pm

Re: SSH into LAN over external IP from a L2TP tunnel

Wed Jun 28, 2023 10:29 am

Sorry, I got stuck, could not quite understand the examples as I am not experienced and they are somewhat different to my scenario. So the questions that I have (ROS v 7.10 stable)

1. I have to mark new connection coming in through l2tp connection. Mangle rule on input chain with In-Interface l2tp sets mark L2TP_CONN. Because that is a connection then packets coming back and belonging to this connection should be bearing the same mark.
2. I then have to create a mangle rule to add routing mark L2TP_RMARK to the packets bearing the connection mark L2TP_CONN. This rule should be on output chain.
3. I also need to create a routing table l2tp-table
4. That table should contain a routing rule to say pakets marked with L2TP_RMARK should use lookup only in the table called l2tp-table
5. A default route in that table should say gateway is the l2tp ip address assigned by the l2tp operator (that would be my static IP)

But that does not seem to work. Anything that I understood wrong? Should I post any particular part of the config?
Top
 
tdw
Forum Guru
Forum Guru
Posts: 2118
Joined: Sat May 05, 2018 11:55 am

Re: SSH into LAN over external IP from a L2TP tunnel

Wed Jun 28, 2023 1:18 pm

Not quite. #1 & #2 only handle traffic to the Mikrotik itself.

The traffic to your SSH server requires connection marks in the forward chain plus routing marks in the prerouting chain. You have to make sure that the prerouting mark only applies to outbound traffic (hint: consider what happens if the inbound traffic gets looked up in the additional routing table if it only contains the L2TP default route). Also note that mangle and fasttrack are not compatible with each other.

The general advice is to post complete configurations with sensitive and personal information removed, e.g. serial number plus public IP addresses, credentials in scripts, etc. which hide-sensitive (default option on /export in v7) is unable to spot automatically as you may not be aware of how different sections of a configuration interact with each other and omit something important.
Top
 
wiseroute
Member
Member
Posts: 425
Joined: Sun Feb 05, 2023 11:06 am

Re: SSH into LAN over external IP from a L2TP tunnel

Wed Jun 28, 2023 2:34 pm

@ ruberts,

maybe this one has better example:

https://wiki.mikrotik.com/wiki/Manual:PCC
Top
 
User avatar
r0berts
newbie
Topic Author
Posts: 49
Joined: Mon Jul 30, 2018 3:29 pm

Re: SSH into LAN over external IP from a L2TP tunnel

Wed Jun 28, 2023 7:17 pm

Thanks wiseroute and tdw! I think I did get seriously stuck. The goal seems so close, but yet I misunderstand something. Connection can be seen for a few seconds in the connection table marked with connection mark L2TP_CONN with state "syn-received" for a few seconds, then it disappears as TCP handshake never happens.

Here is my configuration, sanitised for public IPs. If someone could point where I am going wrong, and what to do to make this scenario work it would be much appreciated.
Code: Select all
/export
# 2023-06-28 17:03:18 by RouterOS 7.10
#
/interface bridge
add admin-mac=48:8F:5A:17:4B:44 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=3 band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=G-ciems2 \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] antenna-gain=6 band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=G-ciems5 \
    wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] use-peer-dns=no
add apn=wap.telephony.com authentication=pap name="Telephony provider internet" use-peer-dns=no user=web
/interface lte
set [ find default-name=lte1 ] allow-roaming=no apn-profiles="Telephony provider internet" band=""
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/interface l2tp-client
add allow=chap,mschap1,mschap2 connect-to=100.100.100.1 disabled=no name=l2tp-client profile=default user=l2tp-user@a
add allow=mschap2 connect-to=100.100.100.1 name=l2tpaa profile=default user=l2tp-user@a
/routing table
add fib name=l2tp-table
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set tcp-syncookies=yes
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
add comment=myconf interface=l2tp1 list=WAN
/interface lte settings
set external-antenna=auto
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-relay
add dhcp-server=192.168.88.27 interface=ether1 name=dhcp-relay1
/ip dns
set allow-remote-requests=yes servers=192.168.88.27
/ip firewall address-list
add address=0.0.0.0/8 list=BOGONS
add address=10.0.0.0/8 list=BOGONS
add address=100.64.0.0/10 list=BOGONS
add address=127.0.0.0/8 list=BOGONS
add address=169.254.0.0/16 list=BOGONS
add address=172.16.0.0/12 list=BOGONS
add address=192.0.0.0/24 list=BOGONS
add address=192.0.2.0/24 list=BOGONS
add address=192.168.0.0/16 list=BOGONS
add address=198.18.0.0/15 list=BOGONS
add address=198.51.100.0/24 list=BOGONS
add address=203.0.113.0/24 list=BOGONS
add address=224.0.0.0/3 list=BOGONS
/ip firewall filter
add action=drop chain=forward comment="Drop incoming Bogon source addresses" in-interface-list=WAN src-address-list=BOGONS
add action=jump chain=forward comment="Create chain for allowing specific ICMP types" jump-target=ICMP-chain protocol=icmp
add action=add-src-to-address-list address-list=port-scan address-list-timeout=1d chain=forward comment="port scan src-addr list making with PSD" log=yes log-prefix=psd- protocol=tcp psd=\
    21,3s,3,1
add action=add-src-to-address-list address-list=port-scan address-list-timeout=1d chain=input comment="port scan src-addr list making with PSD for input" log=yes log-prefix=psd- protocol=tcp psd=\
    21,3s,3,1
add action=drop chain=forward src-address-list=port-scan
add action=drop chain=input src-address-list=port-scan
add action=add-src-to-address-list address-list=TCP-2-L2TP address-list-timeout=1d chain=input comment="not in use XT tarpitting list (connection attempts to NOT ext firewall ingress port)" \
    disabled=yes dst-address=200.200.200.10 dst-port=!55554 in-interface=l2tp1 log=yes log-prefix=TARL-XT-CONN protocol=tcp
add action=add-src-to-address-list address-list=TCP-2-L2TP address-list-timeout=1d chain=input comment="XT DROP list (connection attempts to not 55554)" dst-address=200.200.200.10 dst-port=!55554 \
    in-interface=l2tp1 log-prefix=DROPL-XT-CONN protocol=tcp
add action=drop chain=input comment="XT drop udp attempts to router on L2TP" dst-address=200.200.200.10 in-interface=l2tp1 protocol=udp
add action=drop chain=input comment="DROP XT conn to L2TP non 55554" log=yes log-prefix="DROP XT-CON to Router:" protocol=tcp src-address-list=TCP-2-L2TP
add action=drop chain=input comment="prevent ICMP smurf attack - drop dst- broadcast pings" dst-address-type=broadcast protocol=icmp
add action=accept chain=input comment="Echo Request with limit 2 per sec, (burst 5) to avoid ping flood of the router" icmp-options=8:0 limit=2,5:packet protocol=icmp
add action=jump chain=input comment="also jump to ICMP processing chain" jump-target=ICMP-chain protocol=icmp
add action=accept chain=ICMP-chain icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP-chain comment="Echo Request with limit 200 per sec, (burst 5) - for all network ICMP type 8" icmp-options=8:0 limit=200,5:packet protocol=icmp
add action=accept chain=ICMP-chain icmp-options=3:0 protocol=icmp
add action=accept chain=ICMP-chain icmp-options=3:4 protocol=icmp
add action=accept chain=ICMP-chain comment="traceroute - time exceeded (11:0)" icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP-chain icmp-options=11:3 protocol=icmp
add action=return chain=ICMP-chain
add action=drop chain=input comment="prevent ICMP smurf - drop ICMP coming from outside the network" in-interface-list=WAN protocol=icmp
add action=drop chain=forward protocol=icmp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all last rule" disabled=yes
/ip firewall mangle
add action=mark-connection chain=prerouting comment="mark incoming new (SSH) connection" in-interface=l2tp1 new-connection-mark=L2TP_CONN passthrough=yes
add action=mark-routing chain=prerouting comment="mark for returning SSH communicaiton for l2tp routing table" connection-mark=L2TP_CONN in-interface=bridge new-routing-mark=l2tp-table \
    passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=redirect chain=dstnat comment="local DNS" dst-port=53 in-interface-list=LAN protocol=tcp src-address=!192.168.88.27 to-ports=53
add action=redirect chain=dstnat comment="local DNS" dst-port=53 in-interface-list=LAN protocol=udp src-address=!192.168.88.27 to-ports=53
add action=dst-nat chain=dstnat comment="DNAT to the ssh server on LAN" dst-address=200.200.200.10 dst-port=55554 log=yes log-prefix=SSH-DNAT-from-EXT: protocol=tcp to-addresses=192.168.88.18 \
    to-ports=22
/ip firewall raw
add action=drop chain=prerouting comment="UDP flood protection in case we have DNS enabled" dst-port=53 in-interface-list=WAN protocol=udp src-address-list=""
add action=accept chain=prerouting comment="internal UDP DNS flood protection" dst-port=53 in-interface-list=!WAN limit=100,5:packet protocol=udp
add action=drop chain=prerouting comment="internal UDP DNS flood protection" dst-port=53 in-interface-list=!WAN protocol=udp
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set sip disabled=yes
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=200.200.200.10 pref-src="" routing-table=l2tp-table scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2244
set www-ssl certificate=*1 disabled=no
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set host-key-size=4096 strong-crypto=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/routing rule
add action=unreachable disabled=no routing-mark=l2tp-table
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
/system upgrade upgrade-package-source
add address=159.148.147.204
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
Top
Post Reply
  4. RouterOS
  5. General